[squid-users] Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 6 Jan 2012 13:57:15 -0000

>"James Robertson" <j_at_mesrobertson.com> wrote in message
>news:0bd901cccc28$e3187210$a9495630$@mesrobertson.com...
>
>> This doesn't matter what does the next lines say ?
>>
>> -- try_machine_keytab_princ: Trying to authenticate for HTTP
>> /3msydproxy01.example.local from local keytab...
>>
>> This should be successful.
>>
>> The kinit test before the update and a wireshark capture would help
>> identify
>> the issue (i.e. a msktutil error).
>>
>
>From what I can tell the packet capture seems to indicate that msktutil is
>trying to use host/3msydproxy01-http.example.local, when it should be
>host/3msydproxy01.example.local. I could be wrong about this and would
>appreciate if someone could review the capture output. What is the
>preferred way to post the output of the wireshark capture on the mailing
>list?
>

You can send it directly to me as .cap file. Can you also include traffic on
port 53 (DNS) and 389 (LDAP) ?

>So here is the process from start to finish for the computer name
>3MSYDPROXY01-HTTP
>
>###
>### kdestroy and remove account from AD. Then kinit with administrator
>account
>###
>
>###
>### Run msktutil
>###
>
># msktutil -c -b "ou=MEMBER SERVERS,ou=EXAMPLE" -s
>HTTP/3msydproxy01.example.local -k /etc/squid3/PROXY.keytab \
> --computer-name 3MSYDPROXY01-HTTP --upn
> HTTP/3msydproxy01.example.local --server
> dc1.example.local --verbose --enctypes 28
> -- init_password: Wiping the computer password structure
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-dYTpBb
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: 3MSYDPROXY01-HTTP$
> -- try_machine_keytab_princ: Trying to authenticate for 3MSYDPROXY01-HTTP$
> from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for
> host/3msydproxy01.example.local from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for 3MSYDPROXY01-HTTP$
> with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
> not found in Kerberos database)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- finalize_exec: Authenticated using method 4
>
> -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
> -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
>SASL/GSSAPI authentication started
>SASL username: XXXXXXX_at_EXAMPLE.LOCAL
>SASL SSF: 56
>SASL data security layer installed.
> -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
>
> -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
> -- init_password: Wiping the computer password structure
> -- generate_new_password: Generating a new, random password for the
> computer account
> -- generate_new_password: Characters read from /dev/udandom = 90
> -- ldap_check_account: Checking that a computer account for
> 3MSYDPROXY01-HTTP$ exists
> -- ldap_check_account: Computer account not found, create the account
>
>No computer account for 3MSYDPROXY01-HTTP found, creating a new one.
>dn: cn=3MSYDPROXY01-HTTP,ou=MEMBER SERVERS,ou=EXAMPLE,dc=EXAMPLE,dc=LOCAL
> -- ldap_check_account_strings: Inspecting (and updating) computer account
> attributes
> -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to
> 3msydproxy01.example.local
> -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
> userPrincipalName to HTTP/3msydproxy01.example.local_at_EXAMPLE.LOCAL
> -- ldap_set_supportedEncryptionTypes: DEE
> dn=cn=3MSYDPROXY01-HTTP,ou=MEMBER SERVERS,ou=EXAMPLE,dc=EXAMPLE,dc=LOCAL
> old=7 new=28
>
> -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
> msDs-supportedEncryptionTypes to 28
> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
> 0x200000 to 0x0
> -- ldap_set_userAccountControl_flag: userAccountControl not changed
> 0x1000
>
> -- set_password: Attempting to reset computer's password
> -- set_password: Try change password using user's ticket cache
>
> -- ldap_get_pwdLastSet: pwdLastSet is 0
> -- set_password: Successfully set password, waiting for it to be reflected
> in LDAP.
> -- ldap_get_pwdLastSet: pwdLastSet is 129702931724574634
> -- set_password: Successfully reset computer's password
> -- ldap_add_principal: Checking that adding principal
> host/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a
> conflict
> -- ldap_add_principal: Adding principal host/3msydproxy01.example.local to
> LDAP entry
> -- ldap_add_principal: Checking that adding principal
> HTTP/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a
> conflict
> -- ldap_add_principal: Adding principal HTTP/3msydproxy01.example.local to
> LDAP entry
> -- execute: Updating all entries for 3msydproxy01.example.local in the
> keytab WRFILE:/etc/squid3/PROXY.keytab
>
> -- update_keytab: Updating all entires for 3MSYDPROXY01-HTTP$
> -- ldap_get_kvno: KVNO is 2
> -- add_principal_keytab: Adding principal to keytab: 3MSYDPROXY01-HTTP$
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab:
> host/3msydproxy01.example.local
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab:
> HTTP/3msydproxy01.example.local
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of
> EXAMPLE.LOCALhost3msydproxy01-http.example.local
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- ~msktutil_exec: Destroying msktutil_exec
> -- ldap_cleanup: Disconnecting from LDAP server
> -- init_password: Wiping the computer password structure
> -- ~KRB5Context: Destroying Kerberos Context
>
>###
>### run kinit successfully.
>###
>
># kinit -kt /etc/squid3/PROXY.keytab HTTP/3msydproxy01.example.local
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: HTTP/3msydproxy01.example.local_at_EXAMPLE.LOCAL
>
>Valid starting Expires Service principal
>01/06/12 14:41:23 01/07/12 00:41:23 krbtgt/EXAMPLE.LOCAL_at_EXAMPLE.LOCAL
> renew until 01/07/12 14:41:23
>

This looks good so far.

>###
>### Reset computer account in AD
>###
>
>###
>### Run msktutil update. This is different after having run the kinit
>command but fails with (5) Access denied at the end
>###
>
># msktutil --auto-update --verbose --computer-name
>3msydproxy01-http --server dc1.example.local -s
>HTTP/3msydproxy01.example.local
> -- init_password: Wiping the computer password structure
> -- get_default_keytab: Obtaining the default keytab name:
> /etc/squid3/PROXY.keytab
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-QGX1t2
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: 3msydproxy01-http$
> -- try_machine_keytab_princ: Trying to authenticate for 3msydproxy01-http$
> from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key
> table entry not found)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for
> host/3msydproxy01.example.local from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)

This is surprising as during the creation the log said:
  -- ldap_add_principal: Adding principal host/3msydproxy01.example.local to
LDAP entry
  -- ldap_add_principal: Checking that adding principal
HTTP/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a conflict
  -- ldap_add_principal: Adding principal HTTP/3msydproxy01.example.local to
LDAP entry

Can you look at the AD entry with adsiedit.msc ? Does the service principal
attribute have two entries - one for host and one for HTTP ?

> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for 3msydproxy01-http$
> with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
> (Preauthentication failed)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- finalize_exec: Authenticated using method 4
>
> -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
> -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
>SASL/GSSAPI authentication started
>SASL username: HTTP/3msydproxy01.example.local_at_EXAMPLE.LOCAL
>SASL SSF: 56
>SASL data security layer installed.
> -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
>
> -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
> -- get_default_ou: Determining default OU:
> CN=Computers,DC=example,DC=local
> -- init_password: Wiping the computer password structure
> -- generate_new_password: Generating a new, random password for the
> computer account
> -- generate_new_password: Characters read from /dev/udandom = 88
> -- ldap_check_account: Checking that a computer account for
> 3msydproxy01-http$ exists
> -- ldap_check_account: Checking computer account - found
> -- ldap_check_account: Found userAccountControl = 0x1000
>
> -- ldap_check_account: Found supportedEncryptionTypes = 28
>
> -- ldap_check_account: Found dNSHostName = 3msydproxy01.example.local
>
> -- ldap_check_account: Found Principal: HTTP/3msydproxy01.example.local
> -- ldap_check_account: Found Principal: host/3msydproxy01.example.local
> -- ldap_check_account: Found User Principal:
> HTTP/3msydproxy01.example.local
> -- ldap_check_account_strings: Inspecting (and updating) computer account
> attributes
> -- ldap_set_supportedEncryptionTypes: No need to change
> msDs-supportedEncryptionTypes they are 28
>
> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
> 0x200000 to 0x0
> -- ldap_set_userAccountControl_flag: userAccountControl not changed
> 0x1000
>
> -- set_password: Attempting to reset computer's password
> -- set_password: Try change password using user's ticket cache
>
> -- ldap_get_pwdLastSet: pwdLastSet is 129702932842880732
>Error: Unable to set machine password for 3msydproxy01-http$: (5) Access
>denied
>Error: set_password failed

This is surprising as a "user" should be allowed to change its own password.
Do you have an AD password policy which does not allow immediate password
changes ?

> -- ~msktutil_exec: Destroying msktutil_exec
> -- ldap_cleanup: Disconnecting from LDAP server
> -- init_password: Wiping the computer password structure
> -- ~KRB5Context: Destroying Kerberos Context
>
>
>###
>### If I run kdestroy and kill the HTTP/3msydproxy01.example.local ticket)
>the following is logged from msktutil
>###
>
># msktutil --auto-update --verbose --computer-name
>3msydproxy01-http --server dc1.example.local -s
>HTTP/3msydproxy01.example.local
> -- init_password: Wiping the computer password structure
> -- get_default_keytab: Obtaining the default keytab name:
> /etc/squid3/PROXY.keytab
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-Twfgw2
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: 3msydproxy01-http$
> -- try_machine_keytab_princ: Trying to authenticate for 3msydproxy01-http$
> from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key
> table entry not found)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for
> host/3msydproxy01.example.local from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)

See above I would expect this to work or to use HTTP/<fqdn> not host/<fqdn>.

> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for 3msydproxy01-http$
> with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
> (Preauthentication failed)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials
> cache found)
> -- try_user_creds: User ticket cache was not valid.
>Error: could not find any credentials to authenticate with. Neither keytab,
> default machine password, nor calling user's tickets worked. Try
> "kinit"ing yourself some tickets with permission to create computer
> objects, or pre-creating the computer object in AD and selecting
> 'reset account'.
> -- ~KRB5Context: Destroying Kerberos Context
>
>

Let me try to reproduce with the latest release from
http://fuhm.net/software/msktutil/releases/

Regards
Markus
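As an added example (not part of this thread and not msktutil's own code), here is the kind of cross-check Markus's adsiedit question amounts to: parse MIT `klist -k` style keytab output and compare it with the servicePrincipalName list and key version number read from the computer object. The klist text and AD values below are constructed from the thread's names; in practice they would come from `klist -kt /etc/squid3/PROXY.keytab` and an LDAP query against the object.

```python
import re
from collections import defaultdict

# Constructed sample in the format MIT `klist -kt` prints (one line per key).
KLIST_OUTPUT = """Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/06/12 14:40:01 3MSYDPROXY01-HTTP$@EXAMPLE.LOCAL
   2 01/06/12 14:40:01 host/3msydproxy01.example.local@EXAMPLE.LOCAL
   2 01/06/12 14:40:01 HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL
"""

# Constructed AD-side values, as one would read them with adsiedit/ldapsearch:
# only the HTTP SPN is present and the account's kvno has moved on to 3.
AD_SPNS = ["HTTP/3msydproxy01.example.local"]
AD_KVNO = 3

# The two principals msktutil reported adding to the LDAP entry in the thread.
EXPECTED_SPNS = ["host/3msydproxy01.example.local",
                 "HTTP/3msydproxy01.example.local"]


def parse_klist(text):
    """Return {principal (realm stripped): set of kvnos} from klist -kt output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+)@\S+$", line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def check_keytab_against_ad(klist_text, ad_spns, ad_kvno, expected_spns):
    """List the mismatches that would explain a 'Client not found' or
    'Preauthentication failed' from krb5_get_init_creds_keytab."""
    keytab = parse_klist(klist_text)
    problems = []
    for spn in expected_spns:
        if spn not in keytab:
            problems.append(f"keytab lacks {spn}")
        if spn not in ad_spns:
            problems.append(f"AD servicePrincipalName lacks {spn}")
    for princ, kvnos in keytab.items():
        if ad_kvno not in kvnos:
            problems.append(f"{princ}: keytab kvno {sorted(kvnos)} != AD kvno {ad_kvno}")
    return problems


if __name__ == "__main__":
    for p in check_keytab_against_ad(KLIST_OUTPUT, AD_SPNS, AD_KVNO, EXPECTED_SPNS):
        print(p)
```

An empty result means the keytab and the AD object agree on both SPNs and the key version; anything else is the place to look before repeating msktutil.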
Received on Fri Jan 06 2012 - 13:58:00 MST