[Samba] creating Kerberos host principals for multiple hostnames, multihomed server

L.P.H. van Belle belle at bazuin.nl
Fri Mar 6 01:07:51 MST 2015


Hi,

>Those machines need a working Kerberos login via multiple hostnames
>(each hostname has its own IP address and DNS is set up correctly.)
Looks to me a bit overkill, but you will have your reasons for a setup like this..

so.. you can try this..  

assuming this:
REALM=MY.REALM.TLD
DNSDOMAIN=my.domain.tld
and a service account for the SPNs.

You can also use the existing "hostname",
but for these extra SPNs I use an extra "service_account".

1) create "serviceaccount" for "HOSTNAME": serviceaccount_name

2) create the SPNs for the service accounts
samba-tool spn add host/hostname.DNSDOMAIN serviceaccount_name (or original hostname)
samba-tool spn add host/hostname.DNSDOMAIN@REALM serviceaccount_name (or original hostname)

samba-tool spn add host/hostname2.DNSDOMAIN serviceaccount_name (or original hostname)
samba-tool spn add host/hostname2.DNSDOMAIN@REALM serviceaccount_name (or original hostname)

samba-tool spn add host/hostname3.DNSDOMAIN serviceaccount_name (or original hostname)
samba-tool spn add host/hostname3.DNSDOMAIN@REALM serviceaccount_name (or original hostname) .. etc.


now export the keytabs..
samba-tool domain exportkeytab /tmp/hostnames-extra.keytab --principal=host/hostname.DNSDOMAIN 
samba-tool domain exportkeytab /tmp/hostnames2-extra.keytab --principal=host/hostname2.DNSDOMAIN
samba-tool domain exportkeytab /tmp/hostnames3-extra.keytab --principal=host/hostname3.DNSDOMAIN   .. etc. 

check the keytab file: 
klist -e -k /tmp/hostnames-extra.keytab
klist -e -k /tmp/hostnames2-extra.keytab
klist -e -k /tmp/hostnames3-extra.keytab

You should see all the hostnames; if correct, merge all keytab files into 1 file.

type: ktutil
ktutil:

read all the keytab files in ktutil
rkt /tmp/hostnames-extra.keytab
rkt /tmp/hostnames2-extra.keytab
rkt /tmp/hostnames3-extra.keytab
look: list (use help to get to know ktutil)

write the new keytab file.
wkt /tmp/new.keytab

and quit ktutil.

check the new one.. 
klist -e -k /tmp/new.keytab

And you can also add the existing keytab file to it.
Then you have 1 keytab file for all hostnames.

If you also have different domain names, make sure you don't forget the krb5.conf.
like .. 
[realms]
REALM = {
  kdc = samba-dc1.REALM
  admin_server = samba-dc1.REALM
}

[domain_realm]
  .DNSDOMAIN = REALM
  DNSDOMAIN = REALM
  .DNSDOMAIN2 = REALM
  DNSDOMAIN2 = REALM

etc.. 


Good luck, now you know how.

Greetz, 

Louis
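A check to go with the `klist -e -k` step above, added here as an example; it is not from the original thread or from the Samba project. It parses the MIT v2 keytab format that samba-tool and ktutil write and reports which expected host principals are missing from the merged keytab, so the result can be verified in a script instead of by eye. The realm, hostnames and key bytes are constructed sample values.

```python
import struct
REALM = "MY.REALM.TLD"          # constructed sample values, not a real realm
HOSTS = ["hostname.my.domain.tld", "hostname2.my.domain.tld", "hostname3.my.domain.tld"]

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT v2 (0x0502) keytab."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))   # then counted strings: 16-bit length + bytes
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm, *comps])
        # name_type 1 (NT-PRINCIPAL), timestamp 0, 8-bit vno, then the keyblock
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def read_keytab(data):
    """Yield (principal, kvno, enctype) per entry, the fields 'klist -e -k' prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative = deleted slot, 0 = padding: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        _, _, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit kvno trailer
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, enctype

def missing_host_principals(data, hostnames, realm=REALM):  # hosts lacking host/<fqdn>@REALM
    present = {p for p, _, _ in read_keytab(data)}
    return [h for h in hostnames if f"host/{h}@{realm}" not in present]

# constructed keytab holding only the first two hosts (enctype 18 = aes256-cts, 32-byte key)
SAMPLE = build_keytab([(f"host/{h}@{REALM}", 2, 18, bytes(32)) for h in HOSTS[:2]])
```

Run it against the real file with `missing_host_principals(open("/tmp/new.keytab", "rb").read(), HOSTS)` after filling in your own realm and hostnames; an empty list means every hostname has its host principal.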






>-----Original message-----
>From: john.wyzer at gmx.de [mailto:samba-bounces at lists.samba.org]
>On behalf of John Wyzer
>Sent: Thursday 5 March 2015 23:38
>To: samba at lists.samba.org
>Subject: [Samba] creating Kerberos host principals for
>multiple hostnames, multihomed server
>
>Hi!
>
>I maintain Linux servers that are members of a Samba4 Domain.
>User authentication / login via ssh works fine with Kerberos.
>
>But: only via one hostname.
>
>Those machines need a working Kerberos login via multiple hostnames
>(each hostname has its own IP address and DNS is set up correctly.)
>
>"net ads keytab list" of course gives me the main hostname that was in
>use when joining the domain (host/my-server@MY.REALM.COM).
>
>With "net ads keytab add" I can only add service principals without
>specifying the FQDN of the desired principal.
>
>Is there a way for me to add a "host/my-server2@MY.REALM.COM" principal
>to the machines' keytab?
>
>I'm very much out of ideas and have searched all the mailing lists'
>archives to no avail :-(
>
>Best regards and many thanks for any help!
>
>John


