[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
L.P.H. van Belle
belle at bazuin.nl
Tue Feb 7 11:23:07 UTC 2017
I'll explain a bit more; maybe it's easier to bug-hunt this way.
My goal, what I want to try, is to create a keytab file with the correct entries.
So I tried the following.
Join the member to the domain.
This created the default keytab with :
host/hostname at REALM
host/hostname.FQDN at REALM
( 5 x for every encryption type, so 15 entries )
Now once created, I'm adding ( with samba-tool ) the nfs/ and HTTP/ to HOSTNAME$
I back up the keytab file.
And now run: 'net ads create keytab' again or net ads join.
And klist -ke /etc/krb5.keytab
Now look in the AD at the SPN entries.
The samba-tool honors the caps in principal name:
samba-tool domain exportkeytab --principal=HTTP/
My workaround now, which works:
Join samba. ( gets the default )
Add the SPN to HOSTNAME$ with samba-tool
Extract the SPN with samba-tool
Copy to the needed server, merge the default with the new SPN.
I was thinking samba would update the keytab file when it's getting an SPN added.
I'm missing the option: net ads keytab update, to update the keytab file after changing the AD.
:-) That would be nice and very handy, and save a lot of copy and paste things.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> Sent: Tuesday 7 February 2017 9:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba creating keytabs... ( possible bug, can
> someone confirm this )
> On Tue, 7 Feb 2017 08:32:08 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > Hm, interesting way.
> > What's the difference in creating the HTTP/spn with net ads or samba
> > tool ( besides the found bug )
> I don't know what the difference is, but the bug seems to be in 'net
> ads create keytab'. When you create the SPN with samba-tool, it
> creates the keytab correctly, but when you run the 'net' command to
> create the new keytab it adds the 'HTTP' lines again, but with
> lowercase 'http'.
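A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it reads `klist -ke` output and reports principals that appear in the keytab under more than one letter-case spelling (such as `HTTP/` and `http/`). The MIT `klist` column layout, the host name `member1.example.com` and the realm `EXAMPLE.COM` are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag keytab principals that differ only in letter case.

# Constructed sample of `klist -ke /etc/krb5.keytab` output (MIT layout assumed);
# member1.example.com and EXAMPLE.COM are placeholder names.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/member1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/member1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 HTTP/member1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/member1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 http/member1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 http/member1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
}

# Reads klist -ke output on stdin. Entry lines start with a numeric KVNO
# followed by the principal; header lines are skipped. Prints one line per
# principal that occurs with more than one spelling, listing the spellings
# in the order they appear in the keytab. The whole principal is compared
# case-insensitively, so a realm written in mixed case is reported as well.
find_case_variants() {
    awk '
    $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        key = tolower($2)
        if (!((key, $2) in seen)) {
            seen[key, $2] = 1
            count[key]++
            spellings[key] = spellings[key] " " $2
        }
    }
    END {
        for (key in count)
            if (count[key] > 1)
                print substr(spellings[key], 2)
    }'
}

# Real use: klist -ke /etc/krb5.keytab | find_case_variants
sample_klist_output | find_case_variants
```

Running it after each keytab regeneration or merge shows whether a second, differently cased copy of an SPN has been written next to the one exported with samba-tool.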