[Samba] Samba4 kinit issue with principal and keytab file

Olivier BILHAUT obilhaut at fondation-misericorde.fr
Mon Feb 16 08:07:27 MST 2015


 

Hi Rowland,

Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name).

But in your second example, you never mention the SPN, neither in the keytab export nor in the kinit command.

Does that mean that there is no kinit possible using the SPN?

So I am worried about what the benefit is of adding an SPN to a user instead of using the UPN directly?

So the same question more clearly: how do you use the SPN and why?

Thanks,
--

Olivier

> Yes, you are mixing up user principal names with service principal
> names, your user has a user principal name of 'kerbuser@MYDOMAIN.LOCAL'
>
> If we create the user, add an spn and export the keytab as per the wiki:
>
> samba-tool user create --random-password http-dc01
> samba-tool spn add HTTP/dc01.home.lan http-dc01
> samba-tool domain exportkeytab /etc/httpd.keytab --principal=HTTP/dc01.example.com@EXAMPLE.COM
>
> Then examine the keytab:
>
> ktutil
> ktutil: rkt /etc/httpd.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 HTTP/dc01.example.com@EXAMPLE.COM
>    2    1 HTTP/dc01.example.com@EXAMPLE.COM
>    3    1 HTTP/dc01.example.com@EXAMPLE.COM
> ktutil: q
>
> You can see that there is only the spn in the keytab and if you try 'kinit'
>
> kinit -k -t /etc/httpd.keytab -c /tmp/http-dc01.krb5cc http-dc01
> kinit: Generic preauthentication failure while getting initial credentials
>
> now if you export another keytab but this time use the upn as the principal:
>
> samba-tool domain exportkeytab /etc/http-dc01.keytab --principal=http-dc01@EXAMPLE.COM
>
> and if you examine this keytab:
>
> ktutil
> ktutil: rkt /etc/http-dc01.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 http-dc01@EXAMPLE.COM
>    2    1 http-dc01@EXAMPLE.COM
>    3    1 http-dc01@EXAMPLE.COM
> ktutil: q
>
> and try kinit again:
>
> kinit -k -t /etc/http-dc01.keytab -c /tmp/http-dc01.krb5cc http-dc01
>
> and look in /tmp you will find the krb5 cache:
>
> http-dc01.krb5cc
>
> Rowland
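The two keytab listings above are easier to reason about once you can see what is actually stored in a keytab slot: a principal name (with its name type), a KVNO, an enctype and a key. The following script is an added example, not code from the thread or from Samba: it builds and parses a version-2 keytab in the MIT/Heimdal layout that `samba-tool domain exportkeytab` writes, prints the same slot/KVNO/principal columns that `ktutil: l` shows, and checks the keytab-side condition for `kinit -k` (a slot whose principal equals the client name). The key bytes, the zero timestamp and the enctype list are constructed sample values, and the function names are mine.

```python
"""Added example: build and read a v2 Kerberos keytab (0x05 0x02), list its
principals like `ktutil: l`, and check whether it holds a key for a kinit client.
Keys, timestamps and the enctype list are constructed, not real Samba output."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Principal name types from RFC 4120 section 6.2
KRB5_NT_PRINCIPAL = 1  # a user principal (UPN), e.g. http-dc01@EXAMPLE.COM
KRB5_NT_SRV_HST = 3    # service/host principal (SPN), e.g. HTTP/dc01.example.com@EXAMPLE.COM

# IANA Kerberos enctype numbers; exportkeytab writes one slot per enctype
ENCTYPES = [18, 17, 23]  # aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac


@dataclass
class KeytabEntry:
    principal: str   # "component[/component]@REALM"
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries into a v2 keytab: each slot is a signed 32-bit size
    followed by principal, name type, timestamp, 8-bit vno, enctype, key, 32-bit vno."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        timestamp = 0  # constructed; a real keytab carries the export time
        body += struct.pack(">IIB", e.name_type, timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Read every live slot of a v2 keytab (a negative size marks a deleted slot)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno trailer present
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
        pos = end
    return entries


def list_principals(data: bytes) -> List[Tuple[int, int, str]]:
    """(slot, KVNO, principal) rows, the columns that `ktutil: l` prints."""
    return [(i, e.kvno, e.principal) for i, e in enumerate(parse_keytab(data), 1)]


def keytab_has_key_for(client: str, data: bytes, default_realm: str) -> bool:
    """Keytab-side condition for `kinit -k -t <keytab> <client>`: a slot whose
    principal equals the client name (default realm appended when omitted).
    The KDC must additionally know that name as an account, so an SPN-only
    keytab cannot be used to obtain a TGT for the account's UPN."""
    if "@" not in client:
        client = f"{client}@{default_realm}"
    return any(e.principal == client for e in parse_keytab(data))


def sample_keytab(principal: str, name_type: int) -> bytes:
    """Constructed keytab with one slot per enctype, like the thread's listings."""
    return build_keytab([KeytabEntry(principal, name_type, 1, et, bytes([et]) * 16)
                         for et in ENCTYPES])


# The two keytabs from the thread, rebuilt with constructed keys
SPN_KEYTAB = sample_keytab("HTTP/dc01.example.com@EXAMPLE.COM", KRB5_NT_SRV_HST)
UPN_KEYTAB = sample_keytab("http-dc01@EXAMPLE.COM", KRB5_NT_PRINCIPAL)

if __name__ == "__main__":
    for label, kt in (("/etc/httpd.keytab", SPN_KEYTAB), ("/etc/http-dc01.keytab", UPN_KEYTAB)):
        print(label)
        for slot, kvno, princ in list_principals(kt):
            print(f"{slot:4} {kvno:4} {princ}")
        print("  has key for http-dc01:", keytab_has_key_for("http-dc01", kt, "EXAMPLE.COM"))
```

Running it reproduces the thread's observation in miniature: the SPN keytab lists only `HTTP/dc01.example.com@EXAMPLE.COM`, so `keytab_has_key_for("http-dc01", ...)` is false for it and true for the UPN keytab. The enctypes, KVNO and name type are what a real `klist -kte` would let you confirm on an exported keytab, and they are the first things to compare when a service's keytab stops matching the account in AD (for instance after a password reset bumps the KVNO).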