[Samba] kinit with SPN fail

banda bassotti bandabasotti at gmail.com
Thu Jun 11 04:10:27 UTC 2020


Hi, I think I found a bug. Using "strace -f -s512 /usr/sbin/samba -i -d 10"
to view LDAP queries,
in the old version of Samba (4.5.1) the following queries are made:

(&(objectClass=user)(userPrincipalName=zookeeper/node1.pro.lan@PRO.LAN))
(&(objectClass=user)(samAccountName=zookeeper/node1.pro.lan))
(&(servicePrincipalName=zookeeper/node1.pro.lan)(objectClass=user))

and not in the new version (4.11.9) :

(&(userPrincipalName=zookeeper/ap42.test.lan@TEST.LAN)(objectClass=user))
(&(samAccountName=zookeeper/ap42.test.lan)(objectClass=user))"
Kerberos: UNKNOWN -- zookeeper/ap42.test.lan@TEST.LAN: no such entry found in hdb

Please forward to the developer :) Thank you.

On Wed, 10 Jun 2020 at 21:01, banda bassotti <
bandabasotti at gmail.com> wrote:

> The production will be updated as soon as possible. Back to the kinit: it
> seems to me that we are going around the problem :) I will do tests; in the
> next few days I will make up for it, unless there are some hints.
>
> Thanks.
>
> On Wed, 10 Jun 2020 at 20:46, Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 10/06/2020 19:25, banda bassotti via samba wrote:
>> > Hi Rowland, yes I'm configuring apache kafka / zookeeper, I need
>> > Kerberos authentication for the test environment and I don't have AD :)
>> How can you be using samba-tool and not have AD?
>> >
>> > I've two environments, the first (production), samba 4.5.1 works as
>> > intended:
>>
>> But the intended use of Samba 4.5.1 is not to work, it is EOL :-D
>>
>> If I read the zookeeper page correctly, you should be adding the SPN to
>> the hosts object, not to a user.
>>
>> Something like:
>>
>> samba-tool spn add zookeeper/zookeeper1.example.com zookeeper1\$
>>
>> samba-tool domain exportkeytab /tmp/zookeeper.keytab
>> --principal=zookeeper/zookeeper1.example.com
>>
>> Rowland
>

