Bizarre problem with authenticating a service principal with AD - Kerberos


Thread: Bizarre problem with authenticating a service principal with AD

  1. Bizarre problem with authenticating a service principal with AD


    I'm trying to get pam_krb5 working with an Active Directory domain. It
    works when I don't have a krb5.keytab file but it doesn't when I do,
    since the verification of the TGT using the service principal fails with
    an error: "Key table entry not found". The keytab file is simple as it
    only contains the "host" service principal for the Ubuntu Linux box that
    I am testing with.

    So, I figured I screwed up somehow with the generation of the keytab
    file using ktpass.exe. However, I don't think I did. When I run "klist
    -k", copy the principal name from the output, and paste that principal
    name to the end of "kinit -k", I still get the error:

    kinit(v5): Key table entry not found while getting initial credentials

    I am ready to pull all of my hair out. I ran strace on the invocation
    of kinit, and it seems to be reading the keytab file properly, and I ran
    tcpdump to see what's going on there. While at one point I saw "preauth
    required", turning off preauth in the AD Account settings for that
    principal seems to have fixed that.

    Does anybody have any ideas? Could I be missing something very obvious?

    Note: I have created host service principals for other hosts and the
    "kinit -k " works fine. The other hosts are running
    Solaris 8 with a locally built v1.6. On the Linux platform, I am using
    the Ubuntu/Debian package (patched v1.4.3, I think). I am striving to
    stick with pre-packaged software.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Bizarre problem with authenticating a service principal with AD

    >>>>> "Jason" == Jason Testart writes:

    Jason> I'm trying to get pam_krb5 working with an Active Directory domain. It
    Jason> works when I don't have a krb5.keytab file but it doesn't when I do,
    Jason> since the verification of the TGT using the service principal fails with
    Jason> an error: "Key table entry not found". The keytab file is simple as it
    Jason> only contains the "host" service principal for the Ubuntu Linux box that
    Jason> I am testing with.

    Jason> So, I figured I screwed up somehow with the generation of the keytab
    Jason> file using ktpass.exe. However, I don't think I did. When I run "klist
    Jason> -k", copy the principal name from the output, and paste that principal
    Jason> name to the end of "kinit -k", I still get the error:

    Jason> kinit(v5): Key table entry not found while getting initial credentials

    Do your key version numbers match?


  3. Re: Bizarre problem with authenticating a service principal with AD



    Tom Yu wrote:
    >>>>>> "Jason" == Jason Testart writes:

    >
    > Jason> I'm trying to get pam_krb5 working with an Active Directory domain. It
    > Jason> works when I don't have a krb5.keytab file but it doesn't when I do,
    > Jason> since the verification of the TGT using the service principal fails with
    > Jason> an error: "Key table entry not found". The keytab file is simple as it
    > Jason> only contains the "host" service principal for the Ubuntu Linux box that
    > Jason> I am testing with.
    >
    > Jason> So, I figured I screwed-up somehow with the generation of the keytab
    > Jason> file using ktpass.exe. However, I don't think I did. When I run "klist
    > Jason> -k", copy the principal name from the output, and paste that principal
    > Jason> name to the end of "kinit -k", I still get the error:
    >
    > Jason> kinit(v5): Key table entry not found while getting initial credentials
    >
    > Do your key version numbers match?


    Yes, they do. In AD, msDS-KeyVersionNumber is "2", and "klist -ke"
    gives a KVNO of 2.




  4. Re: Bizarre problem with authenticating a service principal with AD



    Jeffrey Altman said the following on 3/12/2007 12:01 AM:
    > Jason Testart wrote:
    >>
    >> Jeffrey Altman wrote:
    >>> Jason Testart wrote:
    >>>> I'm trying to get pam_krb5 working with an Active Directory
    >>>> domain. It works when I don't have a krb5.keytab file but it
    >>>> doesn't when I do, since the verification of the TGT using the
    >>>> service principal fails with an error: "Key table entry not
    >>>> found". The keytab file is simple as it only contains the
    >>>> "host" service principal for the Ubuntu Linux box that I am
    >>>> testing with.
    >>> What enctype is the service ticket being encrypted with?

    >> I used the default. "ktpass /?" says that's RC4-HMAC-NT.

    > ktpass exports a key of the enctype you request. that is not
    > necessarily the enctype used to encrypt the service ticket that is
    > issued. What is the enctype of the service ticket received by your
    > service?


    Right. Sorry about that. I'm a bit of a noobie at Kerberos. So AFAIK,
    based on reading and looking at pcap files of kerberos traffic, Active
    Directory uses des-cbc-md5 or des-cbc-crc to encrypt tickets it issues,
    like the TGT in this case.

    Thanks Jeffrey, you got me thinking in the right direction:

    I just took a look at the keytab files on those Solaris hosts that I
    mentioned work, and what do you know, the host keys are des-cbc-md5.
    But get this, I used ktpass the same way to create those as I did this
    one. I believe the difference is in how I created the AD account for
    the service principal. For the working Solaris hosts, I used a perl
    script to create the accounts via LDAP, then in a second step I ran a
    batch of ktpass commands. In the perl script, I set the
    userAccountControl attribute (setting the USE_DES_KEY_ONLY property).
    Perhaps this affects how ktpass behaves? In the case of this Linux
    host, I created the account using the GUI snap-in and I didn't set any
    properties before generating the keytab file.

    So I just recreated the keytab with the different enctype. Now when I
    kinit, I get either:

    kinit(v5): Password incorrect while getting initial credentials

    or

    kinit(v5): Preauthentication failed while getting initial credentials

    depending on whether "require preauth" is set for the account in AD.




  5. Re: Bizarre problem with authenticating a service principal with AD



    Jeffrey Altman wrote:
    > Jason Testart wrote:
    >> I'm trying to get pam_krb5 working with an Active Directory domain. It
    >> works when I don't have a krb5.keytab file but it doesn't when I do,
    >> since the verification of the TGT using the service principal fails with
    >> an error: "Key table entry not found". The keytab file is simple as it
    >> only contains the "host" service principal for the Ubuntu Linux box that
    >> I am testing with.

    > What enctype is the service ticket being encrypted with?


    I used the default. "ktpass /?" says that's RC4-HMAC-NT.

    >
    > Does that enctype exist in the keytab?


    "ArcFour with HMAC/md5". Sounds like a match.

    >
    > Does the kvno of the service ticket match the kvno of the entry in the
    > keytab?


    Yes.

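The three checks the replies in posts 2, 4 and 5 walk Jason through (is the principal in the keytab at all, does the kvno match, and is there a key of the enctype the KDC actually used) can be run against the keytab bytes directly rather than by eyeballing `klist -ke`. What follows is an added example, not code from the thread, from MIT krb5 or from ktpass: a parser for the 0x0502 keytab format that `klist -k` reads and `ktpass`/`ktutil` write, a matching writer, and a `diagnose` function that reports which of the three attributes has no match. The principal name, realm, kvno, timestamp and key bytes in the sample are constructed for the demonstration; they reproduce the situation in post 4, an arcfour-hmac entry in the keytab against a ticket that AD encrypted with des-cbc-md5.

```python
"""Keytab inspector: parse a 0x0502 keytab and explain a decryption miss.
Added example for this thread; not code from MIT krb5 or from the posters."""
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961 / RFC 4757, with the names `klist -ke` prints.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_SRV_HST = 3          # principal name type used for host/<fqdn>


@dataclass
class KeytabEntry:
    principal: str           # e.g. host/linuxbox.example.com@EXAMPLE.COM
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data: bytes):
    """Parse the version 0x0502 keytab format MIT krb5, Heimdal and ktpass write."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                         # negative size: deleted slot, skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        off += 4                             # uint32 name type, not needed here
        ts, vno8, enctype, klen = struct.unpack_from(">IBHH", data, off)
        off += 9
        key = bytes(data[off:off + klen])
        off += klen
        kvno = vno8
        if end - off >= 4:                   # optional 32-bit kvno wins if nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, ts, key))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise entries in the same format (what `ktutil` writes with wkt)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIBHH", KRB5_NT_SRV_HST, e.timestamp,
                            e.kvno & 0xFF, e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(keytab: bytes, principal: str, kvno: int, enctype: int) -> str:
    """A keytab lookup needs principal, kvno and enctype to all match; with no
    entry of the right enctype for the principal, MIT krb5 reports "Key table
    entry not found". Return the first attribute that has no match."""
    entries = parse_keytab(keytab)
    same_princ = [e for e in entries if e.principal == principal]
    if not same_princ:
        return "no-principal: keytab has %s" % sorted({e.principal for e in entries})
    same_kvno = [e for e in same_princ if e.kvno == kvno]
    if not same_kvno:
        return "kvno-mismatch: wanted %d, keytab has %s" % (
            kvno, sorted({e.kvno for e in same_princ}))
    if any(e.enctype == enctype for e in same_kvno):
        return "ok"
    name = ENCTYPE_NAMES.get
    return "enctype-mismatch: wanted %s, keytab has %s" % (
        name(enctype, str(enctype)), sorted(name(e.enctype, str(e.enctype)) for e in same_kvno))


# Constructed sample (not a real keytab): the arcfour-hmac entry ktpass wrote
# by default, checked against a TGT the AD KDC encrypted with des-cbc-md5.
SAMPLE_PRINCIPAL = "host/linuxbox.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([KeytabEntry(SAMPLE_PRINCIPAL, 2, 23, 1173700000, bytes(range(16)))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%d %s (%s)" % (e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype)))
    print(diagnose(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, 2, 3))    # the post 4 situation
```

Against a real system, feed `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and take the ticket's kvno and enctype from `klist -e` or from the pcap, as in post 4. The `kvno-mismatch` branch is the case Tom asks about in post 2 (AD bumps msDS-KeyVersionNumber whenever the account password is reset, including by a second ktpass run), and the `enctype-mismatch` branch is the USE_DES_KEY_ONLY case Jason found.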


  6. Re: Bizarre problem with authenticating a service principal with AD

    You did not provide the host name, the default realm name in
    the krb5.conf, the AD domain name or the ktpass command you used.
    I have seen many people have problems with the names. If Tom's
    or Jeff's suggestions don't help, have a look at the names.

    Jason Testart wrote:
    > I'm trying to get pam_krb5 working with an Active Directory domain. It
    > works when I don't have a krb5.keytab file but it doesn't when I do,
    > since the verification of the TGT using the service principal fails with
    > an error: "Key table entry not found". The keytab file is simple as it
    > only contains the "host" service principal for the Ubuntu Linux box that
    > I am testing with.
    >
    > So, I figured I screwed up somehow with the generation of the keytab
    > file using ktpass.exe. However, I don't think I did. When I run "klist
    > -k", copy the principal name from the output, and paste that principal
    > name to the end of "kinit -k", I still get the error:
    >
    > kinit(v5): Key table entry not found while getting initial credentials
    >
    > I am ready to pull all of my hair out. I ran strace on the invocation
    > of kinit, and it seems to be reading the keytab file properly, and I ran
    > tcpdump to see what's going on there. While at one point I saw "preauth
    > required", turning off preauth in the AD Account settings for that
    > principal seems to have fixed that.
    >
    > Does anybody have any ideas? Could I be missing something very obvious?
    >
    > Note: I have created host service principals for other hosts and the
    > "kinit -k " works fine. The other hosts are running
    > Solaris 8 with a locally built v1.6. On the Linux platform, I am using
    > the Ubuntu/Debian package (patched v1.4.3, I think). I am striving to
    > stick with pre-packaged software.


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  7. Re: Bizarre problem with authenticating a service principal with AD

    >>>>> "Jason" == Jason Testart writes:

    Jason> So I just recreated the keytab with the different enctype. Now when I
    Jason> kinit, I get either:

    Jason> kinit(v5): Password incorrect while getting initial credentials

    Jason> or

    Jason> kinit(v5): Preauthentication failed while getting initial credentials

    Jason> depending on whether "require preauth" is set for the account in AD.

    What version of Windows is running on the AD server? One problem I
    think I've seen is that in some recent versions of Windows, AD uses a
    different salt for the password than the usual principal-name salt.
    (AD stores the actual password, rather than a key.) I thought this
    should only be a problem if you're typing a password into an MIT krb5
    ktutil or similar keytab tool, but I think ktpass may have the same
    problem.

    In one case I encountered, I think the reason was that AD was using
    the NetBIOS name for the server instead of its FQDN to create the
    "principal name" for the salt. Does the server in question have a
    hostname which is longer than 14 or 15 (I can't remember the exact
    number) characters?

    ---Tom


  8. Re: Bizarre problem with authenticating a service principal with AD



    Tom Yu said the following on 3/12/2007 12:29 PM:

    >
    > In one case I encountered, I think the reason was that AD was using
    > the NetBIOS name for the server instead of its FQDN to create the
    > "principal name" for the salt. Does the server in question have a
    > hostname which is longer than 14 or 15 (I can't remember the exact
    > number) characters?


    I just watched the traffic, and I'm getting a pre-auth required followed
    by a pre-auth failed. In both cases, the salt appears to be the name of
    the AD account that the service principal is mapped to. Is this my
    problem? How does one fix this?



  9. Re: Bizarre problem with authenticating a service principal with AD



    Tom Yu said the following on 3/12/2007 12:29 PM:
    >>>>>> "Jason" == Jason Testart writes:

    >
    > Jason> So I just recreated the keytab with the different enctype. Now when I
    > Jason> kinit, I get either:
    >
    > Jason> kinit(v5): Password incorrect while getting initial credentials
    >
    > Jason> or
    >
    > Jason> kinit(v5): Preauthentication failed while getting initial credentials
    >
    > Jason> depending on whether "require preauth" is set for the account in AD.
    >
    > What version of Windows is running on the AD server? One problem I
    > think I've seen is that in some recent versions of Windows, AD uses a
    > different salt for the password than the usual principal-name salt.
    > (AD stores the actual password, rather than a key.) I thought this
    > should only be a problem if you're typing a password into an MIT krb5
    > ktutil or similar keytab tool, but I think ktpass may have the same
    > problem.


    The server is running Server 2003 SP1. One thing I am not clear on is
    the password you give ktpass. Does this set the actual "login" password
    for the AD account, or is there a different password for the key?

    >
    > In one case I encountered, I think the reason was that AD was using
    > the NetBIOS name for the server instead of its FQDN to create the
    > "principal name" for the salt. Does the server in question have a
    > hostname which is longer than 14 or 15 (I can't remember the exact
    > number) characters?


    Well the hostname is 6 characters long, the FQDN is of course much
    longer (> 15 characters).


  10. Re: Bizarre problem with authenticating a service principal with AD


    Jason Testart said the following on 3/12/2007 1:55 PM:
    >
    >
    > Tom Yu said the following on 3/12/2007 12:29 PM:
    >
    >>
    >> In one case I encountered, I think the reason was that AD was using
    >> the NetBIOS name for the server instead of its FQDN to create the
    >> "principal name" for the salt. Does the server in question have a
    >> hostname which is longer than 14 or 15 (I can't remember the exact
    >> number) characters?

    >
    > I just watched the traffic, and I'm getting a pre-auth required followed
    > by a pre-auth failed. In both cases, the salt appears to be the name of
    > the AD account that the service principal is mapped to. Is this my
    > problem? How does one fix this?
    >
    >


    The source of my problems all along was ktpass.exe. For some reason, it
    just isn't generating proper keytab files.

    My solution was to remove the AD account for the principal, then change
    my perl script to make the service/user principal mapping directly, and
    to set the account password (unicodePwd). I then re-created the
    principal using the perl script, and used the password to manually
    generate a keytab file using addent in ktutil.

    I'm so happy to now get a TGT when running "kinit -k
    host/@"!!

    Thanks for the help!

    jt

    P.S.: Is there a Perl interface to something ktutil-like? I have yet to
    Google for this...


  11. Re: Bizarre problem with authenticating a service principal with AD


    >What version of Windows is running on the AD server? One problem I
    >think I've seen is that in some recent versions of Windows, AD uses a
    >different salt for the password than the usual principal-name salt.
    >(AD stores the actual password, rather than a key.) I thought this
    >should only be a problem if you're typing a password into an MIT krb5
    >ktutil or similar keytab tool, but I think ktpass may have the same
    >problem.


    Note that rc4-hmac keys are unsalted, and AD does store keys rather
    than passwords (Windows workstations joined to a domain store the
    password).

    -- Luke

    --
    www.padl.com | www.lukehoward.com
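Tom's salt question (post 7), the salt Jason saw in the ETYPE-INFO on the wire (post 8) and Luke's note that rc4-hmac keys are unsalted (post 11) all come down to how each enctype turns the account password into a key. The following is an added example, not code from the thread or from MIT krb5. It computes the arcfour-hmac key exactly as RFC 4757 defines it (MD4 over the UTF-16LE password, with no salt at all, so rc4-hmac keys cannot disagree over a salt, which is also what `ktutil addent -password -e arcfour-hmac` stores), and then shows that a salted string-to-key yields different keys under the two salts in play: the RFC 4120 default salt built from the principal name, and the realm-plus-account-name salt that AD uses for a plain user account (no userPrincipalName set), which is the salt Jason observed. The DES string-to-key the thread actually used needs a DES primitive the Python standard library lacks, so the salted step here is the PBKDF2 stage of the RFC 3962 AES string-to-key, which depends on the salt in the same way; that substitution is mine. The password, principal and sAMAccountName are constructed for the demonstration.

```python
"""Kerberos string-to-key and the salt question from the thread.
Added example for this thread; not code from MIT krb5 or from the posters."""
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (                                  # (function, constant, word order, shifts)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian uint64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[i] + k) & mask, shifts[j % 4])
                a, b, c, d = d, a, b, c     # rotate roles: next step updates old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: the arcfour-hmac key is MD4(UTF-16LE(password)). No salt enters."""
    return md4(password.encode("utf-16le"))


def principal_salt(principal: str) -> str:
    """RFC 4120 default salt: realm followed by the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def ad_user_salt(realm: str, sam_account_name: str) -> str:
    """Salt AD uses for a plain user account's salted keys: upper-case realm plus
    the account name, whatever SPNs are mapped onto that account (what post 8 saw)."""
    return realm.upper() + sam_account_name


def salted_key(password: str, salt: str, length: int = 16) -> bytes:
    """PBKDF2 stage of the RFC 3962 AES string-to-key (4096 iterations, UTF-8
    password and salt). Stands in here for the DES string-to-key the thread used;
    both are salted, so both give a different key for a different salt."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, length)


def derive_all(password: str, principal: str, account: str) -> dict:
    """Keys the same password yields for the unsalted enctype and for a salted
    enctype under each candidate salt."""
    realm = principal.rsplit("@", 1)[1]
    return {
        "rc4-hmac (unsalted)": rc4_hmac_key(password).hex(),
        "salted, principal-name salt": salted_key(password, principal_salt(principal)).hex(),
        "salted, AD account-name salt": salted_key(password, ad_user_salt(realm, account)).hex(),
    }


# Constructed sample values; "linuxbox-host" is a hypothetical sAMAccountName.
PASSWORD = "password"
PRINCIPAL = "host/linuxbox.example.com@EXAMPLE.COM"
ACCOUNT = "linuxbox-host"

if __name__ == "__main__":
    print("principal-name salt:", principal_salt(PRINCIPAL))
    print("AD account salt:    ", ad_user_salt("EXAMPLE.COM", ACCOUNT))
    for label, key in derive_all(PASSWORD, PRINCIPAL, ACCOUNT).items():
        print("%-30s %s" % (label, key))
```

If a keytab tool derives a DES or AES key with the principal-name salt while the KDC derived its copy with the account-name salt, the two keys differ even though the password is identical, and the AS exchange fails exactly as in post 4 ("Password incorrect" without preauth, "Preauthentication failed" with it). The salt the KDC actually used is visible in the ETYPE-INFO of the KRB-ERROR, which is what Jason read off the pcap in post 8.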

