[Samba] Problem with keytab: "Client not found in Kerberos database"
Brian Candler
b.candler at pobox.com
Tue Dec 20 10:56:35 UTC 2016
I finally found it, thanks to a clue from
https://wiki.archlinux.org/index.php/Active_Directory_Integration
This works:
kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'
These don't work:
kinit -k -t /etc/krb5.keytab
kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
kinit -k -t /etc/krb5.keytab host/wrn-radtest
That is: the keytab contains three different principals:
root@wrn-radtest:~# net ads keytab list
Vno  Type                     Principal
  2  des-cbc-crc              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  des-cbc-md5              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  des-cbc-crc              host/wrn-radtest@AD.EXAMPLE.NET
  2  des-cbc-md5              host/wrn-radtest@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest@AD.EXAMPLE.NET
  2  des-cbc-crc              WRN-RADTEST$@AD.EXAMPLE.NET
  2  des-cbc-md5              WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         WRN-RADTEST$@AD.EXAMPLE.NET
I can get a TGT for any of them, and by default kinit chooses the
first. But the LDAP server won't talk to me unless I choose the
'WRN-RADTEST$' principal.
Now I just need to work out how to get freeradius to choose the right
principal - but at worst I should be able to make a new keytab which
doesn't have the other two.
Regards,
Brian.
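An added illustration (not code from the post, from Samba or from MIT Kerberos): a minimal reader and writer for the MIT keytab file format (version 0x0502). It makes the entry order that `kinit -k` walks visible, reports the first entry's principal (the one the post says kinit picks when none is given), and writes a filtered keytab holding only one chosen principal, which is the "new keytab which doesn't have the other two" the post mentions. The sample entries are constructed to mirror the three principals listed above with dummy key bytes and an arbitrary timestamp; none of it is real key material.

```python
"""Minimal MIT keytab (format 0x0502) reader and writer.

Added example, not code from the Samba project or from the post. The
sample keytab is constructed: the three principals from the post, vno 2,
two AES enctypes each, and dummy filler bytes in place of real keys.
"""
import struct

# Enctype numbers as shown by 'net ads keytab list' (RFC 3961 / RFC 4120 values).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
KRB5_NT_PRINCIPAL = 1  # name type used for both host/... and HOST$ entries


def _counted_octets(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return the entries in file order as dicts: principal, enctype, vno, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # v2: count excludes realm
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:       # optional trailing 32-bit vno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "vno": vno,
            "key": key,
        })
        off = end
    return entries


def build_keytab(entries):
    """Serialize entries (principal, enctype, vno, key, timestamp) as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.get("timestamp", 0), e["vno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["vno"])   # full 32-bit vno after the key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def default_principal(data):
    """Principal MIT 'kinit -k -t <keytab>' uses with no principal argument: the first entry's."""
    entries = parse_keytab(data)
    return entries[0]["principal"] if entries else None


def filter_keytab(data, keep):
    """Build a new keytab containing only the entries for principal 'keep'."""
    kept = [e for e in parse_keytab(data) if e["principal"] == keep]
    if not kept:
        raise LookupError(f"{keep} not present in keytab")
    return build_keytab(kept)


# Constructed sample: the post's three principals, vno 2, aes128 and aes256 keys
# made of repeated filler bytes (not real keys), arbitrary timestamp.
REALM = "AD.EXAMPLE.NET"
SAMPLE_ENTRIES = [
    {"principal": f"{p}@{REALM}", "enctype": et, "vno": 2,
     "key": bytes([i]) * klen, "timestamp": 1482231395}
    for i, p in enumerate(["host/wrn-radtest.ad.example.net",
                           "host/wrn-radtest", "WRN-RADTEST$"], start=1)
    for et, klen in ((17, 16), (18, 32))
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["vno"], e["enctype_name"], e["principal"])
    print("default:", default_principal(SAMPLE_KEYTAB))
    only_machine = filter_keytab(SAMPLE_KEYTAB, f"WRN-RADTEST$@{REALM}")
    print("after filtering, default:", default_principal(only_machine))
```

The filtered keytab leaves the machine-account principal as the only (and therefore first) entry, so a client that takes the first keytab entry ends up with the principal the LDAP server accepts; `ktutil` can produce the same result interactively from the original keytab.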