[Samba] Samba4 PDC keytab creation for NFSv4 not working
Rowland Penny
rowlandpenny at googlemail.com
Tue Nov 4 05:11:41 MST 2014
On 04/11/14 11:09, Henrik Dige Semark wrote:
> According to samba-tool spn list JOTUNHEIM$ I have the following SPNs
>
> # samba-tool spn list JOTUNHEIM$
> jotunheim$
> User CN=JOTUNHEIM,OU=Domain Controllers,DC=yggdrasil,DC=bittoo,DC=net
> has the following servicePrincipalName:
> HOST/jotunheim.yggdrasil.bittoo.net
> HOST/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
> ldap/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
> GC/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
> ldap/jotunheim.yggdrasil.bittoo.net
> HOST/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
> ldap/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
> HOST/JOTUNHEIM
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/2350a512-9df8-4e43-b7b2-419cee958c1c/yggdrasil.bittoo.net
>
> ldap/2350a512-9df8-4e43-b7b2-419cee958c1c._msdcs.yggdrasil.bittoo.net
> ldap/JOTUNHEIM
> RestrictedKrbHost/JOTUNHEIM
> RestrictedKrbHost/jotunheim.yggdrasil.bittoo.net
> host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> nfs/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> ldap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> ldap/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> imap/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> imap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> radius/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> radius/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> proxy/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
> proxy/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
> Mobil: +45 26331701
>
> On 2014-11-04 12:03, Rowland Penny wrote:
>> On 04/11/14 10:01, Henrik Dige Semark wrote:
>>> Hey Steve,
>>>
>>> If I run your command I get the same python error as before.
>>>
>>> # samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> ERROR(runtime): uncaught exception - Key table entry not found
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>> return self.run(*args, **kwargs)
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 103, in run
>>> net.export_keytab(keytab=keytab, principal=principal)
>>>
>>> Med Venlig Hilsen / Best Regards
>>> Henrik Dige Semark
>>> Mobil: +45 26331701
>>>
>>> On 2014-11-03 18:12, steve wrote:
>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>>
>> Hi, do you actually have an SPN 'nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET' in AD?
>>
>> Rowland
>>
>
Hi, I don't think that you read Steve's blog, see here:
http://linuxcostablanca.blogspot.co.uk/p/samba-4.html
You need a user!
samba-tool user add nfs-user --random-password
samba-tool user setexpiry --noexpiry nfs-user
samba-tool spn add nfs/jotunheim.static.yggdrasil.bittoo.net nfs-user
samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/jotunheim.static.yggdrasil.bittoo.net
Hopefully, when you run ktutil, you will get the following result:
ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   2    1 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   3    1 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
ktutil: q
Rowland
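As an added example that is not part of the thread (it is neither Rowland's nor Steve's code), the four samba-tool steps above wrapped in a script, followed by a check that the exported keytab actually holds the NFS service principal. The host name, realm and the nfs-user account name are the ones used in the thread; the function names, the way ktutil is driven from stdin, and the sample listing (which uses the real "@" that the list archive renders as " at ") are my own assumptions, constructed so the parsing part runs without a DC.

```shell
#!/bin/sh
# Added example, not code from the Samba list thread.  Hostnames and realm
# are the thread's values; function names and the sample listing are assumed.

REALM="YGGDRASIL.BITTOO.NET"
NFS_HOST="jotunheim.static.yggdrasil.bittoo.net"

# The four commands from the reply: a dedicated service account with a
# random, non-expiring password, the nfs/ SPN attached to it, and its key
# exported.  Must run as root on the DC, so it is only called when the
# script is given its three arguments (see the bottom of the file).
create_nfs_keytab() {
    user=$1 spn=$2 keytab=$3
    samba-tool user add "$user" --random-password &&
    samba-tool user setexpiry --noexpiry "$user" &&
    samba-tool spn add "$spn" "$user" &&
    samba-tool domain exportkeytab "$keytab" --principal="$spn"
}

# Dump a keytab the way the reply does (rkt / l / q), feeding the ktutil
# commands on stdin so the listing can be piped into the parser below.
list_keytab() {
    printf 'rkt %s\nl\nq\n' "$1" | ktutil
}

# Turn a ktutil "l" listing into "kvno principal" lines.  Only lines of the
# form "<slot> <kvno> <principal>" are data; the "slot KVNO Principal"
# header, the dashed rule and the echoed "ktutil:" prompts are skipped.
parse_ktutil_listing() {
    awk '/^ *[0-9]+ +[0-9]+ +[^ ]+/ { print $2, $3 }'
}

# Count how many keys the listing holds for one full principal (with realm).
# Samba exports one entry per encryption type, so more than one is normal.
count_principal() {
    parse_ktutil_listing | awk -v p="$1" '$2 == p { n++ } END { print n + 0 }'
}

# Fail unless the keytab contains at least one key for the principal; this
# is the check that would have caught the empty export in the thread.
verify_keytab() {
    n=$(list_keytab "$1" | count_principal "$2")
    [ "$n" -ge 1 ]
}

# Constructed sample of what list_keytab prints after a successful export.
SAMPLE_LISTING='ktutil:  ktutil:  slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
   2    1 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
   3    1 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
ktutil:  '

# Parser run over the constructed sample: prints the key count for the
# NFS principal, 3 for the sample above.
demo_count() {
    printf '%s\n' "$SAMPLE_LISTING" | count_principal "nfs/$NFS_HOST@$REALM"
}

# Usage on the DC:  sh nfs-keytab.sh nfs-user "nfs/$NFS_HOST" /etc/krb5.keytab
if [ "$#" -eq 3 ]; then
    create_nfs_keytab "$1" "$2" "$3" && verify_keytab "$3" "$2@$REALM"
fi
```

verify_keytab checks the principal with its realm suffix, because that is how ktutil prints keytab entries; the samba-tool spn add and exportkeytab calls take the bare nfs/host form, as in the reply.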