samba4 keytab management
srikumar108 at aol.com
Sun Aug 29 00:24:02 MDT 2010
Hi:
I am trying to get ssh/GSSAPI working on the samba dc. Samba already
seems to create a HOSTNAME at REALM entry upon provisioning. And when I
try to ssh from another host, I get a host/hostname at REALM ticket from
the samba server, but because I do not have a matching entry in the
keytab on the host running samba4, ssh server prompts for a password.
Could you please detail the step for creating a keytab entry of the
form host/hostname at REALM, where <hostname> is the samba4 server's fqdn?
I tried your suggestion:
# net user add ssh
# ldbedit -H sam.ldb (to add "serviceprincipalname: host/hostname at REALM")
Then run ktpass.sh (which I guess is the counterpart to windows
ktpass.exe). But this script is completely broken. The very first thing
I noticed is the following in something that claims to be a bash script:
function usage {
blah blah
}
That's never going to fly in bash. Anyway, after correcting it, I tried
./ktpass.sh --out /tmp/host.keytab --princ host/<fqdn_hostname>@REALM --pass '*'
And it gets stuck at the following command which returns nothing:
/usr/local/samba/bin/ldbsearch -H ldap://<hostname> (|(samaccountname=host/<hostname>@REALM)(serviceprincipalname=host/hostname at REALM)) msds-keyversionnumber -k 1 -N
Because there is no entry called "msds-keyversionnumber" . In fact,
"ldapsearch" reveals no entry for "msds-keyversionnumber" anywhere!
This is as far as I got.
However, looking at secrets.ldb, I already have the entry
------------------------------------------------------------------------------
dn: flatname=MYDOM,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-3850869255-3736822605-807023173
privateKeytab: secrets.keytab
realm: MYDOM.COM
saltPrincipal: host/hostname at .MYDOM.COM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
samAccountName: HOSTNAME$
secureChannelType: 6
objectGUID: fb8e32ec-c15c-4ff4-aafe-d184e5915fec
whenCreated: 20100811203918.0Z
uSNCreated: 7
name: MYDOM
flatname: MYDOM
whenChanged: 20100829012243.0Z
msDS-KeyVersionNumber: 7
secret: xyz
priorSecret:: xyz
priorWhenChanged: 20100829012243.0Z
uSNChanged: 61
distinguishedName: flatname=MYDOM,cn=Primary Domains
------------------------------------------------------------------------------
So, it seems I already have what I need, but how to get it into a
keytab that the ssh server can read? I tried copying secrets.keytab to
/etc/krb5.keytab, I tried adding krb5keytab: /etc/krb5.keytab, but
nothing works. My previous question about how to create a NEW principal
and associated keytab entry on the samba dc also stands.
I really appreciate any help you can give me, because I am totally
stumped.
-----Original Message-----
From: Matthieu Patou <mat at samba.org>
To: samba-technical at lists.samba.org
Sent: Fri, Aug 27, 2010 6:15 pm
Subject: Re: samba4 keytab management
Hello,
> How do I get this done? I am trying to get ssh working with GSSAPI.
> Reading previous messages here, I added a krb5Keytab attribute
> to the host/xyz at REALM entry in secrets.ldb. This created a
> /etc/krb5.keytab file. However the principal listed there is in the
> form:
>
> HOST at REALM, rather than host/hostname at REALM.
What are you trying to do exactly? Have ssh + GSSAPI on the s4 server
or on another server?
For the samba4 dc you don't need a krb5keytab nor a
serviceprincipalname as Samba is able to figure out that if you need a
ticket for principal host/xyz at REALM that he can manage to do it with
"just" the principal xyz at REALM.
So you basically need to have a keytab with a host/xyz at REALM entry.
The best in fact is to create a technical account and add a
serviceprincipalname like host/xyz at REALM.
Then use ktpass.sh in scripting/bin to generate the keytab.
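An offline check I would add here (not part of the thread, and not a Samba tool): given the output of `klist -k` and the DC's msDS-KeyVersionNumber, confirm that the host/<fqdn>@REALM entry sshd needs is actually in the keytab with a matching kvno, which are the two things that silently push sshd back to password prompts. It assumes the column layout of MIT Kerberos `klist -k`; the sample output is constructed, with the realm and kvno taken from the secrets.ldb dump above.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from Samba: verify that a keytab holds
# the host/<fqdn>@REALM entry sshd needs and that its kvno matches the DC.
# Assumes the column layout of MIT Kerberos 'klist -k' (KVNO, Principal).

# keytab_check KLIST_OUTPUT PRINCIPAL DC_KVNO
#   returns 0 when PRINCIPAL is present with kvno == DC_KVNO,
#   1 when the principal is missing (sshd falls back to password auth),
#   2 when it is present but the kvno is stale (service tickets fail to decrypt).
keytab_check() {
    local klist_out=$1 principal=$2 dc_kvno=$3 kvno
    # keep the last kvno listed for the principal; header lines never match
    kvno=$(printf '%s\n' "$klist_out" \
        | awk -v p="$principal" '$2 == p { k = $1 } END { print k }')
    if [ -z "$kvno" ]; then
        echo "MISSING: $principal is not in the keytab"
        return 1
    fi
    if [ "$kvno" != "$dc_kvno" ]; then
        echo "STALE: keytab kvno $kvno != DC msDS-KeyVersionNumber $dc_kvno"
        return 2
    fi
    echo "OK: $principal present with kvno $kvno"
}

# Constructed sample: what 'klist -k /etc/krb5.keytab' could print once both the
# machine account and the host/ service principal have been exported.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HOSTNAME$@MYDOM.COM
   7 host/hostname.mydom.com@MYDOM.COM'

# Live use on the DC (assumed; the kvno is the msDS-KeyVersionNumber value
# shown for the machine account in secrets.ldb, 7 in the dump above):
#   keytab_check "$(klist -k /etc/krb5.keytab)" "host/$(hostname -f)@MYDOM.COM" 7

keytab_check "$SAMPLE_KLIST" 'host/hostname.mydom.com@MYDOM.COM' 7
```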