[Samba] Samba4 kinit issue with principal and keytab file

L.P.H. van Belle belle at bazuin.nl
Thu Feb 12 03:57:09 MST 2015


Hai,

You can find all the info you need for an SSO setup on this site.

https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
And yes, this states it's for Zarafa, but the basics for the setup are very clear here.
Just have a look, all things you need to know are there.

For me it works perfectly, for Zarafa and other sites.

Greetz, 

Louis



>-----Original message-----
>From: obilhaut at fondation-misericorde.fr [mailto:samba-bounces at lists.samba.org] On behalf of Olivier BILHAUT
>Sent: Thursday 12 February 2015 11:33
>To: samba
>Subject: [Samba] Samba4 kinit issue with principal and keytab file
>
> 
>
>Hi All!
>
>Using Samba Version 4.1.12, updated from source from 4.0beta1.
>
>I've created a user, let's say kerbuser, for a web server to authenticate with kerberos and provide SSO to the end-users.
>
>In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser.
>
>I've added a principal on the user and exported everything in a keytab, so the result of a ktutil list is the following:
>
> 1 2 HTTP/webserver.mydomain.local at MYDOMAIN.LOCAL
> 2 2 HTTP/webserver.mydomain.local at MYDOMAIN.LOCAL
> 3 2 HTTP/webserver.mydomain.local at MYDOMAIN.LOCAL
> 4 1 HTTP/webserver.mydomain.local at MYDOMAIN.LOCAL
> 5 1 HTTP/webserver.mydomain.local at MYDOMAIN.LOCAL
> 6 1 HTTP/webserver.mydomain.local at MYDOMAIN.LOCAL
> 7 1 kerbuser at MYDOMAIN.LOCAL
> 8 1 kerbuser at MYDOMAIN.LOCAL
> 9 1 kerbuser at MYDOMAIN.LOCAL
>
>The machine name is webserver and it successfully resolves the machine name webserver.mydomain.local via DNS.
>
>I can successfully kinit with the user:
>
>kinit -V -k -t /root/my.keytab kerbuser at MYDOMAIN.LOCAL
>
>Using default cache: /tmp/krb5cc_0
>Using principal: kerbuser at MYDOMAIN.LOCAL
>Using keytab: /root/my.keytab
>Authenticated to Kerberos v5
>
>But using the principal fails:
>
>kinit -V -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL
>
>Using default cache: /tmp/krb5cc_0
>Using principal: HTTP/webserver.MYDOMAIN.LOCAL
>Using keytab: /root/my.keytab
>kinit: Client not found in Kerberos database while getting initial credentials
>
>Is there a problem with the REALM somewhere, or did I make a mistake using the principal...?
>
>I can't figure it out...
>
>Thanks in advance.
>
>
>--
>
>Olivier 