• Issues getting Kerberos to work with realmd and Active Directory

    From Wesley Taylor@21:1/5 to All on Thu Jul 30 17:00:24 2020
    Hi All,

    I am trying to get HTCondor with Kerberos authentication (https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication) to work on some Linux machines I have which I joined to Windows Active Directory
    with realmd. HTCondor tries to authenticate with the machine principal, but I am having a hard time figuring out what that is. When I run 'klist -k' I see a bunch of entries from /etc/krb5.keytab along the lines of host/fqdn@REALM. However, when I run
    'kinit -k' I get "kinit: Client $(hostname) not found in Kerberos database".

    I then interrogated the realm with adcli, using 'adcli testjoin --verbose', and it outputs the computer account name as HOST/HOSTNAME@REALM. When I run 'kinit -k HOST/HOSTNAME@REALM' I get back the error "kinit: Keytab contains no suitable keys for
    HOST/HOSTNAME@REALM".

    I am confused because when I run 'adcli update --verbose' it says it updated the keytab at /etc/krb5.keytab and outputs the same account name (which I am assuming is the principal for the computer) as adcli testjoin. I am really scratching my head about
    this; what am I doing wrong here?

    Thanks,
    Wes


    Public Content
    ________________________________
    The information contained in this e-mail and any attachments from Numerica Corporation may contain confidential and/or proprietary information, and is intended only for the named recipient to whom it was originally addressed. If you are not the intended
    recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the e-mail and any
    attachments.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Wesley Taylor on Thu Jul 30 13:44:47 2020
    To: kerberos@mit.edu (kerberos@mit.edu)

    On 7/30/20 1:00 PM, Wesley Taylor wrote:
    I am confused because when I run 'adcli update --verbose' it says it updated the keytab at /etc/krb5.keytab and outputs the same account name (which I am assuming is the principal for the computer) as adcli testjoin. I am really scratching my head
    about this, what am I doing wrong here?

    It might help to send a transcript of the klist -k output and the kinit commands.

    Note that the case of principal names is significant on the MIT krb5
    side, and generally isn't on Windows.

    You can set the environment variable KRB5_TRACE to get additional
    information about what commands are trying to do behind the scenes, e.g. "KRB5_TRACE=/dev/stdout kinit -k host/hostname@REALM".

  • From William MacAllister@21:1/5 to Wesley Taylor on Thu Jul 30 10:42:33 2020
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    On Thu, Jul 30, 2020 at 10:07 AM Wesley Taylor <wesley.taylor@numerica.us> wrote:

    Hi All,

    I am trying to get HTCondor with Kerberos authentication ( https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication)
    to work on some linux machines I have which I joined to Windows Active Directory with realmd.


    Working with AD as a KDC can be challenging. Problems that I frequently
    have to deal with are caused by the fact that AD does not use the principal name
    to identify the LDAP entries that define the principal. We use Russ
    Allbery's wallet to create keytabs, which uses msktutil and LDAP to interact with AD. Wallet creates a unique 20 character string that is used as the
    CN for the distinguished name of the entry holding the principal name.
    The actual principal name is stored in the LDAP
    attributes userPrincipalName and servicePrincipalName. When I encounter problems with the CN-to-principal name mapping I examine the KDC entry
    using ldapsearch. For example:

    $ ldapsearch -Q -LLL -h ad-server -b ou=keytabs,dc=domain,dc=com \
        cn="*keddie*" userPrincipalName servicePrincipalName dNSHostName
    dn: CN=keddie.domain.co000,OU=keytabs,OU=DROPBOX,DC=dropbox,DC=internal
    dNSHostName: keddie.domain.com
    userPrincipalName: host/keddie.domain.com@DROPBOX.INTERNAL
    servicePrincipalName: host/keddie.domain.com

    If you can access AD with ldapsearch you should be able to determine the correct principal name to use.

    A very common command phrasing we use in bash scripts on linux systems is:

    k5start -f /etc/krb5.keytab host/`hostname -f` -- <some command>

    A specific example is:

    k5start -f /etc/krb5.keytab host/`hostname -f` -- ldapwhoami -h openldap-server

    Bill

    --
    Bill MacAllister
    Corp SRE, Dropbox

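An added example, not Bill's script or wallet's code, of the lookup he describes: it parses a constructed ldapsearch -LLL entry (hypothetical host node01.example.com in realm EXAMPLE.COM, CN node01.exam0001) in which the CN is not the principal, reads the principal out of userPrincipalName and servicePrincipalName, and handles the LDIF line folding that ldapsearch applies to long values. The live ad_lookup and run_with_keytab_ticket helpers mirror Bill's ldapsearch and k5start lines (ldapsearch is given the -H URI form of the server argument, an assumption equivalent to his -h) and are not run offline.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed ldapsearch -LLL output for a
# hypothetical computer object whose CN (node01.exam0001) is not the principal
# name; the principal lives in userPrincipalName / servicePrincipalName. The
# last value is folded over two lines the way LDIF wraps long values
# (a continuation line starts with a single space).
SAMPLE_LDIF='dn: CN=node01.exam0001,OU=keytabs,DC=example,DC=com
dNSHostName: node01.example.com
userPrincipalName: host/node01.example.com@EXAMPLE.COM
servicePrincipalName: host/node01.example.com
servicePrincipalName: host/NODE01
servicePrincipalName: RestrictedKrbHost/node01.exa
 mple.com'

# Unfold LDIF continuation lines, then print every value of one attribute.
ldif_attr() {
    printf '%s\n' "$1" | awk '
        function flush() { if (line != "") print line; line = "" }
        /^ /  { line = line substr($0, 2); next }
              { flush(); line = $0 }
        END   { flush() }
    ' | awk -v want="$2" '
        index($0, want ": ") == 1 { print substr($0, length(want) + 3) }
    '
}

# Pick the name to hand to kinit/k5start: the UPN when AD has one, otherwise
# the first SPN qualified with the realm. Returns 1 if the entry has neither.
principal_for_kinit() {
    ldif=$1
    realm=$2
    name=$(ldif_attr "$ldif" userPrincipalName | head -n 1)
    [ -n "$name" ] || name=$(ldif_attr "$ldif" servicePrincipalName | head -n 1)
    [ -n "$name" ] || return 1
    case $name in
        *@*) printf '%s\n' "$name" ;;
        *)   printf '%s@%s\n' "$name" "$realm" ;;
    esac
}

# Live lookup, same query shape as Bill's but with the URI form of the server
# argument (ldapsearch -H). -Q means SASL (GSSAPI) without prompts, so a valid
# ticket is needed. Not exercised offline.
ad_lookup() {
    server=$1; base=$2; cn_glob=$3
    ldapsearch -Q -LLL -H "ldap://$server" -b "$base" "cn=$cn_glob" \
        userPrincipalName servicePrincipalName dNSHostName
}

# Run a command under a fresh ticket for the chosen principal, as in Bill's
# k5start line. Not exercised offline.
run_with_keytab_ticket() {
    princ=$1; shift
    k5start -f /etc/krb5.keytab "$princ" -- "$@"
}
```

On a joined host the live sequence is `ad_lookup ad-server ou=keytabs,dc=domain,dc=com '*node01*'` piped into principal_for_kinit, and the result handed to run_with_keytab_ticket; the offline parser is what you would use to sanity-check a saved ldapsearch dump.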
  • From Simo Sorce@21:1/5 to Wesley Taylor on Thu Jul 30 14:33:14 2020
    To: kerberos@mit.edu (kerberos@mit.edu)

    Wesley,
    when joining hosts to AD a computer account is created and a UPN and
    SPNs are set on it.
    Unlike MIT Kerberos, in AD heavy use of aliases is employed, so each host
    has a "host password/key" that is shared with all the aliases created.
    Most notably there are the UPN, generally of the form
    computername$@REALM, and the SPNs, which are a large number of
    service/fqdn@REALM principal names.

    The important part here is that while you can get tickets for any of
    those names (the KDC has many canonicalization rules that will also
    match in a case-insensitive way), when you ask for a TGT (the kinit
    operation) AD normally will accept a request only if the UPN form is
    used as the client principal and will refuse other forms (even though
    the key is the same).

    realmd has an option to specify what to set the UPN to, to change the
    default AD behavior (see the --user-principal option in the realm.8
    manpage). You can use it to control what to use at join time; then you
    should be able to use exactly that name to kinit from the generated
    keytab.

    HTH,
    Simo.

    On Thu, 2020-07-30 at 17:00 +0000, Wesley Taylor wrote:
    Hi All,

    I am trying to get HTCondor with Kerberos authentication ( https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication
    ) to work on some linux machines I have which I joined to Windows
    Active Directory with realmd. HTCondor tries to authenticate with the
    machine principal, but I am having a hard time figuring out what that
    is. When I run 'klist -k' I see a bunch of entries from
    /etc/krb5.keytab along the lines of host/fqdn@REALM. However, when I
    run 'kinit -k' I get "kinit: Client $(hostname) not found in Kerberos database".

    I then interrogated the realm with adcli, using 'adcli testjoin
    --verbose', and it outputs the computer account name as
    HOST/HOSTNAME@REALM. When I run 'kinit -k HOST/HOSTNAME@REALM' I get
    back the error "kinit: Keytab contains no suitable keys for HOST/HOSTNAME@REALM".

    I am confused because when I run 'adcli update --verbose' it says it
    updated the keytab at /etc/krb5.keytab and outputs the same account
    name (which I am assuming is the principal for the computer) as adcli testjoin. I am really scratching my head about this, what am I doing
    wrong here?

    Thanks,
    Wes



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos


    --
    Simo Sorce
    RHEL Crypto Team
    Red Hat, Inc

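An added example, not code from any poster, that turns Greg's and Simo's two points into a check: MIT krb5 matches principal names case-sensitively, and AD normally answers an AS-REQ with the host key only for the computer account's UPN (NAME$@REALM). It parses a constructed `klist -k` listing for a hypothetical host NODE01 in realm EXAMPLE.COM, reports whether a requested name is in the keytab exactly, only in a different case, or not at all, and picks the UPN entry to hand to kinit under KRB5_TRACE. The live kinit_machine_account function only runs when RUN_KINIT=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed `klist -k` listing for a
# hypothetical host NODE01 joined to realm EXAMPLE.COM; MIT klist prints one
# line per keytab entry, so a principal repeats once per enctype.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 NODE01$@EXAMPLE.COM
   3 NODE01$@EXAMPLE.COM
   3 host/node01.example.com@EXAMPLE.COM
   3 host/node01.example.com@EXAMPLE.COM
   3 host/NODE01@EXAMPLE.COM
   3 RestrictedKrbHost/node01.example.com@EXAMPLE.COM'

# Distinct principal names from klist -k output: skip the three header lines
# and take the second column of each entry line.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# The machine-account UPN (NAME$@REALM), the client name AD normally accepts
# for a TGT request with the host key, per Simo's note.
keytab_upn() {
    keytab_principals "$1" | grep '^[^/]*\$@' | head -n 1
}

# How a requested name matches the keytab. MIT krb5 compares principal names
# case-sensitively, so HOST/... does not find host/... even though AD treats
# them as the same account (Greg's note).
#   exact            -> present with identical case (status 0)
#   case-only:<name> -> present only with other casing (status 1)
#   absent           -> not in the keytab at all (status 2)
check_principal() {
    klist_out=$1
    want=$2
    if keytab_principals "$klist_out" | grep -qxF "$want"; then
        echo exact
        return 0
    fi
    alt=$(keytab_principals "$klist_out" | grep -ixF "$want" | head -n 1)
    if [ -n "$alt" ]; then
        echo "case-only:$alt"
        return 1
    fi
    echo absent
    return 2
}

# Live check on a joined host: list the keytab, pick the UPN, and run kinit with
# KRB5_TRACE so the AS exchange is visible. Requires a real keytab and KDC.
kinit_machine_account() {
    keytab=${1:-/etc/krb5.keytab}
    listing=$(klist -k "$keytab") || return 1
    upn=$(keytab_upn "$listing")
    if [ -z "$upn" ]; then
        echo "no NAME\$@REALM entry in $keytab; check the realm join (--user-principal)" >&2
        return 1
    fi
    KRB5_TRACE=/dev/stdout kinit -k -t "$keytab" "$upn"
}

if [ "${RUN_KINIT:-0}" = 1 ]; then
    kinit_machine_account "$@"
fi
```

Against the constructed listing, `check_principal "$SAMPLE_KLIST" HOST/NODE01.EXAMPLE.COM@EXAMPLE.COM` reports `case-only:host/node01.example.com@EXAMPLE.COM`, which is the shape of the original poster's "no suitable keys" situation: the key is there, the spelling is not. On a real host, `RUN_KINIT=1 sh this.sh` lists the keytab and attempts the UPN.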