"Douglas E. Engert" <[email protected]> wrote in message news:[email protected]...
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostn...@realm has "host" in lower case.
> Why the Samba net ADS join uses upper case is not clear.
>
> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case will work, as Windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.
>
You could add a copy to the keytab with ktutil which has an uppercase HOST, e.g.

# ktutil
ktutil: rkt /tmp/test.keytab
ktutil: l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
ktutil: addent -key -p HOST/[email protected] -k 3 -e rc4-hmac
Key for HOST/[email protected] (hex): d962b1ecc18a809eb57c4a031193623a
ktutil: l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
   2    3 HOST/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
ktutil: wkt /tmp/new.keytab
ktutil: quit

>
> ravi channavajhala wrote:
>> I'm setting up a Solaris 10 server as a test samba server with AD
>> authentication. I'm running into a little bit of an issue with Kerberos
>> tickets. The setup is as follows:
>>
>> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
>> (shipped with the distro) and IMU on Windows. My LDAP client is working
>> well and validates getent passwd <user>, and I can run ldaplist -l passwd
>> <user> and ldapsearch, no issues. My LDAP authentication is set to simple,
>> with proxyDnuser.
>>
>> On Solaris I'm very sure I set up the krb5.conf, smb.conf, pam.conf,
>> nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use 'files ldap'
>> for both passwd and group and 'dns files' for hosts. On Windows the IMU UNIX
>> attributes are set to the correct NIS domain.
>>
>> I ran net ads join to successfully join the Solaris server into the AD;
>> however, net ads keytab create simply returns a new line without any
>> errors.
>> When I checked on Windows, after the net ADS join command, I see two service
>> principals (SPN); the capitalization is intentional as this is how they
>> appear when I run spnset hostname
>>
>> HOST/HOSTNAME
>>
>> HOST/hostname.domain.com (FQDN)
>>
>> I also set up a service account name (user object) on Windows whose name is
>> the same as the hostname (computer object). I generated the keytab file with
>>
>> ktpass -princ host/f...@realm -mapuser DOMAIN\SERVICEACCT$ -pass password
>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?
>
>>
>> I then ftped this file over to the Solaris host and try to authenticate a
>> user login via AD. I get
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database
>>
>
> Could be the case issue. krb5 is looking for "host"
>
>> So, just for the heck of it I generated another krb5.keytab with the
>> following
>>
>> ktpass -princ HOST/f...@realm -mapuser DOMAIN\SERVICEACCT$ -pass password
>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>
>> Please note the HOST in capitals. Now I get this error testing with this
>> keytab:
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>>
>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>>
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...
>
>> I have my DNS set up correctly and the nslookup for DCs, GCs and LDAP
>> servers returns properly. I can add the SPNs forcibly with
>> host/hostname.domain.com and host/hostname and try different combinations.
>> But first I need to understand this behavior, anyone???
>>
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
> --
>
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
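As an added illustration of the keytab-side half of the problem (this is example code written for this page, not part of the thread and not ktutil's source): the Kerberos library matches the keytab principal name exactly, so a keytab holding only host/hostname.domain.com cannot serve a request for HOST/hostname.domain.com, which is the "Key table entry not found" failure above. The script below reads and writes the MIT keytab format (magic 0x0502, big-endian, one int32-sized record per entry with realm, name components, name type, timestamp, 8-bit kvno, enctype plus key, and a trailing 32-bit kvno), then does what the ktutil addent session does: it copies the existing entry to a second one whose service component is spelled HOST, keeping the same kvno, enctype and key bytes. The principal, realm DOMAIN.COM and the key bytes are constructed placeholders, not values from the thread.

```python
"""Copy a keytab entry under a differently-cased service name.

Added example for the case-sensitivity discussion above; not code from
the thread, ktutil or MIT krb5. Implements a minimal reader/writer for
the MIT keytab file format (version 0x0502).
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_RC4_HMAC = 23       # the enctype used in the ktutil session above
KRB5_NT_PRINCIPAL = 1


def _counted(b):
    """uint16 length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_entry(principal, realm, kvno, enctype, key,
                 timestamp=0, name_type=KRB5_NT_PRINCIPAL):
    """Serialize one entry body (without the leading int32 record size)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)   # 32-bit kvno, as MIT writers append
    return body


def write_keytab(entries):
    out = KEYTAB_MAGIC
    for e in entries:
        body = encode_entry(**e)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": ts, "name_type": name_type})
    return entries


def find_key(entries, principal, realm):
    """Exact, case-sensitive match: the library's behaviour, unlike Windows SPNs."""
    for e in entries:
        if e["principal"] == principal and e["realm"] == realm:
            return e
    return None


def add_case_variant(entries, principal, realm, new_service):
    """Equivalent of 'addent -key' with the same key: duplicate the entry
    with only the service component respelled (e.g. host -> HOST)."""
    src = find_key(entries, principal, realm)
    if src is None:
        raise KeyError("Key table entry not found: %s@%s" % (principal, realm))
    comps = principal.split("/")
    comps[0] = new_service
    return entries + [dict(src, principal="/".join(comps))]


def demo():
    """Build a one-entry keytab, show the lookup gap, fix it, round-trip."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    kt = write_keytab([{"principal": "host/hostname.domain.com",
                        "realm": "DOMAIN.COM", "kvno": 3,
                        "enctype": ENCTYPE_RC4_HMAC, "key": key,
                        "timestamp": int(time.time())}])
    entries = parse_keytab(kt)
    assert find_key(entries, "HOST/hostname.domain.com", "DOMAIN.COM") is None
    entries = add_case_variant(entries, "host/hostname.domain.com",
                               "DOMAIN.COM", "HOST")
    return parse_keytab(write_keytab(entries))   # re-read the rewritten keytab
```

Running demo() leaves two entries with identical kvno, enctype and key that differ only in the case of the service component, which is what ktutil's second listing above shows; a lookup for either spelling now succeeds. The same routine can be pointed at a real keytab by replacing the constructed bytes with the file contents, but note it copies keys verbatim and should only be used on a keytab you already control.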
