Date:      Wed, 15 Jul 2015 12:36:38 -0500
From:      greg <greg@mail.gregs-garage.com>
To:        freebsd-questions@freebsd.org
Subject:   Kerberos
Message-ID:  <75d664eeb361264e9b4560a89b1a32bf@mail.gregs-garage.com>

Setting up a fresh install of FreeBSD 10.1 to run RT42 on Apache 2.4 
with PHP 5.6 & a MySQL 5.6 backend.  So far, so good.  Now trying to 
configure Apache to authenticate against a fresh install of Windows 2012 
using ap24-mod_auth_kerb2, and I'm running into a brick wall.

uname -a : FreeBSD ATBSD01 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64


So far I've created a user on the Windows domain to use in the keytab
I've configured my krb5.conf file
I've generated a keytab file on the Windows box, and installed it on the 
FreeBSD server, and configured Apache to use the keytab to authenticate 
a test directory, but so far, no luck.

To troubleshoot the config, I've been trying using the command line 
tools for Kerberos.

Here's my krb5.conf:

[libdefaults]
default_realm = EXAMPLE.LOCAL

[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL

[realms]
EXAMPLE.LOCAL = {
admin_server=ad01.example.local:749
kdc=ad01.example.local:88
}

Here's the command I ran on the windows box:

C:\Windows\system32>ktpass -princ HTTP/ad01.example.local@EXAMPLE.LOCAL -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out :\temp\krb5.keytab

I then copy the krb5.keytab file to the /etc directory on the FreeBSD 
server, then run chown root:wheel on the file, and chmod 600.

From the FreeBSD box, I can do the following:

$ kinit aduser
aduser@EXAMPLE.LOCAL's Password: P@$$word

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: aduser@EXAMPLE.LOCAL
   Issued                Expires               Principal
Jul 15 12:06:49 2015  Jul 15 22:06:49 2015  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL

It works.

However if I try:

$ kinit -k aduser

I get:

kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

("kinit -t /etc/krb5.keytab aduser" returns the same)

I've tried to validate the keytab file by running:

$ ktutil list

and get the following:

Vno  Type              Principal                               Aliases
 27  arcfour-hmac-md5  HTTP/ad01.example.local@EXAMPLE.LOCAL

I get the same result if I run as root.

I've sat and combed through Wireshark captures, and the only thing I 
notice is that if I run kinit without the keytab, I can see the Windows 
server responding a single time with an error message of 
"KRB5KDC_ERR_PREAUTH_REQUIRED"; it then continues through the 
communication and a ticket is created.  However, if I attempt to use 
kinit and specify the keytab file, I see two 
"KRB5KDC_ERR_PREAUTH_REQUIRED" errors, one after the other, and the 
communication stops.

I'm guessing that either the password was never saved correctly to the 
keytab or kinit isn't reading / transmitting it to the Windows server.

I've tried multiple versions of the keytab file (as seen by the version 
number from ktutil, this was attempt 28) with the same result.  I've 
tried specifying the encoding type, changing the username to 
domain\username, as well as username@domain.local; nothing seems to 
work.

Any ideas on how to progress from here?

Best regards.

Greg Groth
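An added example (editor's code, not from the post above nor from any Kerberos implementation): a small reader for the format-2 keytab layout that MIT krb5, Heimdal and Windows ktpass all write, which lists entries the way `ktutil list` does and then answers the question `kinit -k NAME` implicitly asks, namely whether the keytab holds a key for that principal. A bare name is qualified with the default realm, as kinit does. The sample keytab, its timestamp and its 16 zero key bytes are constructed here so the script runs offline; `build_keytab`, `parse_keytab` and `has_principal` are names chosen for this example.

```python
import struct

# Keytab file format version 2 (magic 0x0502). Per entry, all integers big-endian:
#   int32 size; uint16 ncomponents; realm; ncomponents x component;
#   uint32 name_type; uint32 timestamp; uint8 vno; uint16 enctype; key;
#   optional uint32 vno (used instead of the 8-bit one when non-zero)
# where realm, each component and the key are uint16 length-prefixed byte strings.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}


def _put(b):
    """Encode a length-prefixed byte string."""
    return struct.pack(">H", len(b)) + b


def _get(data, pos):
    """Decode a length-prefixed byte string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """entries: iterable of (principal, name_type, timestamp, vno, enctype, key)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, name_type, timestamp, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _put(realm.encode())
        for comp in comps:
            body += _put(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
        body += struct.pack(">H", enctype) + _put(key)
        body += struct.pack(">I", vno)          # 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a format-2 keytab (expected magic 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # deleted slot of length -size: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _get(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _get(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _get(data, pos)
        if end - pos >= 4:          # trailer present: it carries the full vno
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "vno": vno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),
        })
    return entries


def has_principal(data, principal, default_realm):
    """True if the keytab holds a key for `principal`. A bare name is qualified
    with default_realm, which is what `kinit -k NAME` does before looking it up."""
    if "@" not in principal:
        principal = f"{principal}@{default_realm}"
    return any(e["principal"] == principal for e in parse_keytab(data))


# Constructed sample mirroring the ktutil listing in the post: one RC4 key,
# vno 27, for the HTTP service principal. Timestamp and key bytes are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/ad01.example.local@EXAMPLE.LOCAL", KRB5_NT_PRINCIPAL,
     1436979600, 27, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['vno']:>4}  {e['enctype']:<24}  {e['principal']}")
    for name in ("aduser", "HTTP/ad01.example.local"):
        print(name, "->", has_principal(SAMPLE_KEYTAB, name, "EXAMPLE.LOCAL"))
```

Run against the listing shown in the post, the check reports an entry for HTTP/ad01.example.local@EXAMPLE.LOCAL and none for aduser@EXAMPLE.LOCAL: `kinit -k` looks the keytab up under the principal named on its own command line, not under whatever service principal the file happens to contain, so comparing the two names is the first thing to verify before reading packet captures. Point the script at `/etc/krb5.keytab` (it needs only read access) to run the same comparison on a real file.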
