[Samba] Samba 4 krb5.keytab confusion

Gémes Géza geza at kzsdabas.hu
Sun Jan 8 23:38:30 MST 2012


On 2012-01-08 10:13, steve wrote:
> Hi
> I have Samba 4 installed and working. I recently changed FQDN to dns
> name hh3.hh3.site. It works OK and e.g. on a windows 7 box which
> joined the domain, users can logon. But I have a mess in the keytab:
>
> klist -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    2 HH3$@HH3.HH1.SITE
>    2 HH3$@HH3.HH1.SITE
>    2 HH3$@HH3.HH1.SITE
>    2 host/HH3 at HH3.HH1.SITE
>    2 host/HH3 at HH3.HH1.SITE
>    2 host/HH3 at HH3.HH1.SITE
>    2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
>    2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
>    2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
>    2 host/HH3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 host/HH3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 host/HH3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 host/HH3.hh3.hh1.site at HH3.HH1.SITE
>    2 host/HH3.hh3.hh1.site at HH3.HH1.SITE
>    2 host/HH3.hh3.hh1.site at HH3.HH1.SITE
>    2 host/hh3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 host/hh3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 host/hh3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 host/hh3 at HH3.HH1.SITE
>    2 host/hh3 at HH3.HH1.SITE
>    2 host/hh3 at HH3.HH1.SITE
>    2 cifs/hh3.hh3.hh1.site at HH3.HH1.SITE
>    2 cifs/hh3.hh3.hh1.site at HH3.HH1.SITE
>    2 cifs/hh3.hh3.hh1.site at HH3.HH1.SITE
>    2 cifs/HH3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 cifs/HH3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 cifs/HH3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 cifs/HH3.hh3.hh1.site at HH3.HH1.SITE
>    2 cifs/HH3.hh3.hh1.site at HH3.HH1.SITE
>    2 cifs/HH3.hh3.hh1.site at HH3.HH1.SITE
>    2 cifs/hh3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 cifs/hh3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 cifs/hh3.HH3.HH1.SITE at HH3.HH1.SITE
>    2 HH3$@HH3.SITE
>    2 HH3$@HH3.SITE
>    2 HH3$@HH3.SITE
>    2 host/HH3 at HH3.SITE
>    2 host/HH3 at HH3.SITE
>    2 host/HH3 at HH3.SITE
>    2 host/hh3.hh3.site at HH3.SITE
>    2 host/hh3.hh3.site at HH3.SITE
>    2 host/hh3.hh3.site at HH3.SITE
>    2 host/HH3.HH3.SITE at HH3.SITE
>    2 host/HH3.HH3.SITE at HH3.SITE
>    2 host/HH3.HH3.SITE at HH3.SITE
>    2 host/HH3.hh3.site at HH3.SITE
>    2 host/HH3.hh3.site at HH3.SITE
>    2 host/HH3.hh3.site at HH3.SITE
>    2 host/hh3.HH3.SITE at HH3.SITE
>    2 host/hh3.HH3.SITE at HH3.SITE
>    2 host/hh3.HH3.SITE at HH3.SITE
>    2 host/hh3 at HH3.SITE
>    2 host/hh3 at HH3.SITE
>    2 host/hh3 at HH3.SITE
>    2 cifs/hh3.hh3.site at HH3.SITE
>    2 cifs/hh3.hh3.site at HH3.SITE
>    2 cifs/hh3.hh3.site at HH3.SITE
>    2 cifs/HH3.HH3.SITE at HH3.SITE
>    2 cifs/HH3.HH3.SITE at HH3.SITE
>    2 cifs/HH3.HH3.SITE at HH3.SITE
>    2 cifs/HH3.hh3.site at HH3.SITE
>    2 cifs/HH3.hh3.site at HH3.SITE
>    2 cifs/HH3.hh3.site at HH3.SITE
>    2 cifs/hh3.HH3.SITE at HH3.SITE
>    2 cifs/hh3.HH3.SITE at HH3.SITE
>    2 cifs/hh3.HH3.SITE at HH3.SITE
>    1 steve4 at HH3.SITE
>    1 steve4 at HH3.SITE
>    1 steve4 at HH3.SITE
>    2 steve5 at HH3.SITE
>    2 steve5 at HH3.SITE
>    2 steve5 at HH3.SITE
>    1 lynn2 at HH3.SITE
>    1 lynn2 at HH3.SITE
>    1 lynn2 at HH3.SITE
>
> This all seems OK:
>
> Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46585 for
> STEVE-PC$@HH3.SITE [canonicalize, renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2012-01-08T09:35:01 starttime:
> 2012-01-08T09:35:16 endtime: 2012-01-08T19:35:01 renew till:
> 2012-01-15T09:35:01
>
> Kerberos: TGS-REQ steve4 at HH3.SITE from ipv4:192.168.1.2:46577 for
> host/steve-pc.hh3.site at HH3.SITE [canonicalize, renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2012-01-08T09:35:06 starttime:
> 2012-01-08T09:35:06 endtime: 2012-01-08T19:35:06 renew till:
> 2012-01-15T09:35:06
>
> Got user=[] domain=[] workstation=[STEVE-PC] len1=1 len2=0
> auth_check_password_send: Checking password for unmapped user
> []\[]@[STEVE-PC]
> auth_check_password_send: mapped user is: [CACTUS]\[]@[STEVE-PC]
>
>
> But I also get this:
>
> Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46588 for
> steve-pc$\@HH3.SITE at HH3.SITE [canonicalize, request-anonymous,
> renewable, forwardable]
> Kerberos: Bad request for constrained delegation
> Kerberos: constrained delegation from steve-pc$@HH3.SITE
> (steve-pc$@HH3.SITE) as steve-pc$@HH3.SITE to
> steve-pc$\@HH3.SITE at HH3.SITE not allowed
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.2:46588
>
> Which I think is due to the keytab
>
> smb.conf contains:
>
> [global]
>     server role = domain controller
>     workgroup = CACTUS
>     realm = hh3.site
>     netbios name = HH3
>     passdb backend = samba4
>     template shell = /bin/bash
>
> So, 2 very newbie questions:
>
> 1. Is there any way I can tidy up the keytab to see if it removes that error?
> 2. In the above example, steve-pc is a windows 7 client which is
> joined to the domain called CACTUS. Why doesn't steve-pc$ appear in
> the keytab listing?
>
> Thanks
> Steve.
>
Hi,

/etc/krb5.keytab is a keytab you've created (e.g. with samba-tool domain
exportkeytab /etc/krb5.keytab); it is not used by Samba4 in any way. If
you need a keytab for any service you run (e.g. nfs), I would suggest
extracting a keytab only for the principal you've created for that service.
E.g.:

samba-tool user create whateverserviceusername --random-password
samba-tool spn add servicename/hostname whateverserviceusername
samba-tool domain exportkeytab /path/to/the/keytab --principal=servicename/hostname

Regards

Geza
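As an added example (not from the thread and not Samba's own code), a small Python audit that parses klist -k output like the listing quoted above and reports what a per-service keytab should not carry: keys for the pre-rename realm HH3.HH1.SITE, human users' long-term keys, and the same SPN exported under several capitalisations. The sample listing is a constructed excerpt of Steve's output; the realm check takes the expected realm as a parameter.

```python
import re
from collections import defaultdict

# Constructed excerpt of the `klist -k` listing quoted in the thread. The list
# archive rewrites some "@" signs as " at ", so the parser accepts both.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------------
   2 HH3$@HH3.HH1.SITE
   2 HH3$@HH3.HH1.SITE
   2 host/HH3 at HH3.HH1.SITE
   2 host/hh3.hh3.site at HH3.SITE
   2 host/HH3.HH3.SITE at HH3.SITE
   2 cifs/hh3.hh3.site at HH3.SITE
   1 steve4 at HH3.SITE
   2 steve5 at HH3.SITE
"""

# KVNO, principal name, realm; "@" or the archive's " at " separates name and realm.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)(?:@| at )(\S+)\s*$")


def parse_klist(text):
    """Return (kvno, name, realm) tuples for every key entry in klist -k output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, expected_realm):
    """Flag keys that a single-service keytab should not carry."""
    report = {"stale_realm": set(), "user_keys": set(), "case_variants": {}}
    by_folded = defaultdict(set)
    for _kvno, name, realm in parse_klist(text):
        princ = f"{name}@{realm}"
        # Keys for the pre-rename realm are dead weight once the DC serves the new realm.
        if realm.upper() != expected_realm.upper():
            report["stale_realm"].add(princ)
        # Service principals contain "/" and machine accounts end in "$";
        # anything else is a human user's long-term key sitting in a host keytab.
        if "/" not in name and not name.endswith("$"):
            report["user_keys"].add(princ)
        by_folded[princ.lower()].add(princ)
    # Same SPN exported under several capitalisations: one of them is enough.
    report["case_variants"] = {k: sorted(v) for k, v in by_folded.items() if len(v) > 1}
    return report
```

Each principal appears once per encryption type in the real listing, so the entry count is a multiple of the number of distinct principals; the report keys are deduplicated.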
