[Samba] SAMBA Kerberos misunderstanding
Mark Proehl
M.Proehl at science-computing.de
Wed Feb 21 10:31:24 GMT 2007
Hi,
On Wed, Feb 21, 2007 at 06:41:42PM +1000, Bradley Schatz wrote:
> Hi Mark,
>
> For some background, I am actually trying to set up a http kerberos service
> so that I can use mod_auth_krb in apache2.
>
> Would net ads join createupn=http/foundry.example.local do the trick?
No. That command only creates a user principal name for the machine
account, so that you could obtain Kerberos tickets as http/foundry.example.local,
i.e. you could become the identity of http/foundry.example.local.
If you want to kerberize apache, you need to create a service
principal on the active directory controller:
HTTP/foundry.example.local (note: HTTP is uppercase). And you need to
create a keytab file for apache.
This can be done by samba via
net ads keytab ADD HTTP/foundry.example.local
This would add some HTTP entries to /etc/krb5.keytab. Typically apache
is not running as root, so it cannot read /etc/krb5.keytab. Therefore
you should move the HTTP entries to a separate keytab file which apache
can read. This could be done by ktutil or by setting the environment
variable "KRB5_KTNAME".
>
> I am on 3.0.22, which does not support this syntax. Any work-arounds?
"createupn" was a new feature in 3.0.23a...
- Mark
>
> On 2/21/07, Mark Proehl <M.Proehl at science-computing.de> wrote:
> >
> >Hi,
> >
> >try
> >
> > net ads join createupn=host/foundry.example.local
> >
> >- Mark
> >
> >On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> >> I suspect I might be grossly misunderstanding kerberos and AD here, but
> >I
> >> cant seem to grok the following.
> >>
> >> net ads join integrates my linux samba server (named foundry) into an AD
> >> domain and all works fine. The samba server is using the kerberos
> >keytab.
> >>
> >> root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$
> >> root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> >> kinit(v5): Client not found in Kerberos database while getting initial
> >> credentials
> >>
> >> Why can't kinit find the service host/foundry.example.local in the AD
> >> Kerberos database? It seems to be in the local linux server keylist:
> >>
> >> root@foundry:~ # klist -k
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    2 host/foundry.example.local@EXAMPLE.LOCAL
> >>    2 host/foundry.example.local@EXAMPLE.LOCAL
> >> .... cut ...
> >>
> >> What am I missing here?
> >>
> >> Thanks,
> >>
> >> Bradley
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/listinfo/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
--
Kind regards,
Mark Pröhl
_______________________________________________creating IT solutions
Mark Proehl                        phone +49(0)7071 9457-591
Senior Solutions Engineer          fax   +49(0)7071 9457-411
CAx Professional Services
science + computing ag             m.proehl at science-computing.de
Hagellocher Weg 71-75              samba at science-computing.de
D-72070 Tuebingen, Germany         www.science-computing.de
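The keytab-splitting step Mark describes (copy only the HTTP/ entries out of /etc/krb5.keytab into a file the web server can read) is easy to get wrong interactively in ktutil, because deleting a slot renumbers the slots after it. The script below is an added example, not code from the thread or from Samba: it turns a `klist -k` listing into a ktutil command sequence that deletes every non-HTTP slot from the highest slot down, so earlier slot numbers stay valid, and writes the survivors to a new keytab. It assumes MIT Kerberos ktutil, whose `list` slot order matches the order `rkt` read the entries (the same order `klist -k` prints them); the destination path `/etc/apache2/http.keytab`, the `www-data` user and the sample listing are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): build a ktutil script that
# copies only the SERVICE/ entries of a source keytab into a separate keytab.
# Assumes MIT Kerberos ktutil, where "list" slots follow the order in which
# "rkt" read the file, i.e. the order "klist -k" prints. Paths and the web
# server user below are assumptions.

SRC_KEYTAB=${SRC_KEYTAB:-/etc/krb5.keytab}
DST_KEYTAB=${DST_KEYTAB:-/etc/apache2/http.keytab}
SERVICE=${SERVICE:-HTTP}

# Constructed sample of "klist -k" output (not a real keytab listing), so the
# script can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 FOUNDRY$@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry@EXAMPLE.LOCAL'

# ktutil_script KLIST_OUTPUT SRC DST SERVICE
# Prints ktutil commands: read SRC, delete every slot whose principal does not
# start with "SERVICE/" (highest slot first, so renumbering after each delent
# cannot shift a slot we still intend to delete), then write DST.
ktutil_script() {
    klist_out=$1; src=$2; dst=$3; svc=$4
    printf 'rkt %s\n' "$src"
    # Only lines beginning with a numeric KVNO are entries; count them to get
    # the ktutil slot number, remember the non-matching ones.
    printf '%s\n' "$klist_out" | awk -v svc="$svc" '
        $1 ~ /^[0-9]+$/ {
            slot++
            if (index($2, svc "/") != 1) del[n++] = slot
        }
        END { for (i = n - 1; i >= 0; i--) printf "delent %d\n", del[i] }'
    printf 'wkt %s\nquit\n' "$dst"
}

# count_kept KLIST_OUTPUT SERVICE -> number of entries that survive the filter
count_kept() {
    printf '%s\n' "$1" | awk -v svc="$2" \
        '$1 ~ /^[0-9]+$/ && index($2, svc "/") == 1 { n++ } END { print n + 0 }'
}

# Real run (needs root and the populated keytab): feed the generated commands
# to ktutil, then restrict the new file to the web server user and verify.
#   ktutil_script "$(klist -k "$SRC_KEYTAB")" "$SRC_KEYTAB" "$DST_KEYTAB" "$SERVICE" | ktutil
#   chown www-data:www-data "$DST_KEYTAB" && chmod 600 "$DST_KEYTAB"
#   klist -k "$DST_KEYTAB"        # should list only HTTP/ entries

# Offline demonstration on the constructed listing:
ktutil_script "$SAMPLE_KLIST" "$SRC_KEYTAB" "$DST_KEYTAB" "$SERVICE"
```

For the constructed listing this emits `rkt`, then `delent 3`, `delent 2`, `delent 1`, then `wkt` of the new file, leaving the three HTTP/ entries. After writing the real file, check it with `klist -k /etc/apache2/http.keytab` and, as the web server user, `kinit -k -t /etc/apache2/http.keytab HTTP/foundry.example.local`; if that fails, the keytab, not Apache, is the problem. Keep the original /etc/krb5.keytab root-only: the new file is a copy of the HTTP keys, not a move, so Samba keeps working unchanged.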