"James Robertson" <j@xxxxxxxxxxxxxxxx> wrote in message
news:0bd901cccc28$e3187210$a9495630$@mesrobertson.com...
This doesn't matter. What do the next lines say?
-- try_machine_keytab_princ: Trying to authenticate for HTTP
/3msydproxy01.example.local from local keytab...
This should be successful.
The kinit test before the update and a Wireshark capture would help identify
the issue (i.e. an msktutil error).
From what I can tell the packet capture seems to indicate that msktutil is
trying to use host/3msydproxy01-http.example.local, when it should be
host/3msydproxy01.example.local. I could be wrong about this and would
appreciate if someone could review the capture output. What is the
preferred way to post the output of the wireshark capture on the mailing
list?
You can send it directly to me as a .cap file. Can you also include traffic on
port 53 (DNS) and 389 (LDAP)?
So here is the process from start to finish for the computer name
3MSYDPROXY01-HTTP
###
### kdestroy and remove account from AD. Then kinit with administrator account
###
###
### Run msktutil
###
# msktutil -c -b "ou=MEMBER SERVERS,ou=EXAMPLE" -s HTTP/3msydproxy01.example.local \
    -k /etc/squid3/PROXY.keytab --computer-name 3MSYDPROXY01-HTTP \
    --upn HTTP/3msydproxy01.example.local --server dc1.example.local \
    --verbose --enctypes 28
-- init_password: Wiping the computer password structure
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-dYTpBb
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: 3MSYDPROXY01-HTTP$
-- try_machine_keytab_princ: Trying to authenticate for 3MSYDPROXY01-HTTP$
from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for
host/3msydproxy01.example.local from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for 3MSYDPROXY01-HTTP$
with password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: XXXXXXX@EXAMPLE.LOCAL
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the
computer account
-- generate_new_password: Characters read from /dev/udandom = 90
-- ldap_check_account: Checking that a computer account for
3MSYDPROXY01-HTTP$ exists
-- ldap_check_account: Computer account not found, create the account
No computer account for 3MSYDPROXY01-HTTP found, creating a new one.
dn: cn=3MSYDPROXY01-HTTP,ou=MEMBER SERVERS,ou=EXAMPLE,dc=EXAMPLE,dc=LOCAL
-- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to
3msydproxy01.example.local
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
userPrincipalName to HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL
-- ldap_set_supportedEncryptionTypes: DEE
dn=cn=3MSYDPROXY01-HTTP,ou=MEMBER SERVERS,ou=EXAMPLE,dc=EXAMPLE,dc=LOCAL
old=7 new=28
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
msDs-supportedEncryptionTypes to 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed
0x1000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 0
-- set_password: Successfully set password, waiting for it to be reflected
in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 129702931724574634
-- set_password: Successfully reset computer's password
-- ldap_add_principal: Checking that adding principal
host/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a
conflict
-- ldap_add_principal: Adding principal host/3msydproxy01.example.local to
LDAP entry
-- ldap_add_principal: Checking that adding principal
HTTP/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a
conflict
-- ldap_add_principal: Adding principal HTTP/3msydproxy01.example.local to
LDAP entry
-- execute: Updating all entries for 3msydproxy01.example.local in the
keytab WRFILE:/etc/squid3/PROXY.keytab
-- update_keytab: Updating all entires for 3MSYDPROXY01-HTTP$
-- ldap_get_kvno: KVNO is 2
-- add_principal_keytab: Adding principal to keytab: 3MSYDPROXY01-HTTP$
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab:
host/3msydproxy01.example.local
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab:
HTTP/3msydproxy01.example.local
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of
EXAMPLE.LOCALhost3msydproxy01-http.example.local
-- add_principal_keytab: Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
###
### run kinit successfully.
###
# kinit -kt /etc/squid3/PROXY.keytab HTTP/3msydproxy01.example.local
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL
Valid starting Expires Service principal
01/06/12 14:41:23 01/07/12 00:41:23 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
renew until 01/07/12 14:41:23
This looks good so far.
###
### Reset computer account in AD
###
###
### Run msktutil update. This is different after having run the kinit
### command but fails with (5) Access denied at the end
###
# msktutil --auto-update --verbose --computer-name 3msydproxy01-http \
    --server dc1.example.local -s HTTP/3msydproxy01.example.local
-- init_password: Wiping the computer password structure
-- get_default_keytab: Obtaining the default keytab name:
/etc/squid3/PROXY.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-QGX1t2
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: 3msydproxy01-http$
-- try_machine_keytab_princ: Trying to authenticate for 3msydproxy01-http$
from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key
table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for
host/3msydproxy01.example.local from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
This is surprising, as during the creation the log said:
-- ldap_add_principal: Adding principal host/3msydproxy01.example.local to
LDAP entry
-- ldap_add_principal: Checking that adding principal
HTTP/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/3msydproxy01.example.local to
LDAP entry
Can you look at the AD entry with adsiedit.msc? Does the service principal
attribute have two entries - one for host and one for HTTP?
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for 3msydproxy01-http$
with password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
-- get_default_ou: Determining default OU:
CN=Computers,DC=example,DC=local
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the
computer account
-- generate_new_password: Characters read from /dev/udandom = 88
-- ldap_check_account: Checking that a computer account for
3msydproxy01-http$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = 3msydproxy01.example.local
-- ldap_check_account: Found Principal: HTTP/3msydproxy01.example.local
-- ldap_check_account: Found Principal: host/3msydproxy01.example.local
-- ldap_check_account: Found User Principal:
HTTP/3msydproxy01.example.local
-- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
-- ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed
0x1000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 129702932842880732
Error: Unable to set machine password for 3msydproxy01-http$: (5) Access
denieduïB³
Error: set_password failed
This is surprising, as a "user" should be allowed to change its own password.
Do you have an AD password policy which does not allow immediate password
changes?
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
###
### If I run kdestroy and kill the HTTP/3msydproxy01.example.local ticket,
### the following is logged from msktutil
###
# msktutil --auto-update --verbose --computer-name 3msydproxy01-http \
    --server dc1.example.local -s HTTP/3msydproxy01.example.local
-- init_password: Wiping the computer password structure
-- get_default_keytab: Obtaining the default keytab name:
/etc/squid3/PROXY.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-Twfgw2
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: 3msydproxy01-http$
-- try_machine_keytab_princ: Trying to authenticate for 3msydproxy01-http$
from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key
table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for
host/3msydproxy01.example.local from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
See above; I would expect this to work, or to use HTTP/<fqdn>, not host/<fqdn>.
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for 3msydproxy01-http$
with password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- try_user_creds: Error: krb5_cc_get_principal failed (No credentials
cache found)
-- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'.
-- ~KRB5Context: Destroying Kerberos Context
Let me try to reproduce with the latest release from
http://fuhm.net/software/msktutil/releases/
Regards
Markus
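A check worth running before a packet capture is to list what the keytab actually contains. The `-c` run above wrote entries for `3MSYDPROXY01-HTTP$`, `host/3msydproxy01.example.local` and `HTTP/3msydproxy01.example.local` at KVNO 2 with enctypes 0x17, 0x11 and 0x12, while the `--auto-update` run was started with the lower-case computer name and reports "Key table entry not found" for `3msydproxy01-http$`; Kerberos principal names are case-sensitive, so an exact listing settles that question immediately. The script below is an added example, not part of this thread and not msktutil's own code: it parses the MIT keytab format (version 0x0502, the big-endian layout `kinit -kt` reads), reports each principal/KVNO/enctype, decodes an `msDs-supportedEncryptionTypes` value such as the `old=7 new=28` in the log, and looks a principal up case-sensitively while flagging entries that differ only in case. The keytab it inspects is constructed in memory from the names in the thread with dummy key bytes; `build_keytab`, `sample_keytab` and `find_principal` are helpers written for this example, not msktutil functions.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Enctype numbers as printed by msktutil's "Adding entry of enctype 0x.." lines.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Bit values of the AD attribute msDs-supportedEncryptionTypes (28 = 0x1c in the thread).
SUPPORTED_ENCTYPE_BITS = [(0x01, "DES-CBC-CRC"), (0x02, "DES-CBC-MD5"), (0x04, "RC4-HMAC"),
                          (0x08, "AES128-CTS-HMAC-SHA1-96"), (0x10, "AES256-CTS-HMAC-SHA1-96")]


def decode_supported_enctypes(value: int) -> list[str]:
    """Expand an msDs-supportedEncryptionTypes bitmask into the enctypes it allows."""
    return [name for bit, name in SUPPORTED_ENCTYPE_BITS if value & bit]


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL"
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a 16-bit length-prefixed string and return (value, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT keytab, version 0x0502 (big-endian) only; 0x0501 is rejected."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                  # skip the key material; only metadata is inspected
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, timestamp))
    return entries


def build_keytab(entries: list[tuple[str, int, int, bytes]]) -> bytes:
    """Write a version 0x0502 keytab; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 1325817683, kvno & 0xFF)  # NT_PRINCIPAL, constructed time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def sample_keytab(with_deleted_slot: bool = False) -> bytes:
    """Constructed keytab mirroring the principals the -c run wrote; key bytes are dummies."""
    principals = ["3MSYDPROXY01-HTTP$@EXAMPLE.LOCAL",
                  "host/3msydproxy01.example.local@EXAMPLE.LOCAL",
                  "HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL"]
    keys = {23: b"\x11" * 16, 17: b"\x22" * 16, 18: b"\x33" * 32}
    data = build_keytab([(p, 2, et, key) for p in principals for et, key in keys.items()])
    if with_deleted_slot:                  # splice a deleted slot in right after the header
        data = data[:2] + struct.pack(">i", -3) + b"\x00\x00\x00" + data[2:]
    return data


def find_principal(entries: list[KeytabEntry], wanted: str) -> dict:
    """Exact (case-sensitive) lookup, plus any entries that differ from it only in case."""
    exact = [e for e in entries if e.principal == wanted]
    near = sorted({e.principal for e in entries
                   if e.principal != wanted and e.principal.lower() == wanted.lower()})
    return {"found": bool(exact), "kvnos": sorted({e.kvno for e in exact}),
            "enctypes": sorted({e.enctype for e in exact}), "case_mismatch": near}


if __name__ == "__main__":
    entries = parse_keytab(sample_keytab())
    for e in entries:
        print(f"{e.kvno:>3}  {ENCTYPE_NAMES.get(e.enctype, hex(e.enctype)):<26} {e.principal}")
    # The --auto-update run was started with the lower-case computer name:
    print(find_principal(entries, "3msydproxy01-http$@EXAMPLE.LOCAL"))
    print(decode_supported_enctypes(28))
```

To inspect a real file, replace `sample_keytab()` with `open("/etc/squid3/PROXY.keytab", "rb").read()`; the parser deliberately skips the key bytes, so the listing it prints carries no secret material and can be pasted into a support thread, which `klist -k` output also allows but without the case-mismatch hint.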