[Samba] KDC and samba4

Andrew Dumaresq dumaresq at gmail.com
Mon Apr 18 18:49:21 MDT 2011


Got it and it seems to work exactly as it should!

Thanks!


On 4/17/2011 8:55 AM, Matthieu Patou wrote:
> On 17/04/2011 04:13, Andrew Dumaresq wrote:
>> Hi,
>>
>> I'm using a GIT pull from a few days ago.
>>
>> I am trying to get ssh working with kerberos when samba is the KDC.  
>> I am having trouble getting my machine keytabs to work.  Here's some 
>> of the problems I have:
>>
>> 1)
>> root@morannon:~# samba-tool export keytab /tmp/test.keytab
>> added interface ip=192.168.1.11 nmask=255.255.255.0
>> added interface ip=127.0.0.1 nmask=255.0.0.0
>> added interface ip=192.168.1.11 nmask=255.255.255.0
>> added interface ip=127.0.0.1 nmask=255.0.0.0
>> ldb_wrap open of secrets.ldb
>> root@morannon:~# klist -k -t /tmp/test.keytab
>> Keytab name: WRFILE:/tmp/test.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>> root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
>> ldb_wrap open of secrets.ldb
>> ERROR: search returned 0 records, expected 1
>> root@morannon:~# samba-tool machinepw 'MORANNON$'
>> ldb_wrap open of secrets.ldb
>> ERROR: search returned 0 records, expected 1
>>
> There was a bug: the command would only succeed when you are in the 
> path where the secrets.ldb file is.
> I pushed a fix in autobuild for this; normally it should land in the 
> master tree of Samba soon.
>
>>
>> 2)  (This is likely related to my previous problem)
>> I extracted the host keytab from Samba (using ktpass.sh with no 
>> password) and put the extract info in /etc/krb5.keytab
> Strange, normally you should provide a password or --password *
>>  klist -k
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
>>
>> but when I try to use that to to run kinit I get this:
>>  kinit -k
>> kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found 
>> in Kerberos database while getting initial credentials
> Not sure whether it's a bug or if it's normal, but I noticed that you 
> can't get a TGT ticket when you use a keytab with just a 
> servicePrincipalName; you should be able, though, to get one for the SPN in 
> the keytab.
>
> Matthieu.
>
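As an added example (not from this thread and not Samba code), the Python below parses the MIT keytab layout that `klist -k -t` reads, groups entries per principal the way the listing above shows them (one entry per enctype sharing a KVNO), and labels each principal as a user, a MACHINE$ account or a host/... service name, the last being the form Matthieu says kinit -k cannot obtain a TGT for on this KDC. The keytab bytes are constructed inline with dummy keys; build_keytab exists only to produce that test input.

```python
import struct
KEYTAB_V2 = b"\x05\x02"   # magic of the MIT keytab format that klist -k reads

def build_keytab(entries):   # (principal, kvno, enctype, key) tuples -> keytab v2 bytes
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm, *comps]:                          # realm, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                     # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):      # -> [(principal, kvno, enctype)]; a negative size marks a deleted slot
    assert data[:2] == KEYTAB_V2, "only keytab version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            ncomp, pos, parts = struct.unpack_from(">H", data, pos)[0], pos + 2, []
            for _ in range(ncomp + 1):                      # realm first, then components
                (n,) = struct.unpack_from(">H", data, pos)
                parts.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _ntype, _ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + keylen                              # skip fixed fields and the key itself
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return entries

def summarize(entries):      # per principal: kvnos, key count, client name vs service name
    keys = {}
    for princ, kvno, enctype in entries:
        keys.setdefault(princ, []).append((kvno, enctype))
    report = {}
    for princ, lst in keys.items():
        name = princ.rsplit("@", 1)[0]   # host/fqdn is a service name: no TGT for it on this KDC
        kind = "service" if "/" in name else ("machine" if name.endswith("$") else "user")
        report[princ] = {"kvnos": sorted({k for k, _ in lst}), "keys": len(lst), "kind": kind}
    return report

SAMPLE = build_keytab(   # constructed sample mirroring the thread's klist output; dummy key bytes
    [("MORANNON$@DUMARESQ.LOCAL", 1, e, bytes([e]) * 16) for e in (18, 17, 23)]
    + [("host/morannon.dumaresq.local@DUMARESQ.LOCAL", 1, 23, b"\x44" * 16)])
```

Running `summarize(parse_keytab(SAMPLE))` reports MORANNON$ as a machine account with three keys at KVNO 1 and the host/ entry as a service name, the split the kinit -k error above turns on.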