Re: Active directory and Kerberos for unix authentication error
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Sat, 29 Dec 2007 03:28:26 +0100
Make sure when you do this to use the latest version of KTPASS (W2K3 SP2).
Have you enabled the DCs to accept DES encryption? http://support.microsoft.com/kb/833708
Just create the account and then use KTPASS, as that will also configure BOTH the userPrincipalName and the servicePrincipalName. No need to use setspn.
It depends on the version of KTPASS you are using, but some older versions require that you specify the key version number.
The latest version does not require this, as it queries AD for it and adjusts it accordingly.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Ste" <ste@xxxxxxxx> wrote in message news:5t239bF197b72U1@xxxxxxxxxxxxxxxxxxxxx
Hello,
I have been trying for many days to debug a problem, without success. Simply put, I have a DC running Windows 2003 Std R2 SP2 acting as KDC and I have to authenticate from a Linux client.
On the domain controller I have created a user (username blauthapp) and flagged "Use DES encryption".
Setup SPN:
setspn -A blauthapp/app1 blauthapp
Exported the keytab:
ktpass -out blauthapp.keytab -princ blauthapp/app1@xxxxxxxxxx -mapuser blauthapp@xxxxxxxxxx +rndPass -minPass 33 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
The keytab is created, zipped, and copied to the Linux client. Unzipped. Checked md5 and CRC.
Now run:
[root@itsm-bl1 ~]# kinit -k -t /tmp/blauthapp.keytab blauthapp/app1@xxxxxxxxxx
kinit(v5): Preauthentication failed while getting initial credentials
/etc/krb5.conf looks like this:
[root@itsm-bl1 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 6000
default_realm = INET.LOCAL
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[realms]
INET.LOCAL = {
kdc = addc-mi02.INET.LOCAL:88
}
[domain_realm]
.inet.local = INET.LOCAL
inet.local = INET.LOCAL
Clocks are synchronized. The Windows KDC reports:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 21/12/2007
Time: 11.50.45
User: NT AUTHORITY\SYSTEM
Computer: ADDC-MI02
Description:
Pre-authentication failed:
User Name: blauthapp
User ID: INET\blauthapp
Service Name: krbtgt/INET.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: CLIENTIPADDR
All seems to be related to a password... but which password?
ktpass.exe is version: 5.2.3790.1830
ktutil tells me:
ktutil: rkt /tmp/blauthapp.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 blauthapp/app1@xxxxxxxxxx
Also, using Kerberos tools on Windows, on the same domain controller, running kinit generates the same error. If the password is generated when the keytab is created and that keytab is used directly on the DC, it can't have a wrong password!
Any hints?
Thanks
Stefano
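The two things Jorge points at (the key version number ktpass writes, and whether the DC accepts the DES enctype) are both visible in the keytab file itself, and both must match what the KDC holds or pre-authentication fails exactly as in the 0x18 audit event above. The following is an added example, not code from the thread or from either poster: it parses an MIT-format (0x0502) keytab, which is what ktpass writes and what `ktutil: l` reads, and compares each entry against the KVNO and enctypes you expect the DC to have. The keytab bytes are constructed inline; the 8-byte DES key, the timestamp and the KDC-side values passed to `check_keytab` are made up for the demonstration, and the realm/principal are the ones from the post.

```python
"""Added example (not from the thread): parse an MIT v2 keytab and check each
entry's KVNO and enctype against what the KDC holds.  Sample bytes are
constructed inline; the key and KDC-side values are made up for the demo."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1


def _cstr(s):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(entries):
    """Write a 0x0502 keytab from dicts with principal / kvno / enctype / key."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm)
        for c in comps:
            body += _cstr(c)
        # name_type, timestamp, 8-bit vno, then keyblock (enctype, length, key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body    # int32 entry size
    return bytes(out)


def parse_keytab(data):
    """Return the entries of a 0x0502 keytab (the same view `ktutil: l` gives)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:              # a non-zero 32-bit vno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(data, principal, kdc_kvno, kdc_enctypes):
    """List reasons a `kinit -k` with this keytab would fail pre-authentication.
    kdc_kvno is the account's current key version on the DC
    (msDS-KeyVersionNumber); kdc_enctypes are the enctypes the DC accepts.
    An empty list means KVNO and enctype both line up."""
    matching = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not matching:
        return ["no entry for %s" % principal]
    problems = []
    for e in matching:
        if e["kvno"] != kdc_kvno:
            problems.append("kvno %d in keytab != %d on KDC; re-run ktpass so the keys match"
                            % (e["kvno"], kdc_kvno))
        if e["enctype"] not in kdc_enctypes:
            problems.append("enctype %s not accepted by KDC"
                            % ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
    return problems


# Constructed sample: the DES-CBC-MD5 entry with KVNO 2 that ktutil listed,
# with a made-up 8-byte DES key.
SAMPLE_KEYTAB = build_keytab([{"principal": "blauthapp/app1@INET.LOCAL", "kvno": 2,
                               "enctype": 3, "key": b"\x13\x57\x9b\xdf\x02\x46\x8a\xce"}])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["kvno"], e["principal"], ENCTYPE_NAMES.get(e["enctype"]))
    # DC key version bumped after ktpass (e.g. a password reset) -> mismatch
    print(check_keytab(SAMPLE_KEYTAB, "blauthapp/app1@INET.LOCAL", 3, {3}))
    # DC still on kvno 2 and accepting DES -> nothing to report
    print(check_keytab(SAMPLE_KEYTAB, "blauthapp/app1@INET.LOCAL", 2, {3}))
```

Feed `parse_keytab` the real `/tmp/blauthapp.keytab` and compare the KVNO it shows with the account's msDS-KeyVersionNumber on the DC: if ktpass wrote an older version, or the DC has not been enabled for DES per the KB article Jorge cites, `check_keytab` names the mismatch that produces the 0x18 pre-authentication failure.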