[Samba] GSSAPI authentication issue with samba as AD DC.
Hiroo Ono (小野寛生)
hiroo.ono+freebsd at gmail.com
Sun May 17 00:09:13 UTC 2020
Hello,
I am running samba 4.11.8 as Active Directory DC and a member server.
I wanted to authenticate cyrus-imapd by GSSAPI, and found this
mail: https://lists.samba.org/archive/samba-technical/2013-April/091429.html
I tried to run the cyrus-imap server on a member server, which has
successfully 'net ads join'ed and authenticates users with winbindd
without problems.
I followed the method written in the above mail, but the samba DC (KDC?)
does not respond to the TGS request.
I created a user and an SPN as in the mail above:
# samba-tool user create --random-password imap-nowhere
# samba-tool spn add imap/nowhere.oikumene.ukehi.net at OIKUMENE.UKEHI.NET imap-nowhere
Using samba-tool, I could verify that the SPN exists:
# samba-tool spn list imap-nowhere
I generated a keytab on the domain member machine (which I want to make an
imap server) as below:
# KRB5_KTNAME=/var/imap/krb5.keytab net ads keytab add imap -U administrator
This is from the Samba Wiki: https://wiki.samba.org/index.php/Generating_Keytabs
Checking with ktutil, I verified that the key
imap/nowhere.oikumene.ukehi.net at OIKUMENE.UKEHI.NET
was in the keytab.
# ktutil -k /var/imap/krb5.keytab list
I verified that cyrus-imap reads the keytab and accepts GSSAPI authentication.
But when I try to authenticate with GSSAPI, it fails.
I captured the Kerberos5 communication between member and DC with wireshark.
Part of the dump of TGS-REQ packets from member to DC was:
* req-body
realm: OIKUMENE.UKEHI.NET
* sname
name-type: KRB5-NT-PRINCIPAL
* sname-string
SNameString: imap
SNameString: nowhere.oikumene.ukehi.net
The authentication step from member to DC seems OK.
But, DC returns:
KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
where valid TGS-REP is expected.
Here, I am stuck. What can I do to make the DC return a TGS-REP and make
GSSAPI authentication succeed?
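Added example, not from the post or from Samba: a small parser for the MIT keytab v2 layout (version bytes 0x0502) that lists the principals a keytab holds and flags SPNs that have no key in it, which is the check the post does by eye with 'ktutil list'. The keytab bytes are constructed with build_entry; name-type 1 is KRB5_NT_PRINCIPAL, the same name-type seen in the TGS-REQ above, and the principal string must match the registered SPN exactly (service, host and realm).

```python
import struct
# Added example, not from the post: MIT keytab v2 layout (bytes 0x0502, big-endian fields).

def _counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def _pack_counted(b):
    return struct.pack(">H", len(b)) + b
def build_entry(principal, kvno, etype, key):  # encodes one entry; sample input only
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
    for c in comps:
        body += _pack_counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", etype) + _pack_counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def keytab_principals(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        vno8, etype = struct.unpack_from(">8xBH", data, pos)  # skip name-type, timestamp
        _key, pos = _counted(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def missing_spns(data, spns):
    """SPNs (service/host, as 'samba-tool spn list' prints them) with no keytab key."""
    have = {p.split("@")[0] for p, _, _ in keytab_principals(data)}
    return [s for s in spns if s not in have]
# Constructed sample keytab: one aes256-cts (etype 18) key for the post's IMAP principal.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET", 1, 18, bytes(32))
```

Run keytab_principals on the real /var/imap/krb5.keytab and compare against the 'samba-tool spn list' output; a mismatch in host name or realm case is enough for the KDC to report the service principal as unknown.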