[Samba] KDC and samba4
Andrew Dumaresq
dumaresq at gmail.com
Sat Apr 16 18:13:47 MDT 2011
Hi,
I'm using GIT pull from a few days ago.
I am trying to get ssh working with kerberos when samba is the KDC. I
am having trouble getting my machine keytabs to work. Here are some of
the problems I have:
1)
root@morannon:~# samba-tool export keytab /tmp/test.keytab
added interface ip=192.168.1.11 nmask=255.255.255.0
added interface ip=127.0.0.1 nmask=255.0.0.0
added interface ip=192.168.1.11 nmask=255.255.255.0
added interface ip=127.0.0.1 nmask=255.0.0.0
ldb_wrap open of secrets.ldb
root@morannon:~# klist -k -t /tmp/test.keytab
Keytab name: WRFILE:/tmp/test.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
ldb_wrap open of secrets.ldb
ERROR: search returned 0 records, expected 1
root@morannon:~# samba-tool machinepw 'MORANNON$'
ldb_wrap open of secrets.ldb
ERROR: search returned 0 records, expected 1
2) (This is likely related to my previous problem)
I extracted the host keytab from Samba (using ktpass.sh with no
password) and put the extracted info in /etc/krb5.keytab
klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
but when I try to use that to run kinit I get this:
kinit -k
kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials
I've tried both capital and not capital HOST. I've tried every
combination of FQDNs and such; none of it seems to help.
As a result I can't use ssh to connect using kerberos.
Just to make sure I didn't have a DNS issue or something like that, I
shut down samba and installed a "standard" KDC, and I was able to get
everything working just fine. This obviously breaks samba quite badly,
and as far as I can tell samba4 can't use external kerberos.
Any ideas?
Thanks