[Samba] samba creating keytabs... ( possible bug, can someone confirm this )

L.P.H. van Belle belle at bazuin.nl
Tue Feb 7 07:32:08 UTC 2017


Hm, interesting way.

What's the difference in creating the HTTP/spn with net ads or samba tool
(besides the found bug)?

I'll go try this out. 
You remember the "squid" spn/upn problem, this solved it also. 
The squid kerberos group plugin now correctly detects the HTTP spn. 

Thanks for trying out. 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Saturday 4 February 2017 14:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba creating keytabs... ( possible bug, can
> someone confirm this )
> 
> On Sat, 4 Feb 2017 12:30:29 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > On Wed, 1 Feb 2017 14:43:52 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > Hai,
> > >
> > >
> > >
> > > I noticed something strange in the keytab file on my member server.
> > >
> >
> > I can confirm this, but it gets stranger ;-)
> >
> OK, I think I have found a workaround ;-)
> 
> Remove the 'http' SPNs from the computer's AD object
> 
> Then (on the client) run this:
> 
> net ads keytab add HTTP -k
> 
> klist -ket
> 
> .................
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (des-cbc-crc)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (des-cbc-crc)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (des-cbc-md5)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (des-cbc-md5)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (arcfour-hmac)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT at SAMDOM.EXAMPLE.COM (arcfour-hmac)
> 
> and in the computer's AD object:
> 
> servicePrincipalName: HOST/DEVCLIENT
> servicePrincipalName: HOST/devclient.samdom.example.com
> servicePrincipalName: nfs/devclient
> servicePrincipalName: nfs/devclient.samdom.example.com
> servicePrincipalName: HTTP/devclient
> servicePrincipalName: HTTP/devclient.samdom.example.com
> 
> Rowland
> 
> 
> 
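A check that can follow the workaround quoted above, as an added example that is not part of the original thread: it parses `klist -ket` output and reports servicePrincipalName values that have no keytab entry, plus keytab entries that use single-DES or RC4 enctypes like those in the listing. The sample input is constructed from the thread's host names, the function names are hypothetical, and names are compared case-insensitively as an assumption (the listing shows HTTP/DEVCLIENT in the keytab and HTTP/devclient in AD).

```python
import re
from collections import defaultdict

# Single-DES (RFC 6649) and RC4 (RFC 8429) enctypes are deprecated.
WEAK_PREFIXES = ("des-", "arcfour")

# One key entry: KVNO, date, time, principal@REALM, (enctype).
# Assumption: newer MIT klist builds may print "(DEPRECATED:arcfour-hmac)".
ENTRY = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)@(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$"
)

# Constructed sample in `klist -ket` layout, using the thread's host names.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (arcfour-hmac)
"""
# Constructed subset of the servicePrincipalName values shown in the thread.
SAMPLE_SPNS = ["HTTP/devclient", "HTTP/devclient.samdom.example.com", "nfs/devclient"]


def parse_klist(text):
    """Return {lowercased principal without realm: set of enctypes}."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            _kvno, name, _realm, enctype = m.groups()
            keys[name.lower()].add(enctype)
    return dict(keys)


def audit(klist_text, ad_spns):
    """Compare keytab principals with the SPNs on the computer object."""
    keys = parse_klist(klist_text)
    wanted = {spn.lower() for spn in ad_spns}
    weak = {}
    for name, enctypes in keys.items():
        hits = sorted(e for e in enctypes if e.startswith(WEAK_PREFIXES))
        if hits:
            weak[name] = hits
    return {"missing_from_keytab": sorted(wanted - set(keys)), "weak_enctypes": weak}


if __name__ == "__main__":
    print(audit(SAMPLE_KLIST, SAMPLE_SPNS))
```
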




