question about service principals (samba4)

Aaron Solochek aarons-samba at aberrant.org
Thu Sep 23 10:48:53 MDT 2010


On 09/22/2010 08:27 PM, Andrew Bartlett wrote:
> On Wed, 2010-09-22 at 19:33 -0400, Aaron Solochek wrote:
>> On 09/22/2010 07:25 PM, Andrew Bartlett wrote:
>>> On Wed, 2010-09-22 at 13:53 -0400, Aaron Solochek wrote:
>>>> On 09/21/2010 07:39 PM, Andrew Bartlett wrote:
>>>>> On Tue, 2010-09-21 at 16:58 -0400, Aaron Solochek wrote:
>>>>>> I can see in ldap that computer objects have service principals 
>>>>>> associated with them, however, I can't seem to use them.
>>>>>> 
>>>>>> I did a dump of the keys on the server with a net export keytab,
>>>>>> and it didn't populate that keytab with the service principals as
>>>>>> I'd hoped. Thinking that the service principals might be aliases
>>>>>> for the actual machine account principal, I tried renaming the key
>>>>>> FOO$ to host/foo in that keytab and then tried authenticating with
>>>>>> it, but it told me host/foo was not found in the database.
>>>>>> 
>>>>>> My past experience with kerberos is all with heimdal and MIT krb,
>>>>>> so I don't know in what ways I should expect things to be different
>>>>>> with windows or samba KDC, but I do assume there is some way to get
>>>>>> host/foo and nfs/foo keys so I can start deploying some kerberized
>>>>>> services.  I was hoping the servicePrincipalName entries did some
>>>>>> sort of magic for me, but failing that, I suppose I need to create
>>>>>> completely separate accounts for each service principal I want.
>>>>>> 
>>>>>> Also, what is the canonical way to extract a keytab containing
>>>>>> only keys I specify?
>>>>> 
>>>>> I hope to add extensions to our keytab management code to
>>>>> automatically populate a keytab soon.  My idea is to allow
>>>>> servicePrincipalName to be specified in the secrets.ldb entries.
>>>>> 
>>>> 
>>>> But what about the service principals in the kdc?  Right now it seems
>>>> that the kdc is not aware of them.
>>> 
>>> You need to add servicePrincipalName entries on the records of the
>>> account you wish to have these aliases for.
>> 
>> Those already exist, but I'm not able to see them when I do a keytab dump.
>> My real issue is that I need a keytab with host/foo and nfs/foo keys in it.
>> so far the only keys I've been able to get are FOO$ principals.
> 
> Indeed, but that command is designed to dump out one key per entry in the DB,
> but not to show alias names.  (It is for Wireshark decryption.)
> 
>>> 
>>>> Are they eventually going to be automatically generated based on the 
>>>> servicePrincipalNames on demand or something similar so they don't
>>>> actually exist as individual objects in ldap?
>>> 
>>> host/dnsname is automatically generated, as is cifs/ and a number of
>>> other entries.  ldap/ and others need to be added - when we are a DC, we
>>> add those based on a template file.  This file can be expanded if required
>>> (it takes substitutions so that it follows DNS hostname updates).
>>> 
>> 
>> Something is broken for me then.  If I 'kinit FOO$' I get a password error 
>> (since it's a randomly generated key), but if I 'kinit host/foo' I get the
>> error that host/foo at REALM is not found in the database.
> 
> An error from the client, or from the server?   In any case, I'm not sure if
> we allow kinit on SPNs.
> 

Ok, well I did manage to get the host/foo keys by writing a shell script to
filter the net export keytab file down to what I wanted, then using ktutil from
heimdal to rename the FOO$ to host/foo, and gssapi key exchange for ssh now works.

For the nfs/foo service principals I repeated the above, only this time creating
a temporary keytab and renaming FOO$ to nfs/foo, then using the ktutil from MIT
krb5 to merge the two keytabs so I end up with 1 containing all the keys I care
about.

However, I seem to be running into the same issue here -- that the kdc isn't
finding my service principals.  I have verified that nfs/foo is a
servicePrincipalName in ldap, but when I try an nfs mount I see this in the logs
on the client:

rpc.gssd[29806]: Success getting keytab entry for 'nfs/foo at DOMAIN'
rpc.gssd[29806]: WARNING: Client 'nfs/foo at DOMAIN' not found in Kerberos database
while getting initial ticket for principal 'nfs/foo at DOMAIN' using keytab
'WRFILE:/etc/krb5.keytab'
rpc.gssd[29806]: ERROR: No credentials found for connection to server bar


I don't see anything in logs on the server, but I'm not sure where to look other
than samba.log.

-Aaron
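The keytab surgery described in the message above (filter the net export keytab dump down to the FOO$ entries, re-emit the same keys under host/foo and nfs/foo, merge the result) can be done without ktutil by reading and writing the keytab file format directly. The following is an added example and is not code from the thread or from Samba; the keytab bytes, the FOO$/BAR$ principals, the EXAMPLE.COM realm and the key material are all constructed for the demonstration. It assumes what the thread states for host/ and cifs/: the KDC treats the SPN as an alias of the machine account and so uses the account's key and kvno, which is why a plain rename of the keytab entry is enough on the service side.

```python
"""Filter, rename and merge entries of a version-2 Kerberos keytab.

Added example, not part of the samba-technical thread.  All sample data is
constructed; no KDC, ktutil or Samba install is needed to run it.
"""
import os
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format v2, shared by MIT and Heimdal
KRB5_NT_PRINCIPAL = 1


def _pack_str(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s


def pack_entry(principal, realm, kvno, enctype, key, timestamp=0) -> bytes:
    """Serialise one keytab entry, length-prefixed as the v2 format requires."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _pack_str(realm.encode())
    for c in comps:
        body += _pack_str(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _pack_str(key)
    body += struct.pack(">I", kvno)          # 32-bit kvno trailer (kvno > 255 safe)
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Yield every live entry of a v2 keytab; deleted entries (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                        # hole left by ktutil 'delete'
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                   # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        yield {"principal": "/".join(comps), "realm": realm, "kvno": kvno,
               "enctype": enctype, "key": key, "timestamp": ts}


def build_service_keytab(src: bytes, account: str, spns) -> bytes:
    """Keep only `account`'s keys and write each one out again under every SPN."""
    keep = [e for e in parse_keytab(src) if e["principal"] == account]
    out = KEYTAB_MAGIC
    for spn in spns:                         # same key and kvno, different name
        for e in keep:
            out += pack_entry(spn, e["realm"], e["kvno"], e["enctype"],
                              e["key"], e["timestamp"])
    return out


def write_keytab(path: str, data: bytes) -> None:
    """Create the file 0600 from the start: it holds the machine account's long-term key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def sample_dump() -> bytes:
    """Constructed stand-in for a 'net export keytab' dump (fake keys, fake realm)."""
    return (KEYTAB_MAGIC
            + pack_entry("FOO$", "EXAMPLE.COM", 3, 23, b"\x11" * 16, 1285000000)
            + pack_entry("FOO$", "EXAMPLE.COM", 3, 18, b"\x22" * 32, 1285000000)
            + pack_entry("BAR$", "EXAMPLE.COM", 1, 23, b"\x33" * 16, 1285000000)
            + struct.pack(">i", -8) + b"\0" * 8   # a deleted entry, must be skipped
            + pack_entry("Administrator", "EXAMPLE.COM", 2, 18, b"\x44" * 32))


if __name__ == "__main__":
    merged = build_service_keytab(sample_dump(), "FOO$",
                                  ["host/foo.example.com", "nfs/foo.example.com"])
    for e in parse_keytab(merged):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
```

Merging in this form avoids the two-ktutil dance only because both implementations read the same v2 layout; keep the kvno identical to the account's, since the KDC issues service tickets with the account's current kvno and a mismatch shows up as a decrypt failure on the service. The rename helps only as far as the KDC resolves the SPN to that account's key: the rpc.gssd lines above show an initial-ticket request with nfs/foo as the client being refused by the KDC, which no keytab edit on the NFS client can change.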

