
[Samba] net ads keytab add has no visible effects


Max Ober via samba

Feb 26, 2017, 5:40:04 AM
Hi!

I think I ran into the same problem.

What I tried so far:

1)
* Adopt SPNs on the DC with samba-tool spn
* Create keytab on Member with net ads keytab create
* Result:
** klist and net ads keytab list on Member match
** samba-tool spn list on DC doesn't

2)
* Clear SPNs from Member via net ads keytab flush
* Result:
** net ads keytab list on Member is empty
** samba-tool spn list on DC is empty too

3)
* Create SPNs from Member via net ads keytab add
* Create keytab on Member with net ads keytab create
* Result:
** keytab and net ads list are matching on Member
** samba-tool spn list on DC is empty

4) ? Solution ?
* Flush SPNs from Member (net ads keytab flush)
* Adopt SPNs on DC (samba-tool spn)
* Create keytab on member (net ads keytab create)
* Result:
** keytab, net ads list and samba-tool spn list are matching

Versions:
DC: samba 4.5.4 on Arch Linux
Member: samba 4.4.8 on FreeBSD

Is there any incompatibility, am I doing something wrong or is this a bug?

Regards,
Max

> Hai,
>
> You can do the following.
>
> Login on the DC as root.
> Kinit Administrator
>
> samba-tool spn add HTTP/hostname.your.domain.tld HOSTNAME$
> (optional if needed: samba-tool spn add HTTP/hostname HOSTNAME$ )
>
> Now on the member.
> mv /etc/krb5.keytab /etc/krb5.keytab.backup
>
> net ads keytab create -Uadministrator
> if that does not work, this is a bit dirty but it works also.
> net ads join -Uadministrator
> And yes a "re-join again", strange but it gives a different keytab,
> it does not change anything in the current setup/settings.
> But it does recreate your keytab file.
>
>
> And check the keytab again for the new entries.
> klist -ke /etc/krb5.keytab
>
> Restart samba/winbind
>
> This works fine for me. ( samba 4.5.3 )
>
> And this is a must have in your smb.conf
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
>
>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Maciej
>> Piechotka via samba
>> Sent: Thursday, 19 January 2017 21:14
>> To: samba at lists.samba.org
>> Subject: [Samba] net ads keytab add has no visible effects
>>
>> When I issue the command 'net ads keytab add HTTP' I get the message
>> 'Processing principals to add...' but nothing else happens - no change
>> in the keytab or in the net ads keytab list output, no errors in the log, etc.
>>
>> [Global]
>> netbios name = HOSTNAME
>> workgroup = DOMAIN
>> realm = DOMAIN
>> server string = %h Gentoo DT
>> security = ads
>> auth methods = sam winbind
>> encrypt passwords = yes
>> kerberos method = system keytab
>>
>> preferred master = no
>> dns proxy = no
>> wins support = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>> load printers = no
>> debug level = 3
>> use sendfile = no
>>
>> log level = 10
>>
>> strict allocate = yes
>>
>> acl allow execute always = True
>> username map = /etc/samba/usermap.txt
>>
>>
>> [libdefaults]
>> default_realm = DOMAIN
>> clockskew = 300
>> ticket_lifetime = 3d
>> renew_lifetime = 7d
>> forwardable = true
>> proxiable = true
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [realms]
>> DOMAIN = {
>> default_domain = DOMAIN
>> auth_to_local =
>> RULE:[1:$1@$0](^.*@DOMAIN$)s/@DOMAIN/@domain/
>> }
>>
>> [domain_realm]
>> .kerberos.server = DOMAIN
>> .domain = DOMAIN
>> domain = DOMAIN
>>
>> [appdefaults]
>> pam = {
>> ticket_lifetime = 1d
>> renew_lifetime = 1d
>> forwardable = true
>> proxiable = false
>> retain_after_close = false
>> minimum_uid = 0
>> debug = false
>> }
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> Any idea what may be wrong?
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba



Rowland Penny via samba

Feb 26, 2017, 6:30:03 AM
On Sun, 26 Feb 2017 01:52:46 +0100
Max Ober via samba <sa...@lists.samba.org> wrote:

> Hi!
>
> I think I ran into the same Problem.
>

Can you post the smb.conf from the Unix Domain Member, plus what you
get in the keytab and what you expect.

Rowland

Rowland Penny via samba

Feb 26, 2017, 8:40:03 AM
On Sun, 26 Feb 2017 13:16:58 +0100
Maximilian Ober <n094...@students.meduniwien.ac.at> wrote:


>
> 1) Keytab after adding spn on DC with samba-tool
> [locadm@dc ~]$ sudo samba-tool spn add NFS/member.ad-domain.mober.at member$
> $ sudo net ads keytab create -k -U Administrator
> $ sudo ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
> 2 des-cbc-crc nfs/member.ad-do...@AD-DOMAIN.MOBER.AT
> 2 des-cbc-md5 nfs/member.ad-do...@AD-DOMAIN.MOBER.AT
> 2 aes128-cts-hmac-sha1-96 nfs/member.ad-do...@AD-DOMAIN.MOBER.AT
> 2 des-cbc-crc nfs/MEM...@AD-DOMAIN.MOBER.AT
> 2 des-cbc-md5 nfs/MEM...@AD-DOMAIN.MOBER.AT
> 2 aes128-cts-hmac-sha1-96 nfs/MEM...@AD-DOMAIN.MOBER.AT
> 2 aes256-cts-hmac-sha1-96 nfs/MEM...@AD-DOMAIN.MOBER.AT
> 2 arcfour-hmac-md5 nfs/MEM...@AD-DOMAIN.MOBER.AT
> 2 arcfour-hmac-md5 nfs/member.ad-do...@AD-DOMAIN.MOBER.AT
> 2 aes256-cts-hmac-sha1-96 nfs/member.ad-do...@AD-DOMAIN.MOBER.AT
>
> Okay ... looks like this time it worked as expected in the first try.

You sure about that?
You used samba-tool to add the SPN with 'NFS', yet the SPNs are shown
with 'nfs'.
This could just be down to using 'net' to create the keytab, try
'samba-tool domain exportkeytab /etc/krb5.keytab' instead.

> To try something:
>
> 2) Adding an SPN on Member with net ads keytab
> $ sudo net ads keytab add nfs/nas.site-...@AD-DOMAIN.MOBER.AT -U Administrator
> $ sudo net ads keytab create -k -U Administrator
> $ sudo ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
>
> And there seems something missing again.

Not sure there is anything missing, you first use 'net' to add an SPN
and everything seems okay, you then use samba-tool to list the SPNs for
the Unix domain member. Perhaps if you ran 'samba-tool spn list
--help' and read the second line, which says this:

List spns of a given user.

It might give you a hint ;-)

A computer account in AD is also a user

I am fairly sure if you were to examine the computer's object in AD, you
will not find the SPN 'nfs/nas.site-...@AD-DOMAIN.MOBER.AT'.

Max Ober via samba

Feb 26, 2017, 11:20:03 AM
> > Okay ... looks like this time it worked as expected in the first try.
>
> You sure about that?
> You used samba-tool to add the SPN with 'NFS', yet the SPNs are shown
> with 'nfs'.
> This could just be down to using 'net' to create the keytab, try
> 'samba-tool domain exportkeytab /etc/krb5.keytab' instead.

Since AD comes from the Win-World I thought SPNs might not be case-sensitive
and this shouldn't be a problem.

> > And there seems something missing again.
>
> Not sure there is anything missing, you first use 'net' to add an SPN
> and everything seems okay, you then use samba-tool to list the SPNs for
> the Unix domain member. Perhaps if you ran 'samba-tool spn list
> --help' and read the second line, which says this:
>
> List spns of a given user.
>
> It might give you a hint ;-)
>
> A computer account in AD is also a user
>
> I am fairly sure if you were to examine the computer's object in AD, you
> will not find the SPN 'nfs/nas.site-...@AD-DOMAIN.MOBER.AT'.

Sorry, but I can't follow.
I thought the user member$ represents the computer account of the machine
member? And therefore samba-tool spn list member$ should list all SPNs of that
computer?
And I also thought "net ads" lets me do some stuff while working on the member
that I otherwise would do with samba-tool on the DC. So to my understanding
it should make no difference whether I use "net ads keytab add" on the member
to add an SPN or use "samba-tool spn add" on the DC to do the same thing? Both
should end up adding an SPN to the computer account, which I should be able to
check with samba-tool spn list?

/Max

Rowland Penny via samba

Feb 26, 2017, 12:30:02 PM
On Sun, 26 Feb 2017 17:13:28 +0100
Max Ober <m...@mober.at> wrote:

>
> Since AD comes from the Win-World I thought SPNs might not be
> case-sensitive and this shouldn't be a problem.

Possibly not on Windows, but Unix is case sensitive.


> Sorry, but I can't follow.
> I thought the user member$ represents the computer account of the
> machine member? And therefore samba-tool spn list member$ should list
> all SPNs of that computer?

Yes, this is true

> And I also thought "net ads" lets me do some stuff while working on
> the member that I otherwise would do with samba-tool on the dc. So
> for my understanding it should make no difference whether I use "net
> ads keytab add" on the member to add an spn or use "samba-tool spn
> add" on the dc to do the same thing? Both should end up adding an SPN
> to the computer account,

Again yes.

> what I should be able to check with samba-tool spn list?


'samba-tool spn list' will only show the SPNs in the machine's AD object,
this is the search it does:

res = sam.search(
    expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
    scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"])

The SPN you add to the keytab is not one of the 'member$' SPNs, hence it
isn't shown by samba-tool.

If you want to know what is in a keytab, use ktutil.

Rowland
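The distinction Rowland draws above (the keytab holds keys, the computer account's servicePrincipalName attribute is what samba-tool spn list queries, and Unix compares principal names case-sensitively) can be checked mechanically. The following is an added example, not code from this thread or from Samba: it parses the output of Heimdal ktutil list (MIT klist -ke also works) and of samba-tool spn list, and reports SPNs that exist only in the keytab, only in AD, or in both but with differing case. The two listings and the host nas.example.test are constructed sample data in the shape of those commands' output.

```python
import re

# "service/host@REALM" -> capture "service/host"; the bare machine account (MEMBER$@REALM) has no slash and is skipped
SPN_RE = re.compile(r"([A-Za-z0-9_.$-]+/[A-Za-z0-9_.$-]+)@[A-Za-z0-9_.-]+")

def keytab_spns(listing: str) -> set[str]:
    """Service principals (realm stripped) found in Heimdal `ktutil list` or MIT `klist -ke` output."""
    return {m.group(1) for m in map(SPN_RE.search, listing.splitlines()) if m}

def ad_spns(listing: str) -> set[str]:
    """SPNs from `samba-tool spn list ACCOUNT` output: one indented SPN per line, no realm."""
    stripped = (line.strip() for line in listing.splitlines())
    return {s for s in stripped if "/" in s and " " not in s}

def compare(keytab: set[str], ad: set[str]) -> dict:
    """Sort every SPN into: registered in AD, case-only mismatch, keytab-only, AD-only."""
    ad_by_lower = {s.lower(): s for s in ad}
    keytab_lower = {s.lower() for s in keytab}
    result = {"registered": set(), "case_mismatch": {}, "keytab_only": set(), "ad_only": set()}
    for spn in keytab:
        if spn in ad:
            result["registered"].add(spn)
        elif spn.lower() in ad_by_lower:          # same SPN, different case (Unix will not match it)
            result["case_mismatch"][spn] = ad_by_lower[spn.lower()]
        else:                                     # e.g. added with 'net ads keytab add' only
            result["keytab_only"].add(spn)
    result["ad_only"] = {s for s in ad if s.lower() not in keytab_lower}  # SPN set in AD, no key exported
    return result

# Constructed sample output (not from the thread), in the shape of the two commands
KEYTAB_LISTING = """\
/etc/krb5.keytab:
Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  MEMBER$@AD-DOMAIN.MOBER.AT
  2  aes256-cts-hmac-sha1-96  host/member.ad-domain.mober.at@AD-DOMAIN.MOBER.AT
  2  aes256-cts-hmac-sha1-96  nfs/member.ad-domain.mober.at@AD-DOMAIN.MOBER.AT
  2  aes256-cts-hmac-sha1-96  nfs/nas.example.test@AD-DOMAIN.MOBER.AT
"""
AD_LISTING = """\
User CN=member,CN=Computers,DC=ad-domain,DC=mober,DC=at has the following servicePrincipalName:
\t HOST/MEMBER
\t HOST/member.ad-domain.mober.at
\t NFS/member.ad-domain.mober.at
"""

if __name__ == "__main__":
    for kind, spns in compare(keytab_spns(KEYTAB_LISTING), ad_spns(AD_LISTING)).items():
        print(f"{kind}: {sorted(spns)}")
```

On a real member, feed it the captured output of the two commands; anything under keytab_only or case_mismatch is exactly the situation this thread describes.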