help using setspn and ktpass

Question

I'm trying to set up the SPNs and create a keytab file for tomcat kerberos spnego Single sign on.

the server running tomcat7 is ubuntu-ad1.wad.eng.hytrst.com the KDC is kerberos.wad.eng.hytrust.com the domain is WAD.ENG.HYTRUST.COM im using my ad user name of aulfeldt@WAD.ENG.HYTRUST.COM the machiene's AD account is ubuntu-ad1@WAD.ENG.HYTRUST.COM

first i create the spn to associate with a user name ( would love an explanation on why I need to do this?):

setspn HTTP/ubuntu-ad.wad.eng.hytrust.com aulfeldt@WAD.ENG.HYTRUST.COM

Then I create a keytab to copy to the web server:

ktpass /out tomcat.keytab /mapuser aulfeldt@WAD.ENG.HYTRUST.COM /crypto ALL /pass * /ptype KRB5_NT_PRINCIPAL

then i copy it to the web server and use ktutil to merge it with /etc/krb5.keytab.

when I try to test this with kinit i can't make it successfully read from the key table:

hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit -k -t /home/hytrust/tomcat.keytab http/ubuntu-ad1.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM
kinit: Client not found in Kerberos database while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit -k -t /home/hytrust/tomcat.keytab HTTP/ubuntu-ad1.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM
kinit: Client not found in Kerberos database while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit -k -t /home/hytrust/tomcat.keytab ubuntu-ad1.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM
kinit: Client not found in Kerberos database while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit -k -t /home/hytrust/tomcat.keytab ubuntu-ad1.wad.eng.hytrust.com
kinit: Client not found in Kerberos database while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit -k -t /home/hytrust/tomcat.keytab aulfeldt@WAD.ENG.HYTRUST.COM
kinit: Key table entry not found while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit -k -t /home/hytrust/tomcat.keytab ubuntu-ad1@WAD.ENG.HYTRUST.COM
kinit: Client not found in Kerberos database while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit  ubuntu-ad1@WAD.ENG.HYTRUST.COMPassword for ubuntu-ad1@WAD.ENG.HYTRUST.COM: 
kinit: Preauthentication failed while getting initial credentials
hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$ sudo  kinit  aulfeldt@WAD.ENG.HYTRUST.COM

Password for aulfeldt@WAD.ENG.HYTRUST.COM: hytrust@ubuntu-ad1:/usr/share/tomcat7/conf$

how does "Client not found in Kerberos database" differ from "Client not found in Kerberos database"? what do these errors really mean?

The web service's SPN has to be associated with a user account because the client is going to ask the KDC for a service ticket (ST) for "HTTP/ubuntu-ad1.wad.eng.hytrust.com". The KDC must already know that SPN attached to the service account in order to issue the correct ST. The client then presents the ST to the web service to prove it was authenticated by the KDC. **NOTE** Your client request must be using the URL of "ubuntu-ad1.wad.eng.hytrust.com" to successfully authenticate. If you're using NetBIOS names or hostnames, you will need to add an additional SPN like "HTTP/ubuntu-ad1". — Ryan Fisher, Jan 05 '12 at 01:46
That still doesn't answer on question why it has to be user account and not computer account with setspn command. — Boban P., Jul 19 '12 at 13:37

score 9 · Answer 1 · answered Jan 15 '14 at 22:35

(this question is a bit old, but my analysis might help others)

You seem to be missing some understanding and therefore not executing the commands correctly. I'm assuming that your KDC is actually an Active Directory KDC. This is not entirely clear from your description.

Firstly, in active directory kerberos (contrary to standard MIT/Heimdal kerberos) a Service Principal Name (SPN - a service running a machine) needs to be connected to a User Principal Name (UPN, a user siting behind a machine). Hence the mapping.

setspn will add the service principal name to a user by adding the ldap attribute to the cn of the user

ktpass will output your key tab and rewrite the UserPrincipalName to username/fully.qualified.domainname@REALM .

By doing a kinit -k -t key.tab principal a lookup will happen in both the key.tab file and active directory UPN on the principal. If it cannot find the principal in the key tab it will give an error like "Key table entry not found while getting initial credentials". If it cannot be found in the directory it will give "Client not found in Kerberos database while getting initial credentials".

Now to your issue at hand. It seems that you are missing the /princ parameter to ktpass. This is required to actually get the principal in the key tab file and get the mapping right. I wonder what a klist -k keytab gives.

so your lines should be something like (including putting the REALM at the right location:

setspn HTTP/ubuntu-ad.wad.eng.hytrust.com aulfeldt

ktpass /princ HTTP/ubuntu-ad.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM /out tomcat.keytab /mapuser aulfeldt /crypto ALL /pass * /ptype KRB5_NT_PRINCIPAL

Extra: if you are using SAMBA 4 with the samba-tool to do this you will need to manually change userPrincipalName to (in this case): HTTP/ubuntu-ad.wad.eng.hytrust.com@WAD.ENG.HYTRUST.COM this is because the key tab generation of samba does not update the UPN and hence you will get an error when doing a lookup.

On a side note: an active directory machine name is COMPUTER$ (mark the $). Your's seems off.

Thank's man - you made my day! Your side note for Samba4 solved my problem I was sticked for days ... — Heiko Robert, Jun 20 '14 at 18:12

score 4 · Answer 2 · answered Jun 04 '11 at 00:24

Try using "setspn -Q " in Windows to see whether the SPN has been created properly:

C:\Windows\System32>setspn -Q HTTP/util01.example.com
CN=util01,OU=Servers,DC=example,DC=com
        HTTP/util01.example.com

Existing SPN found!

Then, check the keytab file to see if it matches:

[apache@util01 ~]$ klist -e -k /etc/httpd/conf/auth_httpd.keytab 
Keytab name: FILE:/etc/httpd/conf/auth_httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/util01.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)

If they don't match (aside from the @EXAMPLE.COM realm bit), fix it so they do by re-exporting the keytab with ktpass.

If they do match, you should be able to get a ticket for exactly the SPN specified in the keytab (do not include the realm):

$ sudo kinit -k keytab.file HTTP/util01.example.com

Note that if you have previously created keytab files with ktpass, you may have multiple SPNs created with different user accounts. If setspn -Q HTTP/util01.example.com shows multiple SPNs with different accounts, you must delete all but one, via "setspn -D HTTP/util01.example.com oldaccount". If everything looks good via kinit and klist, but apache authentication via mod_auth_kerb fails, this can be a cause. — hurfdurf, Aug 22 '14 at 17:22

help using setspn and ktpass

2 Answers2