
[Samba] creating Kerberos host principals for multiple hostnames, multihomed server


John Wyzer

Mar 5, 2015, 5:50:03 PM
Hi!

I maintain Linux servers that are members of a Samba4 Domain.
User authentication / login via ssh works fine with Kerberos.

But: only via one hostname.

Those machines need a working Kerberos login via multiple hostnames
(each hostname has its own IP address, and DNS is set up correctly).

"net ads keytab list" of course gives me the main hostname that was in
use when joining the domain (host/my-s...@MY.REALM.COM).

With "net ads keytab add" I can only add service principals without
specifying the FQDN of the desired principal.

Is there a way for me to add a "host/my-se...@MY.REALM.COM" principal
to the machines' keytab?

I'm very much out of ideas and have searched all the mailing lists'
archives to no avail :-(

Best regards and many thanks for any help!

John
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

Mar 6, 2015, 3:10:02 AM
Hai,

>Those machines need a working Kerberos login via multiple hostnames
>(each hostname has its own IP address, and DNS is set up correctly).
Looks to me a bit overkill, but you will have your reasons for a setup like this..

so.. you can try this..

assuming this:
REALM=MY.REALM.TLD
DNSDOMAIN=my.domain.tld
and a service account for the SPNs.

You can also use the existing "hostname",
but for these extra SPNs I use an extra "service_account".

1) create "serviceaccount" for "HOSTNAME" : serviceaccount_name

2) create the SPNs for the service accounts
samba-tool spn add host/hostname.DNSDOMAIN serviceaccount_name ( or original hostname )
samba-tool spn add host/hostname.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )

samba-tool spn add host/hostname2.DNSDOMAIN serviceaccount_name ( or original hostname )
samba-tool spn add host/hostname2.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )

samba-tool spn add host/hostname3.DNSDOMAIN serviceaccount_name ( or original hostname )
samba-tool spn add host/hostname3.DNSDOMAIN@REALM serviceaccount_name ( or original hostname ) .. etc.


Now export the keytabs:
samba-tool domain exportkeytab /tmp/hostnames-extra.keytab --principal=host/hostname.DNSDOMAIN
samba-tool domain exportkeytab /tmp/hostnames2-extra.keytab --principal=host/hostname2.DNSDOMAIN
samba-tool domain exportkeytab /tmp/hostnames3-extra.keytab --principal=host/hostname3.DNSDOMAIN .. etc.

Check the keytab files:
klist -e -k /tmp/hostnames-extra.keytab
klist -e -k /tmp/hostnames2-extra.keytab
klist -e -k /tmp/hostnames3-extra.keytab

You should see all the hostnames. If correct, merge all keytab files into one file.

Type: ktutil
ktutil:

Read all the keytab files into ktutil:
rkt /tmp/hostnames-extra.keytab
Look: list (use help to get to know ktutil)

Write the new keytab file:
wkt /tmp/new.keytab

And quit ktutil.

Check the new one:
klist -e -k /tmp/new.keytab

And you can also add the existing keytab file to it.
Then you have 1 keytab file for all hostnames.

If you also have different domain names, make sure you don't forget the krb5.conf.
Like:
[realms]
REALM = {
kdc = samba-dc1.REALM
admin_server = samba-dc1.REALM
}


[domain_realm]
.DNSDOMAIN = REALM
DNSDOMAIN = REALM
.DNSDOMAIN2 = REALM
DNSDOMAIN2 = REALM

etc..


Good luck, now you know how.

Greetz,

Louis

>-----Original message-----
>From: john....@gmx.de [mailto:samba-...@lists.samba.org]
>On behalf of John Wyzer
>Sent: Thursday, 5 March 2015 23:38
>To: sa...@lists.samba.org
>Subject: [Samba] creating Kerberos host principals for
>multiple hostnames, multihomed server

John Wyzer

Mar 6, 2015, 7:50:03 AM
On 06/03/15 09:07, L.P.H. van Belle wrote:
> Hai,
>
>> Those machines need a working Kerberos login via multiple hostnames
>> (each hostname has its own IP address, and DNS is set up correctly).
> Looks to me a bit overkill, but you will have your reasons for a setup like this..
>
> so.. you can try this..
>
> assuming this:
> REALM=MY.REALM.TLD
> DNSDOMAIN=my.domain.tld
> and a service account for the SPNs.
>
> You can also use the existing "hostname",
> but for these extra SPNs I use an extra "service_account".
>
> 1) create "serviceaccount" for "HOSTNAME" : serviceaccount_name
>
> 2) create the SPNs for the service accounts
> samba-tool spn add host/hostname.DNSDOMAIN serviceaccount_name ( or original hostname )
> samba-tool spn add host/hostname.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )
>
> samba-tool spn add host/hostname2.DNSDOMAIN serviceaccount_name ( or original hostname )
> samba-tool spn add host/hostname2.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )
>
> samba-tool spn add host/hostname3.DNSDOMAIN serviceaccount_name ( or original hostname )
> samba-tool spn add host/hostname3.DNSDOMAIN@REALM serviceaccount_name ( or original hostname ) .. etc.
>
Thank you very much! That helped me get all the keytabs correct and was
a very useful exercise.

It did not help with the pam_krb5 login however.
Then I discovered this:

All this was not necessary to begin with.

In order to be able to log into the host via pam_krb5 via multiple
hostnames, no additional principals are necessary.
Only the DNS has to be set up as follows:

n001.my.dnsdomain.tld 10 A 192.168.100.1
m001.my.dnsdomain.tld 10 A 192.168.101.1
i001.my.dnsdomain.tld 10 A 192.168.102.1

1.100.168.192.in-addr.arpa 10 ptr n001.my.dnsdomain.tld
1.101.168.192.in-addr.arpa 10 ptr n001.my.dnsdomain.tld
1.102.168.192.in-addr.arpa 10 ptr n001.my.dnsdomain.tld

Now I can ssh into n001, m001 and i001, which are all the same machine,
without a password prompt.

Perhaps there is a possibility to set up pam_krb5 in a way that can
handle the reverse lookup according to the hostname/IP address that was
used to initiate the login - but I did not find any, and for my setup
this is enough. ("hostname -A" returns all three hostnames, by the way...)

Many thanks again!