Date:      Thu, 16 Jul 2015 19:45:10 -0500
From:      Greg Groth <ggroth@gregs-garage.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Kerberos
Message-ID:  <4582000dcfad2dc26ca4076d2024f23f@mail.gregs-garage.com>
In-Reply-To: <1383995814.37100404.1437030764957.JavaMail.zimbra@logitravel.com>
References:  <75d664eeb361264e9b4560a89b1a32bf@mail.gregs-garage.com> <1383995814.37100404.1437030764957.JavaMail.zimbra@logitravel.com>

On 2015-07-16 02:12, Raimund Sacherer wrote:
> Hello Greg,
> 
>> C:\Windows\system32>ktpass -princ 
>> HTTP/ad01.example.local@EXAMPLE.LOCAL
>> -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out
>> :\temp\krb5.keytab
> 
> For what it's worth, we have a couple of servers authenticating against
> a 2012 domain and we create the keytab file like this:
> setspn -A HTTP/service.host.name windowsusername
> 
> ktpass -out key.tab -princ HTTP/service.host.name@EXAMPLE.LOCAL
> -mapUser windowsuser -mapOp set -pass password -crypto RC4-HMAC-NT
> -pType KRB5_NT_PRINCIPAL
> 
> 
> At times we have instead of RC4-HMAC-NT set ALL.
> 
> Hope this helps,
> 
> best


  Many, many thanks for answering.  I tried the following from the 
command line on the 2012 DC as Admin:

C:\setspn -A HTTP/ad01.example.local aduser
Checking domain DC=example,DC=local

   Registering ServicePrincipalNames for 
CN=ADUSER,CN=Users,DC=example,DC=local
         HTTP/ad01.example.local
Updated object

   C:\ktpass -out C:\temp\krb5.keytab -princ 
HTTP/aduser.example.local@EXAMPLE.LOCAL -mapUser aduser -mapOp set -pass 
P@$$word -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
Targeting domain controller: AD01.example.local
Using legacy password setting method
Successfully mapped HTTP/aduser.example.local to aduser.
Key created.
Output keytab to C:\temp\krb5.keytab:
Keytab version: 0x502
   keysize 80 HTTP/aduser.example.local@EXAMPLE.LOCAL ptype 1 
(KRB5_NT_PRINCIPAL) vno 29 etype 0x17 (RC4-HMAC) keylength 16 
(0x923174d28eac78c4c29e92663ad82c2e)

   Copied the keytab to /etc on the FreeBSD box (chown root:wheel / 
chmod 600) and tried the following as root:

root@BSD01:/ # kinit -k aduser
kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

("root@BSD01:/ # kinit -t /etc/krb5.keytab aduser" returns the same)

if I try a bogus user:

root@BSD01:/ # kinit -k bogususer
kinit: krb5_get_init_creds: Client (bogususer@EXAMPLE.LOCAL) unknown


   It looks like it's communicating, and locating the user correctly, but 
something is going awry with the authentication?  I've reset the 
password on the AD multiple times, and have verified I can log onto a 
workstation located in the "EXAMPLE" domain with the "aduser" 
credentials.  Are there perhaps other permissions that need to be 
assigned on the DC to "aduser" in order to get this to work?


Best regards,

Greg Groth
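An added example, not part of this thread or of either poster's mail: a small Python reader and writer for the keytab file format that ktpass wrote above (keytab version 0x502), used to list which principals a keytab actually holds keys for. `kinit -k PRINCIPAL` uses the keytab in place of a password for that principal, so the keytab needs an entry whose name matches the requested principal exactly; confirming that is a cheap first check whenever a keytab-based kinit fails. The sample keytab is constructed with the principal, kvno and enctype from the ktpass output, but with a placeholder key rather than the key bytes shown in the mail. On a FreeBSD box with Heimdal the same listing comes from `ktutil -k /etc/krb5.keytab list`.

```python
# Added example (not from the thread): minimal reader/writer for the Kerberos
# keytab file format, version 0x502. All multi-byte fields are big-endian.
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1

# Registered Kerberos enctype numbers (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",   # 0x17; ktpass calls this RC4-HMAC-NT
}


@dataclass
class KeytabEntry:
    principal: str          # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    key: bytes
    name_type: int = KRB5_NT_PRINCIPAL
    timestamp: int = 0


def _counted(raw: bytes) -> bytes:
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def encode_entry(e: KeytabEntry) -> bytes:
    """Serialize one entry; the leading int32 is the size of what follows."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))       # v0x502: realm is not counted
    body += _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)          # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(map(encode_entry, entries))


def _read_counted(data: bytes, pos: int):
    n, = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes):
    version, = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:x}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:             # 32-bit kvno present; it wins when non-zero
            kvno32, = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, name_type, ts))
    return entries


def has_key_for(data: bytes, principal: str) -> bool:
    """True if the keytab holds a key for exactly this principal name."""
    return any(e.principal == principal for e in parse_keytab(data))


def describe(data: bytes):
    """One line per entry, in the spirit of `ktutil -k FILE list`."""
    return [f"{e.kvno:>4} {ENCTYPE_NAMES.get(e.enctype, str(e.enctype)):<24} {e.principal}"
            for e in parse_keytab(data)]


# Constructed sample: the principal, vno and etype ktpass printed, with a
# placeholder key (the real key bytes are deliberately not reproduced).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/aduser.example.local@EXAMPLE.LOCAL", 29, 23, b"\x11" * 16),
])

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_KEYTAB)))
    for who in ("aduser@EXAMPLE.LOCAL", "HTTP/aduser.example.local@EXAMPLE.LOCAL"):
        print(f"key for {who}: {has_key_for(SAMPLE_KEYTAB, who)}")
```

Run stand-alone it lists the single entry and then reports that the keytab has a key for the HTTP service principal but none for the plain user principal; the two names are different principals as far as the KDC and kinit are concerned.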


