1 vote

We are writing software that runs on both Windows and Linux, and plan to use Windows Active Directory for authentication. I am struggling with the issues described below and would appreciate any help very much:

Domain name: CORP.COMPANY.COM

Test program running on one Linux machine: host1.corp.company.com

The test program comes from the gss-sample in the downloaded krb5-1.11.3 files.

The server will be named "gssapitest".

Based on the "Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability" (from Microsoft):

First, create a user "host1" in AD to represent the host host1.corp.company.com (the Linux machine).

Use ktpass to generate the keytab (run on Windows):

ktpass /princ host/[email protected] /mapuser host1 /pass hostpassword /out file1.keytab

Now, in AD, create another domain user "gssapitest" to represent the test server program, and map the user similarly:

ktpass /princ gssapitest/[email protected] /mapuser gssapitest /pass gssapitestpassword /out file2.keytab

Copy file1.keytab and file2.keytab to the Linux machine host1, and merge them into /etc/krb5.keytab.

On Linux, "ktutil" shows the content of /etc/krb5.keytab like the following:

slot KVNO Principal
1 4 host/[email protected]
2 5 gssapitest/[email protected]

On Windows, register the service (using "setspn") for the Linux server program so that the result looks like the following (2 entries, one with the mapped host name and the other with the actual host name, for testing purposes; with only one entry, no matter which one, the result was the same):

Registered ServicePrincipalNames for
CN=xxxx,CN=Users,DC=corp,DC=company,DC=com:
gssapitest/host1:2001
gssapitest/host1.corp.company.com:2001

Now I start the server this way:

gss-server -port 2001 gssapitest

and start the client from another terminal this way:

gss-client -port 2001 -user xxxx -pass xxxxpassword host1.corp.company.com gssapitest "abcd"

This error shows on the server side:

GSS-API error accepting context: Unspecified GSS failure. Minor code may provide more information
GSS-API error accepting context: Wrong principal in request

What could be the likely cause of this? I'd like to know whether the steps I outlined above are all necessary, and which ones are not needed at all or are incorrect.

(Note: I have tried logging in to the Linux machine with both a local user account and a domain account in CORP.COMPANY.COM; the result shows the same error. Also, nslookup shows the correct IP-to-host mapping for the Linux machine.)


2 Answers

1 vote

I would not include the port number when using setspn; I'd expect gssapitest, not gssapitest:2001. In addition, use gssapitest@host as the service name in the call to gss-client:

gss-client -user xxx -pass xxx -port 2001 hostname gssapitest@hostname "test message"

You can use krb5 tracing to get much better logging about what's going on:

export KRB5_TRACE=/tmp/trace.client # and run client

Similar for the server.

0 votes

I did some test runs, and in my case the problem seems to be this: I made changes to my mapped user, i.e., gssapitest (in "Active Directory Users and Computers", I unchecked "Use DES encryption types for this account" under the "Account" tab for this user), after running "ktpass" and merging the output file into the krb5.keytab on the Linux machine. To fix this problem, I checked "Use DES encryption types for this account" again in Active Directory, then went to the Linux machine and ran "kdestroy" before starting my server and client programs. Then it worked. If anyone is having similar problems, you may want to look into this possible cause. Thanks.
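The second answer traces the failure to the DES enctype on the mapped account, and the question's ktutil listing only shows slot and KVNO, not the enctype of each key. As an added example (not code from either poster or from krb5), the Python below parses an MIT keytab file the way ktutil does and flags slots whose key is single-DES; the principal names, KVNOs and key bytes in SAMPLE_KEYTAB are constructed to mirror the two slots in the question.

```python
import struct
from collections import namedtuple

# Enctype numbers from RFC 3961/3962. Types 1 and 3 are single-DES, the ones that
# AD's "Use DES encryption types for this account" checkbox governs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3}
Entry = namedtuple("Entry", "principal kvno enctype")
def _counted(data, off):  # keytab counted_octet_string: uint16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse an MIT krb5 keytab (file version 0x0502) into Entry tuples, as ktutil lists them."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)      # a negative size marks a deleted slot
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, p = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _counted(data, p)
                comps.append(c.decode())
            p += 8                                    # skip uint32 name_type and uint32 timestamp
            kvno = data[p]                            # 8-bit vno
            enctype, klen = struct.unpack_from(">HH", data, p + 1)
            p += 5 + klen                             # step over the key; key bytes are never exposed
            if p + 4 <= end:                          # optional 32-bit vno wins when present and nonzero
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(Entry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries
def weak_entries(entries):
    """Slots whose key is single-DES: AD will not issue tickets for them unless DES is enabled."""
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]
def _build_entry(principal, kvno, enctype, key):
    # Serialise one entry; used only to construct the sample below.
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(x)) + x for x in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample mirroring the question's two ktutil slots; dummy key bytes, not a real keytab.
SAMPLE_KEYTAB = (b"\x05\x02"
    + _build_entry("host/host1.corp.company.com@CORP.COMPANY.COM", 4, 18, b"\x11" * 32)
    + _build_entry("gssapitest/host1.corp.company.com@CORP.COMPANY.COM", 5, 3, b"\x22" * 8))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; a service slot that appears only with enctype 1 or 3 is the condition the second answer describes.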