f



RE: kinit request on keytab fails using 2K3sp1 KDC

David,

The easiest solution to this problem is to use the ktpass which was
shipped with Windows 2003, and not the one with SP1.

Alternatively, you can use one of the many tools available that replace
the need for ktpass, and use computer accounts for key storage. These
tools do not suffer from the same issues as ktpass.

It seems that the sp1 version of ktpass stores a key with a specific
kvno in the keytab file, and the kvno in the domain controller for the
same principal is different. This is why you cannot use the keytab file
to authenticate.

Thanks, Tim 

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of David Telfer
Sent: 22 March 2006 17:09
To: kerberos@mit.edu
Subject: kinit request on keytab fails using 2K3sp1 KDC

Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to

configuring mod_auth_kerb.  I have used the following command to 
generate a keytab on the KDC;
ktpass -mapuser intsvcuser@smg.plc.uk -princ 
HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype 
KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3.  I have 
transfered the keytab to /etc/krb5.keytab.  When I run ;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab 
HTTP/connect.smg.plc.uk@SMG.PLC.UK

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit 
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a 
clock slew error (I haven't seen an error of this nature appear with 
this version of krb so I'm not sure whether it would explicitly state
this).

 From reading a few mailing list posts I have discovered some people 
having issues with ktpass on service pack 1.  One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thr
ead/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem  I have followed the advice given, ensuring 
that the kvno's match and changing the system users password prior to 
generating the keytab but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential 
entry to ensure that it isn't the issue);

[libdefaults]
        default_realm = SMG.PLC.UK
[domain_realm]
        connect.smg.plc.uk = SMG.PLC.UK
[realms]
        SMG.PLC.UK = {
                kdc = pqdomc01.smg.plc.uk
                admin_server = pqdomc01.smg.plc.uk
                default_domain = smg.plc.uk
        }

Has anyone experienced a similar problem to this?  I have to assume 
there is a problem with the keytab but I'm at a loss as to what the 
problem could be.

David Telfer
david@2fluid.co.uk




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
tim.alsop (50)
3/22/2006 5:19:58 PM
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

5 Replies
722 Views

Similar Articles

[PageSpeed] 12

>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:

    TA> It seems that the sp1 version of ktpass stores a key with a
    TA> specific kvno in the keytab file, and the kvno in the domain
    TA> controller for the same principal is different. This is why you
    TA> cannot use the keytab file to authenticate.

Yes; it always sets the kvno in the keytab it writes to 1, regardless of
the value in the KDB (which of course changes each time the key is
extracted).  So, you can only use the keytab the first time you extract
it.  If you have to do it again, just delete the principal and re-create
it.

-- 
  Richard Silverman
  res@qoxp.net


0
res49 (1410)
3/22/2006 10:14:02 PM
On Wednesday 22 March 2006 18:19, Tim Alsop wrote:

> Alternatively, you can use one of the many tools available that replace
> the need for ktpass, and use computer accounts for key storage. These
> tools do not suffer from the same issues as ktpass.

What are that tools?
Can you send searchkeywords or pointers so I can find and use them?

Thank you,
Achim
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
kerberosml (25)
3/23/2006 12:23:21 AM
Richard E. Silverman wrote:
>>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:
> 
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why you
>     TA> cannot use the keytab file to authenticate.
> 
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you extract
> it.  If you have to do it again, just delete the principal and re-create
> it.

ktpass allows you to specify the kvno on the command line.
You can obtain the kvno for the service principal with the MIT kvno utility.

Jeffrey Altman
0
jaltman2 (417)
3/23/2006 1:10:46 AM
>>>>> "JA" == Jeffrey Altman <jaltman2@nyc.rr.com> writes:

    JA> Richard E. Silverman wrote:
    >>>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:
    >>
    TA> It seems that the sp1 version of ktpass stores a key with a
    TA> specific kvno in the keytab file, and the kvno in the domain
    TA> controller for the same principal is different. This is why you
    TA> cannot use the keytab file to authenticate.
    >>  Yes; it always sets the kvno in the keytab it writes to 1,
    >> regardless of the value in the KDB (which of course changes each
    >> time the key is extracted).  So, you can only use the keytab the
    >> first time you extract it.  If you have to do it again, just delete
    >> the principal and re-create it.

    JA> ktpass allows you to specify the kvno on the command line.  You
    JA> can obtain the kvno for the service principal with the MIT kvno
    JA> utility.

Somehow I never noticed that, probably because I couldn't imagine why
you'd need such a thing.  :)  Thanks.

    JA> Jeffrey Altman

-- 
  Richard Silverman
  res@qoxp.net

0
res49 (1410)
3/23/2006 2:20:46 AM

Achim Grolms wrote:

> On Wednesday 22 March 2006 18:19, Tim Alsop wrote:
> 
> 
>>Alternatively, you can use one of the many tools available that replace
>>the need for ktpass, and use computer accounts for key storage. These
>>tools do not suffer from the same issues as ktpass.
> 
> 
> What are that tools?
> Can you send searchkeywords or pointers so I can find and use them?

Google for msktutil  which will get you to
http://www.pppl.gov/~dperry/mskturil-0.3.16.tar.gz
We are using this.

Goolge for netjoin
This is an update of the MS netjoin.

Samba has some tools, but adds too many principal in many cases.



Something else that can be very helpfull is to use
the Windows mmc with the ADSI edit to lok at the registry.
You can look at the account that was created, and look at the KVNO
as the ms-DS-KeyVersionNumber.
Other interesting fields are the userPrincipalName,
and servicePrincipalName.

Keep in mind that the Windows has a single password that
is used to generate the keys on the fly for each of the
principals (userPrincipalName and servicePrincipalName)
asociated with the account.

Kerberos uses a seperate key for each principal created when the
kettrab is created. So if you change the password on the account,
you have to change the keys in the keytab at the same time for
all the principal assiciated with that account.

Msktutil tries to do this for your.



> 
> Thank you,
> Achim
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
deengert (574)
3/23/2006 3:03:05 PM
Reply: