[Samba] Samba4 kinit issue with principal and keytab file

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 13 08:48:26 MST 2015


On 13/02/15 15:09, Olivier BILHAUT wrote:
>   
>
> Hi Rowland,
>
> It looks like the "-c" option is optional.
>
> My problem is not really the kerberos cache file, but the "principal"
> linked to the user kerbuser.
>
> The principal is HTTP/webserver.MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>
> I would like to use kinit and give this principal as a parameter,
> something like:
>
> kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>
> But no success with such a command.
>
> Any idea?
>
> --
>
> Olivier
>
>   

Yes, you are mixing up user principal names with service principal 
names; your user has a user principal name of 'kerbuser@MYDOMAIN.LOCAL'.

If we create the user, add an spn and export the keytab as per the wiki:

samba-tool user create --random-password http-dc01
samba-tool spn add HTTP/dc01.example.com http-dc01
samba-tool domain exportkeytab /etc/httpd.keytab \
    --principal=HTTP/dc01.example.com@EXAMPLE.COM

Then examine the keytab:

ktutil
ktutil:  rkt /etc/httpd.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1              HTTP/dc01.example.com@EXAMPLE.COM
   2    1              HTTP/dc01.example.com@EXAMPLE.COM
   3    1              HTTP/dc01.example.com@EXAMPLE.COM
ktutil:  q

You can see that there is only the SPN in the keytab, and if you try 'kinit':

kinit -k -t /etc/httpd.keytab -c /tmp/http-dc01.krb5cc http-dc01
kinit: Generic preauthentication failure while getting initial credentials

Now, if you export another keytab, but this time use the UPN as the principal:

samba-tool domain exportkeytab /etc/http-dc01.keytab \
    --principal=http-dc01@EXAMPLE.COM

and if you examine this keytab:

ktutil
ktutil:  rkt /etc/http-dc01.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1                       http-dc01@EXAMPLE.COM
   2    1                       http-dc01@EXAMPLE.COM
   3    1                       http-dc01@EXAMPLE.COM
ktutil:  q

and try kinit again:

kinit -k -t /etc/http-dc01.keytab -c /tmp/http-dc01.krb5cc http-dc01

and if you look in /tmp you will find the krb5 cache:

http-dc01.krb5cc

Rowland
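The check Rowland walks through above (list what principals the keytab actually holds, then only run kinit -k for a principal that is in it) can be done offline, without ktutil. The following is an added example, not code from the post or from Samba: a small Python parser for the MIT/Heimdal 0x0502 keytab format, plus a writer that is used here only to construct sample keytabs inline (the key bytes are zero-filled placeholders, not real keys). The parser applies the same rules a real client does: negative entry sizes are holes left by deleted entries and are skipped, and a trailing non-zero 32-bit kvno overrides the 8-bit one. The principal names and keytab paths mirror the post; the kinit_command helper and the /tmp cache path are assumptions made for the example.

```python
"""Parse an MIT/Heimdal keytab (format 0x0502) and check that a principal
has an entry before running `kinit -k` against it.

Added example for the samba-list thread above; not Samba's own code.
Sample keytabs are constructed below with placeholder key bytes.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1   # plain user principal, e.g. http-dc01@REALM
KRB5_NT_SRV_HST = 3     # service/host principal, e.g. HTTP/host@REALM


def _counted(s: bytes) -> bytes:
    """uint16 big-endian length prefix, as used for realm and components."""
    return struct.pack(">H", len(s)) + s


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes).
    Emits one 0x0502 entry per tuple (timestamp is left at 0)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        name_type = KRB5_NT_SRV_HST if len(comps) == 2 else KRB5_NT_PRINCIPAL
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # type, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
        body += struct.pack(">I", kvno)                          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for every live entry; skip holes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        kvno = vno8
        if end - p >= 4:             # optional 32-bit vno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        yield "/".join(comps) + "@" + realm, kvno, enctype
        pos = end


def principals_in(data: bytes):
    """Distinct principal names present in the keytab, sorted."""
    return sorted({p for p, _, _ in parse_keytab(data)})


def kinit_command(keytab_path, data, principal, cache="/tmp/krb5cc"):
    """Return the kinit argv to use, or None when the keytab holds no key for
    `principal` (the case that fails with a preauthentication error above)."""
    if principal not in principals_in(data):
        return None
    return ["kinit", "-k", "-t", keytab_path, "-c", cache, principal]


# Constructed sample keytabs mirroring the two exports in the post.
# Enctypes: 18 = aes256-cts, 17 = aes128-cts, 23 = rc4-hmac. Keys are placeholders.
SPN = "HTTP/dc01.example.com@EXAMPLE.COM"
UPN = "http-dc01@EXAMPLE.COM"
HTTPD_KEYTAB = build_keytab([(SPN, 1, 18, b"\x00" * 32),
                             (SPN, 1, 17, b"\x00" * 16),
                             (SPN, 1, 23, b"\x00" * 16)])
USER_KEYTAB = build_keytab([(UPN, 1, 18, b"\x00" * 32),
                            (UPN, 1, 17, b"\x00" * 16),
                            (UPN, 1, 23, b"\x00" * 16)])

if __name__ == "__main__":
    for path, kt in (("/etc/httpd.keytab", HTTPD_KEYTAB),
                     ("/etc/http-dc01.keytab", USER_KEYTAB)):
        print(path, "holds", principals_in(kt))
        print("  kinit as", UPN, "->", kinit_command(path, kt, UPN))
```

Running it shows the SPN-only keytab returns None for the UPN, while the keytab exported with --principal=http-dc01@EXAMPLE.COM yields a usable `kinit -k -t ... http-dc01@EXAMPLE.COM` command line; the same parser also reads the keytabs samba-tool writes, so it doubles as a quick `klist -kt` substitute on hosts without the MIT tools.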
