It could be because of the wrong use of msktutil. The -s option require
HTP/<fqdn>.
msktutil --help shows:
-s, --service <name> Adds the service <name> for the current host.
The service is of the form <service>/<hostname>.
If the hostname is omitted, assumes current
hostname.
Markus
"James Robertson" <j_at_mesrobertson.com> wrote in message
news:CAMALoy_r0Me_7HXCYs0-oKTowDMp-7JgD+fARGv4RNmO60QS7A_at_mail.gmail.com...
> >
>> You should use two different computer accounts. For Kerberos the machine
>> name does not matter only the user- and service-principalname is of
>> importance. So use net ads join <computername> and for msktutil use
>> something like <computername>-HTTP as computername.
>>
>> The issue with using the same name is that samba runs a daemon which
>> regularly changes the computer account password and thereby also changes
>> the
>> Kerberos key making the keytab with the extracted Kerberos key invalid.
>> Many
>> people use user accounts instead of computer accounts because they use
>> thw
>> MS ktpass tool which only works with user accounts, whereas msktutil can
>> work with computer accounts. I dislike user accounts as you may have to
>> create exceptions to your domain password policy for users (e.g. don't
>> expire password).
>>
>
> I have tried to create a separate account for Kerberos using msktutil
> but I am having some problems.
>
> If I use a computer account name 3MSYDPROXY01-HTTP (where the hostname
> of the proxy is 3msydproxy01.example.local) I can never get msktutil
> --autoupdate to work after resetting the account in AD because the
> try_machine_password step in msktutil always fails. If the computer
> account name matches the hostname it works fine.
>
> I have been doing the following for testing:
>
> Check no existing tickets exist
> # kdestroy
>
> Remove the existing keytab to start fresh (this is the location
> referenced in /etc/krb5.conf)
> # rm /etc/squid3/PROXY.keytab
>
> Delete the account on the domain using dc1.example.local
>
> Obtain a new ticket using administrator account
> # kinit administrator
>
> Add the proxy to the domain with the name "3MSYDPROXY01-HTTP" (SPN and
> UPN are based on the hostname) - the process works to add the computer
> account.
> # msktutil -c -b "ou=MEMBER SERVERS,ou=EXAMPLE" -s HTTP -k
> /etc/squid3/PROXY.keytab --computer-name 3MSYDPROXY01-HTTP \
> --upn HTTP/3msydproxy01.example.local --server dc1.example.local
> --verbose --enctypes 28
>
> Destroy the administrator ticket
> # kdestroy
>
> Reset the computer account in AD using dc1.example.local
>
> Run msktutil --auto-update and show output
> # msktutil --auto-update --verbose --computer-name 3msydproxy01-http
> --server dc1.example.local
> -- init_password: Wiping the computer password structure
> -- get_default_keytab: Obtaining the default keytab name:
> /etc/squid3/PROXY.keytab
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-VHa0ko
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: 3msydproxy01-http$
> -- try_machine_keytab_princ: Trying to authenticate for
> 3msydproxy01-http$ from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Preauthentication failed)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for
> host/3msydproxy01.example.local from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for
> 3msydproxy01-http$ with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
> (Preauthentication failed)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- try_user_creds: Error: krb5_cc_get_principal failed (No
> credentials cache found)
> -- try_user_creds: User ticket cache was not valid.
> Error: could not find any credentials to authenticate with. Neither
> keytab,
> default machine password, nor calling user's tickets worked. Try
> "kinit"ing yourself some tickets with permission to create computer
> objects, or pre-creating the computer object in AD and selecting
> 'reset account'.
> -- ~KRB5Context: Destroying Kerberos Context
>
>
> I would make one point here: When using the proxy's hostname for
> kerberos i.e. 3msydproxy01 instead of 3msydproxy01-http it works fine
> and the try_machine_password step works as long as the --computer-name
> is lower case (I can ommit the --computer-name option and it works
> also obviously). I tried adding 3msydproxy01-http in upper case and
> lower case to AD and upper and lower case in the msktutil command and
> neither method works.
>
> I also tried with the SPN and UPN as 3msydproxy01-http.example.local
> but this made no difference (and from my understanding would have
> nothing to do with the try_machine_password msktutil step anyway).
>
> I am using msktutil from here http://fuhm.net/software/msktutil/releases/
>
> This may not be a problem as long as the computer account is never
> reset but I need to cover all possible outcomes.
>
Received on Thu Jan 05 2012 - 12:45:05 MST
This archive was generated by hypermail 2.2.0 : Thu Jan 05 2012 - 12:00:02 MST