Creating a keytab with ktpass under a Computer account - Kerberos
-
Creating a keytab with ktpass under a Computer account
As I have seen in the past people asking about how to create a keytab with a
Computer account I put some details together:
1) The ktpass version I used is from Windows2003 R2 File Version:
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
2) I only create RC4 keytabs as now MIT and Heimdal support it.
3) Firstly I create a Computer Account e.g. testPRINCIPAL in AD with the
User and Computer tool.
4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto
RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/FQDN to TESTPRINCIPAL$.
WARNING: Account TESTPRINCIPAL$ is not a user account (uacflags=0x1021).
WARNING: Resetting TESTPRINCIPAL$'s password may cause authentication
problems if TESTPRINCIPAL$ is being used as a server.
Reset TESTPRINCIPAL$'s password [y/n]? y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to testPrincipal.keytab:
Keytab version: 0x502
keysize 64 TESTSPN/FQDN@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 3
etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)
4) I tested the keytab with kfw 3.0
c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
TESTSPN/FQDN@WINDOWS2003.HOME
c:\Program Files\MIT\Kerberos\bin\klist.exe -e
Ticket cache: API:krb5cc
Default principal: TESTSPN/FQDN@WINDOWS2003.HOME
Valid starting Expires Service principal
05/06/06 15:22:05 05/07/06 01:22:05
krbtgt/WINDOWS2003.HOME@WINDOWS2003.HOME
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
5) Remark: If ptype is KRB5_NT_SRV_HST the principal name has to have a
dot in the fqdn !!!!
ktpass /out testComputer.keytab /mapuser testCOMPUTER$@WINDOWS2003.HOME
/princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype
KRB5_NT_SRV_HST
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/FQDN to TESTCOMPUTER$.
WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
WARNING: Resetting TESTCOMPUTER$'s password may cause authentication
problems if TESTCOMPUTER$ is being used as a server.
Reset TESTCOMPUTER$'s password [y/n]? y
Invalid SPN.
Failed to create key for keytab. Quitting.
Now with a dot
ktpass /out testComputer.keytab /mapuser testCOMPUTER$@WINDOWS2003.HOME
/princ TESTSPN/FQDN.COM@WINDOWS2003.HOME /crypto RC4-HMAC-NT /rndpass /ptype
KRB5_NT_SRV_HST
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTSPN/FQDN.COM to TESTCOMPUTER$.
WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
WARNING: Resetting TESTCOMPUTER$'s password may cause authentication
problems if TESTCOMPUTER$ is being used as a server.
Reset TESTCOMPUTER$'s password [y/n]? y
Key created.
Output keytab to testComputer.keytab:
Keytab version: 0x502
keysize 68 TESTSPN/FQDN.COM@WINDOWS2003.HOME ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)
c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testComputer.keytab
TESTSPN/FQDN.COM@WINDOWS2003.HOME
c:\Program Files\MIT\Kerberos\bin\klist.exe -e
Ticket cache: API:krb5cc
Default principal: TESTSPN/FQDN.COM@WINDOWS2003.HOME
Valid starting Expires Service principal
05/06/06 15:31:32 05/07/06 01:31:32
krbtgt/WINDOWS2003.HOME@WINDOWS2003.HOME
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Regards
Markus
-
Re: Creating a keytab with ktpass under a Computer account
On Sat, 6 May 2006 16:02:50 +0100
"Markus Moeller" wrote:
> As I have seen in the past people asking about how to create a keytab with a
> Computer account I put some details together:
>
> 1) The ktpass version I used is from Windows2003 R2 File Version:
> 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
Excellent. I was wondering how to do this. Apparently my Support Tools
package was out of date though - I had to grab the latest to get /crypto
to support anything but des-cbc-md5.
Thanks,
Mike
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: Why creating a keytab with a DES key does not work with ktpass under a Computer account
In addition to my previous mail
> As I have seen in the past people asking about how to create a keytab with
> a Computer account I put some details together:
>
> 1) The ktpass version I used is from Windows2003 R2 File Version:
> 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
>
> 2) I only create RC4 keytabs as now MIT and Heimdal support it.
The other reason to use only RC4 is that ktpass has a bug when used with
Computer accounts on Windows 2003 SP1: ktpass uses the wrong Salt (which has
been corrected in tools like msktutil). A ktpass with DES on a User account
looks like:
ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /rndpass /out
DESUSER.keytab /princ TESTUSERSPN/DES@WINDOWS2003.HOME /mapuser
testUser@WINDOWS2003.HOME
Targeting domain controller: w2k3.windows2003.home
Using legacy password setting method
Successfully mapped TESTUSERSPN/DES to testUser.
Key created.
Output keytab to DESUSER.keytab:
Keytab version: 0x502
keysize 59 TESTUSERSPN/DES@WINDOWS2003.HOME ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xd925940d9be5c4ec)
Account testUser has been set for DES-only encryption.
And a kinit -kt DESUSER.keytab TESTUSERSPN/DES@WINDOWS2003.HOME gives the
following AS-REQ/AS-REP
No. Time Source Destination Protocol Info
1 0.000000 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ
Frame 1 (227 bytes on wire, 227 bytes captured)
Linux cooked capture
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: w2k3.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32788 (32788), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
No. Time Source Destination Protocol Info
2 0.019198 w2k3.windows2003.home opensuse.suse.home KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
Frame 2 (273 bytes on wire, 273 bytes captured)
Linux cooked capture
Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32788 (32788)
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-05-07 14:09:01 (Z)
susec: 390398
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Realm: WINDOWS2003.HOME
Server Name (Unknown): krbtgt/WINDOWS2003.HOME
e-data
padata: PA-ENCTYPE-INFO PA-ENC-TIMESTAMP PA-PK-AS-REP
Type: PA-ENCTYPE-INFO (11)
Value: 30523027A003020103A120041E57494E444F575332303033.. .
des-cbc-md5 des-cbc-crc
Encryption type: des-cbc-md5 (3)
Salt:
57494E444F5753323030332E484F4D455445535455534552.. .
Encryption type: des-cbc-crc (1)
Salt:
57494E444F5753323030332E484F4D455445535455534552.. .
Type: PA-ENC-TIMESTAMP (2)
Value:
Type: PA-PK-AS-REP (15)
Value:
No. Time Source Destination Protocol Info
3 0.039415 opensuse.suse.home w2k3.windows2003.home KRB5 AS-REQ
Frame 3 (293 bytes on wire, 293 bytes captured)
Linux cooked capture
Internet Protocol, Src: opensuse.suse.home (192.168.1.7), Dst: w2k3.windows2003.home (192.168.1.5)
User Datagram Protocol, Src Port: 32788 (32788), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: PA-ENC-TIMESTAMP
Type: PA-ENC-TIMESTAMP (2)
Value: 3031A003020101A22A0428800FD47DB57CC5D12C0241DF59.. .
des-cbc-crc
Encryption type: des-cbc-crc (1)
enc PA_ENC_TIMESTAMP:
800FD47DB57CC5D12C0241DF592D88C7DA11BBBC89241B2A.. .
KDC_REQ_BODY
No. Time Source Destination Protocol Info
4 0.047715 w2k3.windows2003.home opensuse.suse.home KRB5 AS-REP
Frame 4 (1389 bytes on wire, 1389 bytes captured)
Linux cooked capture
Internet Protocol, Src: w2k3.windows2003.home (192.168.1.5), Dst: opensuse.suse.home (192.168.1.7)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32788 (32788)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 57494E444F5753323030332E484F4D455445535455534552.. .
Client Realm: WINDOWS2003.HOME
Client Name (Principal): TESTUSERSPN/DES
Ticket
enc-part des-cbc-crc
which uses a Salt of: 57 49 4e 44 4f 57 53 32 30 30 33 2e 48 4f 4d 45 54 45 53 54 55 53 45 52 53 50 4e 44 45 53 = WINDOWS2003.HOMETESTUSERSPNDES
The Salt stored in the keytab is the correct value:
hexdump -C DESUSER.keytab
00000000 05 02 00 00 00 3b 00 02 00 10 57 49 4e 44 4f 57
|.....;....WINDOW|
00000010 53 32 30 30 33 2e 48 4f 4d 45 00 0b 54 45 53 54
|S2003.HOME..TEST|
00000020 55 53 45 52 53 50 4e 00 03 44 45 53 00 00 00 01
|USERSPN..DES....|
00000030 00 00 00 00 03 00 01 00 08 d9 25 94 0d 9b e5 c4
|..........%.....|
00000040 ec |.|
00000041
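To make the salt comparison in this mail mechanical, here is an added Python example (not from the thread, nor from ktpass or msktutil): it parses the DESUSER.keytab bytes transcribed from the hexdump above, prints the fields ktpass and klist report (principal, ptype, vno, etype, key), and checks the salt the KDC advertised in PA-ENCTYPE-INFO / PA-PW-SALT against the RFC 4120 default salt implied by the keytab principal. The keytab bytes and the KDC salt are copied from the output quoted in this thread; the check also flags the mismatch case that a buggy ktpass produces.

```python
import struct

# Keytab bytes transcribed from the hexdump of DESUSER.keytab in the mail above.
DESUSER_KEYTAB = bytes.fromhex(
    "05 02 00 00 00 3b 00 02 00 10 57 49 4e 44 4f 57"
    "53 32 30 30 33 2e 48 4f 4d 45 00 0b 54 45 53 54"
    "55 53 45 52 53 50 4e 00 03 44 45 53 00 00 00 01"
    "00 00 00 00 03 00 01 00 08 d9 25 94 0d 9b e5 c4"
    "ec")
# Salt the KDC advertised in PA-ENCTYPE-INFO / PA-PW-SALT (from the AS-REP above).
KDC_SALT = bytes.fromhex("57 49 4e 44 4f 57 53 32 30 30 33 2e 48 4f 4d 45 54 45"
                         "53 54 55 53 45 52 53 50 4e 44 45 53")
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS", 18: "AES256-CTS", 23: "RC4-HMAC"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def parse_keytab(data):
    """Parse an MIT keytab, format 0x502 (all fields big-endian), into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:              # a negative size marks a deleted (free) slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        strings = []               # realm comes first, then ncomp name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        etype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        vno = vno8
        if pos + 4 <= end:         # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            vno = vno32 or vno8
        entries.append({"realm": strings[0], "components": strings[1:],
                        "principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "kvno": vno, "etype": etype, "key": key})
        pos = end
    return entries

def default_salt(realm, components):
    """RFC 4120 4.2 default string-to-key salt: realm, then the name components, no separators.
    RC4-HMAC (etype 23) ignores the salt, which is why the thread sidesteps the ktpass bug with it."""
    return (realm + "".join(components)).encode()

def salt_matches_kdc(entry, kdc_salt):
    """True when the KDC's advertised salt equals the salt the keytab principal implies."""
    return default_salt(entry["realm"], entry["components"]) == kdc_salt

if __name__ == "__main__":
    for e in parse_keytab(DESUSER_KEYTAB):
        print(f"vno {e['kvno']} {e['principal']} ptype {e['name_type']} "
              f"({NAME_TYPES.get(e['name_type'], '?')}) etype {e['etype']} "
              f"({ENCTYPES.get(e['etype'], '?')}) key 0x{e['key'].hex()}")
        print("KDC salt matches keytab principal:", salt_matches_kdc(e, KDC_SALT))
```

A False result from the final check is the symptom described in this mail: the KDC derives the DES key with one salt while the keytab was written for another, so kinit fails although the key bytes look plausible.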
-
Re: Creating a keytab with ktpass under a Computer account
Markus Moeller wrote:
> As I have seen in the past people asking about how to create a keytab with a
> Computer account I put some details together:
>
> 4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
> testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME /crypto
> RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
> 4) I tested the keytab with kfw 3.0
> c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
> TESTSPN/FQDN@WINDOWS2003.HOME
> c:\Program Files\MIT\Kerberos\bin\klist.exe -e
First thank you for this post. It was a big help in getting me as far
as I am. However, for some reason I am unable to get this final step
to work. I created it with a computer account as you indicated, and
was able to successfully create ktpass files. I then copy them over to
the appropriate server and I can klist the keytab:
# klist -Kek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
7 host/testsrv.corp.dc@CORP.DC (ArcFour with HMAC/md5)
(0x68df3e78ac80ad80417213d837e2f17b)
I then try the kinit command you used:
# kinit -kt /etc/krb5.conf host/testsrv.corp.dc@CORP.DC
kinit(v5): Client not found in Kerberos database while getting initial
credentials
The local box hostname matches this output, as does the reverse lookup.
/etc/hosts has:
127.0.0.1 localhost.localdomain localhost
10.0.0.30 testsrv.corp.dc testsrv
In addition I have tried using ssh, with GSSAPI configured:
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Miscellaneous failure
Server not found in Kerberos database
debug1: Trying to start again
[on the server]
Postponed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port
57857 ssh2
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 2 failures 1
Failed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857
ssh2
I have tried using both KRB5_NT_PRINCIPAL and KRB5_NT_SRV_HST, to no
avail. I also tried switching to using user accounts instead of
computer accounts, but that doesn't work either.
The server I'm working with can talk to the KDC. I have successfully
obtained a TGT locally via kinit for my user account. If anyone has
some suggestions, I would greatly appreciate it.
-
Re: Creating a keytab with ktpass under a Computer account
You can check with adsiedit.msc if the entry exists by selecting the Domain
tree, right click and select New -> Query. Give the query a name, select a
root, select subtree and type a query like
serviceprincipalname=host/testsrv.corp.dc* . This should show you one and
only one entry corresponding to your computer account. If this is OK check
your Kerberos configuration on the Unix machine. Do you have a realm-domain
mapping or do you use DNS records?
BTW Did you use the same ktpass version ?
Regards
Markus
wrote in message
news:1148505472.389354.288930@j33g2000cwa.googlegroups.com...
>
> Markus Moeller wrote:
>> As I have seen in the past people asking about how to create a keytab
>> with a
>> Computer account I put some details together:
>>
>> 4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
>> testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN@WINDOWS2003.HOME
>> /crypto
>> RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
>
>> 4) I tested the keytab with kfw 3.0
>> c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
>> TESTSPN/FQDN@WINDOWS2003.HOME
>> c:\Program Files\MIT\Kerberos\bin\klist.exe -e
>
>
> First thank you for this post. It was a big help in getting me as far
> as I am. However, for some reason I am unable to get this final step
> to work. I created it with a computer account as you indicated, and
> was able to successfully create ktpass files. I then copy them over to
> the appropriate server and I can klist the keytab:
>
> # klist -Kek
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 7 host/testsrv.corp.dc@CORP.DC (ArcFour with HMAC/md5)
> (0x68df3e78ac80ad80417213d837e2f17b)
>
> I then try the kinit command you used:
>
> # kinit -kt /etc/krb5.conf host/testsrv.corp.dc@CORP.DC
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> The local box hostname matches this output, as does the reverse lookup.
> /etc/hosts has:
> 127.0.0.1 localhost.localdomain localhost
> 10.0.0.30 testsrv.corp.dc testsrv
>
> In addition I have tried using ssh, with GSSAPI configured:
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Server not found in Kerberos database
>
> debug1: Trying to start again
>
> [on the server]
> Postponed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port
> 57857 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 2 failures 1
> Failed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857
> ssh2
>
> I have tried using both KRB5_NT_PRINCIPAL and KRB5_NT_SRV_HST, to no
> avail. I also tried switching to using user accounts instead of
> computer accounts, but that doesn't work either.
>
> The server I'm working with can talk to the KDC. I have successfully
> obtained a TGT locally via kinit for my user account. If anyone has
> some suggestions, I would greatly appreciate it.
>
-
Re: Creating a keytab with ktpass under a Computer account
Markus Moeller wrote:
> You can check with adsiedit.msc if the entry exists by selecting the Domain
> tree, right click and select New -> Query. Give the query a name, select a
> root, select subtree and type a query like
> serviceprincipalname=host/testsrv.corp.dc* . This should show you one and
> only one entry corresponding to your computer account. If this is OK check
No, this gives no results. Even if I specify the OU that it is in.
However, if I go to the object in ADSI edit and view its properties, I
can find servicePrincipleName and it has the right information.
> your Kerberos configuration on the Unix machine. DO you have a realm domain
> mapping or do you use DNS records ?
I have tried both.
> BTW Did you use the same ktpass version ?
5.2.3790.1830
-
Re: Creating a keytab with ktpass under a Computer account
> No, this gives no results. Even if I specify the OU that it is in.
> However, if I go to the object in ADSI edit and view its properties, I
> can find servicePrincipleName and it has the right information.
never mind. I'm a moron. I insist on spelling it Principle, not
Principal, so of course I'm not finding it.
I redid the search with the right spelling and came up with exactly one
match for host/testsrv.corp.dc.
-
Re: Creating a keytab with ktpass under a Computer account
Can you provide a tcpdump or snoop of traffic on port 88 and 53 to analyse
in Ethereal?
Regards
Markus
"Shamgar" wrote in message
news:1148651221.376969.242680@g10g2000cwb.googlegroups.com...
>> No, this gives no results. Even if I specify the OU that it is in.
>> However, if I go to the object in ADSI edit and view its properties, I
>> can find servicePrincipleName and it has the right information.
>
> never mind. I'm a moron. I insist on spelling it Principle, not
> Principal, so of course I'm not finding it.
>
> I redid the search with the right spelling and came up with exactly one
> match for host/testsrv.corp.dc.
>
-
Re: Creating a keytab with ktpass under a Computer account
Even I ran into this problem and somehow I could make it work with
ktpass version 5.2.3790.131 (without rc4-hmac-nt).
Whereas the newer SP1 ktpass worked with USER accounts. When I wanted to
convert from user accounts to computer accounts, I ran into all kinds
of problems.
The tool I used to diagnose is css_adkadmin, and keytabs from this
tool also worked for me even with rc4-hmac. A binary version of this is also
available. I hope we get one nice robust KTPASS which works as it's
supposed to from Microsoft and provides more meaningful error messages.
Meanwhile I just ran into the following doc.
http://support.microsoft.com/default...;en-us;q175468
Article ID : 175468 : Effects of machine account replication on a
domain
I am not sure how the "Domain Member: Disable machine account password
changes & Domain Controller: Refuse machine account password changes"
parameters affect my keytab. And for some reason if this happens, do I
need to regenerate the keytab again? Hope someone can make this clear to me.
Maybe we need a nice little checklist of what needs to be looked at:
1. we need to check:
userPrincipalName: host/hp.abc.net@ABC.NET
servicePrincipalName: host/hp.abc.net
2. msDS-KeyVersionNumber == KVNO should be the same
3. sAMAccountName: hp$
4. userAccountCtrl =
http://msdn.microsoft.com/library/de..._flag_enum.asp
thanks
Markus Moeller wrote:
> Can you provide a tcpdump or snoop of traffic on port 88 and 53 to analyse
> in Ethereal ?
>
> Regards
> Markus
>
> "Shamgar" wrote in message
> news:1148651221.376969.242680@g10g2000cwb.googlegroups.com...
> >> No, this gives no results. Even if I specify the OU that it is in.
> >> However, if I go to the object in ADSI edit and view its properties, I
> >> can find servicePrincipleName and it has the right information.
> >
> > never mind. I'm a moron. I insist on spelling it Principle, not
> > Principal, so of course I'm not finding it.
> >
> > I redid the search with the right spelling and came up with exactly one
> > match for host/testsrv.corp.dc.
> >