Client not found in kerberos database while getting initial
This command:
c:/> ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
I believe this sets HTTP/[email protected] to be a service principal associated with the [email protected] user in AD. Active Directory does not typically allow you to authenticate as a service principal (specifically, it does not let it acquire a TGT via an AS_REQ); in theory, service principals are supposed to be for accepting user credentials, not for authenticating to your Kerberos realm.
This is different from Unix KDCs, which typically do not distinguish between "service principals" and "user principals" by default, allowing either to authenticate via kinit. In Active Directory, the KDC instead pretends that the principal doesn't exist when you try to kinit as it, which tends to be rather confusing.
If you can successfully authenticate as any other user, I would try testing if the service principal is functional by instead running:
$ kinit some_other_user
$ kvno HTTP/[email protected]
This just acquires a service ticket for HTTP/[email protected]. Or, you may be able to authenticate as [email protected] instead of the service principal you set up.
If you need to be able to kinit as HTTP/[email protected] directly, I think that is possible, but you need to change the userPrincipalName attribute on the relevant AD account. I can't remember at the moment how to achieve that, but if I recall correctly, you can only have one such UPN; you can't have multiple different principal names you can kinit as for the same account.
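Before trying kinit -k against a keytab that ktpass -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL produced, it is worth confirming what the file actually records: the principal name and realm, the name type, the enctype and the key version number. This is an added example, not code from the answer or the question: a small parser for the MIT keytab format, run against a constructed entry for a placeholder SPN HTTP/vmproxy.mydomain.com@MYDOMAIN.COM with a zero key; parse_keytab can be pointed at the bytes of a real /etc/krb5.keytab to see the same fields that klist -kte prints.

```python
import struct  # MIT keytab format v0x0502: big-endian fields, counted octet strings

ENCTYPES = {23: "rc4-hmac", 18: "aes256-cts-hmac-sha1-96", 16: "des3-cbc-sha1"}  # partial
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _read_counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)  # uint16 length prefix, then octets
    return bytes(data[off + 2:off + 2 + n]), off + 2 + n

def build_entry(principal, etype, kvno, key, timestamp=0, name_type=1):
    """Serialize one keytab entry from constructed values (key is not a real key)."""
    service, realm = principal.split("@")
    comps = service.split("/")
    body = struct.pack(">H", len(comps))
    for part in [realm.encode()] + [c.encode() for c in comps]:
        body += struct.pack(">H", len(part)) + part
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, etype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)  # 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry: principal, name_type, enctype, kvno, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot; skip over it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        name_type, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        key, off = _read_counted(data, off + 11)
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "enctype": ENCTYPES.get(etype, "etype %d" % etype), "key_len": len(key)})
        off = end
    return entries

# Constructed sample (zero bytes stand in for the RC4/NT-hash key), one rc4-hmac entry:
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "HTTP/vmproxy.mydomain.com@MYDOMAIN.COM", 23, 3, bytes(16), timestamp=1420070400)
```

Comparing the kvno field with the version reported by kvno for a freshly acquired service ticket is a quick way to catch a keytab that AD has since superseded by a password reset or a repeated ktpass run.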
Vinod Patidar
Updated on September 18, 2022

Comments

Vinod Patidar, over 1 year ago:
I am installing Squid3 on Ubuntu 14.10 and I want to integrate it with ADDS on Windows Server 2012 using Kerberos 5. My infrastructure is as follows:
Default Gateway: 192.168.1.1

DNS & Domain Controller (Windows Server 2012): dc.mydomain.com
    address 192.168.1.250 netmask 255.255.255.0 gateway 192.168.1.1

Proxy (Ubuntu Desktop 14.10): vmproxy
    address 192.168.1.251 netmask 255.255.255.0 gateway 192.168.1.1 dns-search mydomain.com dns-nameservers 192.168.1.2
The steps are as follows:

Step 1: Check DNS lookup: it's working fine, both forward and reverse lookup.

Step 2: Configure the correct time zone on your proxy server:

$ sudo service ntp stop
$ sudo ntpdate -b dc.mydomain.com
$ sudo service ntp start

Step 3: Install the Kerberos client libraries and set the Kerberos realm name to MYDOMAIN.COM:

$ sudo apt-get install krb5-user

Step 4: Edit the Kerberos configuration file /etc/krb5.conf:

[libdefaults]
    default_realm = MYDOMAIN.COM
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1

Check that the Kerberos configuration is correct by running:

$ kinit [email protected]
$ klist
Step 5: Create a specialized user in Active Directory and map this user onto a Kerberos principal name:
c:/> ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Step 6: Copy the keytab file to /etc/krb5.keytab on vmproxy.

My /etc/krb5.conf is as follows:

[libdefaults]
    default_realm = MYDOMAIN.COM
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1

[realms]
    MYDOMAIN.COM = {
        kdc = dc.mydomain.com
        admin_server = dc.mydomain.com
        default_domain = mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

Now when I test getting a TGT from dc.mydomain.com with:
$ kinit -V -k -t /etc/krb5.keytab HTTP/[email protected]
it says:
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/[email protected]
Using Keytab: /etc/krb5.keytab
kinit: Client 'HTTP/[email protected]' not found in Kerberos database while getting initial credentials
While using
$ kinit -k
it says:

kinit: Cannot determine realm for host (principal host/vmproxy@)
Vinod Patidar, about 9 years ago:

Sorry for being late. When I run kvno HTTP/[email protected] it says "server not found in kerberos database while getting initial credential for HTTP/[email protected]".