samba4 keytab management
mat at samba.org
Sun Aug 29 13:30:11 MDT 2010
On 29/08/2010 19:28, srikumar108 at aol.com wrote:
> Hi Matthieu,
> First of all it was not my intention to be rude, and I do appreciate
> your help. I tried the steps you outlined. I did the following: on the
> host running samba4:
> # kinit administrator
> # net user ssh
> # net password set ssh <longstring>
> # ldbedit -H sam.ldb cn=ssh [ and add 'serviceprincipalname:
> host/<fqdn>@REALM' ]
> # ktpass --out /etc/krb5.keytab --princ host/<fqdn>@REALM --pass
I'm not 100% sure that you need to specify the @REALM but it shouldn't
> The command finishes without error and a keytab with 'host/xyz@REALM'
> is created. But, when I try to ssh to the samba4 box, I get prompted
> for password, and even typing the correct password does not let me
> in. I do get a ticket on the host that looks like 'host/xyz@REALM' but
> it does no good. The error message from sshd is "Wrong principal". In
> fact until I remove the keytab, no form of authentication works, not
> even local login!
Well, there is a simple way to check that your keytab is correct:
kinit -k -t the-keytab ssh (you need to recreate a keytab for the
ssh@REALM principal).
If klist gives you a ticket then it means that it's ok; if not, then well,
you'll have to search ... starting samba with -d 5 will give you some
clues about which principal openssh is trying to validate.
> Clearly, ktpass is creating something that no program on the samba4
> box likes :-) BTW, I have joined a Mac to the samba4 domain, and
> samba3 on the mac automatically created a keytab with the correct
> entry. I can ssh into the mac with GSSAPI without any problem.
On a host with samba3, net ads keytab is the easiest way to do it.
> Please let me know if I can give you more information.
> -----Original Message-----
> From: Matthieu Patou <mat at samba.org>
> To: srikumar108 at aol.com
> Cc: samba-technical at lists.samba.org
> Sent: Sun, Aug 29, 2010 6:22 am
> Subject: Re: samba4 keytab management
>> Well it works on my workstation so be sure of your assertions ... :-)
> First it's not very polite and then it's not true.
>> So please do try the ktpass.sh solution that I proposed because it
Samba Team http://samba.org