FWIW MIT Kerberos 1.7 will address this. -- Luke
On 07/05/2009, at 5:49 AM, Markus Moeller wrote:

> "Douglas E. Engert" <[email protected]> wrote in message
> news:[email protected]...
>
>> Windows treats principal names as case insensitive.
>> Kerberos treats them as case sensitive.
>>
>> Normally Kerberos host/hostn...@realm has "host" in lower case.
>> So why Samba net ADS join is using upper case is not clear.
>>
>> If the net ads join adds the SPN in uppercase, then the ktpass
>> with lower case, it will work, as Windows is case insensitive
>> and the SPN already exists.
>>
>> You could try changing the SPN to lower case.
>
> You could add a copy to the keytab with ktutil which has an
> uppercase HOST, e.g.
>
> # ktutil
> ktutil: rkt /tmp/test.keytab
> ktutil: l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3 host/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil: addent -key -p HOST/[email protected] -k 3 -e rc4-hmac
> Key for HOST/[email protected] (hex): d962b1ecc18a809eb57c4a031193623a
> ktutil: l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3 host/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
>    2    3 HOST/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil: wkt /tmp/new.keytab
> ktutil: quit
>
>> ravi channavajhala wrote:
>>
>>> I'm setting up a Solaris 10 server as a test samba server with AD
>>> authentication. I'm running into a little bit of issue with Kerberos
>>> tickets. The setup is as follows:
>>>
>>> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos,
>>> LDAP (shipped with the distro) and IMU on windows. My LDAP client is
>>> working well and validates getent passwd <user>, and I can run
>>> ldaplist -l passwd <user> and ldapsearch, no issues. My ldap
>>> authentication is set to simple, with proxyDnuser.
>>>
>>> On Solaris I'm very sure I set up the krb5.conf, smb.conf, pam.conf,
>>> nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use
>>> 'files ldap' for both passwd and group, and dns files for hosts. On
>>> windows the IMU UNIX attributes are set to the correct NIS domain.
>>>
>>> I ran net ads join to successfully join the Solaris server into the AD,
>>> however net ads keytab create simply returns a new line without any
>>> errors. When I checked on windows, after the net ADS join command, I see
>>> two service principals (SPN); the capitalization is intentional as this
>>> is how they appear when I run spnset hostname:
>>>
>>> HOST/HOSTNAME
>>>
>>> HOST/hostname.domain.com (FQDN)
>>>
>>> I also set up a service account name (user object) on Windows whose
>>> name is the same as the hostname (computer object). I generated the
>>> keytab file with
>>>
>>> ktpass -princ host/f...@realm -mapuser DOMAIN\SERVICEACCT$ -pass password
>>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>
>> So you have two accounts with the same SPN? (differing by case only?)
>> Or did you remove the net ads join created entry first?
>>
>>> I then ftped this file over to the Solaris host and tried to
>>> authenticate a user login via AD. I get:
>>>
>>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database
>>
>> Could be the case issue. krb5 is looking for "host".
>>
>>> So, just for the heck of it I generated another krb5.keytab with the
>>> following
>>>
>>> ktpass -princ HOST/f...@realm -mapuser DOMAIN\SERVICEACCT$ -pass password
>>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>>
>>> Please note the HOST in capitals. Now, I get this error testing with
>>> this keytab:
>>>
>>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>>>
>>> Running PAM in debug mode didn't reveal anything specific other than
>>> the obvious.
>>
>> Wireshark could be used to see the network traffic between server and KDC.
>> This sounds like a case issue...
>>
>>> I have my DNS set up correctly and the nslookup for DCs, GCs and LDAP
>>> servers returns properly. I can add the SPNs forcibly with
>>> host/hostname.domain.com and host/hostname and try different
>>> combinations. But first I need to understand this behavior, anyone???
>>>
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Douglas E. Engert <[email protected]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444

--
www.padl.com | www.fghr.net
