[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Rowland Penny rpenny at samba.org
Mon Jan 31 12:06:34 UTC 2022


On Mon, 2022-01-31 at 14:55 +0300, Alex wrote:
> > > One last thing. I decided to try to use a system keytab
> > > (/etc/krb5.keytab) instead of a specially generated user keytab (like
> > > above) like Rowland advised recently, and I can't get it to work:
> > > [root at vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
> > You could use /etc/krb5.keytab, but you would have to add the required
> > principal to it. I also have never run the above command, it just works
> > for myself:
> 
> I forgot to list keys from the system keytab, sorry. Here they are:
> [root at vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-corp.abisoft.spb.ru
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (des-cbc-crc)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (des-cbc-md5)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (arcfour-hmac)
> 
> So, the principal is there.
> 
> > adminuser at deb11:~$ sudo klist -c /tmp/nslcd.tkt 
> > Ticket cache: FILE:/tmp/nslcd.tkt
> > Default principal: nslcd-ad at SAMDOM.EXAMPLE.COM
> 
> How did you obtain the ticket in the cache? 

Try reading this:
https://wiki.samba.org/index.php/Nslcd

I have it working in a VM running Debian 11.
If you are trying to add the 'host/fqdn' principal to a keytab, then
there isn't much point: it is in the standard /etc/krb5.keytab.

Rowland




