RE: windows 2003 AD and keytab file generation

2008-07-02 Thread Paul Moore
In Windows all computer accounts have multiple SPNs; at least
host/computer and host/computer.domain, and some have as many as 10 (or even
more!)

Here's my keytab:

  31 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
  31 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
  31 HTTP/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
  31 HTTP/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
  31 [EMAIL PROTECTED] (ArcFour with HMAC/md5)

The keytab entry is the same for each one. I don't recall the keytab
maint commands, but you should be able to duplicate the key entry.

(I created my keytab using our commercial product, which is much easier
than doing it manually with ktpass etc.)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Douglas E. Engert
Sent: Wednesday, July 02, 2008 7:02 AM
To: Shambhulal R. Sharma
Cc: kerberos@mit.edu
Subject: Re: windows 2003 AD and keytab file generation



Shambhulal R. Sharma wrote:
> Hi All
>  
> I am trying to use Active Directory installed on Windows Server 2003 
> as KDC. I followed the Microsoft step-by-step guide 
> http://technet.microsoft.com/en-us/library/bb742433.aspx to create a 
> windows user account, ktpass command to map a service principal name 
> to the windows user account and generate a keytab file. So far I can 
> map one service principal name to one windows user account which works fine.
>  
> I have a requirement where multiple services running on a system 
> should map their service principals to a single Windows User 
> preferably computer account. I would like to generate/prepare a single
> keytab file for all service [ftp,http, etc.] principal names using 
> ktpass and ktutil commands.
>  

 From reading your note and notes from others in the past, you may be
confused by the use of the term "user account" in the Microsoft article.
You need to have an account for the service, which has objectClass:
top, person, organizationalPerson and user. (It can also have an
objectClass  computer.) This account has nothing to do with the users
who will use the service.
It is an account for the service. It has to have a sAMAccountName that
is restricted to 19 characters and unique in the forest. We use a
convention
something like: --
a fictional example:host-mylinux-it
and the servicePrincipalName would be:  host/[EMAIL PROTECTED]
The account can be located anywhere in the directory tree.

> My questions:
>  
> Is it possible to use a computer account to map multiple service 
> principal names. I know about setspn command which can allow 
> add/delete/list operations to manage service principal association 
> with a windows user/computer account.

Yes. But note that since there is only one password per account, all
these principals will use the same password to generate the keys. With
RC4 there is no salt, so they will have the same key. This may not be
what you want.

>  
> The problem seems to be with ktpass command, I do not know how I can 
> generate keytab file for all service principal associated with a 
> single user/computer account. Every time I try to use the ktpass -princ ...
> command it changes the kvno number which invalidates the previous 
> keytab files. I tried ktpass with multiple -princ <...> -princ <...> 
> options, which generates the keytab file only for the last principal 
> name specified in the ktpass command line.

The best way to do this is assign a different account for each service,
so each has its own password and thus a different key.
Like:
  host-mylinux   host/[EMAIL PROTECTED]
  HTTP-mylinux   HTTP/[EMAIL PROTECTED]

You could then use the unix tools to merge keytab files generated by
ktpass if needed.

Or you could use something like msktutil or the Solaris scripts to do
all the ldap commands to AD to add/mod accounts and manage keytabs.

>  
> Is it possible to have multiple service principals associated with a 
> single computer/user account. Due to some security reasons this is not
> permitted on Windows.

Yes it is, but they will share the same key.

>  
> SAM SHARMA
>  
>  
>  
> 
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


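Engert's point that one password per account means one RC4 key for every SPN, and Moore's observation that every keytab entry on such an account carries the same key, both come down to the string-to-key functions. This added example (not from the thread) implements the rc4-hmac string-to-key (MD4 of the UTF-16LE password, no salt) and the PBKDF2 stage of the AES string-to-key with the RFC 3961 default salt, and shows that two SPNs on one account collapse to one key under RC4 but not under AES. Assumptions: the password, realm and SPNs are constructed; AD's own AES salt conventions differ from the default salt used here, and the final DK() step of the AES derivation is omitted.

```python
import hashlib
import struct

M = 0xFFFFFFFF

def _rot(x, s):
    return ((x << s) | (x >> (32 - s))) & M

def md4(msg: bytes) -> bytes:
    """MD4 (RFC 1320), written out because OpenSSL 3 builds of hashlib often lack it."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    rounds = (  # (boolean function, additive constant, X[] order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rot((a + f(b, c, d) + X[k] + const) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so 'a' is always the target
        h = [(u + v) & M for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4(UTF-16LE(password)). Realm and principal never enter."""
    return md4(password.encode("utf-16-le"))

def aes128_pbkdf2(password: str, realm: str, principal: str) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key with the RFC 3961 default salt
    (realm + principal name components). Assumption: final DK() step omitted, AD salts differ."""
    salt = realm + "".join(principal.split("/"))
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)

def distinct_keys(password: str, realm: str, spns: list) -> tuple:
    """(number of distinct RC4 keys, number of distinct AES keys) across the SPNs."""
    rc4 = {rc4_hmac_key(password) for _spn in spns}  # principal is unused by RC4
    aes = {aes128_pbkdf2(password, realm, spn) for spn in spns}
    return len(rc4), len(aes)

if __name__ == "__main__":  # constructed sample: two SPNs on one account
    SPNS = ["host/mylinux.example.com", "HTTP/mylinux.example.com"]
    print(distinct_keys("Summer2008!", "EXAMPLE.COM", SPNS))  # (1, 2)
```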

"Best Practices for Integrating Kerberos Into Your Application" Draft Available

2008-07-02 Thread Stephen C. Buckley

I'm pleased to announce the availability of our second white paper, "Best
Practices for Integrating Kerberos Into Your Application".

It is available for free on our web site at:

http://www.kerberos.org/software/appskerberos.pdf


Additional documentation from a variety of sources is available here:

http://www.kerberos.org/software/whitepapers.html

Thanks again for your support of the Kerberos Consortium.

s


_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Stephen C. Buckley
Executive Director
Kerberos Consortium
Massachusetts Institute of Technology
77 Massachusetts Ave W92-159
Cambridge, MA 02139

web: http://www.kerberos.org






errors after creating keytab

2008-07-02 Thread Tadoori (EXT), Vilas
Hi All,
 
I have created a keytab in the following manner.
 
I was root when I added the keytab,
in kadmin:

kadmin> ktadd -k /etc/krb5.keytab root/[EMAIL PROTECTED]
kadmin> exit

When I do a kinit -k it gives me the following error:

bash-3.00# kinit -k
kinit(v5): Cannot resolve network address for KDC in realm  while
getting initial credentials
 
and when I do a kinit -p root/admin,
even when I am typing the correct password, it gives me the below error:
kinit(v5): Password incorrect while getting initial credentials

Actually none of the commands work; when I am doing kadmin it gives me
the following message:
bash-3.00# kadmin
Authenticating as principal root/[EMAIL PROTECTED] with password.
Password for root/[EMAIL PROTECTED]:

 
Any advice to resolve this? When the keytab is deleted it works fine,
but that defeats the purpose.
 
regards
vilas



Re: Root Access

2008-07-02 Thread Kevin Coffman
This sounds like an NFS question?  You should ask on the Linux NFS
list: <[EMAIL PROTECTED]>

On Wed, Jul 2, 2008 at 2:21 AM, KJ, Latesh <[EMAIL PROTECTED]> wrote:
>
>  Hi,
>
>  On AIX 5.3 Kerberos when I mount a share of NetApp storage from Linux
> client having share access as anon=0. Files are created using nobody
> nobody. Any clues?
>  Note: The NIS is same on filer and client.
>
>  Thanks
>  Latesh KJ



Re: [Ietf-krb-wg] Proxiable/forwardable question

2008-07-02 Thread Jeffrey Altman

Lewis Adam-CAL022 wrote:

>> It might help a lot if you give up on the hypothetical and
>> tell us what you're really trying to do.  There's a good
>> chance that there is a solution based on existing technology,
>> but it's hard to tell without knowing more about what's going on.
>
> Okay, so basically my situation is that I have a user which is going to
> authenticate to a central server.  This central server will then alert
> other application servers that the user is on-line.  So when the user
> authenticates to the central server by sending it a Kerberos ticket, I
> would like for that central server to forward the user's ticket to the
> other (application) servers, and for the end result to be that the user
> has a shared session key with each of those application servers. Is this
> possible?


Let me start by suggesting that you hold this discussion on
kerberos@mit.edu instead of on the IETF Kerberos WG mailing list.
kerberos@mit.edu is for questions regarding Kerberos deployments
whereas this mailing list is intended for discussions regarding the
development of Kerberos protocol standards.

Next I will suggest that, if you have not already done so, you read one or
more of the tutorials on Kerberos so that you have a better idea of how the
protocol actually works and what the roles of the participants are.
You can find some good introductory tutorials at

  http://web.mit.edu/kerberos/papers.html

In your environment you have client C, the KDC K, the Central Server CS,
and an application server AS.  When C wants to authenticate to CS it 
obtains a service ticket for CS from K using a previously obtained 
Ticket Granting Ticket for the user.  This ticket T is encrypted in a 
key that only CS knows and contains a session key that is known to C.

If CS can decrypt T it can obtain the session key and with it C and CS
can prove their identity to one another.

If C ever talks to AS directly then C would obtain a service ticket for 
AS from K.  There is no need for CS to send a session key to AS.  If CS 
is going to be communicating to AS on behalf of C, then C could 
"forward" a ticket to CS that CS can use to authenticate to AS as C.


Note that it is very unclear from your description what your intended 
communication flow is or what protocols are involved.


I have set followup-to [EMAIL PROTECTED]

Jeffrey Altman



RE: Kinit/kadmin does not work

2008-07-02 Thread Tadoori (EXT), Vilas
Ok ... I have rectified the issue.
I do not maintain a .profile and usually do a bash on my Solaris box.
It was an elementary mistake that caused this problem.
Earlier I had downloaded the Kerberos distribution file
krb5-1.6.3.tar.gz
Later I built the same; it then created the following dir structure
/usr/local
All the Kerberos binaries are in bin and sbin respectively.
When I exited out of bash on Friday I lost my path to these binaries; in
the hurry I did the following to map the same back to my path
 
export $PATH:/usr/local/sbin and bin
This made the earlier binaries take effect as my path was looking
like
/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 
I realized it and set that straight and everything is normal...
 
 
One other thing that I want to raise is why is it that the Kerberos binaries
would not work with the x86 Solaris Intel-based installation...
 
Regards
Vilas


From: Tadoori (EXT), Vilas 
Sent: Monday, June 30, 2008 9:46 PM
To: kerberos@mit.edu
Subject: Kinit/kadmin does not work


Dear All,
 
It is really strange that kinit does not work for me.
I am pretty confident about my krb5.conf and kdc.conf files.
They are good on the Linux SUSE box, but when I actually started working
over the weekend it gave me the message below for kinit (on
Solaris):
 
bash-3.00# kinit
kinit(v5): Cannot find KDC for requested realm while getting initial
credentials
 
The kadmin also is acting strange
 
bash-3.00# kadmin -p x_tadoor
Authenticating as principal x_tadoor with password.
Password for [EMAIL PROTECTED] *
kadmin: Communication failure with server while initializing kadmin
interface

* intentionally crossed the realm
 
 
This is giving problems on the SunOS x86 architecture.
 
bash-3.00# uname -a
SunOS hysuntcsso 5.10 Generic_118855-33 i86pc i386 i86pc

This is really frustrating... any help will be greatly appreciated.
 
Regards
Vilas
