[Samba] Generating Keytab for Service Principal
Armin K.
elkrejzi at gmail.com
Thu Dec 14 18:39:33 UTC 2023
Hello everyone. I am stuck on this for what seems to be days. Not sure
what I am doing wrong.
I am following the guide located at
https://wiki.samba.org/index.php/Generating_Keytabs
I am running commands on the domain controller. smb.conf shown below.
Now, I am trying to get Keycloak to perform SPNEGO authentication
using SPN, and I have used the following commands to create a LDAP
BIND DN, add a service principal to it, and tried - but failed
repeatedly - to generate a keytab file as well.
$ sudo samba-tool user add keycloak str0ngP4ssw0rd
$ sudo samba-tool user setexpiry --noexpiry keycloak
$ sudo samba-tool spn add HTTP/login.samdom.net@home.samdom.net keycloak
$ sudo samba-tool spn add HTTP/keycloak@home.samdom.net keycloak
Output below:
User 'keycloak' added successfully
Expiry for user 'keycloak' disabled.
$ sudo samba-tool user show keycloak
mentions the service principals
---
servicePrincipalName: HTTP/login.samdom.net@home.samdom.net
servicePrincipalName: HTTP/keycloak@home.samdom.net
userAccountControl: 66048
---
(as a side note, I have also added userAccountControl, which,
according to the decoder means "normal account" and "don't expire
password")
Now, the moment of truth
$ sudo samba-tool domain exportkeytab keycloak.keytab --principal=HTTP/login.samdom.net@home.samdom.net
Export one principal to keycloak.keytab
$ ls keycloak.keytab
ls: cannot access 'keycloak.keytab': No such file or directory
While it says that it exported the keytab, no file exists anywhere. I
can export keytab for the keycloak user created above, and output is
slightly different
$ sudo samba-tool domain exportkeytab keycloak.keytab --principal=keycloak@home.samdom.net
Export one principal to keycloak.keytab
$ sudo klist -kt keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/14/2023 15:52:32 keycloak@HOME.SAMDOM.NET
   2 12/14/2023 15:52:32 keycloak@HOME.SAMDOM.NET
   2 12/14/2023 15:52:32 keycloak@HOME.SAMDOM.NET
I am also able to export keytab for service principals belonging to
SERVER$ computer
$ sudo samba-tool computer show SERVER$
---
servicePrincipalName: HOST/server.home.samdom.net/home.samdom.net
---
$ sudo samba-tool domain exportkeytab keycloak.keytab --principal=HOST/server.home.samdom.net/home.samdom.net
Export one principal to keycloak.keytab
$ sudo klist -kt keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/14/2023 15:55:57 HOST/server.home.samdom.net/home.samdom.net@HOME.SAMDOM.NET
   1 12/14/2023 15:55:57 HOST/server.home.samdom.net/home.samdom.net@HOME.SAMDOM.NET
   1 12/14/2023 15:55:57 HOST/server.home.samdom.net/home.samdom.net@HOME.SAMDOM.NET
I am baffled why I can't export any principal for the created keycloak
user. As a side note, I have also tried creating keycloak user as a
computer named KEYCLOAK$, but I still could not export the SPN.
I am running samba version 4.19.3 on ArchLinux ARM on Raspberry PI 4,
aarch64 build.
Does anyone have any idea how to generate the keytab file for my SPNs?
Thank you very much.
### Begin smb.conf
[global]
interfaces = 127.0.0.1 192.168.0.2
netbios name = SERVER
realm = HOME.SAMDOM.NET
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = HOME
idmap_ldb:use rfc2307 = yes
ntlm auth = mschapv2-and-ntlmv2-only
tls enabled = yes
tls keyfile = /etc/samba/tls/key.pem
tls certfile = /etc/samba/tls/cert.pem
tls cafile = /etc/samba/tls/ca.pem
#log level = 3
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind nss info = rfc2307
winbind offline logon = true
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
usershare path = /var/lib/samba/usershares
usershare max shares = 100
usershare prefix allow list = /srv/share
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/home.samdom.net/scripts
read only = No
### End smb.conf
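As an added example that is not part of the original post or of Samba's own code: a small Python reader for the MIT keytab file format (version 0x0502, the format `samba-tool domain exportkeytab` and `klist -kt` work with), plus a check that a given principal is actually present with the expected kvno and enctype. It builds a constructed keytab in memory so it runs offline; the principals, kvnos and timestamps used are made up to resemble the post. The `split_principal` helper also shows how a Kerberos principal string is split: everything after the last `@` is the realm, and only the part before it (`HTTP/login.samdom.net`) is the service principal name that is matched against the account's `servicePrincipalName` values.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1        # name type used for ordinary and service principals
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def split_principal(name):
    """Split 'svc/host@REALM' into (components, realm).

    Text after the last '@' is the Kerberos realm, not part of the SPN.
    Backslash escapes inside names are not handled by this helper.
    """
    if "@" in name:
        body, realm = name.rsplit("@", 1)
    else:
        body, realm = name, ""
    return body.split("/"), realm


def _counted(data):
    # counted_octet_string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples into keytab bytes.

    Constructed for this example only; real keytabs come from samba-tool or ktutil.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        comps, realm = split_principal(principal)
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
        body += struct.pack(">I", kvno)                                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body                        # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, timestamp} dicts from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        _name_type, ts, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                   # skip the key material itself
        if end - off >= 4:                # 32-bit kvno, if present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
    return entries


def keys_for(data, principal):
    """List (kvno, enctype) entries matching a principal; realm compared case-insensitively."""
    want_comps, want_realm = split_principal(principal)
    hits = []
    for e in parse_keytab(data):
        comps, realm = split_principal(e["principal"])
        if comps == want_comps and realm.upper() == want_realm.upper():
            hits.append((e["kvno"], e["enctype"]))
    return hits


if __name__ == "__main__":
    # Constructed sample: a user principal with three enctypes and one HTTP SPN.
    kt = build_keytab([
        ("keycloak@HOME.SAMDOM.NET", 2, 18, b"\x11" * 32, 1702569152),
        ("keycloak@HOME.SAMDOM.NET", 2, 17, b"\x22" * 16, 1702569152),
        ("keycloak@HOME.SAMDOM.NET", 2, 23, b"\x33" * 16, 1702569152),
        ("HTTP/login.samdom.net@HOME.SAMDOM.NET", 1, 18, b"\x44" * 32, 1702569357),
    ])
    for e in parse_keytab(kt):
        print(e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), e["principal"])
    print(split_principal("HTTP/login.samdom.net@home.samdom.net"))
    print(keys_for(kt, "HTTP/login.samdom.net@home.samdom.net"))
```

Point the reader's own keytab at `parse_keytab(open("keycloak.keytab", "rb").read())` to confirm the SPN the service will present is listed with the kvno the KDC currently holds; a missing principal or a stale kvno is the usual cause of SPNEGO failing even though a keytab file exists.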