3

I am trying to create a keytab file. I see a warning:

  WARNING: pType and account type do not match. This might cause  problems.

The command I use is:

  ktpass -princ HTTP/bloodhound.domain.com@DOMAIN.COM -mapuser ldaplookup@domain.com -crypto rc4-hmac-nt -pass **** -ptype KRB5_NT_SRV_HST -out "C:\Documents and Settings\Administrator\bloodhound.kytab"

I want to use this for SSO on Apache. I am creating this on Windows Server 2003 R2 SP2.

Output:

Targeting domain controller: fezziwig.uk.domain.com
Using legacy password setting method
Successfully mapped HTTP/bloodhound.domain.com to ldaplookup.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to C:\Documents and Settings\Administrator.UK-GGS-DOMAIN\bloodhound.keytab:
Keytab version: 0x502
keysize 82 HTTP/bloodhound.domain.com@DOMAIN.COM ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)

I have followed many steps that show the same as http://www.zimbra.com/docs/os/7.2.3/administration_guide/wwhelp/wwhimpl/common/html/wwhelp.htm#href=7.2.3_Open_Source_admin.Create_the_Kerberos_Keytab_File.html&single=true

But none of them work. When I test with kvno I get the following:

[root@portal-test conf]# klist -ke bloodhound1.keytab 
Keytab name: FILE:bloodhound1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  27 HTTP/bloodhound.domain.com@DOMAIN.COM (ArcFour with HMAC/md5) 
[root@portal-test conf]# kvno HTTP/bloodhound.domain.com@DOMAIN.COM
kvno: Server not found in Kerberos database while getting credentials for HTTP/bloodhound.domain.com@DOMAIN.COM

Update

The web server I want to access is at the URL http://cobra.woking/

I entered the following command on Windows Server 2008 R2 Standard:

ktpass -princ HTTP/cobra.woking@spectrumasa.com -mapuser ldaplookup@spectrumasa.com -crypto rc4-hmac-nt -pass password -ptype KRB5_NT_SRV_HST -out "C:\Temp\cobra.kytab" -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: echo.spectrumasa.com
Successfully mapped HTTP/cobra.woking to ldaplookup.
Password succesfully set!
Key created.
Output keytab to C:\Temp\cobra.kytab:
Keytab version: 0x502
keysize 68 HTTP/cobra.woking@spectrumasa.com ptype 1 (KRB5_NT_PRINCIPAL) vno 33 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)

I copied the file over to the web server and updated the web server config to:

<Directory /opt/html/trac>
        AuthType Kerberos
        AuthName KerberosLogin
        KrbServiceName HTTP/cobra.woking
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms SPECTRUMASA.COM
        Krb5KeyTab /tmp/cobra.kytab

        AuthLDAPURL ldap://ldapauth.spectrumasa.com/ou=TechSupport,ou=Woking,ou=Sites,dc=spectrumasa,dc=com?userPrincipalName
        AuthLDAPBindDN cn=ldaplookup,cn=Users,dc=spectrumasa,dc=com
        AuthLDAPBindPassword password

        #require valid-user
        Require ldap-group cn=support,cn=Users,dc=spectrumasa,dc=com
        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/intranet/info/unauthorized\"></html>"
</Directory>

I tested the keytab:

klist -ke cobra.kytab 
Keytab name: FILE:cobra.kytab
KVNO Principal
---- --------------------------------------------------------------------------
  33 HTTP/cobra.woking@spectrumasa.com (arcfour-hmac) 

kvno HTTP/cobra.woking@spectrumasa.com
kvno: Ticket expired while getting credentials for HTTP/cobra.woking@spectrumasa.com

When accessing the URL I get in with IE, but in Firefox I get a password prompt and then it works.

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ), referer: http://cobra.woking/trac/

How do I fix this?

I already have an intranet keytab file working for this server:

[root@cobra conf]# klist -ke intranet.keytab
Keytab name: FILE:intranet.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 HTTP/intranet.spectrumasa.com@SPECTRUMASA.COM (arcfour-hmac) 
[root@cobra conf]# kvno HTTP/intranet.spectrumasa.com@SPECTRUMASA.COM
kvno: Ticket expired while getting credentials for HTTP/intranet.spectrumasa.com@SPECTRUMASA.COM

2nd update

I have recreated the keytab again using the following:

ktpass -princ HTTP/cobra@SPECTRUMASA.COM -mapuser ldaplookup@spectrumasa.com -crypto rc4-hmac-nt -pass password -out "C:\Temp\cobra1.keytab" -ptype KRB5_NT_PRINCIPAL

In my DNS I have:

  cobra         A   172.16.0.216

In Apache I have:

KrbServiceName HTTP/cobra
Krb5KeyTab /etc/httpd/conf/cobra1.keytab

When I try to access http://cobra/trac I get asked for my password 3 times. The log shows:

On entering the URL, the 1st password prompt displays SPECTRUM/user and the log shows

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )

The 2nd password prompt displays COBRA/user and the log shows

gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)

At the 3rd password prompt I have to enter my user and password, and then it works.

I have added http://cobra and http://cobra.spectrumasa.com to IE trusted sites.

shorif2000
    Given how old and close to EoS Server 2003 is, you really ought to replace it. The fact that something isn't working on 2003 is a perfect pretense to update it to something modern. As a bonus, you have a better chance of finding someone who can actually help you with your issue. – HopelessN00b Aug 22 '14 at 12:29
  • I have Server 2008 in the domain as well – shorif2000 Aug 27 '14 at 10:16

1 Answer

5

The error you get in the output is because you are not mapping the SPN to a principal. You should use a ptype switch of -ptype KRB5_NT_PRINCIPAL so as to avoid the error.

KRB5_NT_PRINCIPAL is the general principal type (recommended) as documented by Microsoft.

lantrix
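klist -ke shows the kvno and enctype of each keytab entry but not the name type the answer is talking about. The following is an added example (mine, not code from the question or the answer) that parses a version 0x0502 keytab and flags entries whose ptype is not KRB5_NT_PRINCIPAL, plus entries whose realm is not upper case, since Kerberos realm names are case-sensitive and an Active Directory realm is the upper-cased DNS domain name. The sample keytab is constructed inline from the two principals in the question, with dummy key bytes; read a real file with `parse_keytab(open(path, "rb").read())`.

```python
import struct
# Principal name types from RFC 4120 section 6.2; ktpass prints them as "ptype".
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_HST = 1, 3

def _counted(data, pos):  # 16-bit big-endian length prefix followed by that many bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(blob):  # version 0x0502 keytab, the layout ktpass and MIT Kerberos write
    if blob[:2] != b"\x05\x02": raise ValueError("not a v2 keytab (header must be 05 02)")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                  # a negative size marks a deleted entry: skip it
            pos += -size; continue
        start = p = pos
        (ncomp,) = struct.unpack_from(">H", blob, p); p += 2
        realm, p = _counted(blob, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(blob, p); comps.append(c.decode())
        name_type, _timestamp, vno = struct.unpack_from(">IIB", blob, p); p += 9
        (etype,) = struct.unpack_from(">H", blob, p); p += 2
        key, p = _counted(blob, p)
        if p + 4 <= start + size:      # optional 32-bit kvno overrides the 8-bit one when set
            (vno32,) = struct.unpack_from(">I", blob, p); vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "ptype": name_type, "vno": vno, "etype": etype, "keylen": len(key)})
        pos = start + size
    return entries

def lint_keytab(blob):  # entries the answer's advice, or case-sensitive realm names, would reject
    problems = []
    for e in parse_keytab(blob):
        realm = e["principal"].rsplit("@", 1)[1]
        if e["ptype"] != KRB5_NT_PRINCIPAL:
            problems.append(f"{e['principal']}: ptype {e['ptype']} is not 1 (KRB5_NT_PRINCIPAL)")
        if realm != realm.upper():
            problems.append(f"{e['principal']}: realm {realm} is not upper case")
    return problems

def build_entry(comps, realm, name_type, vno, etype, key):  # constructed data in ktpass's layout
    body = (struct.pack(">HH", len(comps), len(realm)) + realm.encode()
            + b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
            + struct.pack(">IIBHH", name_type, 0, vno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body
SAMPLE = (b"\x05\x02"  # constructed keytab holding the question's two principals; dummy key bytes
          + build_entry(["HTTP", "bloodhound.domain.com"], "DOMAIN.COM", KRB5_NT_SRV_HST, 14, 0x17, b"\x11" * 16)
          + build_entry(["HTTP", "cobra.woking"], "spectrumasa.com", KRB5_NT_PRINCIPAL, 33, 0x17, b"\x22" * 16))
```

The second constructed entry has the 68-byte size that ktpass reported for HTTP/cobra.woking in the question, so the layout matches what ktpass writes.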