[Samba] Problem with keytab: "Client not found in Kerberos database"

L.P.H. van Belle belle at bazuin.nl
Tue Dec 20 11:19:52 UTC 2016


Hai, 

Maybe something like this in freeradius, but I'm not 100% sure here. 
I'm also working on my freeradius skills here, it's hard.. :-/ (for me..) 

I used this site:
http://deployingradius.com/documents/configuration/active_directory.html 
for the basics and to start with a working set. 
Now I'm trying to get rid of ntlm_auth and switch to ldaps or kerberos. 

This is what I found, don't know if that's exactly what you're looking for. 

( module ) 
krb5 {
        keytab = /etc/freeradius/keytab 
        service_principal = radius/radius.example.com
}
authenticate {
        Auth-Type PAP {
                krb5
        }
        Auth-Type Kerberos {
                krb5
        }
}


For my squid server I needed the correct SPN also. 
For that I've added these to the environment file to load.

KRB5_KTNAME=/etc/squid/keytab.PROXY
export KRB5_KTNAME 
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

And the SPN which squid needs (the only one) is in keytab.PROXY.
The CA root cert is merged into /etc/ssl/certs/ca-certificates.crt to make sure my ldaps works ok. 

I hope this helps you a bit. 
And if you got it working, it would be very nice to post it here for when I'm working on freeradius again. 

;-) 

Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Brian Candler via samba
> Sent: Tuesday 20 December 2016 11:57
> To: samba
> Subject: Re: [Samba] Problem with keytab: "Client not found in Kerberos database"
> 
> I finally found it, thanks to a clue from
> https://wiki.archlinux.org/index.php/Active_Directory_Integration
> 
> This works:
> 
> kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'
> 
> These don't work:
> 
> kinit -k -t /etc/krb5.keytab
> kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
> kinit -k -t /etc/krb5.keytab host/wrn-radtest
> 
> That is: the keytab contains three different principals:
> 
> root at wrn-radtest:~# net ads keytab list
> Vno  Type                                        Principal
>    2  des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>    2  des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>    2  aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>    2  aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>    2  arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>    2  des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
>    2  des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
>    2  aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
>    2  aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
>    2  arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
>    2  des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
>    2  des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
>    2  aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
>    2  aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
>    2  arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
> 
> I can get a TGT for any of them, and by default kinit chooses the
> first.  But the LDAP server won't talk to me unless I choose the
> 'WRN-RADTEST$' principal.
> 
> Now I just need to work out how to get freeradius to choose the right
> principal - but at worst I should be able to make a new keytab which
> doesn't have the other two.
> 
> Regards,
> 
> Brian.
> 
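Worked example, added here and not code from either poster, from Samba or from FreeRADIUS: a small script that reads a keytab listing in the `net ads keytab list` format shown above and answers the three questions Brian's post raises. Which principal does `kinit -k` fall back to when none is given (the first in the file)? Which entry is the AD computer account (the one whose name ends in `$`, the only one the LDAP server accepted)? And, for the "new keytab which doesn't have the other two" route, which ktutil slots would have to go? It also flags the single-DES and RC4 keys that are visible in the listing, since a keytab that carries them means the account still has those keys in AD. The sample listing is the one from the thread with the two wrapped lines rejoined and the archive's " at " obfuscation restored to "@"; the output path /etc/freeradius/keytab is taken from Louis's krb5 module block. The generated ktutil batch assumes the listing is in the same file order that ktutil's `rkt` reads, which holds when both iterate the keytab sequentially.

```python
"""Triage a keytab listing: default kinit principal, machine account,
deprecated enctypes, and a ktutil batch that keeps only one principal.

Standard library only, so it runs offline on a pasted listing.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample: the `net ads keytab list` output from the thread, with the
# two line-wrapped principals rejoined and " at " restored to "@".
SAMPLE_LISTING = """\
Vno  Type                                        Principal
   2  des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
   2  des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
   2  des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
   2  des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
"""

# Single DES is deprecated by RFC 6649, RC4 and 3DES by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac-md5", "arcfour-hmac"}

# One entry per line: kvno, enctype, principal. The header line does not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    slot: int        # 1-based position in the file, the number ktutil shows
    kvno: int
    enctype: str
    principal: str


def parse_listing(text):
    """Return the entries in file order; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(len(entries) + 1, int(m.group(1)),
                                       m.group(2), m.group(3)))
    return entries


def principals_in_order(entries):
    """Distinct principals in first-seen order. `kinit -k` with no principal
    argument uses the first one, which is why the bare command failed here."""
    seen = []
    for e in entries:
        if e.principal not in seen:
            seen.append(e.principal)
    return seen


def machine_account_principal(entries):
    """The AD computer account (name before the realm ends in '$'), or None."""
    for p in principals_in_order(entries):
        if p.split("@", 1)[0].endswith("$"):
            return p
    return None


def weak_entries(entries):
    """Entries whose key uses a deprecated encryption type."""
    return [e for e in entries if e.enctype.lower() in WEAK_ENCTYPES]


def kinit_command(keytab, principal):
    """Shell-safe kinit line; the '$' in the machine account needs quoting."""
    return f"kinit -k -t {shlex.quote(keytab)} {shlex.quote(principal)}"


def ktutil_script(entries, keytab, keep_principal, out_path):
    """MIT ktutil batch that writes a keytab holding only keep_principal.
    Slots are deleted highest-first because delent renumbers what remains."""
    drop = sorted((e.slot for e in entries if e.principal != keep_principal),
                  reverse=True)
    return ([f"rkt {keytab}"] + [f"delent {s}" for s in drop]
            + [f"wkt {out_path}", "quit"])


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    print("default kinit principal:", principals_in_order(ents)[0])
    acct = machine_account_principal(ents)
    print("machine account:", acct)
    print("weak keys:", ", ".join(f"{e.enctype} ({e.principal})" for e in weak_entries(ents)))
    print(kinit_command("/etc/krb5.keytab", acct))
    print("\n".join(ktutil_script(ents, "/etc/krb5.keytab", acct, "/etc/freeradius/keytab")))
```

Feed the generated lines to `ktutil` on stdin (or paste them) and check the result with `klist -kt /etc/freeradius/keytab` before pointing the krb5 module at it; `kvno` stays at 2 for every surviving entry, so the new keytab keeps working until the machine account password is next rotated.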
