[Samba] Understanding kerberos principals in samba4

Quinn Plattel qiet72 at gmail.com
Mon Jul 16 04:10:00 MDT 2012


Hi,

Thanks for the info.  I am now trying two ways to get, for example, the
nslcd service to work with samba4 kerberos.
Note: Spaces around "@" are intentional and exist only on the list.

Method 1: The non-integration-with-samba method

==================================================================
server:/root# samba-tool user add nslcd-service --random-password
server:/root# samba-tool spn add HOST/ubuntu-test.mydomain.net nslcd-service
server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
==================================================================


Method 2: The samba4 integration method

==================================================================
server:/root# samba-tool spn delete HOST/ubuntu-test.mydomain.net nslcd-service  # Make sure HOST/ubuntu-test.mydomain.net does not exist already
server:/root# samba-tool user delete nslcd-service

ubuntu-test:/root# nano /etc/samba/smb.conf # Change/add the following lines:
   workgroup = MYDOMAIN
   realm = mydomain.net
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab
   security = ads

ubuntu-test:/root# rm /etc/krb5.keytab # Delete any existing keytabs so there is no confusion
ubuntu-test:/root# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYDOMAIN
Joined 'UBUNTU-TEST' to realm 'mydomain.net'
DNS Update for ubuntu-test.mydomain.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

log.samba shows this during ads join:
-----------------------------------------------------------------
  Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47888 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: 149
  Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator @ MYDOMAIN.NET
  Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47831 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
  Kerberos: ENC-TS Pre-authentication succeeded -- Administrator @ MYDOMAIN.NET using arcfour-hmac-md5
  Kerberos: AS-REQ authtime: 2012-07-16T11:10:30 starttime: unset endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
  Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: Requested flags: renewable-ok, forwardable
  Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:37803 for ldap/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
  Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:38998 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET [renewable, forwarded, forwardable]
  Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
  Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:54978 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: 149
  Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- UBUNTU-TEST$ @ MYDOMAIN.NET
  Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:34088 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
  Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$ @ MYDOMAIN.NET using arcfour-hmac-md5
  Kerberos: AS-REQ authtime: 2012-07-16T11:10:31 starttime: unset endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
  Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: Requested flags: renewable-ok, forwardable
  Kerberos: TGS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:60077 for dns/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-07-16T11:10:31 starttime: 2012-07-16T11:10:31 endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
-----------------------------------------------------------------

ubuntu-test:/root# file /etc/krb5.keytab
/etc/krb5.keytab: ERROR: cannot open `/etc/krb5.keytab' (No such file or directory)
ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

==================================================================

As you can see, no matter whether a /etc/krb5.keytab exists or not, and no matter
whether I add "HOST/ubuntu-test.mydomain.net" to the domain via
"samba-tool spn add" or via the client's "net ads join", kerberos
authentication fails with "no such entry found in hdb".

Anyways, I found a workaround.  I noticed during "net ads join" that
kerberos authentication was succeeding using "UBUNTU$@MYDOMAIN.NET", so
using method 2, I added the following:

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=UBUNTU-TEST\$
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

On the client, in /etc/default/nslcd, add the line (the tr character classes are
quoted so the shell cannot expand them as globs):
K5START_PRINCIPAL="`hostname | tr '[:lower:]' '[:upper:]'`$"

then at least the nslcd service seems to work.  I would be interested in
knowing if using <hostname in uppercase>$ is better than HOST/<hostname>.mydomain.net.

br,
Quinn



On Sat, Jul 14, 2012 at 1:27 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> > Hi,
> >
> > When I have a service on a client that tries to use kerberos and I get
> > errors such as these in the log.samba file:
> >
> > Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
> > entry found in hdb
> >
> > Does this mean that the kerberos authentication system is looking for the
> > principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain
>
> That would be in the domain.  hdb is a reference to our sam.ldb in this
> case.
>
> > or in the server's /etc/krb5.keytab file? I have tried adding this
> > principal to the /etc/krb5.keytab file using ktutil, but this error still
> > pops up.  I noticed that you can export a principal into a keytab file
> > using "samba-tool domain exportkeytab" but how do you add the principal to
> > the domain?  Will adding the missing principal using "samba-tool spn" solve
> > problems like these?
>
> Yes.
>
> > According to https://help.ubuntu.com/community/SingleSignOn , you add a
> > host to the kerberos realm by doing these two commands on the kerberos
> > server:
> >
> > kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> > kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
> >
> > I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@EXAMPLE.COM"
> > is the equivalent of "samba-tool domain exportkeytab
> > ~/client.keytab --principal=host/client.example.com" but what is the
> > equivalent of "kadmin: addprinc -randkey host/client.example.com @
> > EXAMPLE.COM" under samba4 ???
>
> If the client doesn't wish to have any Samba integration it would be
> adding a user, adding an spn, setting a random password and then using
> the exportkeytab command you mentioned.
>
> However, joining the machine using Samba would be more likely what you
> want, ie run 'net ads join' on the client, and look into the keytab
> options in the smb.conf for how to have Samba maintain a system keytab
> for your other services.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>


-- 
Best regards/Med venlig hilsen,
Quinn Plattel
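An added example, not part of this thread and not Samba's own code: a small Python script that parses log.samba Kerberos lines of the kind quoted above and reports, per client principal, which AS-REQs ended in "no such entry found in hdb" (and from which hosts), plus which pre-authentications succeeded with RC4 (arcfour-hmac-md5). The sample log text is constructed from the lines in this message, with the list's spacing around "@" and one wrapped "47888for" left in so the parser has to normalise them. The regular expressions assume the log format exactly as printed in this thread; the classification of principal names (a trailing "$" means a machine account, a "/" means service/host form, anything else a user) is this example's own heuristic, not Samba's, and it makes visible what the workaround above relies on: the client name that failed was in HOST/ form, while the machine-account name used during "net ads join" succeeded.

```python
import re
from collections import defaultdict

# Constructed sample: log.samba lines as quoted in this thread. The mailing-list
# spacing around "@" and one wrapped "47888for" are kept on purpose so the
# parser has to cope with them.
SAMPLE_LOG = """\
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
  Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47888for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: 149
  Kerberos: ENC-TS Pre-authentication succeeded -- Administrator @ MYDOMAIN.NET using arcfour-hmac-md5
  Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:54978 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$ @ MYDOMAIN.NET using arcfour-hmac-md5
  Kerberos: TGS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:60077 for dns/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
"""

# Patterns written against the log format as printed in this thread (assumption).
REQ_RE = re.compile(
    r"^\s*Kerberos: (?P<kind>AS-REQ|TGS-REQ) (?P<client>.+?) from "
    r"ipv4:(?P<host>[\d.]+):(?P<port>\d+)\s*for (?P<server>.+?)"
    r"(?: \[(?P<flags>[^\]]*)\])?\s*$")
UNKNOWN_RE = re.compile(
    r"^\s*Kerberos: UNKNOWN -- (?P<client>.+?): no such entry found in hdb")
PREAUTH_RE = re.compile(
    r"^\s*Kerberos: ENC-TS Pre-authentication succeeded -- (?P<client>.+?) "
    r"using (?P<etype>\S+)\s*$")

# RC4-HMAC is the only enctype the client offered in the quoted logs; treating
# it as weak is this example's policy, not something the thread states.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}


def norm(principal):
    """Collapse the list-archive spacing so 'a @ R' becomes 'a@R'."""
    return re.sub(r"\s*@\s*", "@", principal.strip())


def classify_principal(principal):
    """Heuristic (this example's, not Samba's): '$' suffix = machine account,
    'svc/host' = service form, otherwise a user."""
    primary = principal.split("@", 1)[0]
    if primary.endswith("$"):
        return "machine"
    if "/" in primary:
        return "service"
    return "user"


def parse_kdc_log(text):
    """Turn Samba KDC log lines into a list of event dicts; lines that carry
    nothing we need (patypes, lifetimes, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            events.append({"type": m["kind"], "client": norm(m["client"]),
                           "server": norm(m["server"]), "source": m["host"],
                           "flags": m["flags"]})
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            events.append({"type": "UNKNOWN", "client": norm(m["client"])})
            continue
        m = PREAUTH_RE.match(line)
        if m:
            events.append({"type": "PREAUTH_OK", "client": norm(m["client"]),
                           "enctype": m["etype"]})
    return events


def analyse(events):
    """Report client principals the KDC could not find, with the hosts that
    asked for them and the form of the name, plus weak-enctype pre-auths."""
    requested = defaultdict(set)  # client principal -> hosts that sent AS-REQ
    for e in events:
        if e["type"] == "AS-REQ":
            requested[e["client"]].add(e["source"])
    findings, reported = [], set()
    for e in events:
        if e["type"] == "UNKNOWN" and e["client"] not in reported:
            reported.add(e["client"])
            findings.append({"issue": "unknown-client",
                             "principal": e["client"],
                             "form": classify_principal(e["client"]),
                             "sources": sorted(requested.get(e["client"], ()))})
        elif e["type"] == "PREAUTH_OK" and e["enctype"] in WEAK_ENCTYPES:
            findings.append({"issue": "weak-enctype",
                             "principal": e["client"],
                             "enctype": e["enctype"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

Run it as a script to see the findings for the embedded sample, or feed the real log.samba text to parse_kdc_log. The unknown-client finding is the one to chase first: it tells you which name the service (here k5start) is actually requesting, and from which hosts, before any keytab is touched; the weak-enctype finding is a reminder that every ticket in the quoted exchange was protected with RC4.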