
I'm trying to set up a keytab for a Java server to support Kerberos authentication on a Windows network. I'm struggling to get it working even at the level of the command-line tools, and haven't even got as far as the server setup yet! My plan just now is to try and get it working on my development PC, as I have development work and debugging to do. So my goal is to have the Java server running on my PC, and the client running on the same machine connecting to it.

Here's what I've done so far; I'm really blundering my way through, so I could be doing all kinds of wrong stuff!

Created a service principal name

I got one of our domain administrators to run this command:

setspn -A TEST/pc-name.mydomain.com my-user-name

This appeared to complete successfully and I can list this SPN successfully with

setspn -L my-user-name

Created a keytab file

I created a keytab with this command:

ktpass /princ TEST/pc-name.mydomain.com@MYDOMAIN.COM /pass <my-password> /ptype KRB5_NT_SRV_HST /out <keytab-filename>

This appears to create a keytab successfully, although it does warn that ptype and account type do not match (but whatever I choose for ptype, I get the same warning). If I run this command:

klist -k file:/<keytab-filename>

then it lists the SPN I'd expect, namely TEST/pc-name.mydomain.com@MYDOMAIN.COM

The problem!

Now I want to check that the keytab works for this SPN, so I'm running

kinit -t <keytab-filename> TEST/pc-name.mydomain.com@MYDOMAIN.COM

I then get an error "krb_error 6 Client not found in Kerberos database".

What am I doing wrong?

user21693

1 Answer


I'm not quite sure whether my-user-name refers to a computer object or a user object in active directory; I'll assume it's a user object. In that case, I think setspn is not appropriate; this is meant to modify the SPNs of existing machine accounts. For a user account, I'm skeptical that SRV_HST is right.

Apparently, support for SPNs associated with user objects is somewhat limited; I read somewhere that this is really restricted to one user. I also couldn't manage to get your ktpass invocation to work for me, as it insisted on a) specifying a user account (through mapuser) that should be associated with the SPN, and b) setting the SPN password. I think the latter is unavoidable to create a keytab through ktpass.

I managed to create a keytab in the "standard way", i.e. by setting up a dedicated user account and associating it with an SPN:

ktpass /princ TEST/host@DOMAIN /mapuser user@DOMAIN /pass * /out foo.keytab /ptype KRB5_NT_PRINCIPAL

That operation (expectedly) broke login for the user; however, I was then able to kinit with

kinit -k -t /tmp/foo.keytab TEST/host@DOMAIN
Martin v. Löwis
  • Thanks for the answer. So yes, in my original question, my-user-name was a user object. Leaving that aside, I'm now confused though: are you saying don't use setspn at all? Following the thread back through everything I've been trying to do, I needed an SPN in order for the client code to use Kerberos for NegotiateStream. So how do I get the SPN in your scenario? Does ktpass create the SPN? – user21693 Oct 02 '09 at 08:30
  • We tried setspn -A TEST/host@DOMAIN host; that and the ktpass invocation worked, but kinit fails saying "Identifier doesn't match expected value". – user21693 Oct 02 '09 at 09:02
  • You need an active directory account that has a service name associated with it. There are two ways to achieve that: either set the userPrincipalName to the SPN (this is what ktpass does, IIUC), or else AD will also look into the servicePrincipalName. I assumed that ktpass will always change the password; it seems that it doesn't if used the way you used it. As for "identifier does not match", can you try MIT kinit (I assume you use Java kinit)? – Martin v. Löwis Oct 02 '09 at 23:16
  • I am also facing the same problem on Windows Server 2008; even MIT kinit shows the same error "client not found". – Kumar Mar 12 '15 at 06:03
  • I use this to check the Keytab: `java com.ibm.security.krb5.internal.tools.Klist -f -e -a -k FILE:D:\IBM\IBMSSO\SvcP8SSOAPP-FNTD101.keytab` (with IBM JAVA) – Tilo Nov 28 '16 at 23:21
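Both the question's klist -k step and the Klist check in the last comment inspect the keytab with a Kerberos tool; the same inspection can be done offline, which makes it easier to see exactly which principal name kinit will present. The script below is an added example, not code from the question, the answer or any of the tools mentioned: it writes and reads the MIT keytab format (file version 0x0502, the format ktpass and klist work with), and check_keytab_for_spn() reports whether the file holds an entry whose principal matches, byte for byte, the name handed to kinit, flagging case-only differences and the KRB5_NT_SRV_HST name type that the answer moved away from. The entry built in the main block is constructed sample data with a dummy all-zero key. The script cannot reproduce the "Client not found in Kerberos database" error, which the KDC returns (error 6, KDC_ERR_C_PRINCIPAL_UNKNOWN) when no account matches the requested client name; it only confirms what name the keytab will make kinit ask for.

```python
import struct
from dataclasses import dataclass

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file version 0x0502; all integers are big-endian
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}   # values selected with ktpass /ptype
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM", exactly as kinit expects it
    name_type: int
    enctype: int
    kvno: int
    key: bytes

def _counted(b: bytes) -> bytes:
    # counted_octet_string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n

def build_keytab(entries) -> bytes:
    """Serialise entries into keytab bytes (used here to construct sample input)."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, 0, e.kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key     # keyblock
        body += struct.pack(">I", e.kvno)                            # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Parse every live entry of a version 0x0502 keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:         # the 32-bit vno, if present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, enctype, kvno, key))
        pos = end
    return entries

def describe(data: bytes):
    """One line per entry, in the spirit of klist -k -e."""
    return [f"{e.kvno:3d} {e.principal} ({ENCTYPES.get(e.enctype, e.enctype)}, "
            f"{NAME_TYPES.get(e.name_type, e.name_type)})" for e in parse_keytab(data)]

def check_keytab_for_spn(data: bytes, spn: str):
    """Diagnostics for running kinit with `spn` against this keytab; [] means it looks usable."""
    entries = parse_keytab(data)
    exact = [e for e in entries if e.principal == spn]
    if not exact:
        problems = [f"no entry for {spn}; kinit has no key to try before it even reaches the KDC"]
        problems += [f"entry {e.principal} differs only in case; Kerberos names are case-sensitive"
                     for e in entries if e.principal.lower() == spn.lower()]
        return problems
    return ["entry uses KRB5_NT_SRV_HST; the answer above used KRB5_NT_PRINCIPAL for a user-account SPN"
            for e in exact if e.name_type == 3]

if __name__ == "__main__":
    # Constructed sample: one entry with a dummy all-zero key, mirroring the answer's ktpass call
    sample = build_keytab([KeytabEntry("TEST/host@DOMAIN", 1, 18, 3, bytes(32))])
    print("\n".join(describe(sample)))
    print(check_keytab_for_spn(sample, "TEST/host@DOMAIN"))   # []
    print(check_keytab_for_spn(sample, "TEST/host@domain"))   # reports the case mismatch
```

To inspect a real file, replace the constructed sample with `open(path, "rb").read()`; the key bytes are printed nowhere, only the principal, kvno, enctype and name type, which is what you need to compare against the account's SPN and the name passed to kinit.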