Re: Re: Kerberos authentication with MIT KDC

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi Rob,

 Before you used xst you must have created the principal with a command 
like add_principal or ank with either a -pw or -randkey option. This would 
have set the password for the principal.  Can you try the same kinit on your 
Centos box ( I assume you have the correct krb5.conf) ?

 If you get prompted can you try kinit -kt squid.keytab 
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx ?  it should not create 
an error and a klist -e should show the default principal of 
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxxx

An example:

opensuse11:~ # kinit -kt /etc/squid/squid.keytab 
HTTP/opensuse11.suse.home@xxxxxxxxx
opensuse11:~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/opensuse11.suse.home@xxxxxxxxx

Valid starting     Expires            Service principal
12/10/10 20:16:42  12/11/10 06:16:42  krbtgt/SUSE.HOME@xxxxxxxxx
       renew until 12/11/10 20:16:42, Etype (skey, tkt): ArcFour with 
HMAC/md5, ArcFour with HMAC/md5

Markus


"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message 
news:4CFFF127020000370004E33C@xxxxxx
Markus,

I do get a password prompt although I don't remember setting a password for 
it.

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for 
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx:
Kerberos Login Failed:
Password incorrect

In Open Directory, I just added a new machine(what I assumed was a host 
principal) named proxyserver but adding a machine via OD's workgroup manager 
doesn't ask for a password that I can remember.  I didn't add an actual user 
named proxyserver because that didn't make sense to me for a host.

Thanks,
Rob


----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169


> > > "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 5:44 PM >>>
Hi Rob,

What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc
server ? Do you get a password prompt ?

Markus

> "Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
> news:4CFFADF6.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx
> Hi Markus,
>
> I created the service principal with kadmin on the apple server.  The
> actual command was kadmin.local -q "add_principal
> HTTP/proxyserver.paragould.psd".  I used kadmin also to export the keytab.
> Here's exactly what I did:
>
> xserve:~ root# kadmin.local
> Authenticating as principal root/admin@xxxxxxxxxxxxxxxxxxxx with password.
> kadmin.local:  xst -k proxyserver.keytab
> HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to
> keytab WRFILE:proxyserver.keytab.
> Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab
> WRFILE:proxyserver.keytab.
> Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added
> to keytab WRFILE:proxyserver.keytab.
> Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added
> to keytab WRFILE:proxyserver.keytab.
> kadmin.local:  q
>
> xserve:~ root# klist -k proxyserver.keytab
> Keytab name: WRFILE:proxyserver.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>
> xserve:~ root# kadmin.local -q "list_principals" | grep -i http
> HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> HTTP/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> http/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>
> That last command to list the http principals confused me and I'm not
> familiar with kerberos at all really.  Is it showing there are http service
> principals for both proxyserver.paragould.psd and xserve.paragould.psd or
> does the KDC automatically add a http service principal for itself too?  In
> this case, xserve.paragould.psd is the KDC server running on OS X Server
> 10.6.2 and proxserver.paragould.psd is the squid server running on CentOS
> 5.5.   I copied the exported proxyserver.keytab to /etc/squid/ on the host
> proxyserver.paragould.psd and made sure the squid user had read access to
> it.  Running kinit squidserver and giving it's password works I think.
> klist after that shows:
>
> [root@proxyserver squid]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: squidserver@xxxxxxxxxxxxxxxxxxxx
>
> Valid starting     Expires            Service principal
> 12/08/10 15:38:42  12/09/10 01:38:42
> krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx
> renew until 12/09/10 15:38:42
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> I'm sure I've missed something or messed something up but I'm at a loss as
> what it is or where to even start looking.  Thanks for any help!
>
> Regards,
> Rob
>
>
>
>
> ----------------
> Rob Asher
> Network Systems Technician
> Paragould School District
> 870-236-7744 x169
>
>
>
> > > > "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 2:39 PM >>>
> Hi Rob,
>
>  It looks like your kdc does not know about the service principal
> HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>  How did you create the entry and keytab ?
>
> Markus



---------- 

This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.



---------- 

This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.