[Samba] Obtaining TGT using service principal name
Bobby Kirchgessner
asuranzala at gmail.com
Mon Feb 3 11:27:57 MST 2014
I have been trying to setup Samba4 as a DC using kerberos for
authentication. I have successfully provisioned the domain, and was able to
join my domain using my windows machine as well as kinit to obtain a ticket
for my administrator user from my servers.
I have hit a wall trying to setup a server to authenticate a SPN using a
keytab. I can join the domain and kinit as my administrator user, using
"net ads join -Uadministrator" and "kinit administrator" but I cannot get a
TGT using the SPN with kinit.
I used the following commands to create a user and add an SPN to it:
samba-tool user create cifs-server
samba-tool spn add cifs/server.my.domain.local
samba-tool domain exportkeytab /root/server0.keytab --principal=cifs/server.my.domain.local
ktutil successfully lists the entry for the cifs/server.my.domain.local
principal.
After moving the keytab (and renaming it) to server.my.domain.local, I try
to gain a TGT using the command:
kinit -k -t /etc/krb5.keytab cifs/server.my.domain.local
This returns a "Client (cifs/server.my.domain.local) unknown." error. If I
export the principal for the server$ or cifs-server, I can successfully
authenticate and obtain an entry in klist.
Is there something I am missing to obtain a TGT using a keytab?
Thank you for your help.