Friday, March 21, 2014

give me the keys!

create me a keytab for an http service.  okay.

first: your time is working right?  kerberos only tolerates a few minutes of clock skew (5 by default) between the box you run this on, the DC and the host the service runs on, and a skewed clock fails in ways that look like a broken keytab.  right.  okay.

* create a plain user account for the service:  servicename@my.domain.which.has.the.same.name.as.my.REALM  (CN ServiceName, logon name servicetest; both names show up in the output below.)
* went into servicename account properties and enabled Kerberos delegation.  only do this if the web app has to hop to a back-end service as the user, and if it does, pick constrained delegation to that one SPN: with unconstrained delegation every authenticating user's TGT lands on the web server and can be reused from there.

* run the following.  note there is no /ptype and no /crypto on this first try; that is what the warning below is about:
ktpass -princ HTTP/the-machine@REALM 
 -out c:\the.magic.happen\the-machine.keytab-out -mapuser servicetest 
 -MapOp set -pass sillypass

output:
Targeting domain controller: dc.my.domain.which.has.the.same.name.as.my.REALM
Using legacy password setting method

Successfully mapped HTTP/the-machine to servicename.
WARNING: pType and account type do not match. This might cause problems.
Key created.

Output keytab to c:\the.magic.happen\the-machine.keytab-out:
Keytab version: 0x502
keysize 69 HTTP/the-machine@REALM ptype 0 (KRB5_NT_UNKNOWN) 
 vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0x21837fd1736393d862a71c177e16fbb3)
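That last column deserves a closer look. For etype 0x17 (RC4-HMAC) the Kerberos key is defined in RFC 4757 as MD4 over the UTF-16LE password with no salt, which is exactly the account's NT hash, so the 16 bytes ktpass just printed are the NT hash of the service account's password. The script below is an added example, not code from the original post: it implements MD4 (hashlib does not expose it on OpenSSL 3 builds) and derives the etype 23 keytab key from a constructed password, "password", which is not the post's password and does not reproduce the hash shown above.

```python
"""RC4-HMAC (etype 23) keytab key derivation.

Added example, not code from the original post. RFC 4757 defines the
RC4-HMAC key as MD4(UTF-16LE(password)) with no salt, which is exactly
the NT hash. MD4 is written out here because hashlib does not expose
it on OpenSSL 3 builds. The password used below is constructed.
"""
import struct

_M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest, returned as 16 raw bytes."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, shift schedule, word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = _rotl((a + func(b, c, d) + x[k] + const) & _M32, shifts[i % 4])
                a, b, c, d = d, t, b, c      # rotate through ABCD/DABC/CDAB/BCDA
        a0, b0 = (a0 + a) & _M32, (b0 + b) & _M32
        c0, d0 = (c0 + c) & _M32, (d0 + d) & _M32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password, no salt, no realm."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_keytab_key(password: str) -> str:
    """Hex of the etype 23 key as ktpass would print it after 'keylength 16'."""
    return nt_hash(password).hex()


if __name__ == "__main__":
    # Constructed password; this is not the post's account password.
    print("etype 0x17 key for 'password':", rc4_hmac_keytab_key("password"))
```

Because there is no salt, the RC4 key is the same for this account in every realm and for every principal mapped to it; the AES entries ktpass writes later are PBKDF2 derived with a salt, which is why they differ per account name. Either way, whoever reads the keytab holds the service account's credentials.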

* test spn (the mapping should now be listed on the account):
setspn -L servicetest

output:
Registered ServicePrincipalNames for 
 CN=ServiceName,OU=Service Accounts,DC=REALM:    HTTP/the-machine

well then. that pType warning was no fun. it's there because the first run had no /ptype, so ktpass wrote the principal as KRB5_NT_UNKNOWN (ptype 0) while the thing it mapped it to is a user account; /ptype KRB5_NT_PRINCIPAL fixes it. while at it, ask for /crypto all (if the service only needs AES, /crypto AES256-SHA1 keeps the DES and RC4 keys out of the file) and give /mapuser the REALM\ prefix. let's do it again.
ktpass -princ HTTP/the-machine@REALM /out c:\the.magic.happen\the-machine.keytab-out /crypto all /ptype KRB5_NT_PRINCIPAL /mapuser REALM\servicetest /MapOp set /pass sillypass
Targeting domain controller: dc.my.domain.which.has.the.same.name.as.my.REALM
Using legacy password setting method
Successfully mapped HTTP/the-machine to servicetest.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\the.magic.happen\the-machine.keytab-out:
Keytab version: 0x502
keysize 74 HTTP/the-machine@REALM ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x1 (DES-CBC-CRC) keylength 8 (0x15e95efb798af485)
keysize 74 HTTP/the-machine@REALM ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x3 (DES-CBC-MD5) keylength 8 (0x15e95efb798af485)
keysize 82 HTTP/the-machine@REALM ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x17 (RC4-HMAC) keylength 16 (0x21837fd1736393d862a71c177e16fbb3)
keysize 98 HTTP/the-machine@REALM ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x12 (AES256-SHA1) keylength 32 (0xba3ab609c8e50b75ba09b28ef60794bd589100bc16b796ca1e3f5d4fde4ccea6)
keysize 82 HTTP/the-machine@REALM ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x11 (AES128-SHA1) keylength 16 (0xcecabf70e2c94eb5712c1c07b8d6ef58)
and you can always add -kvno 0 to the end of the ktpass command (notice vno 12: that's because i created a keytab prior. every ktpass run that sets /pass resets the account password, which is what the "legacy password setting method" line is about, and bumps the key version number on the account. the kvno in the keytab has to match the one the KDC puts into service tickets, which you can read off the account's msDS-KeyVersionNumber attribute, or the service can't decrypt them; an older keytab for the same account stops working after a rerun.)  last thing: the hex next to each keylength is the actual key, so a keytab is the service account's password in another form. make the file readable by the service only, and don't leave the dump in your notes.
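To check what actually went into the file after the procedure above, without dumping the keys to the console again, here is an added example (not code from the original post) that parses the 0x502 keytab format ktpass writes and flags the three things worth catching: ptype 0 entries (the pType warning), weak DES and RC4 keys, and a kvno that no longer matches the account. The sample keytab is constructed inline to mirror the post's dumps (HTTP/the-machine@REALM; the key bytes are placeholders, not the post's), the layout follows the MIT/Heimdal keytab file format, and `expected_kvno` is whatever msDS-KeyVersionNumber says on the account.

```python
"""Parse and audit a 0x502 keytab without echoing key material.

Added example, not code from the original post. Layout is the MIT/Heimdal
keytab file format that ktpass writes: bytes 05 02, then big-endian
entries of int32 size | uint16 component count | realm | components |
uint32 name type | uint32 timestamp | uint8 vno8 | uint16 etype |
counted key | optional uint32 vno. A negative size marks a deleted slot.
"""
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
               18: "AES256-SHA1", 23: "RC4-HMAC"}
WEAK_ETYPES = {1, 3, 23}          # single DES, and RC4 (the NT hash)


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    etype: int
    key: bytes                    # kept for callers; never printed here


def _counted(buf, pos):
    """uint16 length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def parse_keytab(blob: bytes):
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:              # deleted entry: skip abs(size) bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(blob, pos)
            comps.append(comp.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:        # 32-bit vno present; wins when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, kvno, etype, key))
    return entries


def audit(entries, expected_kvno=None):
    """Findings as strings; key bytes are deliberately left out."""
    findings = []
    for e in entries:
        name = ETYPE_NAMES.get(e.etype, f"etype {e.etype}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{e.principal}: ptype {e.name_type}, expected "
                            f"KRB5_NT_PRINCIPAL (ktpass's pType warning)")
        if e.etype in WEAK_ETYPES:
            findings.append(f"{e.principal}: weak {name} key, kvno {e.kvno}")
        if expected_kvno is not None and e.kvno != expected_kvno:
            findings.append(f"{e.principal}: {name} kvno {e.kvno} but account "
                            f"is at kvno {expected_kvno} (stale keytab)")
    return findings


def _packed(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_entry(realm, comps, name_type, kvno, etype, key):
    """Serialise one entry; used only to construct the sample keytab."""
    body = struct.pack(">H", len(comps)) + _packed(realm.encode())
    body += b"".join(_packed(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
    body += struct.pack(">H", etype) + _packed(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample mirroring the post's two dumps; keys are placeholders.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("REALM", ["HTTP", "the-machine"], 0, 6, 23, bytes(range(16)))
    + struct.pack(">i", -3) + b"\x00\x00\x00"        # a deleted slot
    + build_entry("REALM", ["HTTP", "the-machine"], 1, 12, 18, bytes(range(32)))
    + build_entry("REALM", ["HTTP", "the-machine"], 1, 12, 1, bytes(range(8))))

if __name__ == "__main__":
    for line in audit(parse_keytab(SAMPLE_KEYTAB), expected_kvno=12):
        print(line)
```

Run it against the real file with `parse_keytab(open(path, "rb").read())` on the box that will hold the keytab; a clean result is an empty list, and anything about kvno means the keytab was made before the last password reset on the account and will not decrypt fresh service tickets.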
