Re: AD 2003; MS's ktpass made account corrupted
- From: "Douglas E. Engert" <deengert@xxxxxxx>
- Date: Thu, 13 Dec 2007 09:15:24 -0600
Henoc wrote:
Thanks Douglas for your help.
Just one thing to make clear for me (I'm not a Kerberos specialist so I
would like to be sure ) :
So I got my computer WWWSRVHOST joined to my domain It has most of the time these spn already made by AD :
HOST/WWWSRVHOST@xxxxxxxx
(Some of you examples use FQDN, some FDN. You refer to the machine
as WWWSRVHOST but it also has a DNS hostname. You attempts
at obfuscating the information in the e-mail is making
it hard to understand your situation.
First of all, is the computer WWWSRVHOST a Windows machine?
Is WWWSRVHOST the name?
What is its DNS name?
Is it joined to the domain?
What is the AD domain name?
And you want to run a web server on it?
If this is all Microsoft servers and web servers, you should not
have to create any keytabs. It should be done for you.
Are trying to run some web server under cygwin?
If so use two seperate windows accounts, one for the host service
handled by windows join, and one for the HTTP service,
and use ktpass. (This keeps them seperate, and avoids the common
passwrod issue.)
The account name does not have to be the spn.
My goal is :
- (1) - to add a HTTP/WWWSRVHOST@xxxxxxx SPN to my computer's entry
- (2) - then to produce the corresponding Keytab file
So to reach this :
a)- under a unix box or via cygwin on the same windows I have to install
mskutil (didn't succeed finding a windows version )
No there is no. You should not need this with windows.
b)- emit these kind of command line : (not that the computer pre-exist in
the domain;
You said the computer was joined. Now you say it is no.
in most of my client environment it is a windows box on which I
have to install my stuff)
msktutil -b <base> -k <file> s <HTTP/WWWSRVHOST@xxxxxxx >
Did you actually get it to run?
Is that all so simple ?? I can't believe I have been turning around for
decades for something so easy. Should post this on different forums to avoid this for other people.
I can test before Friday or Monday
If I made some huge mistake in my understanding, please let me know
Thanks again for your help, which was very useful
Sincerely
-----Message d'origine-----
De : Douglas E. Engert [mailto:deengert@xxxxxxx] Envoyé : mercredi 12 décembre 2007 21:23
À : Henoc@xxxxxxxxxxxxx
Cc : kerberos@xxxxxxx
Objet : Re: AD 2003; MS's ktpass made account corrupted
Henoc@xxxxxxxxxxxxx wrote:Hi Eeery one.
I'm turning to you to know if you have found a way to deal with the bug
on windows' ktpass tool :
When used to deliver a keytab it corrompts the account.
ktpass was not intended to be used with computer accounts for
computers joined to the domain. It was intended to be used to add
unix machine principals and create keytabs for non-domain machines.
But see below...
The computer can't any more log on the windows Domain.
When you run ktpass with it will update AD and create a keytab.
The machine that was joined, has the old password stached away,
so it won't match.
You have to delete it's account on the AD side and then rebind it to theYes gets the machine password and the password in AD in sync.
domain.
I have tried microsoft so-called corrective; I have been told to go onSP2;all of this wich do exactly the same.
------------------------------- most accurate entry in the microsoft KB :
http://support.microsoft.com/kb/939980/en-usaccount after you reset the user account password by using theYou cannot log on to a Windows Server 2003 domain by using a user
ktpass.exe tool together with the -pass * parameter
in fact not limited to "/pass * " as long as I have tested with "/pass
mypasswd" it fails also.
and also the first problem on microsoft KB was :http://support.microsoft.com/kb/919557/enare generated by using the Ktpass.exe tool on a Windows Server 2003You receive pre-authentication errors when you use keytab files that
SP1-based computer
-------------------------------
So here is my question :
Did you succed in creating correct keytab and still not breaking your
computer's appartnance to his AD domain. ?
If yes please let me step by step what to do. (AND MOST OF ALL Send me a
private mail with the binary)
Or is there a alternative to the use of microsoft's ktpass on windows ?
Yes, msktutil. Uses OpenSSL to talk to AD, to add accounts and principals,
and create keytabs. Can handle multiple principals using the same AD
account.
PS : I use this style of command line :
*/ktpass /out httpSrv.keytab /mapuser WWWSRVHOST /princ
HTTP//**/WWWSRVHOST/**/@TESTDOMAIN.LOCAL /crypto RC4-HMAC-NT /pass *
/ptype KRB5_NT_PRINCIPAL/*
Are you using the same AD account for a host principal *AND* a HTTP
principal?
If yes, that is your problem, AD only stores one password per account,
so if you create the keytab for http, the keytab for the host will not
match any more.
Use a different /mapuser account for each.
Thanks
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
.
- Prev by Date: Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users
- Next by Date: Apache2, mod-auth-kerb, Active Directory, Windows 2003, single signon problems, help needed
- Previous by thread: RE: AD 2003; MS's ktpass made account corrupted
- Next by thread: RE: AD 2003; MS's ktpass made account corrupted
- Index(es):
Relevant Pages
|
