[Samba] creating Kerberos host principals for multiple hostnames, multihomed server
John Wyzer
john.wyzer at gmx.de
Fri Mar 6 05:44:29 MST 2015
On 06/03/15 09:07, L.P.H. van Belle wrote:
> Hai,
>
>> Those machines need a working Kerberos login via multiple hostnames
>> (each hostname has its own IP address and DNS is set up correctly.)
> looks to me a bit overkill, but you will have your reasons for a setup like this..
>
> so.. you can try this..
>
> assuming this:
> REALM=MY.REALM.TLD
> DNSDOMAIN=my.domain.tld
> and a service account for the SPNs.
>
> You can also use the existing "hostname"
> but for these extra SPNs I use an extra "service_account"
>
> 1) create "serviceaccount" for "HOSTNAME" : serviceaccount_name
>
> 2) create the spns for the service accounts
> samba-tool spn add host/hostname.DNSDOMAIN serviceaccount_name ( or original hostname )
> samba-tool spn add host/hostname.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )
>
> samba-tool spn add host/hostname2.DNSDOMAIN serviceaccount_name ( or original hostname )
> samba-tool spn add host/hostname2.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )
>
> samba-tool spn add host/hostname3.DNSDOMAIN serviceaccount_name ( or original hostname )
> samba-tool spn add host/hostname3.DNSDOMAIN@REALM serviceaccount_name ( or original hostname ) .. etc.
>
>
> now export the keytabs . .
> samba-tool domain exportkeytab /tmp/hostnames-extra.keytab --principal=host/hostname.DNSDOMAIN
> samba-tool domain exportkeytab /tmp/hostnames2-extra.keytab --principal=host/hostname2.DNSDOMAIN
> samba-tool domain exportkeytab /tmp/hostnames3-extra.keytab --principal=host/hostname3.DNSDOMAIN .. etc.
>
> check the keytab file:
> klist -e -k /tmp/hostnames-extra.keytab
> klist -e -k /tmp/hostnames2-extra.keytab
> klist -e -k /tmp/hostnames3-extra.keytab
>
> you should see all the hostnames; if correct, merge all keytab files into 1 file.
>
> type : ktutil
> ktutil :
>
> read all the keytab files in ktutil
> rkt /tmp/hostnames-extra.keytab
> look : list ( use help to get to know ktutil )
>
> write the new keytab file.
> wkt /tmp/new.keytab
>
> and quit ktutil.
>
> check the new one..
> klist -e -k /tmp/new.keytab
>
> and you can add also the existing keytab file to it.
> then you have 1 keytab file for all hostnames.
>
> if you also have different domainnames, make sure you don't forget the krb5.conf.
> like ..
> [realms]
> REALM = {
> kdc = samba-dc1.REALM
> admin_server = samba-dc1.REALM
> }
>
>
> [domain_realm]
> .DNSDOMAIN = REALM
> DNSDOMAIN = REALM
> .DNSDOMAIN2 = REALM
> DNSDOMAIN2 = REALM
>
> etc..
>
>
> good luck now you know how.
>
Thank you very much! That helped me get all the keytabs correct and was
a very useful exercise.
It did not help with the pam_krb5 login however.
Then I discovered this:
All this was not necessary to begin with.
In order to be able to log into the host via pam_krb5 via multiple
hostnames, no additional principals are necessary.
Only the DNS has to be set up as follows:
n001.my.dnsdomain.tld 10 A 192.168.100.1
m001.my.dnsdomain.tld 10 A 192.168.101.1
i001.my.dnsdomain.tld 10 A 192.168.102.1
1.100.168.192.in-addr.arpa 10 ptr n001.my.dnsdomain.tld
1.101.168.192.in-addr.arpa 10 ptr n001.my.dnsdomain.tld
1.102.168.192.in-addr.arpa 10 ptr n001.my.dnsdomain.tld
Now I can ssh into n001 m001 and i001 which are all the same machine
without a password prompt.
Perhaps there is a possibility to set up pam_krb5 in a way that can
handle the reverse lookup according to the hostname/ip address that was
used to initiate the login - but I did not find any and for my setup
this is enough. ("hostname -A" returns all three hostnames, by the way...)
Many thanks again!
John
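The SPN-and-keytab procedure from the quoted reply, as an added example that is not part of the original thread and not the Samba project's own code. It wraps the steps (samba-tool spn add, samba-tool domain exportkeytab, ktutil merge, klist check) in shell functions and adds an offline checker for the klist output, so the merged keytab can be verified against the list of expected principals instead of by eye. Assumptions: a Samba AD DC with samba-tool on PATH, MIT Kerberos ktutil (rkt/wkt syntax, as in the reply), an existing service account; REALM, SERVICE_ACCOUNT, the hostnames and the SAMPLE_KLIST text are placeholders or constructed data, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Placeholders: REALM, SERVICE_ACCOUNT,
# the FQDNs passed on the command line. Needs samba-tool, MIT ktutil and klist
# for a real run; the checker function and SPN generator work offline.
set -eu

REALM="${REALM:-MY.REALM.TLD}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-serviceaccount_name}"

# Print the two SPN spellings the reply registers for one FQDN, one per line:
# host/<fqdn> and host/<fqdn>@<realm>.
spns_for_host() {
    local fqdn="$1" realm="$2"
    printf 'host/%s\nhost/%s@%s\n' "$fqdn" "$fqdn" "$realm"
}

# Register both host/ SPNs for every FQDN on the service account (needs samba-tool).
add_host_spns() {
    local account="$1" realm="$2" fqdn spn
    shift 2
    for fqdn in "$@"; do
        spns_for_host "$fqdn" "$realm" | while IFS= read -r spn; do
            samba-tool spn add "$spn" "$account"
        done
    done
}

# Export one keytab per FQDN, then merge them into "$out" with MIT ktutil,
# feeding it the same rkt/wkt commands the reply types interactively.
export_and_merge_keytabs() {
    local out="$1" fqdn tmpdir script
    shift
    tmpdir="$(mktemp -d)"
    script="$tmpdir/ktutil.cmds"
    for fqdn in "$@"; do
        samba-tool domain exportkeytab "$tmpdir/$fqdn.keytab" --principal="host/$fqdn"
        printf 'rkt %s\n' "$tmpdir/$fqdn.keytab" >> "$script"
    done
    printf 'wkt %s\nquit\n' "$out" >> "$script"
    ktutil < "$script"
    rm -rf "$tmpdir"
}

# Read `klist -e -k` output on stdin and print every expected principal that is
# absent from it. Exit 0 when all are present, 1 otherwise. Only lines whose
# first field is a numeric KVNO are considered, so klist's header is ignored.
missing_principals() {
    local present missing=0 p
    present="$(awk '$1 ~ /^[0-9]+$/ { print $2 }')"
    for p in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample of what `klist -e -k /tmp/new.keytab` prints after a merge
# (made up for this example, not output from the thread); m001 is deliberately
# missing so the checker has something to report.
SAMPLE_KLIST='Keytab name: FILE:/tmp/new.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/n001.my.dnsdomain.tld@MY.REALM.TLD (aes256-cts-hmac-sha1-96)
   1 host/n001.my.dnsdomain.tld@MY.REALM.TLD (aes128-cts-hmac-sha1-96)
   1 host/i001.my.dnsdomain.tld@MY.REALM.TLD (aes256-cts-hmac-sha1-96)'

# Real run only when invoked as:  ./keytabs.sh apply n001.my.dnsdomain.tld m001.my.dnsdomain.tld ...
# The final pipeline exits non-zero (and under set -e aborts) if any principal is missing.
if [ "${1:-}" = "apply" ]; then
    shift
    add_host_spns "$SERVICE_ACCOUNT" "$REALM" "$@"
    export_and_merge_keytabs /tmp/new.keytab "$@"
    expected=""
    for h in "$@"; do expected="$expected host/$h@$REALM"; done
    # shellcheck disable=SC2086  # principals contain no whitespace, splitting is intended
    klist -e -k /tmp/new.keytab | missing_principals $expected
fi
```

The author's later finding fits the same picture: with every PTR record pointing at n001, a client that canonicalizes the server name through reverse DNS (the MIT krb5 `rdns` libdefault, on by default) asks for host/n001.my.dnsdomain.tld whichever name it connected to, which is the principal the host's standard keytab already holds. If rdns is turned off (the MIT documentation flags reverse-DNS canonicalization as something to disable in stricter setups), the client asks for host/m001 or host/i001 instead, and the extra principals and merged keytab above become necessary again.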