Hi All,
I am a newbie at posting on Windows forums/lists, so pardon me for being in
the wrong place.
This is not a question related to Windows device drivers or the Windows
kernel but more related to the MS implementation of Kerberos.
I tried asking my query on some other TechNet forums but it looks like
those are dormant ones.
I heard there are many MS people also subscribed to this list.
So any redirections to appropriate resources are deeply appreciated.
We have an issue with generating a valid keytab for Windows-based
services which can be used on Unix-based machines to decrypt an AP-REQ.
Following is our setup:
- Windows XP CIFS client
- Windows 2003 KDC and domain controller, 64-bit
- Windows XP CIFS server, 64-bit
- Linux FC7 machine with MIT Kerberos 1.6.3
We have admin privileges on all the machines mentioned above.
What are we trying to do?
- We request Kerberized traffic from the CIFS client to the CIFS server,
which we want to route through the Linux box.
- We want to do some processing with the AP-REQ. Evidently, for this we
need to authenticate the client in the AP-REQ on the Linux machine.
- To authenticate the client in the AP-REQ on the Linux machine, we
propose to use GSSAPI calls with the corresponding service keytab.
The problem:
- Our understanding is, all Windows-based services are registered
under the corresponding computer name with their corresponding SPN.
- This registration occurs whenever the machine joins the domain. So
basically, whenever the server is up and running and is in the domain,
all its services are registered with the Windows domain controller and
are mapped to its computer name.
- The exchange of long-term keys for the service between the service and
the KDC occurs at the same time.
- We understand the definition of ktpass is "to generate a keytab for
UNIX-based services", but with no other option to generate a keytab,
we run ktpass for this Windows-based service, which creates a new
long-term service key for the service that is not communicated back
to the service.
When I use this keytab on the Linux machine through GSSAPI calls to
decrypt the AP-REQ, I get KRB5KRB_AP_ERR_BAD_INTEGRITY,
which is obvious since the key used by the KDC to encrypt the ticket for
the service is different (it's the old key) from what is in the keytab.
Questions:
- Is there a way to bring the KDC and the service in sync in terms of the
service key being used? To be more precise, if I change the
service key for a service at the KDC, is there a way to communicate
this back to the service so that the service starts using this new key
for all further requests?
- We understand ktpass is a tool to generate a keytab for Unix-based
services. Do we have any similar tool for Windows-based services?
- Since Windows-based service SPNs are registered under the computer name
at the time of logon, it can be mapped to some other user as well without
creating a duplicate SPN. Is it possible for a service to run under
a user account and obtain a service key in Windows?
- We understand "man in the middle" is not possible with Kerberos, but
when we own all components of the traffic (KDC, server, client, DC,
with admin privileges) shouldn't I be allowed to extract a service key
for the given SPN from the KDC without disturbing the existing setup?
Any help is deeply appreciated.
Thanks & Regards
Nikhil
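Added example, not part of the original post: a parser for the MIT keytab file format (version 0x0502) together with a check that compares the service name and key version (kvno) carried in the clear in the AP-REQ ticket against the keytab entries. That comparison is the first thing to verify when the acceptor reports KRB5KRB_AP_ERR_BAD_INTEGRITY, since a keytab written by ktpass after a key reset carries a different kvno than the tickets the KDC was still issuing. The principal, realm, kvno values and the all-zero key are constructed sample data.

```python
import struct
from typing import List, NamedTuple
class KeytabEntry(NamedTuple):
    principal: str   # "cifs/host@REALM"
    kvno: int
    enctype: int     # 23 = rc4-hmac, the type a Windows 2003 domain issues by default
    key: bytes

def _counted(buf, off):   # 16-bit length-prefixed octet string -> (bytes, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (file format 0x0502; all integers big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _nametype, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        key, off = data[off + 13:off + 13 + klen], off + 13 + klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno or vno8, enctype, key))   # 32-bit kvno wins when nonzero
        off = end
    return entries
def diagnose(entries: List[KeytabEntry], sname: str, tkt_kvno: int) -> str:
    """Match the ticket's sname and kvno (both sent in the clear in the AP-REQ) against the keytab."""
    mine = [e for e in entries if e.principal == sname]
    if not mine:
        return "no key for " + sname
    if all(e.kvno != tkt_kvno for e in mine):
        return "kvno mismatch: ticket %d, keytab %s" % (tkt_kvno, sorted({e.kvno for e in mine}))
    return "matching entry present; a failure now means the key bytes differ from the KDC's"
# Constructed sample: ktpass wrote kvno 4 after resetting the account, KDC still issues kvno 3.
def _c(b): return struct.pack(">H", len(b)) + b
_body = (struct.pack(">H", 2) + _c(b"EXAMPLE.COM") + _c(b"cifs") + _c(b"srv.example.com")
         + struct.pack(">IIB", 1, 0, 4) + struct.pack(">HH", 23, 16) + bytes(16) + struct.pack(">I", 4))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

Running `diagnose(parse_keytab(SAMPLE_KEYTAB), "cifs/srv.example.com@EXAMPLE.COM", 3)` names the kvno mismatch; a real keytab can be read with `open(path, "rb").read()` and compared with the kvno shown for the ticket in a packet capture.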