[Samba] added spn and exported keytab not match
Mike Lykov
combr at samges.ru
Thu Nov 30 07:11:27 UTC 2017
Hello All.
I am using Samba AD DC and a Linux server with Squid, and
I am trying to configure Kerberos authentication for proxy server users.
I need to add an SPN for a user and then export a keytab with it to a file.
I added the user with RSAT and added an SPN for it with samba-tool (like
https://wiki.samba.org/index.php/Generating_Keytabs):
--------------------
root@ad41:/# samba-tool spn list proxy
proxy
User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
servicePrincipalName:
HTTP/proxy.S****.ru@DC.S****.RU
host/proxy.S****.ru@DC.S****.RU
------------------
But I cannot export exactly this SPN; in the exported file I have a different record:
------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=HTTP/proxy.S****.ru@DC.S****.RU
ERROR(runtime): uncaught exception - Key table entry not found
---------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=proxy
root@ad41:/# klist -ke /root/squid.keytab
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 proxy@DC.S****.RU (des-cbc-crc)
1 proxy@DC.S****.RU (des-cbc-md5)
1 proxy@DC.S****.RU (arcfour-hmac)
This keytab doesn't have the record needed for use at the proxy server
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
kinit: Keytab contains no suitable keys for HTTP/proxy.S****.ru@DC.S****.RU while getting initial credentials
----------------
Where am I wrong, or is it a "samba-tool domain exportkeytab" problem?
I found a letter saying that it was fixed in Apr 2016, this one for example:
https://lists.samba.org/archive/samba-technical/2016-April/113598.html
From which samba version does it work correctly?
I tried to create the keytab from the proxy server with ktutil:
-----------
[root@proxy squid]# ktutil
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-crc
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-md5
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e arcfour-hmac
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: wkt /etc/squid/squid.keytab
------------------
[root@proxy squid]# klist -ket /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp Principal
---- -----------------
1 11/30/17 10:52:15 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-crc)
1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-md5)
1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (arcfour-hmac)
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
Using default cache: persistent:0:0
Using principal: HTTP/proxy.S****.ru@DC.S****.RU
Using keytab: /etc/squid/squid.keytab
kinit: Client 'HTTP/proxy.S****.ru@DC.S****.RU' not found in Kerberos database while getting initial credentials
I cannot guess why; anybody who knows Kerberos well, please?
--
Administrator
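The two `klist` listings in the post show the two things that go wrong with a service keytab before it ever reaches Squid: the entry for the HTTP SPN is missing (the exported file only holds `proxy@REALM`, and Kerberos principal names must match exactly, realm included), and every key that is present uses a DES or RC4 enctype that current Kerberos libraries refuse or deprecate. The following script is an added example, not code from the post or from Samba: it parses `klist -ke` / `klist -ket` output and reports both problems so a keytab can be validated before deployment. The sample listings are constructed from the shapes shown above with a placeholder realm (`DC.EXAMPLE.RU`) and a second, hypothetical listing that carries the SPN with AES keys. Note that obtaining a service ticket with `kvno` after a normal user `kinit` is the usual way to exercise a service keytab, since an SPN is not a logon name the KDC will issue a TGT for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: modelled on the `klist -ke` listing in the post above,
# realm replaced by a placeholder. It lacks the HTTP SPN and has weak keys.
SAMPLE_EXPORTED = """\
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy@DC.EXAMPLE.RU (des-cbc-crc)
   1 proxy@DC.EXAMPLE.RU (des-cbc-md5)
   1 proxy@DC.EXAMPLE.RU (arcfour-hmac)
"""

# Constructed (hypothetical) `klist -ket` listing, timestamp column present,
# showing what a keytab usable by Squid would look like: SPN entry, AES keys.
SAMPLE_GOOD = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/30/17 10:52:15 HTTP/proxy.example.ru@DC.EXAMPLE.RU (aes256-cts-hmac-sha1-96)
   2 11/30/17 10:52:15 HTTP/proxy.example.ru@DC.EXAMPLE.RU (aes128-cts-hmac-sha1-96)
"""

# Enctypes that MIT, Heimdal and current Windows KDCs treat as deprecated or
# disabled; single DES is refused outright by modern libraries.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
}

# One keytab entry: KVNO, optional timestamp (klist -t), principal, (enctype).
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:\d{1,2}/\d{1,2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+)?"
    r"(?P<principal>\S+@\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def parse_klist(text: str) -> List[Tuple[int, str, str]]:
    """Parse `klist -ke` or `klist -ket` output into (kvno, principal, enctype)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"], m["enctype"]))
    return entries


def check_keytab(text: str, required_principal: str) -> Dict[str, object]:
    """Validate a keytab listing for one required service principal.

    Principal names are compared exactly (case-sensitive, realm included): an
    entry for 'proxy@REALM' does not serve 'HTTP/proxy.example.ru@REALM', even
    though in AD both names refer to the same account and the same password.
    """
    entries = parse_klist(text)
    matching = [e for e in entries if e[1] == required_principal]
    weak = [(p, et) for _, p, et in entries if et.lower() in WEAK_ENCTYPES]
    strong = [(p, et) for _, p, et in matching if et.lower() not in WEAK_ENCTYPES]
    return {
        "present": bool(matching),                      # SPN entry exists at all
        "principals": sorted({e[1] for e in entries}),  # what the file holds
        "kvnos": sorted({e[0] for e in matching}),      # must match the KDC's KVNO
        "weak": weak,                                   # deprecated keys anywhere
        "strong": strong,                               # modern keys for the SPN
        "usable": bool(strong),                         # SPN present with a modern key
    }


def findings(text: str, required_principal: str) -> List[str]:
    """Human-readable problems; an empty list means the keytab looks deployable."""
    r = check_keytab(text, required_principal)
    out = []
    if not r["present"]:
        held = ", ".join(r["principals"]) or "(no entries)"
        out.append(f"no entry for {required_principal}; keytab holds: {held}")
    for p, et in r["weak"]:
        out.append(f"deprecated enctype {et} for {p}")
    if r["present"] and not r["usable"]:
        out.append(f"{required_principal} has only deprecated keys")
    return out


if __name__ == "__main__":
    spn = "HTTP/proxy.example.ru@DC.EXAMPLE.RU"
    for name, listing in (("exported", SAMPLE_EXPORTED), ("good", SAMPLE_GOOD)):
        problems = findings(listing, spn)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run against the first listing it reports the missing SPN entry and three deprecated keys; against the second it reports nothing. The KVNO set is returned as well because a keytab whose KVNO differs from the account's current version on the DC fails in the same "no suitable keys" way as a missing entry.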