[Samba] added spn and exported keytab not match

Mike Lykov combr at samges.ru
Thu Nov 30 07:11:27 UTC 2017


Hello All.

I am using a Samba AD DC and a Linux server with Squid, and
I am trying to configure Kerberos authentication for proxy server users.
I need to add an SPN for a user and then export a keytab with it to a file.

I added the user with RSAT and added an SPN for it with samba-tool (as in 
https://wiki.samba.org/index.php/Generating_Keytabs):
--------------------
root@ad41:/# samba-tool spn list proxy
proxy
User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following 
servicePrincipalName:
          HTTP/proxy.S****.ru@DC.S****.RU
          host/proxy.S****.ru@DC.S****.RU
------------------

But I cannot export exactly this SPN; in the exported file I have a different record:

------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=HTTP/proxy.S****.ru@DC.S****.RU
ERROR(runtime): uncaught exception - Key table entry not found
---------------------------

samba-tool domain exportkeytab /root/squid.keytab --principal=proxy
root@ad41:/# klist -ke /root/squid.keytab
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 proxy@DC.S****.RU (des-cbc-crc)
    1 proxy@DC.S****.RU (des-cbc-md5)
    1 proxy@DC.S****.RU (arcfour-hmac)

This keytab doesn't have the record needed for use at the proxy server:

------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
kinit: Keytab contains no suitable keys for HTTP/proxy.S****.ru@DC.S****.RU while getting initial credentials
----------------

Where am I wrong, or is it a "samba-tool domain exportkeytab" problem?
I found a message saying it was fixed in Apr 2016, this for example:
https://lists.samba.org/archive/samba-technical/2016-April/113598.html

From what Samba version does it work correctly?

I tried to create the keytab from the proxy server with ktutil:
-----------
[root@proxy squid]# ktutil
ktutil:  addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-crc
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil:  addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-md5
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil:  addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e arcfour-hmac
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil:  wkt /etc/squid/squid.keytab
------------------
[root@proxy squid]# klist -ket /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- -----------------
    1 11/30/17 10:52:15 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-crc)
    1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-md5)
    1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (arcfour-hmac)
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
Using default cache: persistent:0:0
Using principal: HTTP/proxy.S****.ru@DC.S****.RU
Using keytab: /etc/squid/squid.keytab
kinit: Client 'HTTP/proxy.S****.ru@DC.S****.RU' not found in Kerberos database while getting initial credentials

I cannot guess why; anybody who knows Kerberos well, please?

-- 
Administrator
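As an added example that is not part of this thread (not the poster's commands and not Samba's code), the following Python script parses `klist -ke` / `klist -ket` output and reports two things a practitioner checks before pointing a service at a keytab: whether the keytab holds keys for the principal the service will use, and whether any entry relies on a weak enctype (single DES is disabled by default in current MIT Kerberos, and RC4 is deprecated). The realm `EXAMPLE.RU`, the host `proxy.example.ru` and the embedded klist text are constructed; the first sample mirrors the shape of the `--principal=proxy` export above, which contains only `proxy@REALM` and therefore cannot satisfy a lookup for `HTTP/proxy...`.

```python
"""Check a keytab for the principal a service expects and for weak enctypes,
by parsing 'klist -ke' / 'klist -ket' output.

Added example, not from the mailing-list thread or from Samba. Realm, host
and the sample klist output below are constructed placeholders.
"""
import re
import subprocess
from typing import Dict, List, NamedTuple, Optional

# Enctypes a defender should not want in a service keytab (assumed list):
# single DES is broken and disabled by default in modern MIT Kerberos, and
# RC4 (arcfour-hmac) is deprecated.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str
    timestamp: Optional[str]  # only present in 'klist -ket' output


# One table row: KVNO, optional timestamp column (with -t), then
# 'principal (enctype)'. Header and ruler lines do not match.
_ROW = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:(?P<ts>\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def parse_klist(text: str) -> List[KeytabEntry]:
    """Parse the tabular part of 'klist -ke' or 'klist -ket' output."""
    entries: List[KeytabEntry] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["principal"],
                                       m["enctype"].strip(), m["ts"]))
    return entries


def check_keytab(entries: List[KeytabEntry], expected_principal: str) -> Dict[str, object]:
    """Report whether the keytab can serve expected_principal and which
    entries use weak enctypes. 'usable' is True only if the expected
    principal has at least one non-weak key."""
    matching = [e for e in entries if e.principal == expected_principal]
    weak = [e for e in entries if e.enctype.lower() in WEAK_ENCTYPES]
    strong = [e for e in matching if e.enctype.lower() not in WEAK_ENCTYPES]
    return {
        "principals": sorted({e.principal for e in entries}),
        "has_expected": bool(matching),
        "expected_kvnos": sorted({e.kvno for e in matching}),
        "weak_entries": weak,
        "usable": bool(strong),
    }


def check_keytab_file(path: str, expected_principal: str) -> Dict[str, object]:
    """Run klist on a real keytab file (needs MIT klist; not used offline)."""
    out = subprocess.run(["klist", "-ket", path], check=True,
                         capture_output=True, text=True).stdout
    return check_keytab(parse_klist(out), expected_principal)


# Constructed sample 1: an export of the user principal only (no SPN keys).
SAMPLE_USER_ONLY = """\
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy@EXAMPLE.RU (des-cbc-crc)
   1 proxy@EXAMPLE.RU (des-cbc-md5)
   1 proxy@EXAMPLE.RU (arcfour-hmac)
"""

# Constructed sample 2: SPN keys present, mixed weak and AES enctypes.
SAMPLE_SPN = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/30/17 10:52:15 HTTP/proxy.example.ru@EXAMPLE.RU (des-cbc-crc)
   1 11/30/17 10:58:23 HTTP/proxy.example.ru@EXAMPLE.RU (arcfour-hmac)
   2 11/30/17 11:02:00 HTTP/proxy.example.ru@EXAMPLE.RU (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    want = "HTTP/proxy.example.ru@EXAMPLE.RU"
    for name, sample in (("user-only", SAMPLE_USER_ONLY), ("spn", SAMPLE_SPN)):
        r = check_keytab(parse_klist(sample), want)
        print(name, "has_expected=%s usable=%s weak=%d principals=%s" % (
            r["has_expected"], r["usable"], len(r["weak_entries"]), r["principals"]))
```

Run it against a real file with `check_keytab_file("/etc/squid/squid.keytab", "HTTP/proxy.example.ru@REALM")`; a keytab that reports `has_expected=False` will produce exactly the "Keytab contains no suitable keys" failure shown above, and one that reports `usable=False` only carries keys a current KDC or client may refuse to use.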


