[Samba] samba-tool domain exportkeytab fails silently

Andrew Bartlett abartlet@samba.org
Sun Jul 4 22:13:50 UTC 2021


On Sun, 2021-07-04 at 22:53 +0200, Kees van Vloten via samba wrote:
> Hi Samba-team,
> 
> I am using samba 4.14 from Louis' repo and Debian Buster.
> 
> I have created some service accounts for apache with a SPN on each.
> When I do:
> 
> samba-tool domain exportkeytab --principal=HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab
> 
> It creates the keytab with the principal.
> When I do:
> 
> samba-tool domain exportkeytab --principal=HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab
> 
> It does not create any file and returns with rc=0
> 
> Both principals are created on a dedicated service (user) account
> (i.e. not on the computer account) with:
> 
> samba-tool spn add HTTP/host1.example.com@EXAMPLE.COM svc_host1_apache
> samba-tool spn add HTTP/host2.example.com@EXAMPLE.COM svc_host2_apache
> 

The issue is the @EXAMPLE.COM; we should block the creation of such
entries, as this creates an SPN of
host2.example.com@EXAMPLE.COM@EXAMPLE.COM, which isn't what you want.

Patches welcome :-)

> I ran the exportkeytab command with '-d 8' and then the difference
> in behaviour is visible:
> 
> samba-tool domain exportkeytab -d 8 --principal=HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab
> 
> ...
> 
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> schema_fsmo_init: we are master[yes] updates allowed[no]
> gendb_search_v: DC=example,DC=com NULL -> 1
> gendb_search_v: DC=example,DC=com NULL -> 1
> Export one principal to /path/host1_apache.keytab
> gendb_search_v: DC=example,DC=com NULL -> 1
> sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
> ../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (18) and version (2)
> sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
> ../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab entries
> ../../lib/krb5_wrap/krb5_samba.c:1592: Saving entry with kvno [2] enctype [18] for principal: HTTP/host1.example.com@EXAMPLE.COM.
> ../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (23) and version (2)
> 
> 
> samba-tool domain exportkeytab -d 8 --principal=HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab
> 
> ...
> 
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> schema_fsmo_init: we are master[yes] updates allowed[no]
> gendb_search_v: DC=example,DC=com NULL -> 1
> gendb_search_v: DC=example,DC=com NULL -> 1
> Export one principal to /path/host2_apache.keytab
> gendb_search_v: DC=example,DC=com NULL -> 1
> 
> Both hosts have a computer-account. But since this is a principal on
> a user account, I would expect that to be irrelevant.
> However the only difference I can come up with to explain this
> behaviour is that host1 has actually done a domain-join while host2 did not.
> 
> This leaves me with the questions:
> - Why doesn't exportkeytab display any error nor return a rc != 0
> when it fails?

That is a reasonable request, originally the tool was built to export
all entries, and then a filter was added.  That nothing matches the
filter is an additional error case that should be checked for.

> - Why is exportkeytab failing in the first place?

Because of too many @s in the SPN.

> - Apache has its own service (user) account and does not need the 
> domain-join to authenticate users to its web-pages, or does it?

This is the normal arrangement.  Ensure the password on the account is
strong.  Otherwise, Samba can have the SPN added to its own account
and manage the keytab.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
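The two checks discussed in this thread, written up as an added example (not Samba's own code): reject an SPN that carries a realm suffix before it is added, and treat "no entry matched the requested principal" as an error instead of exiting 0. The matching model is an assumption for illustration only: the requested principal minus its realm is compared against the account's servicePrincipalName values. The account data is constructed to mirror the two service accounts in the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: servicePrincipalName values on the two hypothetical
# service accounts from the report. The second one was added with the
# realm included, which is the mistake the thread identifies.
SAMPLE_ACCOUNTS: Dict[str, List[str]] = {
    "svc_host1_apache": ["HTTP/host1.example.com"],
    "svc_host2_apache": ["HTTP/host2.example.com@EXAMPLE.COM"],
}

# Realm-less SPN: service/host[:port][/name]; no '@' anywhere.
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+(:\d+)?(/[^@/\s]+)?$")


def validate_spn(spn: str) -> Optional[str]:
    """Return an error message if `spn` is not a realm-less SPN, else None.
    This is the pre-flight check 'spn add' could apply to block entries
    such as HTTP/host2.example.com@EXAMPLE.COM."""
    if "@" in spn:
        return "SPN must not contain a realm: drop the '@REALM' suffix"
    if not SPN_RE.match(spn):
        return "SPN must have the form service/host[:port][/name]"
    return None


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'service/host@REALM' into (service/host, REALM)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, None
    return name, realm


def export_would_match(principal: str, accounts: Dict[str, List[str]]) -> List[str]:
    """Accounts whose SPN list contains the realm-less form of `principal`.
    A stored SPN that still carries '@REALM' never matches, which is why
    the host2 export in the report produced no keytab entry."""
    name, _realm = split_principal(principal)
    return [acct for acct, spns in accounts.items() if name in spns]


def check_export(principal: str, accounts: Dict[str, List[str]]) -> int:
    """Exit status for an export of `principal`: 0 if at least one entry
    would be written, 1 if the filter matched nothing (the missing error
    case from the thread)."""
    matches = export_would_match(principal, accounts)
    if not matches:
        print(f"error: no account carries the SPN for {principal}")
        return 1
    return 0
```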