Create Machine Keytab on Linux for Active Directory authentication

This blog post outlines the troubleshooting I went through to get a machine keytab file working with Active Directory (Windows Server 2012) and CentOS 6.5.

STEP 1. My first attempt was to create the machine keytab file using Samba's net utility.

[root@mysql04p ~]# net ads keytab create -U tatroc

Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Enter tatroc's password:

In my /etc/samba/smb.conf I had the following line:

kerberos method = secrets and keytab

That value is a keytab method, so the warning means net did not pick it up. testparm -s | grep 'kerberos method' shows what Samba actually parses; the line has to be in the [global] section of the smb.conf that net loads.

STEP 2. Verify that the machine principal names were created in /etc/krb5.keytab. The -K flag prints the raw key bytes, which are the machine account's secrets, so treat this output as sensitive.

[root@mysql04p ~]# klist -Kke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  36 host/mysql04p.lab.net@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 host/mysql04p.lab.net@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 host/mysql04p.lab.net@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 host/mysql04p.lab.net@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 host/mysql04p.lab.net@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)
  36 host/mysql04p@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 host/mysql04p@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 host/mysql04p@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 host/mysql04p@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 host/mysql04p@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)
  36 MYSQL04P$@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 MYSQL04P$@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 MYSQL04P$@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)

STEP 3. Try to get an initial ticket with the keytab. I failed to get a Kerberos ticket from Active Directory:

[root@mysql04p ~]# kinit -k
kinit: Client 'host/mysql04p.lab.net@LAB.NET' not found in Kerberos database while getting initial credentials
[root@mysql04p ~]#

With no principal argument, kinit -k asks for host/<fqdn>@REALM. Active Directory holds host/mysql04p.lab.net only as a servicePrincipalName of the computer object MYSQL04P$; the KDC does not resolve it to an account for an initial ticket request until it is also set as the account's userPrincipalName, which is what ktpass /mapuser does in STEP 4. The keytab Samba wrote already contains keys for the account name itself, so naming that principal explicitly (kinit -k with MYSQL04P$@LAB.NET as the principal) is the quick check at this point.

STEP 4. After some googling, I discovered that I could create the machine keytab through another avenue: logging in to the domain controller and running ktpass.exe as an administrator.

Three switches in this command deserve attention. /mapuser is what fixes STEP 3: it maps host/mysql04p.lab.net@LAB.NET onto the computer account mysql04p$ as its userPrincipalName, so the KDC now resolves that name to an account. +rndPass sets a new random machine password; the KDC raises the key version from 36 to 37, so every earlier copy of the keys (the Samba keytab from STEP 1 and the machine password Samba stored in secrets.tdb at join time) stops working, which is what the "may cause authentication problems" warning below refers to. /crypto all emits single-DES and RC4 keys next to the AES ones; /crypto AES256-SHA1 keeps the weak keys out of the keytab if nothing in the domain still needs them. The "pType and account type do not match" warning is ktpass noting KRB5_NT_PRINCIPAL on a computer account and is harmless here.

C:\Windows\system32>ktpass /princ host/mysql04p.lab.net@LAB.NET /mapuser LAB\mysql04p$ +rndPass /crypto all /ptype KRB5_NT_PRINCIPAL /out krb5.keytab

Targeting domain controller: DC01.lab.net
Using legacy password setting method
Successfully mapped host/mysql04p.lab.net to mysql04p$.
WARNING: Account mysql04p$ is not a user account (uacflags=0x11001).
WARNING: Resetting mysql04p$'s password may cause authentication problems if mysql04p$ is being used as a server.

Reset mysql04p$'s password [y/n]?  y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 56 host/mysql04p.lab.net@LAB.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x1 (DES-CBC-CRC) keylength 8 (0xf1730404c80bd37a)
keysize 56 host/mysql04p.lab.net@LAB.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x3 (DES-CBC-MD5) keylength 8 (0xf1730404c80bd37a)
keysize 64 host/mysql04p.lab.net@LAB.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x17 (RC4-HMAC) keylength 16 (0x54eaee166661deb5ee63eec76faec0e1)
keysize 80 host/mysql04p.lab.net@LAB.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x12 (AES256-SHA1) keylength 32 (0x553cb01aba00c555c88d355b7196585cb9968ce4ecda7070cd1d89e6ee4413d0)
keysize 64 host/mysql04p.lab.net@LAB.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x11 (AES128-SHA1) keylength 16 (0xee59e989a9033978ef299330a36c7d0b)

C:\Windows\system32>

STEP 5. Copy the keytab file to the Linux computer as mysql04p:/etc/krb5.keytab, then get a ticket with it. The file is the machine account's key material: move it over an encrypted channel such as scp, keep it owned by root with mode 0600, and delete the copy left behind on the domain controller. Overwriting the Samba-generated keytab is fine here, because its kvno 36 keys stopped working when ktpass reset the password in STEP 4.

[root@mysql04p ~]# kinit -k

STEP 6. Run klist to verify that the machine has received a ticket.

[root@mysql04p ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/mysql04p.lab.net@LAB.NET

Valid starting     Expires            Service principal
04/22/15 17:56:13  04/23/15 03:56:13  krbtgt/LAB.NET@LAB.NET
        renew until 04/29/15 17:56:13
[root@mysql04p ~]#

STEP 7. You can now use the keytab to authenticate to Active Directory resources without a stored password, for example by refreshing the machine ticket right before a command that needs it:

kinit -k; ls -la
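A keytab check to run before kinit -k, added here as an example; it is not code from the original post. It parses the text that klist -Kke prints (the sample below is constructed to mirror the STEP 2 listing, with key bytes shortened), lists the principals, picks the AD computer-account principal (NAME$@REALM), reports its kvno, flags DES and RC4 entries, builds the explicit kinit command, and checks the keytab file's ownership and mode. The function names and the sample listing are my own assumptions.

```bash
#!/bin/bash
# Added example, not code from the original post: sanity checks on a keytab
# listing before running "kinit -k" against Active Directory.
# Input is the text printed by "klist -Kke" (MIT Kerberos). Function names
# and the sample listing are assumptions made for this example.

# Constructed sample modelled on the STEP 2 listing; key bytes shortened.
# On a real host use: listing=$(klist -Kke -t /etc/krb5.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  36 host/mysql04p.lab.net@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 host/mysql04p.lab.net@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182)
  36 host/mysql04p.lab.net@LAB.NET (arcfour-hmac)  (0x31ad3e73)
  36 MYSQL04P$@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182)
  36 MYSQL04P$@LAB.NET (arcfour-hmac)  (0x31ad3e73)'

# Data lines start with a numeric KVNO; header lines do not.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/'
}

# Each principal in the keytab, once (C locale so ordering is stable).
keytab_principals() {
    keytab_entries "$1" | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Key version number(s) stored for one principal. More than one line means
# the keytab still carries keys from an older machine password.
# Fails when the principal is absent.
keytab_kvno() {
    local kvno
    kvno=$(keytab_entries "$1" | awk -v p="$2" '$2 == p { print $1 }' | LC_ALL=C sort -u)
    [ -n "$kvno" ] || return 1
    printf '%s\n' "$kvno"
}

# The AD computer account is NAME$@REALM. That is the principal kinit -k
# needs; its default, host/<fqdn>, is only a servicePrincipalName unless the
# account's userPrincipalName has been mapped to it (STEP 4 on the page).
machine_principal() {
    keytab_principals "$1" | awk -F@ 'substr($1, length($1)) == "$" { print; exit }'
}

# Entries whose enctypes should not be relied on: single DES (refused by
# default by current MIT clients, allow_weak_crypto = false) and RC4.
keytab_weak_entries() {
    keytab_entries "$1" | awk '$3 ~ /des-cbc/ || $3 ~ /arcfour/'
}

# Explicit keytab path and explicit machine principal, no reliance on
# kinit's defaults. Optional second argument overrides the keytab path.
kinit_command() {
    local principal
    principal=$(machine_principal "$1")
    [ -n "$principal" ] || return 1
    printf "kinit -k -t %s '%s'\n" "${2:-/etc/krb5.keytab}" "$principal"
}

# Keytab keys are password-equivalent for the machine account: owner-only,
# mode 0600. Owner defaults to root. Assumes GNU/BusyBox "stat -c".
check_keytab_perms() {
    [ "$(stat -c '%a %U' "$1")" = "600 ${2:-root}" ]
}

# Demo against the constructed sample.
listing=$SAMPLE_KLIST
echo "principals:"; keytab_principals "$listing"
mp=$(machine_principal "$listing")
echo "machine principal: $mp (kvno $(keytab_kvno "$listing" "$mp"))"
echo "weak enctype entries:"; keytab_weak_entries "$listing"
echo "run: $(kinit_command "$listing")"
```

On a real host replace the sample with listing=$(klist -Kke -t /etc/krb5.keytab). To catch a keytab made stale by a password reset like the one in STEP 4, compare the kvno these functions report with the one the KDC currently uses, which kvno host/mysql04p.lab.net@LAB.NET prints once you hold a ticket.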

Summary:
I was able to create the machine keytab with ktpass.exe on the Windows Server 2012 domain controller and then copy that file to the Linux system.
