Ray Vand
2013-04-19 20:26:01 UTC
Hello,
I am new to Kerberos world and having issue with setting this up and need help and direction.
I am trying to setup SSO in the following environment.
Domain: company.com
Short Domain: AD (This how we login to User Client - AD\<Login Name>
AD domain server --> ads (Windows 2008 R2 )
SAP Server --> SAPSVR (Sun Solaris 10)
User Client --> Mac OS 10.8
I have created user in AD domain server as below
user: sapldap
Password: Changem3 (never expire)
Use DES encryption type for this account
Then I ran the following two command in AD Domain sever
C:\Windows\system32>setspn -A sapldap/ads.company.com AD\sapldap
Registering ServicePrincipalNames for CN=sapldap,CN=Users,DC=company,DC=com
sapldap/ads.company.com
Updated object
C:\Windows\system32>ktpass -princ sapldap/***@COMPANY.COM -mapuser AD\sapldap -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass Changem3 -out sapldap.keytab
Targeting domain controller: ADS.company.com
Using legacy password setting method
Successfully mapped sapldap/ads.company.com to sapldap.
Key created.
Output keytab to sapldap.keytab:
Keytab version: 0x502
keysize 66 sapldap/***@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0x5785314ff4ada2b6)
Account sapldap has been set for DES-only encryption.
Then I moved the sapldap.keytab to my SAP Server in tmp directory
In my SAP Server, I ran the following commands
modify /etc/krb5.conf as below:
libdefaults]
default_realm = COMPANY.COM
default_keytab_name = /etc/krb5.keytab
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
COMPANY.COM = {
kdc = ads.company.com:88
admin_server = ads.company.com
default.domain = COMPANY.COM
kpasswd_server = ads.company.com
}
[domain_realm]
.company.com = COMPANY.COM
company.com = COMPANY.COM
Then
# ktutil
ktutil: rkt /tmp/sapldap
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 7 sapldap/***@COMPANY.COM (DES cvc mode with RSA-MD5)
ktutil: wkt /etc/krb5.keytab
ktutil: q
Here is where I am getting error/having issue when running next command.
# kinit -V -k sapldap/***@COMPANY.COM
kinit(v5): Key table entry not found while getting initial credentials
but if I use it without -k option it working and It takes password
# kinit sapldap/***@COMPANY.COM
Password for sapldap/***@COMPANY.COM:
Then when I try klist
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sapldap/***@COMPANY.COM
Valid starting Expires Service principal
04/19/13 10:01:53 04/19/13 20:01:53 krbtgt/***@COMPANY.COM
renew until 04/26/13 10:01:53
I appreciate any help.
Regards,
RayV
I am new to Kerberos world and having issue with setting this up and need help and direction.
I am trying to setup SSO in the following environment.
Domain: company.com
Short Domain: AD (This how we login to User Client - AD\<Login Name>
AD domain server --> ads (Windows 2008 R2 )
SAP Server --> SAPSVR (Sun Solaris 10)
User Client --> Mac OS 10.8
I have created user in AD domain server as below
user: sapldap
Password: Changem3 (never expire)
Use DES encryption type for this account
Then I ran the following two command in AD Domain sever
C:\Windows\system32>setspn -A sapldap/ads.company.com AD\sapldap
Registering ServicePrincipalNames for CN=sapldap,CN=Users,DC=company,DC=com
sapldap/ads.company.com
Updated object
C:\Windows\system32>ktpass -princ sapldap/***@COMPANY.COM -mapuser AD\sapldap -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass Changem3 -out sapldap.keytab
Targeting domain controller: ADS.company.com
Using legacy password setting method
Successfully mapped sapldap/ads.company.com to sapldap.
Key created.
Output keytab to sapldap.keytab:
Keytab version: 0x502
keysize 66 sapldap/***@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0x5785314ff4ada2b6)
Account sapldap has been set for DES-only encryption.
Then I moved the sapldap.keytab to my SAP Server in tmp directory
In my SAP Server, I ran the following commands
modify /etc/krb5.conf as below:
libdefaults]
default_realm = COMPANY.COM
default_keytab_name = /etc/krb5.keytab
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
COMPANY.COM = {
kdc = ads.company.com:88
admin_server = ads.company.com
default.domain = COMPANY.COM
kpasswd_server = ads.company.com
}
[domain_realm]
.company.com = COMPANY.COM
company.com = COMPANY.COM
Then
# ktutil
ktutil: rkt /tmp/sapldap
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 7 sapldap/***@COMPANY.COM (DES cvc mode with RSA-MD5)
ktutil: wkt /etc/krb5.keytab
ktutil: q
Here is where I am getting error/having issue when running next command.
# kinit -V -k sapldap/***@COMPANY.COM
kinit(v5): Key table entry not found while getting initial credentials
but if I use it without -k option it working and It takes password
# kinit sapldap/***@COMPANY.COM
Password for sapldap/***@COMPANY.COM:
Then when I try klist
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sapldap/***@COMPANY.COM
Valid starting Expires Service principal
04/19/13 10:01:53 04/19/13 20:01:53 krbtgt/***@COMPANY.COM
renew until 04/26/13 10:01:53
I appreciate any help.
Regards,
RayV