[Samba] Understanding kerberos principals in samba4
Quinn Plattel
qiet72 at gmail.com
Fri Jul 13 07:12:20 MDT 2012
Hi,
When I have a service on a client that tries to use kerberos and I get
errors such as these in the log.samba file:
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Does this mean that the kerberos authentication system is looking for the
principal "host/ubuntu-test.mydomain.net@MYDOMAIN.NET" in samba4's domain
or in the server's /etc/krb5.keytab file? I have tried adding this
principal to the /etc/krb5.keytab file using ktutil, but this error still
pops up. I noticed that you can export a principal into a keytab file
using "samba-tool domain exportkeytab" but how do you add the principal to
the domain? Will adding the missing principal using "samba-tool spn" solve
problems like these?
According to https://help.ubuntu.com/community/SingleSignOn , you add a
host to the kerberos realm by doing these two commands on the kerberos
server:
kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/client.keytab host/client.example.com@EXAMPLE.COM
I am guessing that "kadmin: ktadd -k ~/client.keytab
host/client.example.com@EXAMPLE.COM" is the equivalent of "samba-tool
domain exportkeytab ~/client.keytab --principal=host/client.example.com"
but what is the equivalent of "kadmin: addprinc -randkey
host/client.example.com@EXAMPLE.COM" under samba4 ???
br,
Quinn
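Added example, not part of the original post: a small parser that collects the principals named in "UNKNOWN ... no such entry found in hdb" lines of log.samba, where hdb is the KDC's principal database. It tolerates the line wrapping and the spaces around "@" seen in the message above; the function names and the sample log text are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the single log line quoted in the post.
SAMPLE_LOG = """\
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb
(constructed unrelated log line)
Kerberos: UNKNOWN -- HTTP/web.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
"""

# Principal name, optional spaces around "@", realm, then the fixed message.
UNKNOWN_RE = re.compile(
    r"Kerberos: UNKNOWN -- (?P<name>[^\s@]+) ?@ ?(?P<realm>[^\s:@]+): "
    r"no such entry found in hdb"
)


def missing_principals(log_text):
    """Return a Counter mapping each unknown principal to its lookup failures."""
    # Collapse all whitespace so entries wrapped across lines still match.
    flat = " ".join(log_text.split())
    hits = Counter()
    for m in UNKNOWN_RE.finditer(flat):
        hits[f"{m['name']}@{m['realm']}"] += 1
    return hits


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm).

    For a principal without a '/', service is None and the second
    element is the bare name (for example a user principal).
    """
    name, _, realm = principal.rpartition("@")
    service, sep, host = name.partition("/")
    return (service, host, realm) if sep else (None, name, realm)


if __name__ == "__main__":
    for principal, count in missing_principals(SAMPLE_LOG).most_common():
        service, host, realm = split_principal(principal)
        print(f"{count:3d}  service={service} host={host} realm={realm}")
```
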