[Samba] samba creating keytabs... ( possible bug, can someone confirm this )

L.P.H. van Belle belle at bazuin.nl
Tue Feb 7 11:23:07 UTC 2017


Hi Rowland, 

I'll explain a bit more; maybe it's easier to bug-hunt this way. 

My goal, what I want to try, is to create a keytab file with the correct entries. 

So I tried the following. 
Join the member to the domain. 
This created the default keytab with :

host/hostname at REALM
host/hostname.FQDN at REALM
HOSTNAME$@REALM 
(5 x for every encryption type, so 15 entries) 

Now once created, I'm adding (with samba-tool) the nfs/ and HTTP/ to HOSTNAME$ 

I back up the keytab file. 
And now run: 'net ads create keytab' again, or net ads join.
And klist -ke /etc/krb5.keytab 

Now look in the AD at the SPN entries. 

The samba-tool honors the caps in principal name: 
samba-tool domain exportkeytab --principal=HTTP/

My workaround now, which works: 
Join samba. ( gets the default ) 
Add the spn to HOSTNAME$ with samba-tool 
Extract the spn with samba tool 
Copy to the needed server, merge the default with the new spn. 

I was thinking samba would update the keytab file when it's getting an SPN added. 
I'm missing the option: net ads keytab update, to update the keytab file after changing the AD. 

:-) That would be nice and very handy, save a lot of copy and paste things. 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Tuesday 7 February 2017 9:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba creating keytabs... ( possible bug, can
> someone confirm this )
> 
> On Tue, 7 Feb 2017 08:32:08 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hm, interesting way.
> >
> > What's the difference in creating the HTTP/ SPN with net ads or samba-tool
> > (besides the found bug)
> 
> I don't know what the difference is, but the bug seems to be in 'net
> ads create keytab'. When you create the SPN with samba-tool, it
> creates the keytab correctly, but when you run the 'net' command to
> create the new keytab it adds the 'HTTP' lines again, but with
> lowercase 'http'.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
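
The case mismatch Rowland describes (an 'HTTP/' entry duplicated as lowercase 'http/') can be spotted from the klist output Louis is already checking. As an added example, not part of this thread or of Samba itself, this POSIX sh script parses constructed `klist -ke` output and reports principals that differ only in case; the hostname, realm and entries are made up. Kerberos principal names are case-sensitive, so a lowercase http/ entry cannot serve HTTP/ requests, which is why such pairs are worth flagging.

```shell
#!/bin/sh
# Added example (not from the thread): flag keytab entries whose principal
# differs only in case from another entry, e.g. HTTP/host@REALM beside
# http/host@REALM, which is the symptom described above.
export LC_ALL=C   # byte-wise sort so output order is deterministic

# Constructed sample in the format of `klist -ke /etc/krb5.keytab`
# (hostname, realm and encryption types are made up for the example).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/member1.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   2 host/member1.example.lan@EXAMPLE.LAN (aes128-cts-hmac-sha1-96)
   2 HTTP/member1.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   2 http/member1.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   2 MEMBER1$@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)'

# Print "lowercased-principal as-written-principal" for every entry line
# (a leading KVNO followed by the principal), one line per distinct spelling.
keytab_principals() {
    # $1: klist -ke output
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /{ print tolower($2), $2 }' | sort -u
}

# Print one line per principal that appears in more than one spelling, the
# spellings separated by spaces. Returns 0 if any conflict exists, 1 otherwise.
case_conflicts() {
    # $1: klist -ke output
    conflicts=$(keytab_principals "$1" | awk '
        { seen[$1] = seen[$1] " " $2; n[$1]++ }
        END { for (k in n) if (n[k] > 1) { sub(/^ /, "", seen[k]); print seen[k] } }' | sort)
    printf '%s\n' "$conflicts"
    [ -n "$conflicts" ]
}

# Usage on the constructed sample: prints the HTTP/ vs http/ pair.
if case_conflicts "$SAMPLE_KLIST"; then
    echo "keytab has principals that differ only in case (see above)" >&2
fi
```

On a real member server, feed it `klist -ke /etc/krb5.keytab` output instead of the constructed sample.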
