From: Greg Groth <ggroth@gregs-garage.com>
To: freebsd-questions@freebsd.org
Subject: Re: Kerberos
Date: Thu, 16 Jul 2015 19:45:10 -0500
Message-ID: <4582000dcfad2dc26ca4076d2024f23f@mail.gregs-garage.com>
In-Reply-To: <1383995814.37100404.1437030764957.JavaMail.zimbra@logitravel.com>

On 2015-07-16 02:12, Raimund Sacherer wrote:
> Hello Greg,
>
>> C:\Windows\system32>ktpass -princ
>> HTTP/ad01.example.local@EXAMPLE.LOCAL
>> -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out
>> :\temp\krb5.keytab
>
> For what it's worth, we have a couple of servers authenticating against
> a 2012 domain and we create the keytab file like this:
>
> setspn -A HTTP/service.host.name windowsusername
>
> ktpass -out key.tab -princ HTTP/service.host.name@EXAMPLE.LOCAL
> -mapUser windowsuser -mapOp set -pass password -crypto RC4-HMAC-NT
> -pType KRB5_NT_PRINCIPAL
>
> At times we have instead of RC4-HMAC-NT set ALL.
>
> Hope this helps,
>
> best

Many, many thanks for answering. I tried the following from the command line on the 2012 DC as Admin:

C:\setspn -A HTTP/ad01.example.local aduser
Checking domain DC=example,DC=local

Registering ServicePrincipalNames for CN=ADUSER,CN=Users,DC=example,DC=local
        HTTP/ad01.example.local
Updated object

C:\ktpass -out C:\temp\krb5.keytab -princ HTTP/aduser.example.local@EXAMPLE.LOCAL -mapUser aduser -mapOp set -pass P@$$word -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
Targeting domain controller: AD01.example.local
Using legacy password setting method
Successfully mapped HTTP/aduser.example.local to aduser.
Key created.
Output keytab to C:\temp\krb5.keytab:
Keytab version: 0x502
keysize 80 HTTP/aduser.example.local@EXAMPLE.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 29 etype 0x17 (RC4-HMAC) keylength 16 (0x923174d28eac78c4c29e92663ad82c2e)

Copied the keytab to /etc on the FreeBSD box (chown root:wheel / chmod 600) and tried the following as root:

root@BSD01:/ # kinit -k aduser
kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

("root@BSD01:/ # kinit -t /etc/krb5.keytab aduser" returns the same)

If I try a bogus user:

root@BSD01:/ # kinit -k bogususer
kinit: krb5_get_init_creds: Client (bogususer@EXAMPLE.LOCAL) unknown

It looks like it's communicating and locating the user correctly, but something is going awry with the authentication? I've reset the password on the AD multiple times, and have verified I can log onto a workstation located in the "EXAMPLE" domain with the "aduser" credentials. Are there perhaps other permissions that need to be assigned on the DC to "aduser" in order to get this to work?

Best regards,
Greg Groth
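Editor's added example (not code posted by Greg or Raimund): the check a practitioner would run before trusting the "kinit -k" result above. kinit qualifies a bare name with the default realm (so "aduser" means aduser@EXAMPLE.LOCAL) and then looks for exactly that principal in the keytab, and the service part of the keytab principal should be the same name that setspn registered on the account. The script takes a keytab listing as input; the listing embedded here is constructed from the ktpass output in the thread and approximates the column layout of Heimdal's "ktutil -k /etc/krb5.keytab list" (FreeBSD base) or MIT's "klist -kt /etc/krb5.keytab". The default realm is assumed; on a real host it comes from krb5.conf.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Confirms that the NAME handed to "kinit -k NAME" is exactly one of the
# principals in the keytab, and that the SPN registered with setspn agrees
# with the principal ktpass wrote. Works on any keytab listing in which each
# principal appears as its own whitespace-delimited token (Heimdal ktutil and
# MIT klist both print it that way).

DEFAULT_REALM="EXAMPLE.LOCAL"   # assumption for the example; krb5.conf supplies this normally

# CONSTRUCTED listing mirroring the thread's ktpass output; Heimdal-style
# columns, approximated.
SAMPLE_LISTING='FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                   Aliases
 29  arcfour-hmac-md5         HTTP/aduser.example.local@EXAMPLE.LOCAL'

# A bare NAME on the kinit command line means NAME@<default realm>.
qualify_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$DEFAULT_REALM" ;;
    esac
}

# keytab_has_principal LISTING NAME: succeed only on an exact whole-token match,
# so HTTP/aduser.example.local@REALM does not satisfy a request for aduser@REALM.
keytab_has_principal() {
    _want=$(qualify_principal "$2")
    printf '%s\n' "$1" | awk -v want="$_want" '
        { for (i = 1; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# spn_matches_keytab_principal SPN KEYTAB_PRINCIPAL: the name setspn registered
# on the account must equal the realm-less part of the keytab principal.
spn_matches_keytab_principal() {
    [ "$1" = "${2%@*}" ]
}

# Report helpers used for the stand-alone walk-through below.
report_principal() {
    if keytab_has_principal "$SAMPLE_LISTING" "$1"; then
        echo "ok:       $(qualify_principal "$1") has a key in the keytab"
    else
        echo "missing:  $(qualify_principal "$1") has no key in the keytab"
    fi
}

report_spn() {
    if spn_matches_keytab_principal "$1" "$2"; then
        echo "ok:       registered SPN $1 matches keytab principal $2"
    else
        echo "mismatch: setspn registered $1 but the keytab holds $2"
    fi
}

# Walk through the values that appear in the thread.
report_principal "aduser"                                   # what was passed to kinit -k
report_principal "HTTP/aduser.example.local@EXAMPLE.LOCAL"  # what ktpass wrote
report_spn "HTTP/ad01.example.local" "HTTP/aduser.example.local@EXAMPLE.LOCAL"
```

To use it against a real keytab, replace SAMPLE_LISTING with the output of ktutil or klist and pass the same principal string you intend to give kinit; if the listing check fails, kinit has no key to try and the exchange cannot succeed regardless of the account password. One caveat on posting such output to a list: the 16-byte RC4-HMAC key ktpass prints is the NT hash of the account password, so a keytab listing that includes key bytes is password-equivalent material and the account should be re-keyed after it has been shared.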