[Samba] SAMBA Kerberos misunderstanding

Bradley Schatz blschatz at gmail.com
Thu Feb 22 05:59:00 GMT 2007


Thanks Mark,

I did the following:

net ads keytab ADD HTTP/foundry.example.local

It placed the following in my keytab:

klist -k:
<snip>
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
<snip>

The following appears to have done the right thing:

net ads keytab ADD HTTP

klist -k
<snip>
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
<snip>

However, I am still no closer than I started:

kinit -k -t /etc/krb5.keytab HTTP/foundry.example.local
kinit(v5): Client not found in Kerberos database while getting initial
credentials

Any ideas?

Thanks,


PS: Interestingly I get the following from css_adkadmin:

root@foundry:~ # /usr/bin/css_adkadmin -p Administrator -q "getacct foundry"

dn: CN=foundry,CN=Computers,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: foundry
distinguishedName: CN=foundry,CN=Computers,DC=example,DC=local
instanceType: 4
whenCreated: 20070219133910.0Z
whenChanged: 20070222054545.0Z
uSNCreated: 385123
uSNChanged: 409706
name: foundry
objectGUID: 0x9f6bbada88e8c8448d666efef54cf896
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 128165968399043318
localPolicyFlags: 0
pwdLastSet: 128163659510654397
primaryGroupID: 515
objectSid: 0x0105000000000005150000003a271cc8822081797cafeaa3db040000
accountExpires: 9223372036854775807
logonCount: 242
sAMAccountName: foundry$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 3.0.22
dNSHostName: foundry.example.local
userPrincipalName: HOST/foundry@EXAMPLE.LOCAL
servicePrincipalName: HTTP/FOUNDRY.EXAMPLE.LOCAL/foundry.example.local
servicePrincipalName: HTTP/FOUNDRY.EXAMPLE.LOCAL/foundry
servicePrincipalName: HTTP/foundry.example.local
servicePrincipalName: HTTP/foundry
servicePrincipalName: CIFS/foundry.example.local
servicePrincipalName: CIFS/foundry
servicePrincipalName: HOST/foundry.example.local
servicePrincipalName: HOST/foundry
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local
isCriticalSystemObject: FALSE
msDS-KeyVersionNumber: 2


On 2/21/07, Mark Proehl <M.Proehl at science-computing.de> wrote:
>
> Hi,
>
> On Wed, Feb 21, 2007 at 06:41:42PM +1000, Bradley Schatz wrote:
> > Hi Mark,
> >
> > For some background, I am actually trying to set up a http kerberos
> service
> > so that I can use mod_auth_krb in apache2.
> >
> > Would net ads join createupn=http/foundry.example.local do the trick?
>
> no. That command only creates a user principal name for the machine
> account. So that you could obtain kerberos tickets as
> http/foundry.example.local,
> i.e. you could become the identity of http/foundry.example.local.
>
> If you want to kerberize apache, you need to create a service
> principal on the active directory controller:
> HTTP/foundry.example.local (note: HTTP is uppercase).  And you need to
> create a keytab file for apache.
>
> This can be done by samba via
>
>    net ads keytab ADD HTTP/foundry.example.com
>
> This would add some HTTP entries to /etc/krb5.keytab. Typically apache
> is not running as root, so it cannot read /etc/krb5.keytab. Therefore
> you should move the HTTP entries to a separate keytab file which apache
> can read. This could be done by ktutil or by setting the environment
> variable "KRB5_KTNAME".
>
>
> >
> > I am on 3.0.22, which does not support this syntax. Any work-arounds?
>
> "createupn"  was a new feature in 3.0.23a...
>
> - Mark
>
>
>
> >
> > On 2/21/07, Mark Proehl <M.Proehl at science-computing.de> wrote:
> > >
> > >Hi,
> > >
> > >try
> > >
> > >  net ads join createupn=host/foundry.example.local
> > >
> > >- Mark
> > >
> > >On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> > >> I suspect I might be grossly misunderstanding kerberos and AD here,
> but
> > >I
> > >> cant seem to grok the following.
> > >>
> > >> net ads join integrates my linux samba server (named foundry) into an
> AD
> > >> domain and all works fine. The samba server is using the kerberos
> > >keytab.
> > >>
> > >> root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$
> > >> root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> > >> kinit(v5): Client not found in Kerberos database while getting initial
> > >> credentials
> > >>
> > >> Why can't kinit find the service host/foundry.example.local in the AD
> > >> Kerberos database? It seems to be in the local linux server keylist:
> > >>
> > >> root@foundry:~ # klist -k
> > >> Keytab name: FILE:/etc/krb5.keytab
> > >> KVNO Principal
> > >> ---- --------------------------------------------------------------------------
> > >>   2 host/foundry.example.local@EXAMPLE.LOCAL
> > >>   2 host/foundry.example.local@EXAMPLE.LOCAL
> > >> .... cut ...
> > >>
> > >> What am I missing here?
> > >>
> > >> Thanks,
> > >>
> > >> Bradley
> > >--
> > >To unsubscribe from this list go to the following URL and read the
> > >instructions:  https://lists.samba.org/mailman/listinfo/samba
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> --
>
> Kind regards,
>
> Mark Pröhl
>
> _______________________________________________creating IT solutions
>
> Mark Proehl                              phone   +49(0)7071 9457-591
> Senior Solutions Engineer                fax     +49(0)7071 9457-411
> CAx Professional Services
>
> science + computing ag                 m.proehl at science-computing.de
> Hagellocher Weg 71-75                     samba at science-computing.de
> D-72070 Tuebingen, Germany                  www.science-computing.de
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>


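The confusion running through this thread is the difference between the names an AD account can authenticate as (its sAMAccountName `foundry$` and its userPrincipalName, which is what an AS-REQ, i.e. `kinit`, carries) and its servicePrincipalName values, which only let the KDC issue tickets *to* that service. A principal that exists only as an SPN is exactly what the KDC rejects with "Client not found in Kerberos database". The script below is an added diagnostic written for this thread, not code from the thread or from Samba; it runs over constructed copies of the `klist -k` and `css_adkadmin` output shown above, reports for each keytab entry whether `kinit -k` as that principal can succeed, and flags the doubled-host entries (`HTTP/host/host@REALM`) that the first `net ads keytab ADD` form produced. It assumes that the AD KDC compares principal names case-insensitively, which is why `host/foundry@EXAMPLE.LOCAL` is accepted against a UPN spelled `HOST/foundry@EXAMPLE.LOCAL`.

```python
"""Cross-check `klist -k` keytab principals against an AD computer-account dump.

Added diagnostic for the Samba list thread above (not Samba's own code). It
separates the principals usable as a Kerberos *client* (kinit -k) from the
service-only principals that the KDC answers with "Client not found".
"""
import re

# Constructed sample input, modelled on the klist -k output shown in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 foundry$@EXAMPLE.LOCAL
   2 host/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
"""

# Constructed sample input: the attributes from the css_adkadmin dump that matter here.
ACCOUNT_DUMP = """\
sAMAccountName: foundry$
dNSHostName: foundry.example.local
userPrincipalName: HOST/foundry@EXAMPLE.LOCAL
servicePrincipalName: HTTP/FOUNDRY.EXAMPLE.LOCAL/foundry.example.local
servicePrincipalName: HTTP/foundry.example.local
servicePrincipalName: HOST/foundry.example.local
"""

REALM = "EXAMPLE.LOCAL"


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def parse_account(text):
    """Return {attribute: [values]} from an LDIF-style 'attr: value' dump."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def client_names(attrs, realm):
    """Names an AS-REQ may carry for this account: sAMAccountName@REALM and the UPN.
    Lower-cased on the assumption that the AD KDC matches principal names
    case-insensitively (an MIT KDC would not)."""
    names = {f"{sam}@{realm}".lower() for sam in attrs.get("sAMAccountName", [])}
    names |= {upn.lower() for upn in attrs.get("userPrincipalName", [])}
    return names


def classify(principal, attrs, realm=REALM):
    """Classify a keytab principal for use with `kinit -k`:
    'client'      - matches sAMAccountName or UPN, so kinit succeeds
    'spn-only'    - registered only as a servicePrincipalName: the KDC answers
                    'Client not found'; the key validates tickets, it cannot obtain them
    'wrong-realm' - realm differs from the account's realm
    'unknown'     - not registered on this account at all"""
    name, _, princ_realm = principal.rpartition("@")
    if princ_realm.lower() != realm.lower():
        return "wrong-realm"
    if principal.lower() in client_names(attrs, realm):
        return "client"
    spns = {s.lower() for s in attrs.get("servicePrincipalName", [])}
    if name.lower() in spns:
        return "spn-only"
    return "unknown"


def doubled_host_entries(entries, dns_host):
    """Flag principals whose name repeats the host, e.g. HTTP/host/host@REALM.
    That is what `net ads keytab ADD HTTP/<fqdn>` produced in the thread: the
    subcommand expects a bare service name and appends the host itself."""
    flagged = []
    for _, principal in entries:
        components = [c.lower() for c in principal.rpartition("@")[0].split("/")]
        if components.count(dns_host.lower()) > 1:
            flagged.append(principal)
    return flagged


def report(klist_text=KLIST_OUTPUT, account_text=ACCOUNT_DUMP, realm=REALM):
    """Return one verdict line per keytab entry, followed by doubled-host warnings."""
    entries = parse_klist(klist_text)
    attrs = parse_account(account_text)
    host = attrs.get("dNSHostName", [""])[0]
    lines = [f"{principal}: {classify(principal, attrs, realm)}" for _, principal in entries]
    for bad in doubled_host_entries(entries, host):
        lines.append(f"WARNING doubled host component in keytab entry: {bad}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

For the Apache case the verdict to look for is `spn-only`: a Kerberized web server only needs the `HTTP/...` key to validate the tickets clients present, so no `kinit` as that principal is required or possible. The remaining step is the one Mark describes, moving those entries out of the root-only `/etc/krb5.keytab` into a keytab the Apache user can read and pointing `KRB5_KTNAME` at it.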