[Samba] Obtaining TGT using service principal name

Bobby Kirchgessner asuranzala at gmail.com
Mon Feb 3 19:27:37 MST 2014

Dear Andrew,

Thanks for your reply, and hopefully you can help resolve my confusion.

I am using Samba4 on a virtual machine to handle my DNS/DC, with a FreeNAS
server providing CIFS mounts to users on my network. I would like to handle
permissions based on the DC users database, so I followed the guide here:
http://doc.freenas.org/index.php/Directory_Services. In order to avoid
storing my DC administrator password in the FreeNAS database, I opted to
setup a keytab. The FreeNAS guide lists these commands for doing so:

ktpass.exe -out hostname.keytab host/hostname@DOMAINNAME -ptype
KRB5_NT_PRINCIPAL -mapuser DOMAIN\username -pass userpass
setspn -A host/hostname@DOMAINNAME DOMAIN\username

After some research, I used the commands which I thought were analogous to
the previous ones (which I guess were for the MIT kerberos toolset on
samba-tool user create cifs-server
samba-tool spn add host/server.my.domain.local
samba-tool domain exportkeytab /root/server0.keytab

I used the exported keytab, but FreeNAS tries to kinit as
host/server.my.domain.local, and gives the Client
(host/server.my.domain.local) not found error. I thought that kinit had to
be used with either machine or user principals (which I guess you cleared
up for me), but FreeNAS tried to kinit as the SPN listed in the keytab,
which confused me.

After posting to the listserv, I searched through the service scripts, and
it appears that FreeNAS iterates over all entries after running ktutil on
the keytab, and tries to kinit. I guess it is expecting at least one user
principal to be in the keytab along with the SPN principals.

Since I figured out that I need my user principal in the keytab, my
remaining question is: how do I get the SPNs to get TGTs on my server?
According to the FreeNAS developer I contacted, his klist looks like this:

Issued           Expires        Principal
Jan 31 04:53:13  >>>Expired<<<
Jan 31 04:53:27  >>>Expired<<<
 cifs/my.fully.qualified.hostname@ALL.CAPS.DOMAINNAME
Jan 31 04:53:28  >>>Expired<<<
 ldap/my.fully.qualified.hostname@ALL.CAPS.DOMAINNAME

If I authenticate as cifs-server, I get the krbtgt entry, but I do not get
entries for cifs/ldap. I am also unable to "net ads join" unless
authenticated as my administrator user. What am I missing?

Thank you for your help.

On Mon, Feb 3, 2014 at 7:22 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2014-02-03 at 13:27 -0500, Bobby Kirchgessner wrote:
> > I have been trying to set up Samba4 as a DC using kerberos for
> > authentication. I have successfully provisioned the domain, and was able
> > to join my domain using my windows machine as well as kinit to obtain a
> > ticket for my administrator user from my servers.
> >
> > I have hit a wall trying to set up a server to authenticate a SPN using a
> > keytab. I can join the domain and kinit as my administrator user, using
> > "net ads join -Uadministrator" and "kinit administrator" but I cannot
> > get a TGT using the SPN with kinit.
> >
> > I used the following commands to create a user and add an SPN to it:
> > samba-tool user create cifs-server
> > samba-tool spn add cifs/server.my.domain.local
> > samba-tool domain exportkeytab /root/server0.keytab --principal=cifs/server.my.domain.local
> >
> > ktutil successfully lists the entry for the cifs/server.my.domain.local
> > principal.
> >
> > After moving the keytab (and renaming it) to server.my.domain.local, I
> > try to gain a TGT using the command: kinit -k -t /etc/krb5.keytab
> > cifs/server.my.domain.local
> >
> > This returns a "Client (cifs/server.my.domain.local) unknown." error.
> > If I export the principal for the server$ or cifs-server, I can
> > successfully authenticate and obtain an entry in klist.
> >
> > Is there something I am missing to obtain a TGT using a keytab?
>
> Can you explain a little more why you are trying to do this?  That might
> help us understand your broader issue.  Typically Samba is your CIFS
> server, and joins the domain using 'net ads join', as you have done, and
> then uses the values from secrets.tdb to handle kerberos.
>
> The specific issue here is that you have to kinit as the account name,
> not the SPN, so cifs-server.  You can export it under that name as well
> if you need to.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
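The point Andrew makes in the reply above, that the TGT is obtained for the account principal (cifs-server) and not for the SPNs mapped to it, is what a keytab-driven service script has to respect. The following is an added POSIX sh example, not code from either mail or from FreeNAS: it takes a keytab listing, separates account principals (no "/" in the name part) from service principals, and builds the kinit command for the account entry, failing if the keytab holds only SPNs. The sample listing is constructed in MIT `klist -k` format, and the keytab path is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Picks the account principal
# out of a keytab listing for use with `kinit -k`, because a TGT is issued to
# the account (cifs-server), not to the SPNs (cifs/..., host/...) mapped to it.

# Constructed sample of `klist -k /root/server0.keytab` (MIT format) with the
# account principal and its two SPNs exported into the same keytab.
SAMPLE_KLIST='Keytab name: FILE:/root/server0.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 cifs-server@MY.DOMAIN.LOCAL
   1 cifs/server.my.domain.local@MY.DOMAIN.LOCAL
   1 host/server.my.domain.local@MY.DOMAIN.LOCAL'

# Distinct account principals: entries whose name part (before '@') has no '/'.
account_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 { p = $2; split(p, parts, "@"); if (index(parts[1], "/") == 0) print p }' | sort -u
}

# Distinct service principals: entries whose name part contains a '/'.
service_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 { p = $2; split(p, parts, "@"); if (index(parts[1], "/") != 0) print p }' | sort -u
}

# Build the kinit command for a keytab from its listing. Returns 1 (with a hint
# on stderr) when the keytab contains only SPNs, which is the situation that
# produced the "Client ... not found" error in the thread.
kinit_command() {
    keytab=$1
    listing=$2
    acct=$(account_principals "$listing" | head -n 1)
    if [ -z "$acct" ]; then
        echo "no account principal in $keytab; export one with: samba-tool domain exportkeytab $keytab --principal=<account>" >&2
        return 1
    fi
    printf 'kinit -k -t %s %s\n' "$keytab" "$acct"
}

# Stand-alone run: show what would be executed for the sample keytab.
kinit_command /root/server0.keytab "$SAMPLE_KLIST"
```

To get a keytab that satisfies this check, run `samba-tool domain exportkeytab` twice against the same file, once with `--principal=cifs-server` and once with `--principal=cifs/server.my.domain.local`, so the account entry and the SPN entry sit together; the account entry is what kinit uses, and the SPN entries are what the CIFS service uses to decrypt incoming service tickets.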
