[Samba] KDC and samba4

Matthieu Patou mat at samba.org
Sun Apr 17 06:55:49 MDT 2011


On 17/04/2011 04:13, Andrew Dumaresq wrote:
> Hi,
>
> I'm using a GIT pull from a few days ago.
>
> I am trying to get ssh working with kerberos when samba is the KDC.  I 
> am having trouble getting my machine keytabs to work.  Here's some of 
> the problems I have:
>
> 1)
> root@morannon:~# samba-tool export keytab /tmp/test.keytab
> added interface ip=192.168.1.11 nmask=255.255.255.0
> added interface ip=127.0.0.1 nmask=255.0.0.0
> added interface ip=192.168.1.11 nmask=255.255.255.0
> added interface ip=127.0.0.1 nmask=255.0.0.0
> ldb_wrap open of secrets.ldb
> root@morannon:~# klist -k -t /tmp/test.keytab
> Keytab name: WRFILE:/tmp/test.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
> root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
> ldb_wrap open of secrets.ldb
> ERROR: search returned 0 records, expected 1
> root@morannon:~# samba-tool machinepw 'MORANNON$'
> ldb_wrap open of secrets.ldb
> ERROR: search returned 0 records, expected 1
>
There was a bug: the command would only succeed when you are in the 
directory where the secrets.ldb file is.
I pushed a fix in autobuild for this; normally it should land in the 
master tree of Samba soon.

>
> 2)  (This is likely related to my previous problem)
> I extracted the host keytab from Samba (using ktpass.sh with no 
> password) and put the extract info in /etc/krb5.keytab
Strange, normally you should provide a password or --password *
>  klist -k
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
>
> but when I try to use that to run kinit I get this:
>  kinit -k
> kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found 
> in Kerberos database while getting initial credentials
Not sure whether it's a bug or normal, but I noticed that you can't 
get a TGT when you use a keytab with just a servicePrincipalName; 
you should be able, though, to get a ticket for the SPN in the keytab.

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
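The two symptoms in this thread (a `klist -k -t` listing with one line per key, and `kinit -k` failing with "Client ... not found in Kerberos database" when /etc/krb5.keytab holds only `host/morannon.dumaresq.local@DUMARESQ.LOCAL`) both come down to what a keytab actually contains. The script below is an added example written for this page; it is not Samba, MIT or Heimdal code. It parses the keytab file format that `samba-tool export keytab` and `klist` share (version 0x0502, big-endian; that is the only layout it handles), collapses the listing to one row per principal and kvno, and reports which principals name an account the KDC can look up as the *client* of an AS-REQ. In AD that is the sAMAccountName (`MORANNON$`) or a userPrincipalName; a name with a `/` is a servicePrincipalName, which only identifies the target of a TGS-REQ. It also flags a `krbtgt` key in an exported keytab, since the first export above dumped every account's key including that one, and anyone who can read such a file can forge tickets for the whole domain. The sample keytabs, the enctype numbers 17/18/23 and the key bytes are constructed for the example; the thread does not show which enctypes were exported.

```python
# Keytab parser and kinit-client check. Added example for this thread; not Samba code.
import struct
from dataclasses import dataclass

KEYTAB_VERSION = b"\x05\x02"       # only the big-endian v2 layout is handled (assumption)
NT_PRINCIPAL, NT_SRV_HST = 1, 3     # RFC 4120 name types
AES256, AES128, RC4 = 18, 17, 23    # enctype numbers assumed for the samples
KEY_LEN = {AES256: 32, AES128: 16, RC4: 16}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # "comp[/comp...]@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data, pos):
    """uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Return the entries of a keytab, one per (principal, kvno, enctype), in file order."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno; non-zero overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries):
    """Serialise entries in the same layout; used here only to construct sample input."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def summarize(entries):
    """Collapse klist's one-line-per-key listing into {(principal, kvno): [enctypes]}."""
    out = {}
    for e in entries:
        out.setdefault((e.principal, e.kvno), []).append(e.enctype)
    return {k: sorted(v) for k, v in out.items()}


def kinit_client_candidates(entries):
    """Principals usable as the client name of `kinit -k`: account names, not SPNs.
    A name containing '/' is a servicePrincipalName; the KDC does not resolve it as
    an account, hence 'Client ... not found in Kerberos database' for host/... alone."""
    return sorted({e.principal for e in entries
                   if "/" not in e.principal.rsplit("@", 1)[0]})


def sensitive_principals(entries):
    """krbtgt keys in an exported keytab let the file's reader forge any ticket."""
    return sorted({e.principal for e in entries if e.principal.startswith("krbtgt")})


# Constructed samples (not the poster's real keys): the SPN-only /etc/krb5.keytab
# from the thread, and the same file with the machine account added.
HOST_ONLY_ENTRIES = [
    KeytabEntry("host/morannon.dumaresq.local@DUMARESQ.LOCAL", NT_SRV_HST,
                1302998659, 1, et, bytes([et]) * KEY_LEN[et]) for et in (AES256, AES128, RC4)]
MACHINE_ENTRIES = HOST_ONLY_ENTRIES + [
    KeytabEntry("MORANNON$@DUMARESQ.LOCAL", NT_PRINCIPAL,
                1302998659, 1, et, bytes([et]) * KEY_LEN[et]) for et in (AES256, AES128, RC4)]
HOST_ONLY_KEYTAB = build_keytab(HOST_ONLY_ENTRIES)
MACHINE_KEYTAB = build_keytab(MACHINE_ENTRIES)

if __name__ == "__main__":
    for label, blob in (("host only", HOST_ONLY_KEYTAB), ("with machine account", MACHINE_KEYTAB)):
        ents = parse_keytab(blob)
        print(label, summarize(ents), "kinit -k clients:", kinit_client_candidates(ents))
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; an empty `kinit_client_candidates` result is the condition that produced the error in the thread, and a non-empty `sensitive_principals` result means the file must be treated like the domain's master secret.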
