[Samba] Samba4 kinit issue with principal and keytab file

Rowland Penny rowlandpenny at googlemail.com
Thu Feb 12 04:07:08 MST 2015


On 12/02/15 10:33, Olivier BILHAUT wrote:
>
> Hi All !
>
> Using Samba Version 4.1.12, updated from source from 4.0beta1
>
> I've created a user, let's say kerbuser, for a web server to
> authenticate with Kerberos and provide SSO to the end-users.
>
> In my example, my domain is MYDOMAIN.LOCAL, the apache server is
> webserver.mydomain.local and the AD user is kerbuser
>
> I've added a principal on the user and exported everything in a keytab so the result
> of a ktutil list is the following :
>
>   1 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>   2 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>   3 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>   4 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>   5 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>   6 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>   7 1 kerbuser@MYDOMAIN.LOCAL
>   8 1 kerbuser@MYDOMAIN.LOCAL
>   9 1 kerbuser@MYDOMAIN.LOCAL
>
> The machine name is webserver and it resolves
> successfully the machine name webserver.mydomain.local via DNS.
>
> I can successfully kinit with the user :
>
> kinit -V -k -t /root/my.keytab kerbuser@MYDOMAIN.LOCAL
>
> Using default cache: /tmp/krb5cc_0
> Using principal: kerbuser@MYDOMAIN.LOCAL
> Using keytab: /root/my.keytab
> Authenticated to Kerberos v5
>
> But using the principal fails :
>
> kinit -V -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL
>
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/webserver.MYDOMAIN.LOCAL
> Using keytab: /root/my.keytab
> kinit: Client not found in Kerberos database while getting initial credentials
>
> Is there a problem with the REALM somewhere, or did I make a mistake using
> the principal...?
>
> I can't figure it out...
>
> Thanks in advance.
>
>
> --
>
> Olivier

Hi, have you read the wiki page: 
https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

Rowland


