
I'm trying to set up a client server with a web service to which users of an Active Directory should be able to log in with SSO.

I'm using SPNEGO with Kerberos on an Ubuntu 14.04 server and an nginx proxy in front of NaviServer for the web service to do that, and I get the error code: majorStatus: 851968, minorStatus: 2529639056 (Wrong principal in request)

/etc/krb5.conf

    [libdefaults]
        default_realm = TEST.LOCAL
        default_keytab_name = /etc/staging.keytab
        rdns = false
        ignore_acceptor_hostname = true
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
        permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
        allow_weak_crypto = true
        kdc_timesync = 1
        clockskew = 100
        ccache_type = 4
        forwardable = true
        proxiable = true
        ticket_lifetime = 25h
        renew_lifetime = 7d
        kdc_req_checksum_type = 4
    [realms]
        TEST.LOCAL = {
            kdc = something.test.local
            admin_server = something.test.local
            default_domain = TEST.LOCAL
        }
    [domain_realm]
        live.test.smth = TEST.LOCAL
        .live.test.smth = TEST.LOCAL
        staging.smth.else = TEST.LOCAL
        .staging.smth.else = TEST.LOCAL

In /etc/hosts there is no 127.0.0.1:

    ActiveDirIP    test.local
    myIP    staging.smth.else

I have a keytab file generated by the Active Directory admins with

    ktpass /princ HTTP/staging.smth.else@TEST.LOCAL /mapuser user-staging@test.local /pass *** /out staging.keytab /crypto DES-CBC-CRC /kvno 0 /ptype KRB5_NT_PRINCIPAL

And it works when I call kinit:

    ~$ kinit -S http/staging.smth.else@TEST.LOCAL staging@TEST.LOCAL
    ~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1002
    Default principal: staging@TEST.LOCAL

    Valid starting       Expires              Service principal
    2016-02-12 13:31:44  2016-02-12 23:31:44  http/staging.smth.else@TEST.LOCAL
        renew until 2016-02-13 13:31:41

    ~$ kinit http/staging.smth.else@TEST.LOCAL
    ~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1002
    Default principal: http/staging.smth.else@TEST.LOCAL

    Valid starting       Expires              Service principal
    2016-02-12 13:30:58  2016-02-12 23:30:58  krbtgt/TEST.LOCAL@TEST.LOCAL
        renew until 2016-02-13 13:30:49

    ~$ kinit staging@TEST.LOCAL
    ~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1002
    Default principal: staging@TEST.LOCAL

    Valid starting       Expires              Service principal
    2016-02-12 13:32:13  2016-02-12 23:32:13  krbtgt/TEST.LOCAL@TEST.LOCAL
        renew until 2016-02-13 13:32:09

kvno is 3, but the admin told me that kvno in Windows is irrelevant.

    kvno staging@TEST.LOCAL
    staging@TEST.LOCAL kvno = 3

In the NaviServer config the following is defined:

    ns_section ns/server/${server}/module/knspnego
    ns_param Krb5KeyTabFile "/etc/staging.keytab"
    ns_param Krb5ServiceName "HTTP@staging.smth.else"
    ns_param AuthType "SPNEGO"

hostname

    hostname -f
    staging.smth.else

Do you have any ideas where the problem is?

Sky

2 Answers


I found the solution. The keytab file had the wrong /crypto for our setting. It's working with /crypto ALL.

Sky
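The question's keytab was written with `/crypto DES-CBC-CRC` and the fix was `/crypto ALL`. This added Python example (not from the thread, NaviServer or MIT Kerberos) parses an MIT keytab file and lists which entries an acceptor could actually use against the enctypes a current Windows client offers, which is how to confirm such a mismatch before changing krb5.conf; the two keytabs, their zero keys and the CLIENT_ENCTYPES list are constructed assumptions, not data from the thread.

```python
import struct

# Enctype numbers (RFC 3961/3962/4757) for the types this thread mentions.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}
# What a current Windows client offers (single DES is off by default since Win7/2008 R2).
CLIENT_ENCTYPES = ["aes256-cts", "aes128-cts", "arcfour-hmac"]

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into principal/kvno/enctype dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                         # a negative size marks a deleted slot
            ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
            pos, fields = pos + 2, []        # realm first, then name components
            for _ in range(ncomp + 1):
                n = struct.unpack(">H", data[pos:pos + 2])[0]
                fields.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _ntype, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
            pos += 13 + klen                 # skip the key material itself
            # an optional trailing 32-bit kvno overrides the 8-bit one when non-zero
            vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
            entries.append({"principal": "/".join(fields[1:]) + "@" + fields[0],
                            "kvno": vno32 or vno8, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def usable_keys(entries, service_principal, offered=CLIENT_ENCTYPES):
    """Entries the acceptor can decrypt a ticket with: exact principal and an offered enctype."""
    return [e for e in entries
            if e["principal"] == service_principal and e["enctype"] in offered]

def build_entry(realm, comps, vno, enctype, key):
    """Serialize one keytab entry; only used to construct the sample data below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", vno)

# Constructed keytabs with dummy zero keys: the question's DES-CBC-CRC-only one, and
# one that also carries the RC4 and AES keys that ktpass /crypto ALL writes.
SPN = ["HTTP", "staging.smth.else"]
DES_ONLY = b"\x05\x02" + build_entry("TEST.LOCAL", SPN, 3, 1, bytes(8))
CRYPTO_ALL = DES_ONLY + build_entry("TEST.LOCAL", SPN, 3, 23, bytes(16)) \
    + build_entry("TEST.LOCAL", SPN, 3, 18, bytes(32))
```

Running `usable_keys(parse_keytab(DES_ONLY), "HTTP/staging.smth.else@TEST.LOCAL")` yields no entry, while the `/crypto ALL` keytab yields the RC4 and AES ones; on a real server the same information comes from `klist -kte /etc/staging.keytab`.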

I had a similar problem. I replaced the encryption type rc4-hmac with these:

    arcfour-hmac
    aes128-cts
    aes256-cts
    des-cbc-crc
    des-cbc-md5

Then I restarted my services, and that fixed it.