[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
L.P.H. van Belle
belle at bazuin.nl
Tue Feb 7 07:32:08 UTC 2017
Hm instresting way.
Whats the difference in createing the HTTP/spn with net ads or samba tool
( besides de found bug )
I'll go try this out.
You remember the "squid" spn/upn problem, this solved it also.
The squid kerberos group plugin now correctly detects the HTTP spn.
Thanks for trying out.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny via
> samba
> Verzonden: zaterdag 4 februari 2017 14:24
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] samba creating keytabs... ( possible bug, can
> someone confirm this )
>
> On Sat, 4 Feb 2017 12:30:29 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Wed, 1 Feb 2017 14:43:52 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > Hai,
> > >
> > >
> > >
> > > I noticed something strange in the keytab file on my member server.
> > >
> >
> > I can confirm this, but it gets stranger ;-)
> >
> OK, I think I have found a workaround ;-)
>
> Remove the 'http' SPNs from the computers AD object
>
> Then (on the client) run this:
>
> net ads keytab add HTTP -k
>
> klist -ket
>
> .................
> 2 04/02/17 12:44:48
> HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (des-cbc-crc)
> 2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (des-cbc-crc)
> 2 04/02/17 12:44:48
> HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (des-cbc-md5)
> 2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (des-cbc-md5)
> 2 04/02/17 12:44:48
> HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-
> sha1-96)
> 2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-
> sha1-96)
> 2 04/02/17 12:44:48
> HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-
> sha1-96)
> 2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-
> sha1-96)
> 2 04/02/17 12:44:48
> HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (arcfour-hmac)
> 2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (arcfour-hmac)
>
> and in the computers AD object:
>
> servicePrincipalName: HOST/DEVCLIENT
> servicePrincipalName: HOST/devclient.samdom.example.com
> servicePrincipalName: nfs/devclient
> servicePrincipalName: nfs/devclient.samdom.example.com
> servicePrincipalName: HTTP/devclient
> servicePrincipalName: HTTP/devclient.samdom.example.com
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list