[Samba] Orphan SPN

Rowland Penny rpenny at samba.org
Wed Nov 24 22:16:46 UTC 2021


On Thu, 2021-11-25 at 00:36 +0300, Oljas Kuzembaev via samba wrote:
> On 25.11.2021 0:27, Rowland Penny via samba wrote:
> > Then by the look of it, the SPN doesn't exist in AD, is there a
> > keytab
> > ? if so, delete it and then recreate it.
> 
> That`s what I thought! But:
> 
> root at home:~ # samba-tool spn delete cifs/oml.su
> ERROR: Service principal cifs/oml.su not affected

That is a very bad way of saying the SPN doesn't exist.

> 
> root at home:~ # samba-tool domain exportkeytab orphan.keytab 
> --principal=cifs/oml.su
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registeredcmd_domain_export_keytab
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Export one principal to orphan.keytab

I think you have found a bug. I just tried a similar command and got
the same message, but no keytab; I also didn't get the following lines.

> Unsupported keytype ignored - type 3
> Unsupported keytype ignored - type 1
> ../../lib/krb5_wrap/krb5_samba.c:1752: adding keytab entry for 
> (cifs/oml.su@OML.SU) with encryption type (18) and version (3)
> ../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab
> entries
> ../../lib/krb5_wrap/krb5_samba.c:1752: adding keytab entry for 
> (cifs/oml.su@OML.SU) with encryption type (17) and version (3)
> ../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab
> entries
> ../../lib/krb5_wrap/krb5_samba.c:1752: adding keytab entry for 
> (cifs/oml.su@OML.SU) with encryption type (23) and version (3)
> 
> root at home:~ # ktutil -k orphan.keytab list
> orphan.keytab:
> 
> Vno  Type                     Principal           Aliases
>    3  aes256-cts-hmac-sha1-96  cifs/oml.su@OML.SU
>    3  aes128-cts-hmac-sha1-96  cifs/oml.su@OML.SU
>    3  arcfour-hmac-md5         cifs/oml.su@OML.SU

A bit lost now: you are on FreeBSD and are seemingly getting a keytab
created for a non-existent SPN; I am being told that a keytab is being
created for a non-existent SPN:

Export one principal to /tmp/orphan.keytab

However, the keytab is not created. I am on Raspbian running Samba
4.15.1.

The Linux bug is reporting success when it shouldn't.
The FreeBSD bug seems to be twofold: it is as above, but it also seems
to be creating the keytab.

Perhaps Andrew would like to jump in here.

Rowland
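Added example, not part of this thread and not Samba's own tooling: a POSIX shell wrapper around the commands discussed above that (a) checks in sam.ldb whether the SPN exists before touching it, instead of relying on "not affected" or "Export one principal" messages, (b) verifies after samba-tool domain exportkeytab that the file was really written and contains the principal, and (c) flags RC4/DES entries such as the arcfour-hmac-md5 key seen in the listing above, since a leaked keytab with a weaker key alongside the AES ones is a worse leak. The sam.ldb path, the function names and the sample listing in the usage note are assumptions; ldbsearch, samba-tool, ktutil and klist are the real tools.

```shell
#!/bin/sh
# Example wrapper (not from the thread or from Samba). SAM_LDB is an assumed
# default; FreeBSD ports typically use /var/db/samba4/private/sam.ldb.
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}

# Does any object in sam.ldb carry this servicePrincipalName?
# Needs read access to sam.ldb (normally root on the DC).
spn_exists() {
    ldbsearch -H "$SAM_LDB" "(servicePrincipalName=$1)" dn 2>/dev/null \
        | grep -q '^dn: '
}

# Pure text check, so it can be tested on captured output: does a
# ktutil/klist listing contain the given principal, e.g. cifs/oml.su@OML.SU?
keytab_listing_has_principal() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# Print RC4/DES entries from a listing; exits 0 if any were found.
# Exporting these next to AES keys leaves a weaker key to attack if the
# keytab ever leaks.
keytab_listing_weak_enctypes() {
    printf '%s\n' "$1" | grep -E 'arcfour-hmac|des-cbc|des3-cbc'
}

# Full workflow: refuse to export an orphan SPN, then confirm the keytab
# exists, is non-empty and actually holds the principal.
export_and_verify() {
    principal=$1
    keytab=$2
    if ! spn_exists "$principal"; then
        echo "refusing: SPN $principal not found in $SAM_LDB" >&2
        return 1
    fi
    samba-tool domain exportkeytab "$keytab" --principal="$principal" || return 2
    if [ ! -s "$keytab" ]; then
        echo "samba-tool reported success but $keytab is missing or empty" >&2
        return 3
    fi
    # Heimdal ships ktutil, MIT ships klist -kt; try both.
    listing=$(ktutil -k "$keytab" list 2>/dev/null || klist -kt "$keytab" 2>/dev/null)
    if ! keytab_listing_has_principal "$listing" "$principal"; then
        echo "$keytab does not contain $principal" >&2
        return 4
    fi
    if keytab_listing_weak_enctypes "$listing"; then
        echo "warning: weak encryption types above in $keytab" >&2
    fi
    return 0
}

# Usage: ./exportkeytab-check.sh cifs/oml.su@OML.SU /root/orphan.keytab
if [ "$#" -eq 2 ]; then
    export_and_verify "$1" "$2"
fi
```

Run it as root on the DC with the principal and target path as the two arguments; a non-zero exit tells you which step lied. The same spn_exists check is worth running before samba-tool spn delete, because "not affected" on the page above really meant "no such SPN".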
