samba4 & WindowsDesktopSSO

Andrew Bartlett abartlet at
Tue Oct 8 20:41:33 MDT 2013

On Wed, 2013-10-02 at 16:28 +0200, miquel wrote:
> we are trying to integrate the openam WindowsDesktopSSO module with samba4 
> kerberos.
> we are creating the keytab on the samba4 DC following these steps:
> samba-tool user create --random-password http-server-hp
> samba-tool spn add HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL 
> http-server-hp
> samba-tool domain exportkeytab /root/as1_2.keytab 
> --principal=HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL
> samba-tool domain exportkeytab /root/as1_2.keytab 
> --principal=HOST/server-hp.testdomain.local@TESTDOMAIN.LOCAL
> But we need to change openam source code to configure Krb5LoginModule 
> with "isInitiator=false" parameter.
> 10.1.0-Xpress/openam/openam-authentication/openam-auth-windowsdesktopsso/src/main/java/com/sun/identity/authentication/modules/windowsdesktopsso/
>              } else {
>                  hashmap.put("storeKey", "true");
>                  hashmap.put("useKeyTab", "true");
> +               hashmap.put("isInitiator", "false");
>                  hashmap.put("keyTab", keytab);
>                  hashmap.put("doNotPrompt", "true");
>                  hashmap.put("refreshKrb5Config", refreshConf);
>              }
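Review bot: the new `isInitiator` entry is hard-coded to `"false"` while the neighbouring `refreshKrb5Config` entry is fed from a variable (`refreshConf`); since the reply below points out that the `http-server-hp@REALM` form of the principal can still act as an initiator, consider driving this from a module option that defaults to `false` and documenting it alongside the other Krb5LoginModule settings, rather than baking acceptor-only behaviour into the code path.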
> Without the "isInitiator" parameter we can't log in and openam shows a "Client not 
> found in Kerberos database" error.
> Is it correct?

We should behave the same as Windows, but it is correct to say that a
service is generally not an initiator, if using the http/server-hp@REALM
principal form.  The initiator form is http-server-hp@REALM.

In general, services accepting tickets shouldn't be initiators: they
don't need to get their own ticket to accept a ticket, and this also
makes it more reliable (no need for a KDC at startup).

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
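As an added example (not code from this thread, OpenAM or Samba), a small Python parser for the keytab format that `samba-tool domain exportkeytab` writes, so an administrator can check which principal forms a keytab actually holds before deciding whether the service needs to be an initiator at all. It assumes the MIT-style `0x0502` keytab layout; the sample keytab bytes and their all-zero keys are constructed here, not exported from a real DC.

```python
import struct

# Keytab "0502" layout: 2-byte version, then records of int32 length +
# principal (uint16 ncomp, uint16 realm_len, realm, ncomp x (uint16 len, comp)),
# uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype, uint16 key_len, key.

def parse_keytab(data):
    """Return (principal, enctype) for every live entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size < 0:                # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", data, pos)[0]; pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        enctype = struct.unpack_from(">IIBHH", data, pos)[3]
        entries.append(("/".join(comps) + "@" + realm, enctype))
        pos = end                   # skips key and optional 32-bit kvno
    return entries

def is_service_principal(principal):
    """service/host@REALM is the acceptor form; user@REALM is the initiator form."""
    return "/" in principal.rsplit("@", 1)[0]

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key); used only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return bytes(out)

# Constructed sample with the two principals exported in the post (zero keys, not real).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL", 2, 18, bytes(32)),
    ("HOST/server-hp.testdomain.local@TESTDOMAIN.LOCAL", 2, 18, bytes(32)),
])
```

Running `parse_keytab` over a real exported file lists the service-form principals (with a `/`) that an acceptor such as Krb5LoginModule with `isInitiator=false` can use; a user-form entry like `http-server-hp@REALM` would be the one an initiator needs.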
