[Samba] Cannot create keytab for Apache Kerberos auth: Client SPN_RECORD not found in Kerberos database while getting initial credentials
Lorenzo Milesi
lorenzo.milesi at yetopen.com
Fri Jul 16 14:13:31 UTC 2021
Hi.
I'm trying to configure nginx (or apache) with kerberos authentication but I'm unable to generate a usable keytab file.
Env:
# samba-tool domain info 127.1
Forest : ad.internal.contoso.com
Domain : ad.internal.contoso.com
Netbios domain : MYAD
DC name : dc1.ad.internal.contoso.com
DC netbios name : DC1
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
# samba -V
Version 4.14.6-Debian
# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.INTERNAL.CONTOSO.COM
dns_lookup_kdc = true
dns_lookup_realm = false
Following [1] and other guides I ended up with the following commands:
# samba-tool user create --random-password webauth
# samba-tool user setexpiry webauth --noexpiry
# samba-tool spn add HTTP/test2021.domain.com webauth
# samba-tool spn add HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM webauth
# samba-tool spn list webauth
webauth
User CN=webauth,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com has the following servicePrincipalName:
HTTP/test2021.domain.com
HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM
I didn't set up DNS because test2021.domain.com is a public host and has A and PTR records.
Then I add cyphers with:
# net ads enctypes set webauth
'webauth' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
# samba-tool domain exportkeytab /tmp/abc.keyttab --principal=HTTP/test2021.domain.com
(executing the command adding the Kerberos realm suffix produces the same keytab file, and same result below)
# klist -kte /tmp/abc.keyttab
Keytab name: FILE:/tmp/abc.keyttab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (arcfour-hmac)
2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (aes256-cts-hmac-sha1-96)
2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (aes128-cts-hmac-sha1-96)
Without even moving the keytab to the webserver, if I try to use it locally on the DC I get:
# kinit -5 -V -k -t /tmp/abc.keyttab HTTP/test2021.domain.com
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM
Using keytab: /tmp/abc.keyttab
kinit: Client 'HTTP/test2021.ufficyo.com@AD.INTERNAL.CONTOSO.COM' not found in Kerberos database while getting initial credentials
Same result on the webserver.
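Before moving a keytab to a web server it helps to inspect it independently of kinit, so here is an added Python example (not from the original post and not Samba's own tooling) that parses a version 0x0502 keytab and cross-checks it against the account's msDS-SupportedEncryptionTypes value: it lists principal, KVNO and enctype per entry, flags DES/RC4 keys, reports enctypes the account advertises but the keytab lacks, and warns when entries carry different KVNOs (a sign the keytab predates a password change). Assumptions: the keytab layout is the one written by MIT and Heimdal (16-bit counted strings, 8-bit vno plus optional 32-bit vno trailer), the enctype numbers are the standard IANA assignments, and the sample keytab, its dummy keys, timestamp and all function names are constructed for this example.

```python
import struct

# Standard Kerberos enctype numbers and the msDS-SupportedEncryptionTypes bit flags
# as printed by `net ads enctypes`. Keys and timestamp used below are constructed dummies.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}                       # DES and RC4: worth flagging in any keytab
SUPPORTED_ENCTYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}


def decode_supported_enctypes(mask):
    """Turn an msDS-SupportedEncryptionTypes value (e.g. 31) into a set of enctype numbers."""
    return {etype for bit, etype in SUPPORTED_ENCTYPE_BITS.items() if mask & bit}


def _counted(raw):
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a 0x0502 keytab.
    Used here only to construct offline sample input; real keytabs come from exportkeytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                    # 32-bit vno trailer (MIT/Heimdal)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a 0x0502 keytab into dicts with principal, kvno, enctype, timestamp, keylen."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                       # negative size marks a deleted slot: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit vno; zero means "use the 8-bit one"
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "timestamp": ts, "keylen": len(key)})
    return entries


def audit_keytab(data, supported_mask):
    """Cross-check keytab contents against the account's msDS-SupportedEncryptionTypes."""
    entries = parse_keytab(data)
    present = {e["enctype"] for e in entries}
    advertised = decode_supported_enctypes(supported_mask)
    findings = []
    for et in sorted(present & WEAK_ENCTYPES):
        findings.append("weak enctype %s present in keytab" % ENCTYPE_NAMES.get(et, et))
    for et in sorted(advertised - present):
        findings.append("account advertises %s but keytab holds no key for it"
                        % ENCTYPE_NAMES.get(et, et))
    kvnos = sorted({e["kvno"] for e in entries})
    if len(kvnos) > 1:
        findings.append("mixed KVNOs %s: keytab likely spans a password change" % kvnos)
    return findings


# Constructed sample mirroring the klist output above: KVNO 2, RC4 + AES256 + AES128, dummy keys.
SAMPLE_PRINCIPAL = "HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 2, 23, b"\x11" * 16, 1626447688),
                              (SAMPLE_PRINCIPAL, 2, 18, b"\x22" * 32, 1626447688),
                              (SAMPLE_PRINCIPAL, 2, 17, b"\x33" * 16, 1626447688)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(kvno)d  %(principal)s  enctype=%(enctype)d  keylen=%(keylen)d" % e)
    for f in audit_keytab(SAMPLE_KEYTAB, 31):
        print("finding:", f)
```

Run against a real file by replacing SAMPLE_KEYTAB with the bytes read from the exported keytab and passing the value shown by `net ads enctypes`; for the sample above (mask 31) it reports the RC4 key as weak and notes that the two DES types are still enabled on the account although no DES key was exported, which is the usual cue to restrict the account to AES only.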
Other guides suggest also adding an SPN for host/test2021.domain.com and merging both keys into a single keytab using ktutil; I tried that but got the same result.
Most of the guides I found generate the SPN from a Windows machine, I fear I'm doing something wrong using the corresponding commands on Linux.
What am I doing wrong?
Thanks
[1] https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
YetOpen - https://www.yetopen.com/
Via Salerno 18 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com