samba4 keytab management

Matthieu Patou mat at samba.org
Mon Aug 30 08:16:49 MDT 2010


  On 30/08/2010 06:10, srikumar108 at aol.com wrote:
>> the samaccountname of this user is ssh right? (the one you created
>> with net user)
>> have you tried that with kinit ssh@REALM you are able to get a ticket
>>
> Samba is running on samba.mynet.com, samdomain MYNET, realm MYNET.COM. 
> sshd is running on same host.
>
> First I did:
>
> # net user add ssh
> # net password set samba4test
> # ldbedit -H sam.ldb cn=ssh <add serviceprincipalname>
>
> Here's the resulting user:
>
> # ldbedit -H sam.ldb cn=ssh
>
> # record 1
> dn: CN=ssh,CN=Users,DC=mynet,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: ssh
> instanceType: 4
> whenCreated: 20100830011947.0Z
> uSNCreated: 5136
> name: ssh
> objectGUID: 7924267d-c73f-4988-aaf8-c85daf51a7b3
> userAccountControl: 546
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3850869255-3736822605-807023173-1133
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: ssh
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=com
> servicePrincipalName: host/samba.mynet.com@MYNET.COM
> pwdLastSet: 129276052140000000
> whenChanged: 20100830012654.0Z
> uSNChanged: 5145
> distinguishedName: CN=ssh,CN=Users,DC=mynet,DC=com
>
> # Referral
> ref: ldap://mynet.com/CN=Configuration,DC=mynet,DC=com
>
> # returned 2 records
> # 1 entries
> # 1 referrals
>
> Keytab created with the command:
> # ktpass --out /tmp/krb5.keytab --princ host/samba.mynet.com@MYNET.COM --pass 'samba4test'
>
> Output from the relevant part of  ktpass:
> # ldbsearch -H ldap://samba.mynet.com '(|(samaccountname=host/samba.mynet.com@MYNET.COM)(serviceprincipalname=host/samba.mynet.com@MYNET.COM))' msds-keyversionnumber -k 1 -N
> # record 1
> dn: CN=ssh,CN=Users,DC=mynet,DC=com
> msDS-KeyVersionNumber: 3
>
> # Referral
> ref: ldap://mynet.com/CN=Configuration,DC=mynet,DC=com
>
> # returned 2 records
> # 1 entries
> # 1 referrals
>
> Output of ktutil:
> # ktutil
> ktutil:  rkt krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3       host/samba.mynet.com@MYNET.COM
> ktutil:  q
>
> # cp krb5.keytab /etc
>
> # kinit ssh
> Password for ssh@MYNET.COM:
> kinit: Clients credentials have been revoked while getting initial credentials
>
> Is there any other info I should provide?
>
> Thanks!
Btw, for my own needs I just rechecked that the keytab generated by ktpass.sh
is working correctly, but the configuration can be touchy!

For your information, I always use the "*" password mode, as I'm not sure
whether the escaping of characters might cause a problem with passwords
containing symbols.

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
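The following script is an added example, not part of this thread and not Samba's own code. It performs the two checks a practitioner would run on the situation quoted above: decode the account's userAccountControl bits, and compare the KVNO stored in the keytab against msDS-KeyVersionNumber in the directory. The LDIF text is a constructed copy of the values from the post, and the keytab bytes are synthesised in memory with a dummy key (MIT keytab format version 0x0502), so nothing here touches a real KDC or keytab file. The flag values are the documented Active Directory userAccountControl bits; 546 decodes to NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE, and a disabled principal is what makes a KDC answer KRB5KDC_ERR_CLIENT_REVOKED, which MIT kinit reports as "Clients credentials have been revoked".

```python
import struct

# Constructed copy of the record quoted in the thread (with '@' restored in the SPN).
LDIF_RECORD = """dn: CN=ssh,CN=Users,DC=mynet,DC=com
sAMAccountName: ssh
userAccountControl: 546
servicePrincipalName: host/samba.mynet.com@MYNET.COM
msDS-KeyVersionNumber: 3
"""

# Subset of the documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def parse_ldif(text):
    """Minimal LDIF reader: attribute name (lower-cased) -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        attrs.setdefault(key.lower(), []).append(value)
    return attrs


def decode_uac(value):
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def build_keytab(principal, realm, kvno, enctype, key):
    """Serialise one entry in MIT keytab v2 layout (assumed dummy key, for the demo only)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit vno
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Parse MIT keytab v2 bytes into a list of {principal, kvno, enctype}."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2

        def counted_string():
            nonlocal pos
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            s = data[pos:pos + n]; pos += n
            return s.decode()

        realm = counted_string()
        comps = [counted_string() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        pos += klen                  # skip the key material itself
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno extension
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def diagnose(ldif_text, keytab_bytes):
    """Cross-check the directory record against the keytab; return (flags, findings)."""
    attrs = parse_ldif(ldif_text)
    flags = decode_uac(int(attrs["useraccountcontrol"][0]))
    findings = []
    if "ACCOUNTDISABLE" in flags:
        findings.append("account disabled: KDC answers KRB5KDC_ERR_CLIENT_REVOKED to kinit")
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWD_NOTREQD set: an empty password would be accepted")
    ad_kvno = int(attrs["msds-keyversionnumber"][0])
    spns = set(attrs.get("serviceprincipalname", []))
    for entry in parse_keytab(keytab_bytes):
        if entry["principal"] not in spns:
            findings.append("keytab principal %s has no matching SPN" % entry["principal"])
        if entry["kvno"] != ad_kvno:
            findings.append("kvno mismatch: keytab %d vs directory %d" % (entry["kvno"], ad_kvno))
    return flags, findings


if __name__ == "__main__":
    keytab = build_keytab("host/samba.mynet.com", "MYNET.COM", 3, 23, b"\x00" * 16)
    flags, findings = diagnose(LDIF_RECORD, keytab)
    print("userAccountControl:", " | ".join(flags))
    for finding in findings:
        print("-", finding)
```

Against a real deployment, replace LDIF_RECORD with the output of `ldbsearch` and pass the bytes of `/etc/krb5.keytab` to `diagnose`; the KVNO comparison is the same check ktpass performs with the msds-keyversionnumber query shown in the thread.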
