samba4 keytab management
srikumar108 at aol.com
Sun Aug 29 20:10:42 MDT 2010
> the samaccountname of this user is ssh, right? (the one you created with net user)
> have you tried that with kinit ssh@REALM, are you able to get a ticket?
Samba is running on samba.mynet.com, samdomain MYNET, realm MYNET.COM.
sshd is running on same host.
First I did:
# net user add ssh
# net password set samba4test
# ldbedit -H sam.ldb cn=ssh <add serviceprincipalname>
Here's the resulting user:
# ldbedit -H sam.ldb cn=ssh
# record 1
dn: CN=ssh,CN=Users,DC=mynet,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ssh
instanceType: 4
whenCreated: 20100830011947.0Z
uSNCreated: 5136
name: ssh
objectGUID: 7924267d-c73f-4988-aaf8-c85daf51a7b3
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3850869255-3736822605-807023173-1133
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ssh
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=com
servicePrincipalName: host/samba.mynet.com@MYNET.COM
pwdLastSet: 129276052140000000
whenChanged: 20100830012654.0Z
uSNChanged: 5145
distinguishedName: CN=ssh,CN=Users,DC=mynet,DC=com
# Referral
ref: ldap://mynet.com/CN=Configuration,DC=mynet,DC=com
# returned 2 records
# 1 entries
# 1 referrals
Keytab created with the command:
# ktpass --out /tmp/krb5.keytab --princ host/samba.mynet.com@MYNET.COM --pass 'samba4test'
Output from the relevant part of ktpass:
# ldbsearch -H ldap://samba.mynet.com '(|(samaccountname=host/samba.mynet.com@MYNET.COM)(serviceprincipalname=host/samba.mynet.com@MYNET.COM))' msds-keyversionnumber -k 1 -N
# record 1
dn: CN=ssh,CN=Users,DC=mynet,DC=com
msDS-KeyVersionNumber: 3
# Referral
ref: ldap://mynet.com/CN=Configuration,DC=mynet,DC=com
# returned 2 records
# 1 entries
# 1 referrals
Output of ktutil:
# ktutil
ktutil: rkt krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/samba.mynet.com@MYNET.COM
ktutil: q
# cp krb5.keytab /etc
# kinit ssh
Password for ssh@MYNET.COM:
kinit: Clients credentials have been revoked while getting initial credentials
Is there any other info I should provide?
Thanks!
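Editor's note with an added example (not part of the post above, and not Samba code): two checks worth running against the data already quoted in the message. First, the account's userAccountControl value of 546 is 0x222, which in the standard Active Directory bit layout is ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT; a disabled account is consistent with the KDC answering kinit with "Clients credentials have been revoked" (MIT's wording for KDC_ERR_CLIENT_REVOKED). Second, the KVNO in the keytab must match msDS-KeyVersionNumber in the directory, which in this case it does (both are 3). The script below decodes the flags and performs the KVNO comparison over the record and ktutil listing pasted from the post; the flag table is the documented AD layout, and the trimmed record text, the ktutil lines and the `check_account` helper are constructed for this example.

```python
"""Decode userAccountControl and compare keytab KVNO with the directory.

Added example, not from the mailing-list post. Input text below is a
trimmed copy of the ldbedit record and ktutil listing quoted in the post.
"""
import re

# Standard Active Directory userAccountControl bits (subset that matters
# for a Kerberos service account). Values are the documented AD flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed input: the attributes from the post's ldbedit output that the
# checks need (other attributes omitted for brevity).
LDB_RECORD = """\
dn: CN=ssh,CN=Users,DC=mynet,DC=com
objectClass: user
sAMAccountName: ssh
userAccountControl: 546
servicePrincipalName: host/samba.mynet.com@MYNET.COM
"""

# Constructed input: the 'ktutil: l' listing from the post.
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/samba.mynet.com@MYNET.COM
"""

# Value of msDS-KeyVersionNumber returned by ldbsearch in the post.
DIRECTORY_KVNO = 3


def parse_ldb(text):
    """Parse 'attr: value' lines (plain LDIF, no base64) into {attr: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def decode_uac(value):
    """Return the names of the userAccountControl bits set in value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ktutil(text):
    """Return {principal: [kvno, ...]} from a 'ktutil: l' listing."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+)$", line)
        if m:
            entries.setdefault(m.group(3), []).append(int(m.group(2)))
    return entries


def check_account(record_text, keytab_text, directory_kvno):
    """Return human-readable findings that would stop kinit from succeeding."""
    attrs = parse_ldb(record_text)
    findings = []
    uac = int(attrs["userAccountControl"][0])
    if "ACCOUNTDISABLE" in decode_uac(uac):
        findings.append("account is disabled (userAccountControl has ACCOUNTDISABLE)")
    keytab = parse_ktutil(keytab_text)
    for spn in attrs.get("servicePrincipalName", []):
        kvnos = keytab.get(spn)
        if kvnos is None:
            findings.append(f"keytab has no entry for {spn}")
        elif directory_kvno not in kvnos:
            findings.append(
                f"keytab KVNO {kvnos} does not match msDS-KeyVersionNumber "
                f"{directory_kvno} for {spn}")
    return findings


if __name__ == "__main__":
    print("userAccountControl 546 ->", decode_uac(546))
    for finding in check_account(LDB_RECORD, KTUTIL_LISTING, DIRECTORY_KVNO):
        print("finding:", finding)
```

On a live server the same two checks are `ldbsearch -H sam.ldb '(sAMAccountName=ssh)' userAccountControl msDS-KeyVersionNumber` against `ktutil`'s listing; if ACCOUNTDISABLE is set, enable the account (on current Samba, `samba-tool user enable ssh`) and retry. A keytab whose KVNO lags the directory value after a password change would show up as the second finding, which is the usual cause of a service rejecting tickets even when kinit works.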