
I joined a server to an MS Active Directory using realmd/sssd. I installed Apache with mod_auth_kerb and created a keytab on a Windows server. But I need to add more SPNs to the keytab.

I have tried using kadmin, but I get an error:

root@server /etc/httpd# kadmin -p admin@domain -q "ktadd -k /etc/httpd/krb5.keytab HTTP/service1.domain"
Authenticating as principal admin@domain with password.
Password for admin@domain:
Password for admin@domain:
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

I have been searching online, but as usual I am having a real hard time finding anything helpful relating to Kerberos.

Authentication appears to be working, though I am missing principals:

[Wed Dec 30 12:06:49.076912 2015] [auth_kerb:error] [pid 5246] [client 10.30.10.5:10988]
    gss_acquire_cred() failed: Unspecified GSS failure.
    Minor code may provide more information (, No key table entry found matching HTTP/service1.domain@)
Morten Nilsen
  • I think you need to do this on the Windows side, as in the question you linked. – Michael Hampton Dec 30 '15 at 15:33
  • As I wrote, I did use ktpass to create the keytab - but there is no way to add multiple SPNs using ktpass on Windows. – Morten Nilsen Jan 03 '16 at 13:46
  • I have kind of grown to dislike Kerberos. Whenever it does not work, it seems like nobody knows the answers and starting over is often the quickest solution. As for this question, I am starting to think the only answer is to create a keytab file for each separate DSN, which is going to be a massive pain in my backside. – Morten Nilsen Jan 03 '16 at 22:25

2 Answers


Not possible it seems, ended up creating a separate keytab for each site.

Morten Nilsen

After creating various keytabs with ktpass.exe you can combine them with ktutil(1).

84104
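The ktutil merge suggested in the answer above, as an added example that is not part of the original post. It assumes MIT Kerberos `ktutil` and `klist`, keytab paths without whitespace, and hypothetical file names; the function names are illustrative.

```shell
# Added example: merge per-SPN keytabs (e.g. one ktpass.exe export per SPN)
# into a single keytab with MIT Kerberos ktutil. Paths are hypothetical.

# Emit the ktutil command script: read every input keytab, write one output.
build_ktutil_script() (
    out=$1; shift
    for kt in "$@"; do
        printf 'read_kt %s\n' "$kt"
    done
    printf 'write_kt %s\nquit\n' "$out"
)

# merge_keytabs OUT IN1 [IN2 ...]
merge_keytabs() (
    [ "$#" -ge 2 ] || { echo "usage: merge_keytabs OUT IN..." >&2; exit 2; }
    out=$1; shift
    for kt in "$@"; do
        [ -r "$kt" ] || { echo "cannot read $kt" >&2; exit 1; }
    done
    # write_kt appends to an existing keytab, which would leave stale or
    # duplicate entries behind, so build the result in a fresh private
    # directory and move it into place only when ktutil produced a file.
    tmpdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmpdir"' EXIT
    umask 077   # the keytab holds long-term keys: create it as 0600
    build_ktutil_script "$tmpdir/merged.keytab" "$@" | ktutil >/dev/null || exit 1
    [ -s "$tmpdir/merged.keytab" ] || { echo "ktutil wrote nothing" >&2; exit 1; }
    mv -f "$tmpdir/merged.keytab" "$out"
    # List the principals so each expected HTTP/... SPN can be confirmed.
    klist -k "$out"
)

# Usage (hypothetical input files, one per SPN):
#   merge_keytabs /etc/httpd/krb5.keytab \
#       /root/keytabs/service1.keytab /root/keytabs/service2.keytab
```

After merging, the file still has to be readable by the account the web server runs as, and by no one else.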