[Samba] Obtaining TGT using service principal name
abartlet at samba.org
Mon Feb 3 17:22:35 MST 2014
On Mon, 2014-02-03 at 13:27 -0500, Bobby Kirchgessner wrote:
> I have been trying to setup Samba4 as a DC using kerberos for
> authentication. I have successfully provisioned the domain, and was able to
> join my domain using my windows machine as well as kinit to obtain a ticket
> for my administrator user from my servers.
> I have hit a wall trying to setup a server to authenticate a SPN using a
> keytab. I can join the domain and kinit as my administrator user, using
> "net ads join -Uadministrator" and "kinit administrator" but I cannot get a
> TGT using the SPN with kinit.
> I used the following commands to create a user and add an SPN to it:
> samba-tool user create cifs-server
> samba-tool spn add cifs/server.my.domain.local cifs-server
> samba-tool domain exportkeytab /root/server0.keytab
> ktutil successfully lists the entry for the cifs/server.my.domain.local
> After moving the keytab (and renaming it) to server.my.domain.local, I try
> to gain a TGT using the command: kinit -k -t /etc/krb5.keytab
> This returns a "Client (cifs/server.my.domain.local) unknown." error. If I
> export the principal for the server$ or cifs-server, I can successfully
> authenticate and obtain an entry in klist.
> Is there something I am missing to obtain a TGT using a keytab?
Can you explain a little more why you are trying to do this? That might
help us understand your broader issue. Typically Samba is your CIFS
server, and joins the domain using 'net ads join', as you have done, and
then uses the values from secrets.tdb to handle kerberos.
The specific issue here is that you have to kinit as the account name,
not the SPN, so cifs-server. You can export it under that name as well
if you need to.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
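The point of the reply is that a keytab exported from Samba can hold both
service principals (cifs/host...) and account principals (cifs-server, SERVER$),
and only the latter are valid client identities for kinit. The following is an
added example, not code from the thread or from the Samba project: it reads
`klist -k` output, separates the two kinds of entry by the presence of a '/'
service part, and uses the first account principal with `kinit -k -t`. The
sample `klist -k` output is constructed to match the principals named in the
thread; the keytab path and realm MY.DOMAIN.LOCAL are assumptions.

```shell
#!/bin/sh
# Added example: pick a kinit-able account principal out of a Samba keytab.
# Assumed keytab location; override with KEYTAB=/path/to/file.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# Constructed sample of what `klist -k` prints for a keytab exported with
# `samba-tool domain exportkeytab` for the account in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 cifs/server.my.domain.local@MY.DOMAIN.LOCAL
   1 cifs-server@MY.DOMAIN.LOCAL
   1 SERVER$@MY.DOMAIN.LOCAL'

# Account principals (user or machine account, no '/' service part): these
# are the identities a KDC knows as clients, so `kinit -k` works with them.
# Reads `klist -k` output on stdin; keeps only rows that start with a KVNO.
account_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ && $2 !~ /\// { print $2 }'
}

# Service principals (with a '/'): targets of tickets, not clients.
# Asking for a TGT as one of these yields "Client (...) unknown".
service_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ && $2 ~ /\// { print $2 }'
}

# Full flow on a live host: list the keytab, choose the first account
# principal, and request a TGT for it from that keytab.
kinit_from_keytab() {
    keytab=$1
    princ=$(klist -k "$keytab" | account_principals | head -n 1)
    if [ -z "$princ" ]; then
        echo "no account principal in $keytab; export one with" >&2
        echo "  samba-tool domain exportkeytab $keytab --principal=<account>" >&2
        return 1
    fi
    kinit -k -t "$keytab" "$princ" && klist
}

# Uncomment to run against the real keytab on a domain-joined host:
# kinit_from_keytab "$KEYTAB"
```

Run `printf '%s\n' "$SAMPLE_KLIST" | service_principals` to see which entries
would trigger the error from the thread, and `account_principals` for the
names that can be passed to `kinit -k -t`.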