samba4 keytab management

Matthieu Patou mat at samba.org
Sun Aug 29 23:09:37 MDT 2010



srikumar108 at aol.com wrote:

>> the samaccountname of this user is ssh right ? (the one you created 
>with net user) 
>> have you tried that with kinit ssh at REALM you are able to get a ticket 
>>
>Samba is running on samba.mynet.com, samdomain MYNET, realm MYNET.COM. 
>sshd is running on same host.
>
>First I did:
>
># net user add ssh
># net password set samba4test
># ldbedit -H sam.ldb cn=ssh <add serviceprincipalname>
>
>Here's the resulting user:
>
># ldbedit -H sam.ldb cn=ssh
>
># record 1
>dn: CN=ssh,CN=Users,DC=mynet,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: ssh
>instanceType: 4
>whenCreated: 20100830011947.0Z
>uSNCreated: 5136
>name: ssh
>objectGUID: 7924267d-c73f-4988-aaf8-c85daf51a7b3
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>primaryGroupID: 513
>objectSid: S-1-5-21-3850869255-3736822605-807023173-1133
>accountExpires: 9223372036854775807
>logonCount: 0
>sAMAccountName: ssh
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=com
>servicePrincipalName: host/samba.mynet.com at MYNET.COM
>pwdLastSet: 129276052140000000
>whenChanged: 20100830012654.0Z
>uSNChanged: 5145
>distinguishedName: CN=ssh,CN=Users,DC=mynet,DC=com
>
># Referral
>ref: ldap://mynet.com/CN=Configuration,DC=mynet,DC=com
>
># returned 2 records
># 1 entries
># 1 referrals
>
>Keytab created with the command:
># ktpass  --out /tmp/krb5.keytab --princ host/samba.mynet.com at MYNET.COM 
>--pass 'samba4test'
>
>Output from the relevant part of  ktpass:
># ldbsearch -H ldap://samba.mynet.com 
>'(|(samaccountname=host/samba.mynet.com at MYNET.COM)(serviceprincipalname=h
>ost/samba.mynet.com at MYNET.COM))' msds-keyversionnumber -k 1 -N
># record 1
>dn: CN=ssh,CN=Users,DC=mynet,DC=com
>msDS-KeyVersionNumber: 3
>
># Referral
>ref: ldap://mynet.com/CN=Configuration,DC=mynet,DC=com
>
># returned 2 records
># 1 entries
># 1 referrals
>
>Output of ktutil:
># ktutil
>ktutil:  rkt krb5.keytab
>ktutil:  l
>slot KVNO Principal
>---- ---- ---------------------------------------------------------------------
>   1    3       host/samba.mynet.com at MYNET.COM
>ktutil:  q
>
># cp krb5.keytab /etc
>
># kinit ssh
>Password for ssh at MYNET.COM:
>kinit: Clients credentials have been revoked while getting initial 
>credentials
>
Not perfect, but did you notice that the account is either expired or locked? Try to find out why (if needed, set a new password with kpasswd).

Then try ssh with GSSAPI and send the samba -d 4 log file.

Matthieu Patou
Samba team
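As an added example (not code from this thread or from Samba itself), the check an administrator would run on the record quoted above before rebuilding the keytab: decode userAccountControl, look at the expiry and lockout attributes, and compare the directory's msDS-KeyVersionNumber with the kvno that ktutil printed. The record below is a constructed subset of the one in the mail; the flag bits and the accountExpires sentinel are the values Active Directory defines.

```python
import re
from datetime import datetime, timezone, timedelta

# userAccountControl bits as defined by Active Directory (subset used here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
NEVER_EXPIRES = 9223372036854775807          # accountExpires "never" sentinel
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed subset of the record posted in the thread.
RECORD = """dn: CN=ssh,CN=Users,DC=mynet,DC=com
userAccountControl: 546
accountExpires: 9223372036854775807
sAMAccountName: ssh
servicePrincipalName: host/samba.mynet.com@MYNET.COM
msDS-KeyVersionNumber: 3
"""

def parse_ldif(text):
    """Return {attribute_lowercase: [values]} for one LDIF record."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
    return attrs

def uac_flags(value):
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def diagnose(attrs, keytab_kvno, now=None):
    """Reasons the KDC may refuse this principal; an empty list means none found."""
    now = now or datetime.now(timezone.utc)
    problems = []
    flags = uac_flags(int(attrs["useraccountcontrol"][0]))
    if "ACCOUNTDISABLE" in flags:
        problems.append("account is disabled (ACCOUNTDISABLE set)")
    if "LOCKOUT" in flags or int(attrs.get("lockouttime", ["0"])[0]) != 0:
        problems.append("account is locked out")
    expires = int(attrs["accountexpires"][0])
    if expires not in (0, NEVER_EXPIRES) and filetime_to_datetime(expires) < now:
        problems.append("account expired on %s" % filetime_to_datetime(expires).date())
    kvno = int(attrs["msds-keyversionnumber"][0])
    if kvno != keytab_kvno:
        problems.append("keytab kvno %d differs from directory kvno %d" % (keytab_kvno, kvno))
    return problems
```

For the record in the mail, `diagnose(parse_ldif(RECORD), 3)` reports only that the account is disabled: 546 is NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE, while the kvno in the keytab and the directory both read 3.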
