[Samba] Is there a listprincs equivalent?

Lars Hanke debian at lhanke.de
Wed Mar 4 16:30:10 MST 2015


On 04.03.2015 at 23:26, Rowland Penny wrote:
> On 04/03/15 22:08, Lars Hanke wrote:
>> I joined a machine. net ads testjoin says OK. The join exported a
>> keytab, which among others contains MACHINE$@REALM. However, trying
>> k5start I get "Client not found in Kerberos database". Also kinit -t
>> /etc/krb5.keytab MACHINE\$@REALM claims that the client was not found.
>> But then, how did it come into the keytab?
>>
>> Is there a tool to list the principals in AD?
>
> samba-tool spn list <computer_name>$
> will list SPNs for a machine

Strange. It was actually missing. Another round of net ads leave and net 
ads join then finally had it. KVNO in /etc/krb5.keytab changed from 2 to 1!

However, according to the keytab I should have (klist -k /etc/krb5.keytab):

host/machine.samdom.example.com@SAMDOM.EXAMPLE.COM
host/machine@SAMDOM.EXAMPLE.COM
host/MACHINE$@SAMDOM.EXAMPLE.COM

This is also reflected by the AD DC:

samba-tool spn list machine$
machine$
User CN=machine,CN=Computers,DC=samdom,DC=example,DC=com has the following servicePrincipalName:
          HOST/MACHINE
          HOST/machine.samdom.example.com


Using K5START_PRINCIPAL="MACHINE\$@SAMDOM.EXAMPLE.COM" works fine with 
kstart/nslcd, whereas the default host/machine.samdom.example.com does 
not. This is also reflected by manual testing:

root@machine:~# kinit -t /etc/krb5.keytab MACHINE\$@SAMDOM.EXAMPLE.COM
keytab specified, forcing -k
root@machine:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MACHINE$@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
05.03.2015 00:10:41  05.03.2015 10:10:41  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 06.03.2015 00:10:41
root@machine:~# kinit -t /etc/krb5.keytab host/machine.samdom.example.com@SAMDOM.EXAMPLE.COM
keytab specified, forcing -k
kinit: Client 'host/machine.samdom.example.com@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
root@machine:~#

This doesn't change for an uppercase HOST/ prefix or for using just the 
hostname instead of the FQDN. Apart from me not understanding why, this worries 
me, since the machine is going to be a CUPS server and the CUPS 
documentation states:

CUPS implements Kerberos over HTTP using GSSAPI and the service name "host".

Looks to me like it's not going to work. But it's now too late. 
However, any comments to clarify my confusion?

Regards,
  - lars.
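A diagnostic script added here as an illustration; it is not from the thread or from Samba. It parses klist -k output, flags principals left with more than one KVNO from an earlier join, and tries an initial TGT per principal in a throwaway cache, which makes visible the behaviour seen above: AD issues a TGT only for the account name (MACHINE$@REALM), while the host/ keys exist so a GSSAPI service on the machine can accept service tickets. It assumes MIT kinit/klist and the default keytab path /etc/krb5.keytab (overridable via KEYTAB).

```shell
#!/bin/sh
# Added diagnostic, not from the thread: report which keytab principals AD
# will issue a TGT for. Only the account name (MACHINE$@REALM) can; host/...
# entries are SPNs whose keys accept service tickets, so kinit fails for them.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumption: MIT default keytab path

# Turn "klist -k" output (KVNO and principal columns) on stdin into unique
# "kvno principal" pairs, dropping the header lines.
parse_klist() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1, $2 }' | sort -u
}

# Principals with more than one KVNO in the keytab: leftovers from an earlier
# join (the thread saw the KVNO move from 2 to 1 after leave/join).
multi_kvno() {
    parse_klist | awk '{ n[$2]++ } END { for (p in n) if (n[p] > 1) print p }'
}

# "account" for NAME$@REALM style names, "service" for service/host@REALM SPNs.
principal_kind() {
    case "$1" in
        */*) echo service ;;
        *)   echo account ;;
    esac
}

# Try an initial TGT with the keytab key for one principal, in a throwaway
# credential cache so the real cache is left untouched.
probe_tgt() {
    cc=$(mktemp)
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$KEYTAB" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
    rm -f "$cc"
}

report() {
    klist -k "$KEYTAB" | parse_klist | while read -r kvno princ; do
        printf '%-8s kvno=%s tgt=%-4s %s\n' \
            "$(principal_kind "$princ")" "$kvno" "$(probe_tgt "$princ")" "$princ"
    done
    klist -k "$KEYTAB" | multi_kvno | sed 's/^/stale KVNO entries for: /'
}

# Only touch the real keytab when explicitly asked: sh keytab-probe.sh run
if [ "${1-}" = run ]; then report; fi
```

Expected on a freshly joined machine: the MACHINE$ line reports tgt=ok and the host/ lines report tgt=FAIL, which is the normal split between account and service keys, not a broken keytab.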


