samba4 & WindowsDesktopSSO

miquel miquel at scytl.com
Wed Oct 9 02:22:26 MDT 2013


Thanks Andrew.  So, SPN samba4 behavior is different from Windows AD?

Just out of curiosity:
Samba4 log without "isInitiator=false" in the openam conf:

   Kerberos: AS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35889 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
   Kerberos: Looking for PKINIT pa-data -- testuser@TESTDOMAIN.LOCAL
   Kerberos: Looking for ENC-TS pa-data -- testuser@TESTDOMAIN.LOCAL
   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- testuser@TESTDOMAIN.LOCAL
   Kerberos: AS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35904 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
   Kerberos: Looking for PKINIT pa-data -- testuser@TESTDOMAIN.LOCAL
   Kerberos: Looking for ENC-TS pa-data -- testuser@TESTDOMAIN.LOCAL
   Kerberos: ENC-TS Pre-authentication succeeded -- testuser@TESTDOMAIN.LOCAL using aes256-cts-hmac-sha1-96
   Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35915 for HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL [canonicalize, renewable]
   Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35916 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL [renewable, forwarded]
   Kerberos: TGS-REQ testuser@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35917 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL [renewable, forwarded]
   Kerberos: AS-REQ HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL from ipv4:10.0.96.14:35918 for krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
   Kerberos: UNKNOWN -- HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL: no such entry found in hdb


I found a note in the Java Kerberos sample:

   Note: isInitiator=false is specified here so that the application acts
   as a pure server side program that will never try to authenticate itself
   to the KDC. This is useful when it cannot communicate directly with the
   KDC.



On 09/10/13 04:41, Andrew Bartlett wrote:
> On Wed, 2013-10-02 at 16:28 +0200, miquel wrote:
>> we are trying to integrate the openam WindowsDesktopSSO module with samba4
>> kerberos.
>>
>> we are creating the keytab on the samba4 DC following these steps:
>>
>> samba-tool user create --random-password http-server-hp
>> samba-tool spn add HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL http-server-hp
>> samba-tool domain exportkeytab /root/as1_2.keytab --principal=HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL
>> samba-tool domain exportkeytab /root/as1_2.keytab --principal=HOST/server-hp.testdomain.local@TESTDOMAIN.LOCAL
>>
>>
>> But we need to change the openam source code to configure Krb5LoginModule
>> with the "isInitiator=false" parameter.
>>
>>
>> 10.1.0-Xpress/openam/openam-authentication/openam-auth-windowsdesktopsso/src/main/java/com/sun/identity/authentication/modules/windowsdesktopsso/WindowsDesktopSSOConfig.java:
>>
>>               } else {
>>                   hashmap.put("storeKey", "true");
>>                   hashmap.put("useKeyTab", "true");
>> +               hashmap.put("isInitiator", "false");
>>                   hashmap.put("keyTab", keytab);
>>                   hashmap.put("doNotPrompt", "true");
>>                   hashmap.put("refreshKrb5Config", refreshConf);
>>               }
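Review bot: the added `hashmap.put("isInitiator", "false");` is hard-coded with no comment, while the neighbouring options in the same block (`keytab`, `refreshConf`) come from the module configuration; either expose it as a configuration option alongside them or add a comment stating why it is forced here, namely that this branch (storeKey=true, useKeyTab=true) builds an acceptor, and isInitiator=false stops Krb5LoginModule from sending an AS-REQ as the HTTP/ service principal at login, which is the request behind the "Client not found in Kerberos database" error reported in this mail. Also confirm that the preceding branch of this if/else (not shown in the hunk) does not build a second keytab-based option map that would need the same setting.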
>>
>>
>> Without the "isInitiator" parameter we can't log in and openam shows the "Client not
>> found in Kerberos database" error.
>>
>> Is it correct?
> We should behave the same as Windows, but it is correct to say that a
> service is generally not an initiator, if using the http/server-hp@REALM
> principal form.  The initiator form is http-server-hp@REALM.
>
> In general, services accepting tickets shouldn't be initiators, they
> don't need to get their own ticket to accept a ticket, and this also
> makes it more reliable (no need for KDC at startup).
>
> Andrew Bartlett
>
>



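The acceptor-only Krb5LoginModule setup discussed in this thread, written out as a small stand-alone service, as an added example that is not part of the original mail and is not OpenAM's or Samba's own code. It builds the same option map the patch above produces (storeKey, useKeyTab, isInitiator=false, keyTab, doNotPrompt, refreshKrb5Config), logs in once from the keytab exported with samba-tool, and then validates a client's SPNEGO token with JGSS. The class name KerberosAcceptor, the "acceptor" JAAS entry name, and the command-line shape (principal, keytab path, base64 token taken from an "Authorization: Negotiate" header) are assumptions made for the example; the principal and keytab path match the thread's samba-tool commands. It assumes a krb5.conf (or the java.security.krb5.realm/kdc properties) naming the realm, but with isInitiator=false no KDC round trip is needed to accept a ticket.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added example (not OpenAM or Samba code): a pure Kerberos/SPNEGO acceptor
 * configured with the same Krb5LoginModule options as the thread's patch.
 * Assumed: keytab exported with samba-tool as in the thread, realm resolvable
 * from krb5.conf, and a base64 SPNEGO token supplied by the caller.
 */
public class KerberosAcceptor {

    /** JAAS configuration built in code, so no jaas.conf file is needed. */
    static Configuration acceptorConfig(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", principal);   // HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);         // /root/as1_2.keytab from the samba-tool export
        opts.put("storeKey", "true");       // keep the long-term key in the Subject for acceptSecContext
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "false");   // acceptor only: no AS-REQ as the HTTP/ principal at login
        opts.put("refreshKrb5Config", "true");
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Log in once at startup; with isInitiator=false this never contacts the KDC. */
    static Subject login(String principal, String keytab) throws Exception {
        LoginContext lc = new LoginContext("acceptor", null, null, acceptorConfig(principal, keytab));
        lc.login();
        return lc.getSubject();
    }

    /**
     * Validate one client token against the service key in the Subject and
     * return the authenticated client principal (e.g. testuser@TESTDOMAIN.LOCAL).
     * A bad, expired or replayed ticket surfaces as a GSSException.
     */
    static String accept(Subject service, byte[] token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            GSSCredential cred = mgr.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = mgr.createContext(cred);
            try {
                // reply is the token a real server sends back when the client asked for mutual auth
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // usage: java KerberosAcceptor HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL /root/as1_2.keytab <base64 token>
        Subject service = login(args[0], args[1]);
        byte[] token = Base64.getDecoder().decode(args[2]);
        System.out.println("authenticated: " + accept(service, token));
    }
}
```

The JAAS principal must be the HTTP/ entry that is present in the keytab; the HOST/ entry exported in the thread is not used by this acceptor. Removing the isInitiator line reproduces the failure shown in the KDC log above: Krb5LoginModule then sends an AS-REQ for HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL, which Samba rejects because only the account name http-server-hp is a client principal in its database. On Java 18 and later, Subject.doAs is deprecated in favour of Subject.callAs, which takes the same shape of callable.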