samba4 & WindowsDesktopSSO
miquel
miquel at scytl.com
Wed Oct 9 02:22:26 MDT 2013
Thanks Andrew. So, the samba4 SPN behavior is different from Windows AD?
Just out of curiosity:
Samba4 log without "isInitiator=false" in the openam conf:
Kerberos: AS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35889 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Kerberos: Looking for PKINIT pa-data -- testuser@TESTDOMAIN.LOCAL
Kerberos: Looking for ENC-TS pa-data -- testuser@TESTDOMAIN.LOCAL
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- testuser@TESTDOMAIN.LOCAL
Kerberos: AS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35904 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Kerberos: Looking for PKINIT pa-data -- testuser@TESTDOMAIN.LOCAL
Kerberos: Looking for ENC-TS pa-data -- testuser@TESTDOMAIN.LOCAL
Kerberos: ENC-TS Pre-authentication succeeded -- testuser@TESTDOMAIN.LOCAL using aes256-cts-hmac-sha1-96
Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35915 for HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL [canonicalize, renewable]
Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35916 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL [renewable, forwarded]
Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35917 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL [renewable, forwarded]
Kerberos: AS-REQ HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35918 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Kerberos: UNKNOWN -- HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL: no such entry found in hdb
I found a note in the Java Kerberos sample:
"Note: isInitiator=false is specified here so that the application acts
as a pure server side program that will never try to authenticate itself
to the KDC. This is useful when it cannot communicate directly with the
KDC."
On 09/10/13 04:41, Andrew Bartlett wrote:
> On Wed, 2013-10-02 at 16:28 +0200, miquel wrote:
>> we are trying to integrate the openam WindowsDesktopSSO module with samba4
>> kerberos.
>>
>> we are creating the keytab on the samba4 DC following these steps:
>>
>> samba-tool user create --random-password http-server-hp
>> samba-tool spn add HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL http-server-hp
>> samba-tool domain exportkeytab /root/as1_2.keytab --principal=HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL
>> samba-tool domain exportkeytab /root/as1_2.keytab --principal=HOST/server-hp.testdomain.local@TESTDOMAIN.LOCAL
>>
>>
>> But we need to change the openam source code to configure Krb5LoginModule
>> with the "isInitiator=false" parameter.
>>
>>
>> 10.1.0-Xpress/openam/openam-authentication/openam-auth-windowsdesktopsso/src/main/java/com/sun/identity/authentication/modules/windowsdesktopsso/WindowsDesktopSSOConfig.java:
>>
>> } else {
>> hashmap.put("storeKey", "true");
>> hashmap.put("useKeyTab", "true");
>> + hashmap.put("isInitiator", "false");
>> hashmap.put("keyTab", keytab);
>> hashmap.put("doNotPrompt", "true");
>> hashmap.put("refreshKrb5Config", refreshConf);
>> }
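Review bot: the added hashmap.put("isInitiator", "false") is hard-coded, while the neighbouring refreshKrb5Config value in the same block is taken from configuration (refreshConf); consider exposing isInitiator through the module configuration in the same way, so that deployments which rely on the current behaviour of the WindowsDesktopSSO module authenticating itself to the KDC are not silently changed, and document the new acceptor-only default where the other keys are described.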
>>
>>
>> Without the "isInitiator" parameter we can't log in, and openam shows a
>> "Client not found in Kerberos database" error.
>>
>> Is it correct?
> We should behave the same as Windows, but it is correct to say that a
> service is generally not an initiator, if using the http/server-hp@REALM
> principal form. The initiator form is http-server-hp@REALM.
>
> In general, services accepting tickets shouldn't be initiators, they
> don't need to get their own ticket to accept a ticket, and this also
> makes it more reliable (no need for KDC at startup).
>
> Andrew Bartlett
>
>
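As an added example (not from this thread, nor Samba or OpenAM code), a small Python check that scans Samba 4 KDC log lines for the failure mode shown above: an AS-REQ whose client name is the HTTP/... SPN rather than the account principal, followed by the KDC's "no such entry found in hdb". The sample log is constructed from the lines quoted in this message, rejoined and with "@" restored.

```python
import re

# Constructed sample input: the Samba 4 KDC log quoted in this thread, with the
# mail-wrapped lines rejoined and the archive's " at " restored to "@".
SAMPLE_LOG = """\
Kerberos: AS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35889 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- testuser@TESTDOMAIN.LOCAL
Kerberos: AS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35904 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Kerberos: ENC-TS Pre-authentication succeeded -- testuser@TESTDOMAIN.LOCAL using aes256-cts-hmac-sha1-96
Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35915 for HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL [canonicalize, renewable]
Kerberos: AS-REQ HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35918 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
Kerberos: UNKNOWN -- HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL: no such entry found in hdb
"""

AS_REQ = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)")
UNKNOWN = re.compile(r"^Kerberos: UNKNOWN -- (\S+): no such entry found in hdb")


def is_service_principal(principal):
    """True for the SPN form (HTTP/host@REALM): a '/' in the name before '@'.
    Account principals such as testuser@REALM or http-server-hp@REALM have none."""
    name, _sep, _realm = principal.partition("@")
    return "/" in name


def find_service_initiators(log_text):
    """Scan KDC log lines for AS-REQs whose *client* is a service principal,
    i.e. a service trying to obtain its own TGT (acting as an initiator).
    Returns {principal: {"from": addr, "rejected": bool}}; rejected is set
    when the KDC later answered 'no such entry found in hdb' for that name."""
    results = {}
    for line in log_text.splitlines():
        m = AS_REQ.match(line)
        if m:
            client, addr, _service = m.groups()
            if is_service_principal(client):
                results[client] = {"from": addr, "rejected": False}
            continue
        m = UNKNOWN.match(line)
        if m and m.group(1) in results:
            results[m.group(1)]["rejected"] = True
    return results


if __name__ == "__main__":
    for spn, info in find_service_initiators(SAMPLE_LOG).items():
        status = "rejected by KDC" if info["rejected"] else "seen"
        print(f"{spn} from {info['from']}: AS-REQ as SPN ({status}); "
              "configure the acceptor with isInitiator=false, or initiate as "
              "the account principal rather than the SPN")
```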
More information about the samba-technical mailing list