[Samba] net ads keytab add has no visible effects

Rowland Penny rpenny at samba.org
Sun Feb 26 13:27:09 UTC 2017 

On Sun, 26 Feb 2017 13:16:58 +0100
Maximilian Ober <n0942544 at students.meduniwien.ac.at> wrote:


> 
> 1) Keytab after adding spn on DC with samba-tool
> [locadm at dc ~]$ sudo samba-tool spn add NFS/member.ad-domain.mober.at
> member$ $ sudo net ads keytab create -k -U Administrator
> $ sudo ktutil -k /etc/krb5.keytab list /etc/krb5.keytab:

>  2  des-cbc-crc              nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT   
>  2  des-cbc-md5              nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT   
>  2  aes128-cts-hmac-sha1-96  nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT   
>  2  des-cbc-crc              nfs/MEMBER at AD-DOMAIN.MOBER.AT                       
>  2  des-cbc-md5              nfs/MEMBER at AD-DOMAIN.MOBER.AT                       
>  2  aes128-cts-hmac-sha1-96  nfs/MEMBER at AD-DOMAIN.MOBER.AT                       
>  2  aes256-cts-hmac-sha1-96  nfs/MEMBER at AD-DOMAIN.MOBER.AT                       
>  2  arcfour-hmac-md5         nfs/MEMBER at AD-DOMAIN.MOBER.AT                       
>  2  arcfour-hmac-md5         nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT   
>  2  aes256-cts-hmac-sha1-96  nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT

> 
> Okay ... looks like this time it worked as expected in the first try.

You sure about that ?
You used samba-tool to add the SPN with 'NFS', yet the SPN's are shown
with 'nfs'.
This could just be down to using 'net to create the keytab, try
'samba-tool domain exportkeytab /etc/krb5.keytab' instead

> To try something:
> 
> 2) Adding an SPN on Member with net ads keytab
> $ sudo net ads keytab add nfs/nas.site-a.mober.at at AD-DOMAIN.MOBER.AT
> -U Administrator $ sudo net ads keytab create -k -U Administrator
> $ sudo ktutil -k /etc/krb5.keytab list /etc/krb5.keytab:
> 

> And there seems something missing again.

Not sure there is anything missing, you first use 'net' to add an SPN
and everything seems okay, you then use samba-tool to list the SPNs for
the Unix domain member. Perhaps if you ran 'samba-tool spn list
--help' and read the second line, which says this:

List spns of a given user.

It might give you a hint ;-)

A computer account in AD is also a user

I am fairly sure if you were to examine the computers object in AD, you
will not find the SPN 'nfs/nas.site-a.mober.at at AD-DOMAIN.MOBER.AT'

Rowland

More information about the samba mailing list