[Samba] Samba4 kinit issue with principal and keytab file
L.P.H. van Belle
belle at bazuin.nl
Thu Feb 12 03:57:09 MST 2015
Hai,
you can find all info you need for an SSO setup on this site.
https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
and yes, this states it's for Zarafa, but the basics for the setup are very clear here.
Just have a look, all things you need to know are there.
For me it works perfectly, for Zarafa and other sites.
Greetz,
Louis
>-----Original message-----
>From: obilhaut at fondation-misericorde.fr
>[mailto:samba-bounces at lists.samba.org] On behalf of Olivier BILHAUT
>Sent: Thursday 12 February 2015 11:33
>To: samba
>Subject: [Samba] Samba4 kinit issue with principal and keytab file
>
>
>
>Hi All !
>
>Using Samba Version 4.1.12, updated from source from 4.0beta1
>
>I've created a user, let's say kerbuser, for a web server to
>authenticate with kerberos and provide SSO to the end-users.
>
>In my example, my domain is MYDOMAIN.LOCAL, the apache server is
>webserver.mydomain.local and the AD user is kerbuser
>
>I've added a principal on the user and exported everything in a keytab
>so the result of a ktutil list is the following:
>
> 1 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
> 2 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
> 3 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
> 4 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
> 5 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
> 6 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
> 7 1 kerbuser@MYDOMAIN.LOCAL
> 8 1 kerbuser@MYDOMAIN.LOCAL
> 9 1 kerbuser@MYDOMAIN.LOCAL
>
>The machine name is webserver and it successfully resolves
>the machine name webserver.mydomain.local via DNS.
>
>I can successfully kinit with the user:
>
>kinit -V -k -t /root/my.keytab kerbuser@MYDOMAIN.LOCAL
>
>Using default cache: /tmp/krb5cc_0
>Using principal: kerbuser@MYDOMAIN.LOCAL
>Using keytab: /root/my.keytab
>Authenticated to Kerberos v5
>
>But using the principal fails:
>
>kinit -V -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL
>
>Using default cache: /tmp/krb5cc_0
>Using principal: HTTP/webserver.MYDOMAIN.LOCAL
>Using keytab: /root/my.keytab
>kinit: Client not found in Kerberos database while getting initial credentials
>
>
>Is there a problem with the REALM somewhere, or am I making a mistake using
>the principal...?
>
>I can't figure it out...
>
>Thanks in advance.
>
>
>--
>
>Olivier