Client not found in kerberos database while getting initial credentials


This command:

c:/> ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

I believe sets HTTP/[email protected] to be a service principal associated with the [email protected] user in AD. Active Directory does not typically allow you to authenticate as a service principal (specifically, does not let it acquire a TGT via an AS_REQ); in theory, service principals are supposed to be for accepting user credentials, not for authenticating to your kerberos realm.

This is different from Unix KDCs, which typically do not distinguish between "service principals" and "user principals" by default, allowing either to authenticate via kinit. In Active Directory, the KDC instead pretends that the principal doesn't exist when you try to kinit as it, which tends to be rather confusing.

If you can successfully authenticate as any other user, I would try testing if the service principal is functional by instead running:

$ kinit some_other_user
$ kvno HTTP/[email protected]

This just acquires a service ticket for HTTP/[email protected]. Or, you may be able to authenticate as [email protected] instead of the service principal you set up.

If you need to be able to kinit as HTTP/[email protected] directly, I think that is possible, but you need to change the userPrincipalName attribute on the relevant AD account. I can't remember at the moment how to achieve that, but if I recall correctly, you can only have one such UPN; you can't have multiple different principal names you can kinit as for the same account.
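As an added example (not part of the original answer), the following POSIX sh script runs the checks the answer describes on the proxy side, in order: confirm the SPN is actually present in the keytab, attempt the TGT that an AD KDC is expected to refuse, then kinit as an ordinary user and request a service ticket with kvno. Its error classifier maps the messages quoted on this page ("Client ... not found", "Server ... not found", "Cannot determine realm for host") to the misconfiguration usually behind each. The keytab path, SPN and user principal are placeholders (assumptions), since the page does not show the real host or account names; the message wording assumed is MIT krb5's.

```shell
#!/bin/sh
# Added example for the answer above; it is not code from the original post.
# KEYTAB, SPN and USER_PRINC are placeholders (assumptions), because the page
# does not show the real host or account names. Override them in the environment.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
SPN="${SPN:-HTTP/vmproxy.mydomain.com@MYDOMAIN.COM}"
USER_PRINC="${USER_PRINC:-someuser@MYDOMAIN.COM}"

# Classify the text kinit/kvno print into the misconfiguration it usually
# indicates when the KDC is Active Directory. The text is lower-cased first
# because pasted messages often differ in case ("kerberos" vs "Kerberos").
diagnose_krb_error() {
    msg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$msg" in
        *"client"*"not found in kerberos database"*)          echo "spn-as-client" ;;
        *"server"*"not found in kerberos database"*)          echo "spn-missing" ;;
        *"cannot determine realm for host"*)                  echo "realm-mapping" ;;
        *"preauthentication failed"*|*"password incorrect"*)  echo "key-mismatch" ;;
        *"clock skew too great"*)                             echo "clock-skew" ;;
        *)                                                    echo "unknown" ;;
    esac
}

# Human-readable meaning of each classification.
explain() {
    case "$1" in
        spn-as-client) echo "AD does not issue a TGT to a name that exists only as an SPN; kinit as the mapped account (sAMAccountName/UPN) or set that account's userPrincipalName to the SPN" ;;
        spn-missing)   echo "no AD account carries this SPN; on the DC check setspn -L <account> and the ktpass -princ value" ;;
        realm-mapping) echo "krb5.conf has no default_realm or [domain_realm] rule mapping this host to a realm" ;;
        key-mismatch)  echo "keytab key/kvno does not match the account's current password; regenerate the keytab with ktpass" ;;
        clock-skew)    echo "proxy and DC clocks differ by more than the permitted skew; resync NTP against the DC" ;;
        *)             echo "unrecognised error; read the full kinit -V output" ;;
    esac
}

# Return 0 if the keytab lists the given principal (klist -k -t prints one line per key).
keytab_has_principal() {
    klist -k -t "$1" 2>/dev/null | grep -Fq "$2"
}

# Live check: needs krb5-user installed and a reachable KDC, so it only runs
# when the script is invoked with --live.
check_spn_live() {
    if ! keytab_has_principal "$KEYTAB" "$SPN"; then
        echo "$SPN is not in $KEYTAB (see: klist -k -t $KEYTAB)"
        return 1
    fi
    # Step 1: a TGT for the SPN itself is expected to FAIL against AD.
    if err=$(kinit -k -t "$KEYTAB" "$SPN" 2>&1 >/dev/null); then
        echo "note: the KDC issued a TGT to $SPN (the account's UPN is probably set to the SPN)"
    else
        echo "kinit $SPN: $(explain "$(diagnose_krb_error "$err")")"
    fi
    # Step 2: the real test is a service ticket for the SPN after kinit as a user.
    kinit "$USER_PRINC" || return 1
    if err=$(kvno "$SPN" 2>&1); then
        echo "OK: service ticket for $SPN issued ($err)"
    else
        echo "kvno $SPN: $(explain "$(diagnose_krb_error "$err")")"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_spn_live
fi
```

Run it with `--live` on the proxy after installing krb5-user; without the flag it only defines the functions, so `diagnose_krb_error` can be fed pasted error text from an interactive shell.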



Author: Vinod Patidar

Updated on September 18, 2022

Comments

  • Vinod Patidar (over 1 year ago)

    I am installing Squid3 on Ubuntu 14.10 and I want to integrate it with ADDS on Windows Server 2012 using Kerberos 5. My infrastructure is as follows:

    Default Gateway:

    192.168.1.1

    DNS & Domain Controller(Windows Server 2012 ):

    dc.mydomain.com

     address   192.168.1.250
     netmask 255.255.255.0
     gateway 192.168.1.1
    

    Proxy(Ubuntu Desktop 14.10) vmproxy

    address 192.168.1.251
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-search mydomain.com
    dns-nameservers 192.168.1.2
    

    Steps are as follows

    Step 1: Check DNS lookup: it is working fine, both forward and reverse lookup.

    Step 2: Configure the correct time zone on your proxy server:

      $ sudo service ntp stop
      $ sudo ntpdate -b dc.mydomain.com
      $ sudo service ntp start
    

    Step 3: Install the Kerberos client libraries and set the Kerberos realm name to MYDOMAIN.COM

    $ sudo apt-get install krb5-user
    

    Step 4:Edit Kerberos configuration file /etc/krb5.conf.

    [libdefaults]
    default_realm = MYDOMAIN.COM    
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1    
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1
    

    Check that the Kerberos configuration is correct by:

    $ kinit [email protected]
    $ klist
    

    Step 5: Create a specialized user in Active Directory and map this user onto a Kerberos principal name

    c:/> ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
    

    Step 6: Copy the keytab file to /etc/krb5.keytab on vmproxy


    My /etc/krb5.conf is as follows:

    [libdefaults]
    default_realm = MYDOMAIN.COM
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1

    [realms]
    MYDOMAIN.COM = {
        kdc = dc.mydomain.com
        admin_server = dc.mydomain.com
        default_domain = mydomain.com
    }

    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
    

    Now when I test the TGT from dc.mydomain.com as:

    $ kinit -V -k -t /etc/krb5.keytab HTTP/[email protected]
    

    it says:

    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/[email protected]
    Using Keytab: /etc/krb5.keytab
    kinit:Client 'HTTP/[email protected]' not found in kerberos database while getting initial credentials
    

    While using

    $ kinit -k
    

    it says

    kinit:Cannot determine realm for host (principal host/vmproxy@)
    
  • Vinod Patidar (about 9 years ago)
    Sorry for being late. When I run kvno HTTP/[email protected] it says: server not found in kerberos database while getting initial credential for HTTP/[email protected]