The location of the Apache error logs is specified in the Apache configuration file under the ErrorLog directive. The default value is, depending on your Apache version, one of the following:

The command shows all the service principal tickets contained in the keytab file so you can verify that the correct service principal names appear in the list. It is normal to see multiple entries for the same name. Because you cannot store credentials for more than one principal in a Kerberos credentials cache at a time, you must maintain two or more credential caches by using the KRB5CCNAME environment variable and then switch to the cache that you want to use.
Klist can be used on the current user to verify that they receive a service ticket for HTTP. Authentication problems can be difficult to diagnose. First, check all the configuration parameters, including the validity of the keytab file. Second, review the common problems in the following table.
The Kerberos standard requires that system clocks be no more than 5 minutes apart. Make sure that the system clocks on the Active Directory domain controller, the Linux or Unix web server, and the client are synchronized.
If the Kerberos ticket was obtained on the client, or the user correctly entered their credentials at the Basic Authentication prompt, the cause might be that authentication worked but authorization failed. If the client user is logged on to a domain different from the domain of the web server, one of two things will happen:
If the KrbMethodK5Passwd directive is set to on (or was not specified and thus defaults to on), the user will be prompted for credentials. Internet Explorer tries to obtain Kerberos tickets only for websites that are in the Local Intranet zone. The service principal name of the website is mapped to more than one object in the Active Directory. Although this problem is rare, it is difficult to diagnose because the error messages are vague.
The problem can occur after the ktpass utility was used repeatedly to generate a Kerberos keytab file for the web server. To check for this problem, log on to your Active Directory domain controller and open the Event Viewer. The text of the event will be similar to the message below:

The line that starts the daemon can vary by operating system. The change might result in compatibility issues with other Apache modules that use Kerberos.

You use the klist tool to display the entries in the local credentials cache and key table.
The klist tool displays the entries in the local credentials cache and key table. After you modify the credentials cache with the kinit tool or modify the keytab with the ktab tool, the only way to verify the changes is to view the contents of the credentials cache or keytab using the klist tool.
Specifies the credential cache name or the keytab name. File-based cache or keytab's prefix is FILE:. The kinit documentation lists these default values.
The following are the options for credential cache entries: -f Show credential flags. List the keytab entries. The following are the options for keytab entries: -t Show keytab entry timestamps.

SSSD is failing to read the keytab file, and whenever I try to log in remotely I keep getting "unable to verify principal name" in the log file. I am able to verify the principal name from the keytab file using the kinit command.

Has this configuration worked in the past but is no longer working? Your klist -k output is shorter than I would have expected; did you join the domain using the 'net join' method?

Hello, first thanks for your reply. This is a completely new configuration on a recently built server, and a similar configuration is working on the rest of the servers.

I have only ever used the 'net join' method to join servers to the domain for AD auth, but have seen the method you linked to in earlier SSSD documentation. Given that you look to be copying the keytab over from the Windows server, have you confirmed the basic permissions and SELinux context are correct for the keytab file on the Linux server? I am interested to know what your working server's keytab looks like. On the working server, can you get the output of 'klist -k' and attempt 'net getdomainsid' and let me know if they look different to this server? My comment regarding klist was because I would generally expect to see three different entries when configuring the server for AD auth:

Regarding the klist -k output being small: for every computer object that I create in AD, I assign the service principal name in this format. And I specify the same format in sssd. It is useful if your account is limited to this container only. I will test on a test server; I think the "net join" command will be an easier way to implement, compared to creating the keytab file on AD and uploading it to the Linux box.

This is how I create a keytab file: How to create a kerberos keytab on Active Directory for Red Hat Enterprise Linux. What do you mean "klist -k output is shorter than I would have expected"?

Hello, the issue is fixed: SELinux was enabled, I disabled it, and it works fine. Just one more question: whenever you run the "net join" command to add a computer in AD, is there a way to specify the directory location for this computer object to be created?

A keytab is a file containing pairs of Kerberos principals and encrypted keys which are derived from the Kerberos password.
You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your Kerberos password, you will need to recreate all your keytabs. Keytab files are commonly used to allow scripts to automatically authenticate using Kerberos, without requiring human interaction or access to password stored in a plain-text file. The script is then able to use the acquired credentials to access files stored on a remote system.
You can create keytab files on any computer that has a Kerberos client installed. Keytab files are not bound to the systems on which they were created; you can create a keytab file on one computer and copy it for use on other computers. If the keytab created in Heimdal does not work, it is possible you will need an aescts entry.
In that case, you will need to find a computer with MIT Kerberos, and use that method instead. Replace username with your username, mykeytab with the name of your keytab file, and myscript with the name of your script.
With MIT Kerberos, to list the contents of a keytab file, use klist (replace mykeytab with the name of your keytab file):
The output contains two columns listing version numbers and principal names. If multiple keys for a principal exist, the one with the highest version number will be used. If you no longer need a keytab file, delete it immediately. If the keytab contains multiple keys, you can delete specific keys with the ktutil command.
You can also use this procedure to remove old versions of a key. An example using MIT Kerberos follows:

Replace mykeytab with the name of your keytab file, username with your username, and version with the appropriate version number. If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command.
Replace mykeytab-number with the name of each keytab file. The final merged keytab would be krb5. The keytab file is independent of the computer it's created on, its filename, and its location in the file system.
Once it's created, you can rename it, move it to another location on the same computer, or move it to another Kerberos computer, and it will still function.
The keytab file is a binary file, so be sure to transfer it in a way that does not corrupt it. If possible, use SCP or another secure method to transfer the keytab between computers. This will set the transfer type to binary so the keytab file will not be corrupted.
Use a keytab
This is document aumh in the Knowledge Base.
Anyone with read permission on a keytab file can use all the keys in the file. To prevent misuse, restrict access permissions for any keytab files you create. For instructions, see Manage file permissions on Unix-like systems. To use the instructions and examples on this page, you need access to a Kerberos client, on either your personal workstation or an IU research supercomputer. When following the examples on this page, enter the commands exactly as they are shown.

Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways.
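The warning above, that anyone who can read a keytab can use every key in it, is easy to turn into an automated check. The following Python is an added example (not code from the Knowledge Base page or from any Kerberos distribution): it reports a keytab whose mode bits grant group or world access, or whose owner is not the expected service account. The self-check creates a throwaway empty file, which is a constructed stand-in and not a real keytab, so that the check can be exercised without any Kerberos installation.

```python
import os
import stat
import tempfile


def audit_keytab_mode(mode, owner_uid, expected_uid):
    """Return a list of findings for a keytab's mode bits and owner.
    An empty list means only the expected owner can read the keys."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group can read or write the keytab (mode %04o)" % perm)
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("everyone can read or write the keytab (mode %04o)" % perm)
    if owner_uid != expected_uid:
        findings.append("keytab is owned by uid %d, expected uid %d"
                        % (owner_uid, expected_uid))
    return findings


def audit_keytab_file(path, expected_uid=None):
    """Stat a keytab on disk and audit it; default expected owner is the caller."""
    st = os.stat(path)
    if expected_uid is None:
        expected_uid = os.geteuid()
    return audit_keytab_mode(st.st_mode, st.st_uid, expected_uid)


def self_check():
    """Exercise the audit on a constructed temporary file: first with a
    world-readable mode (0644), then with owner-only access (0600).
    Returns (findings_for_0644, findings_for_0600)."""
    fd, path = tempfile.mkstemp(suffix=".keytab")  # empty placeholder, not a keytab
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = audit_keytab_file(path)
        os.chmod(path, 0o600)
        tight = audit_keytab_file(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    loose, tight = self_check()
    print("0644:", loose)
    print("0600:", tight)
```

In practice the expected owner is the uid the service runs as (for example the web server's account for an HTTP/ keytab), and the check belongs in configuration management or a periodic host audit rather than being run by hand.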
Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications.
Keytabs are named using the format type:value. Usually type is FILE and value is the absolute pathname of the file. The other possible value for type is MEMORY, which indicates a temporary keytab stored in the memory of the current process. A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself.
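To make the entry fields just listed concrete, here is an added Python example (not MIT's code and not from any page quoted here) that writes and parses the MIT keytab file format, version 0x0502. Each entry is a length-prefixed record holding the realm, the principal components, a name type, the timestamp, the key version number, the enctype and the key bytes; a negative length marks the unused slot the MIT library leaves behind when an entry is removed, which is why a keytab that has had keys deleted can still contain their old slots. The principal names, kvnos and filler key bytes below are constructed sample data; the enctype numbers are the standard assignments from RFC 3961 and RFC 4120.

```python
import struct

# Enctype numbers from RFC 3961/4120/4757, with the names MIT klist prints
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(raw):
    """Keytab strings are 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def encode_entry(principal, kvno, enctype, key, timestamp, name_type=1):
    """Serialize one entry body in the 0x0502 layout."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
    body += struct.pack(">I", kvno)  # 32-bit kvno appended by current MIT krb5
    return body


def build_keytab(entries, deleted=()):
    """Write a keytab; entry indexes in `deleted` become unused (negative-size) slots."""
    out = bytearray(b"\x05\x02")  # file format version 0x0502
    for i, e in enumerate(entries):
        body = encode_entry(**e)
        size = -len(body) if i in deleted else len(body)
        out += struct.pack(">i", size) + body
    return bytes(out)


def parse_keytab(data):
    """Return the live entries of a 0x0502 keytab as dicts, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:            # removed entry: the slot is still on disk, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, timestamp, kvno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "timestamp": timestamp, "key": key})
    return entries


# Constructed sample data: filler key bytes, not real Kerberos keys
NOW = 1700000000
SAMPLE = [
    dict(principal="HTTP/web1.example.com@EXAMPLE.COM", kvno=2, enctype=18, key=b"\x11" * 32, timestamp=NOW),
    dict(principal="HTTP/web1.example.com@EXAMPLE.COM", kvno=2, enctype=17, key=b"\x22" * 16, timestamp=NOW),
    dict(principal="HTTP/web1.example.com@EXAMPLE.COM", kvno=3, enctype=18, key=b"\x33" * 32, timestamp=NOW + 60),
    dict(principal="host/web1.example.com@EXAMPLE.COM", kvno=5, enctype=17, key=b"\x44" * 16, timestamp=NOW),
]


def demo():
    """Round-trip the sample with entry 1 marked removed; returns (principal, kvno, enctype) per live entry."""
    live = parse_keytab(build_keytab(SAMPLE, deleted={1}))
    return [(e["principal"], e["kvno"], e["enctype"]) for e in live]


if __name__ == "__main__":
    for row in demo():
        print("%4d %s (%s)" % (row[1], row[0], row[2]))
```

The round trip is the same view klist -k -e gives of a file on disk, which makes this a convenient way to inspect a keytab copied from another system without a Kerberos client installed, and to confirm that a removed key really is gone rather than merely skipped.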
A keytab can be displayed using the klist command with the -k option. Keytabs can be created or appended to by extracting keys from the KDC database using the kadmin ktadd command.
Keytabs can be manipulated using the ktutil and k5srvutil commands. The default keytab is used by server applications if the application does not request a specific keytab. The name of the default keytab is determined by the following, in decreasing order of preference:.
The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications.
The principal name of the first entry in the client keytab is used by default when obtaining initial credentials. The name of the default client keytab is determined by the following, in decreasing order of preference:.
The klist command displays the contents of a Kerberos credentials cache or key table. If you do not specify a name indicating a cache name or keytab name, klist displays the credentials in the default credentials cache or keytab file as appropriate.
Purpose: Displays the contents of a Kerberos credentials cache or key table.

Syntax: klist [[ -c ] [ -f ] [ -e ] [ -s ] [ -a ] [ -n ]] [ -k [ -t ] [ -K ]] [ name ]

Description: The klist command displays the contents of a Kerberos credentials cache or key table.

Flags:
-a  Displays all tickets in the credentials cache, including expired tickets. Expired tickets are not listed if this flag is not specified. This flag is valid only when listing a credentials cache.
-c  Lists the tickets in a credentials cache. This is the default if neither the -c nor the -k flag is specified. This flag is mutually exclusive with the -k flag.
-e  Displays the encryption type for the session key and the ticket.
name  Specifies the name of the credentials cache or key table. The default credentials cache or key table is used if you do not specify a filename.
-k  Lists the entries in a key table. This flag is mutually exclusive with the -c flag.
-K  Displays the encryption key value for each key table entry. This flag is valid only when listing a key table.
-n  Displays the numerical internet address instead of the host name. The default without -n is the host name. This flag is used in conjunction with the -a flag.
-s  Suppresses command output but sets the exit status to 0 if a valid ticket-granting ticket is found in the credentials cache.
-t  Displays timestamps for key table entries.

As well as storing user accounts and their passwords, the Kerberos servers (KDCs) store accounts and keys (similar to passwords) for systems. Those accounts and keys are used as part of the authentication process to verify which user is connecting to a network service. These accounts are generally called service principals. Every network service to which a user may authenticate needs to have a service principal with a corresponding key. The network service has to have a copy of that key on the system so that it can verify a user's identity.
That key is stored in a specially formatted file called a keytab. One keytab file can store multiple keys, either multiple keys for the same service principal or even keys for several different service principals. On a UNIX system, you can view the contents of a keytab with the klist -k command. Applications that need to authenticate to network services on an automated basis also need to have service principals and keys in a keytab. For example, any process that writes into a protected directory in AFS needs to have a service principal that it can use to authenticate to AFS.
Due to how Kerberos works, a network service needs to have a separate key for every type of encryption that it supports. We currently support AES encryption (the strongest and most modern, but not universally supported yet), triple-DES, and, for legacy compatibility, DES (which will be phased out).
Most service principals will therefore have three keys, one for each type of encryption. Kerberos automatically selects the strongest key supported by both the client and server, so normally you don't have to worry about this implementation detail. To recap, a service principal is an account, an identity, stored in Kerberos for a particular application.
klist (1) - Linux Man Pages
That service principal has one or more keys, similar to passwords. Those keys are stored on the server on which the service runs in a file called a keytab, which you can view with the klist -k command. There are two basic types of service principals in use at Stanford. The first set are called the "host-based" service principals, meaning that they're tied to a network service running on a particular host.
Principals of this type will always have a name like:

The most commonly used service types are:

That principal is also used to verify local logins to the console, for example, if it exists.
Host-based principals should not be shared and should not be reused. Each host providing a service should have a separate host-based principal for that service, and if that host is replaced by another with a new name, a new host-based principal should be obtained. Specifically, even if a set of web servers are part of a pool that uses WebAuth to serve one site, each server should have a separate host-based WebAuth principal and not share the same one.
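Two of the points above, that a service principal normally carries one key per supported enctype and that a host-based principal belongs to exactly one host, can be checked against the output of klist -k -e. The following Python is an added example, not code from Stanford or from any of the pages quoted here. It parses constructed sample output (the principals, kvnos and enctypes are made up for the illustration), keeps only the keys at each principal's highest version number, reports principals that have no AES key at that version, and lists host-based principals whose host part is not the local host. The host-based naming form service/hostname@REALM and the choice of "starts with aes" as the strongest-enctype test are assumptions of this example rather than statements taken from the page.

```python
import re

# Constructed sample of "klist -k -e" output for one host's keytab (not real data)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/web1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/web1.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/web1.example.com@EXAMPLE.COM (des-cbc-crc)
   1 HTTP/web1.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 HTTP/web1.example.com@EXAMPLE.COM (des-cbc-crc)
   4 HTTP/web2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One entry line: kvno, principal, then the enctype in parentheses (from -e)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_k(text):
    """Return (kvno, principal, enctype) tuples; header lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def enctypes_by_principal(entries):
    """Map each principal to (highest kvno, set of enctypes at that kvno).
    Older versions are dropped because the highest version is the one used."""
    newest = {}
    for kvno, princ, enc in entries:
        cur_kvno, encs = newest.get(princ, (-1, set()))
        if kvno > cur_kvno:
            newest[princ] = (kvno, {enc})
        elif kvno == cur_kvno:
            encs.add(enc)
    return newest


def principals_without_aes(entries):
    """Principals whose current keys offer no AES enctype (assumed strongest here)."""
    return sorted(p for p, (_, encs) in enctypes_by_principal(entries).items()
                  if not any(e.startswith("aes") for e in encs))


def principals_for_other_hosts(entries, local_fqdn):
    """Host-based principals (assumed form service/host@REALM) naming another host,
    which on a single server suggests a shared or copied principal."""
    out = set()
    for _, princ, _ in entries:
        name = princ.split("@", 1)[0]
        if "/" in name:
            host = name.split("/", 1)[1]
            if host.lower() != local_fqdn.lower():
                out.add(princ)
    return sorted(out)


if __name__ == "__main__":
    ents = parse_klist_k(SAMPLE_KLIST)
    for princ, (kvno, encs) in sorted(enctypes_by_principal(ents).items()):
        print(princ, "kvno", kvno, sorted(encs))
    print("no AES key:", principals_without_aes(ents))
    print("other hosts:", principals_for_other_hosts(ents, "web1.example.com"))
```

On a real server the text would come from running klist -k -e against the service's keytab and local_fqdn from the host's canonical name; a principal that shows up with only DES or triple-DES keys is one that will be cut off when those enctypes are phased out.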