[Samba] samba-tool domain exportkeytab fails silently

Rowland Penny rpenny at samba.org
Mon Jul 5 09:58:37 UTC 2021


On Mon, 2021-07-05 at 11:32 +0200, Kees van Vloten wrote:
> Mistyping something is not likely since I use Ansible for everything. A
> possibility is a code change that makes things fail. The host1 spn has
> been there for some time, whereas the host2 service-account and spn are new.
> This is an excerpt of the code
> 
> - name: "service_account_manage.yml - create service account"
>   command: "samba-tool user create {{ service_account }} \
>             --userou='{{ g_all_samba_dc.locate.service_accounts }}' \
>             --random-password \
>             --username={{ g_all_samba_dc.ldap.ansible_admin_user.name }} \
>             --password='{{ g_all_samba_dc.ldap.ansible_admin_user.password }}'"
> 
> 
> - name: "service_account_manage_spn.yml - create new service principal"
>   command: "samba-tool spn add {{ principal_name }}/{{ fqdn }}@{{ all_samba_dc.realm }} {{ service_account }}"
> 
> - name: "service_account_manage_spn.yml - create keytab in cache"
>   command: "samba-tool domain exportkeytab -d 8 --principal={{ principal_name }}/{{ fqdn }}@{{ all_samba_dc.realm }} \
>             {{ c_server_domain_samba_dc_user.cache }}/{{ service_account }}_{{ principal_name }}.keytab"
> 
> I will remove the @{{ all_samba_dc.realm }} as Andrew suggested in the
> other mail.
> 
> A samba-tool show user on both accounts shows very similar output:
> 
> dn: CN=svc_host1_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_host1_apache
> instanceType: 4
> whenCreated: 20210517162819.0Z
> uSNCreated: 4560
> name: svc_host1_apache
> objectGUID: d9d34aa1-8f75-4019-ac0f-2306768a945c
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1164
> sAMAccountName: svc_host1_apache
> sAMAccountType: 805306368
> userPrincipalName: svc_host1_apache@example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 132657424999463080
> userAccountControl: 512
> msDS-SupportedEncryptionTypes: 16
> accountExpires: 0
> servicePrincipalName: HTTP/host1.example.com@EXAMPLE.COM
> whenChanged: 20210620184321.0Z
> uSNChanged: 5154
> lastLogon: 132688599123876860
> logonCount: 16
> lastLogonTimestamp: 132685880428809030
> distinguishedName: CN=svc_host1_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
> 
> 
> dn: CN=svc_host2_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_host2_apache
> instanceType: 4
> whenCreated: 20210704150128.0Z
> uSNCreated: 5562
> name: svc_host2_apache
> objectGUID: 59393395-79a7-42bf-91e9-00fbfbfd1aba
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1230
> sAMAccountName: svc_host2_apache
> sAMAccountType: 805306368
> userPrincipalName: svc_host2_apache@example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 132698844889558010
> userAccountControl: 512
> msDS-SupportedEncryptionTypes: 16
> accountExpires: 0
> servicePrincipalName: HTTP/host2.example.com@EXAMPLE.COM
> whenChanged: 20210704150200.0Z
> uSNChanged: 5567
> lastLogon: 0
> logonCount: 0
> distinguishedName: CN=svc_host2_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
> 
> The only difference is that host1 had (ldap-) logons against the
> account.
> 
> Is there a way I can check the contents of the kerberos database?
> 
> - Kees
> 

Andrew might be right (he usually is), but I created a couple of users
and added the SPNs to them and I could export both keytabs.
You can read the contents of a keytab with ktutil:

ktutil
ktutil:  rkt /tmp/rpidc1_apache.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   3    2 HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM

Rowland
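As an added illustration (not Rowland's or Samba's code) of what that ktutil listing is reading, here is a small Python reader for the version 0x0502 keytab format that samba-tool and ktutil write; it reports slot, KVNO, principal and enctype (what `ktutil: l -e` prints) and skips the holes a deleted entry leaves behind. The principal, KVNO and key bytes in the sample are constructed dummies, not keys from any real keytab.

```python
import struct

# Constructed sample, not a real keytab: one SPN at KVNO 2 with enctypes
# 23 (RC4-HMAC), 17 (AES128) and 18 (AES256) and dummy key bytes.
SAMPLE_ENTRIES = [
    ("HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM", 2, 23, b"\x11" * 16),
    ("HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM", 2, 17, b"\x22" * 16),
    ("HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM", 2, 18, b"\x33" * 32),
]

def _counted(data: bytes) -> bytes:  # 16-bit big-endian length prefix + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(entries) -> bytes:  # write a 0x0502 keytab from (principal, kvno, enctype, key)
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def read_keytab(blob: bytes):
    """Return [(slot, kvno, principal, enctype)] for every live entry in the keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, rows = 2, []
    while pos < len(blob):
        size, = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:             # negative size marks a hole left by a deleted entry
            pos += -size
            continue
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        end = pos + size
        ncomp, = struct.unpack_from(">H", blob, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then each name component
            n, = struct.unpack_from(">H", blob, pos); pos += 2
            strings.append(blob[pos:pos + n].decode()); pos += n
        pos += 8                     # skip name_type and timestamp
        kvno = blob[pos]; pos += 1
        enctype, keylen = struct.unpack_from(">HH", blob, pos); pos += 4 + keylen
        if end - pos >= 4:           # 32-bit kvno present; it overrides the 8-bit one when non-zero
            ext, = struct.unpack_from(">I", blob, pos)
            kvno = ext or kvno
        pos = end
        rows.append((len(rows) + 1, kvno, "/".join(strings[1:]) + "@" + strings[0], enctype))
    return rows
```

An empty listing from a file that samba-tool claimed to write is the quickest way to tell a silent export failure from a keytab that merely lacks the enctype a client asks for.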
