[Samba] Understanding kerberos principals in samba4


Quinn Plattel

Jul 13, 2012, 9:20:02 AM
Hi,

When I have a service on a client that tries to use kerberos and I get
errors such as these in the log.samba file:

Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb

Does this mean that the kerberos authentication system is looking for the
principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain
or in the server's /etc/krb5.keytab file? I have tried adding this
principal to the /etc/krb5.keytab file using ktutil, but this error still
pops up. I noticed that you can export a principal into a keytab file
using "samba-tool domain exportkeytab" but how do you add the principal to
the domain? Will adding the missing principal using "samba-tool spn" solve
problems like these?

According to https://help.ubuntu.com/community/SingleSignOn , you add a
host to the kerberos realm by doing these two commands on the kerberos
server:

kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM

I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@
EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab
~/client.keytab --principal=host/client.example.com" but what is the
equivalent of "kadmin: addprinc -randkey host/client.example.com @
EXAMPLE.COM" under samba4 ???

br,
Quinn
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Jul 13, 2012, 7:30:02 PM
On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> Hi,
>
> When I have a service on a client that tries to use kerberos and I get
> errors such as these in the log.samba file:
>
> Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
> entry found in hdb
>
> Does this mean that the kerberos authentication system is looking for the
> principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain

That would be in the domain. hdb is a reference to our sam.ldb in this
case.

> or in the server's /etc/krb5.keytab file? I have tried adding this
> principal to the /etc/krb5.keytab file using ktutil, but this error still
> pops up. I noticed that you can export a principal into a keytab file
> using "samba-tool domain exportkeytab" but how do you add the principal to
> the domain? Will adding the missing principal using "samba-tool spn" solve
> problems like these?

Yes.

> According to https://help.ubuntu.com/community/SingleSignOn , you add a
> host to the kerberos realm by doing these two commands on the kerberos
> server:
>
> kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
>
> I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@
> EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab
> ~/client.keytab --principal=host/client.example.com" but what is the
> equivalent of "kadmin: addprinc -randkey host/client.example.com @
> EXAMPLE.COM" under samba4 ???

If the client doesn't wish to have any Samba integration it would be
adding a user, adding an spn, setting a random password and then using
the exportkeytab command you mentioned.

However, joining the machine using Samba would be more likely what you
want, ie run 'net ads join' on the client, and look into the keytab
options in the smb.conf for how to have Samba maintain a system keytab
for your other services.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Quinn Plattel

Jul 16, 2012, 6:20:02 AM
Hi,

Thanks for the info. I am now trying two ways to get, for example, the
nslcd service to work with samba4 kerberos.
Note: Spaces around "@" are intentional and exist only on the list.

Method 1: The non-integration-with-samba method

==================================================================
server:/root# samba-tool user add nslcd-service --random-password
server:/root# samba-tool spn add HOST/ubuntu-test.mydomain.net nslcd-service
server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab
--principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @
ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
* Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:
10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb
==================================================================


Method 2: The samba4 integration method

==================================================================
server:/root# samba-tool spn delete HOST/ubuntu-test.mydomain.net nslcd-service # Make sure HOST/ubuntu-test.mydomain.net does not exist already
server:/root# samba-tool user delete nslcd-service

ubuntu-test:/root# nano /etc/samba/smb.conf # Change/add the following
lines:
workgroup = MYDOMAIN
realm = mydomain.net
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
security = ads

ubuntu-test:/root# rm /etc/krb5.keytab # Delete any existing keytabs so
there is no confusion
ubuntu-test:/root# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYDOMAIN
Joined 'UBUNTU-TEST' to realm 'mydomain.net'
DNS Update for ubuntu-test.mydomain.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

log.samba shows this during ads join:
-----------------------------------------------------------------
Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47888 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator @ MYDOMAIN.NET
Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47831 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator @ MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:30 starttime: unset endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, forwardable
Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:37803 for ldap/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:38998 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET [renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:54978 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:34088 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$ @ MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:31 starttime: unset endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, forwardable
Kerberos: TGS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:60077 for dns/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:31 starttime: 2012-07-16T11:10:31 endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
-----------------------------------------------------------------

ubuntu-test:/root# file /etc/krb5.keytab
/etc/krb5.keytab: ERROR: cannot open `/etc/krb5.keytab' (No such file or
directory)
ubuntu-test:/root# /etc/init.d/nslcd restart
* Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:
10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab
--principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @
ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
* Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:
10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb

==================================================================

As you can see, no matter if a /etc/krb5.keytab exists or not and no matter
if I add "HOST/ubuntu-test.mydomain.net" to the domain either via
"samba-tool spn add" or via the client's "net ads join", kerberos
authentication fails with "no such entry found in hdb".

Anyways, I found a workaround. I noticed during "net ads join" that
kerberos authentication was succeeding using "UBUNTU$@MYDOMAIN.NET", so
using method 2, I added the following:

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab
--principal=UBUNTU-TEST\$
server:/root# scp /etc/ubuntu-test.keytab root @
ubuntu-test:/etc/krb5.keytab

On the client, in /etc/default/nslcd, add the line:
K5START_PRINCIPAL="$(hostname | tr '[:lower:]' '[:upper:]')\$"   # quote the tr classes so the shell does not treat them as globs

then at least nslcd service seems to work. I would be interested in
knowing if using <hostname in uppercase>$ is better than HOST/<hostname>.
mydomain.net .

br,
Quinn
Best regards/Med venlig hilsen,
Quinn Plattel
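
The two log.samba excerpts above show the same KDC answering two different client names: the machine account UBUNTU-TEST$ passes ENC-TS pre-authentication, while the AS-REQ for HOST/ubuntu-test.mydomain.net is reported as unknown in hdb (the client side sees this as "Client not found in Kerberos database"). The following is an added example, not code from the thread or from Samba: a small POSIX shell triage script that reads log.samba lines and reports, per client principal, whether the KDC resolved it, plus a helper that derives the machine-account principal a join creates from a host's FQDN. The function names are mine, the sample log is reconstructed from the lines quoted above with the list's spacing around "@" removed, and the helper assumes the realm is the DNS domain upper-cased, as it is in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage a log.samba excerpt from the
# Samba 4 KDC to see which AS-REQ client principals it could resolve.
#
# SAMPLE_LOG is constructed from the lines quoted in the thread, with the
# spaces the mailing list inserted around "@" removed. Every client goes
# through two AS-REQ round trips: the first is answered PREAUTH-REQUIRED,
# which is normal, and the second carries the encrypted timestamp.
# "UNKNOWN ... no such entry found in hdb" means the KDC has no account
# for that client name; the client reports it as "Client not found in
# Kerberos database".
SAMPLE_LOG='Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: AS-REQ UBUNTU-TEST$@MYDOMAIN.NET from ipv4:10.45.1.55:54978 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- UBUNTU-TEST$@MYDOMAIN.NET
Kerberos: AS-REQ UBUNTU-TEST$@MYDOMAIN.NET from ipv4:10.45.1.55:34088 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$@MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:31 starttime: unset endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27'

# kdc_client_summary: read log.samba lines on stdin and print one
# "<client principal> <status>" line per client, sorted. Status is
# "preauth-ok" (account exists and the key matched), "unknown-in-hdb"
# (no such account in sam.ldb) or "requested" (AS-REQ seen, no outcome
# logged). "AS-REQ authtime:" lines are ticket details, not requests.
kdc_client_summary() {
    awk '
        $2 == "AS-REQ" && $3 != "authtime:" { if (!($3 in status)) status[$3] = "requested" }
        $2 == "UNKNOWN" { p = $4; sub(/:$/, "", p); status[p] = "unknown-in-hdb" }
        $2 == "ENC-TS" && $4 == "succeeded" { status[$6] = "preauth-ok" }
        END { for (p in status) print p, status[p] }
    ' | sort
}

# machine_account_principal FQDN: build the machine-account principal that
# a domain join creates for a host: the short host name upper-cased plus
# "$", at the realm. Assumption: the realm is the DNS domain upper-cased
# (mydomain.net -> MYDOMAIN.NET). Fails if the name has no domain part.
machine_account_principal() {
    fqdn=$1
    case $fqdn in
        *.*) ;;
        *) echo "machine_account_principal: '$fqdn' has no domain part" >&2; return 1 ;;
    esac
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$realm"
}

printf '%s\n' "$SAMPLE_LOG" | kdc_client_summary
machine_account_principal ubuntu-test.mydomain.net
```

On a real DC the same function can be fed with `grep '^Kerberos:' /var/log/samba/log.samba | kdc_client_summary` to see at a glance which client names the KDC accepts and which it cannot find, before touching keytabs on the client. The helper deliberately uses only the first DNS label of the host name, so it gives the same answer whether `hostname` returns the short name or the FQDN.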

steve

Jul 16, 2012, 7:10:02 AM
On 16/07/12 12:10, Quinn Plattel wrote:
> Hi,
>
> Thanks for the info. I am now trying two ways to get, for example, the
> nslcd service to work with samba4 kerberos.

The host principals are already there so I can't see why you are trying
to recreate them. Don't use the host key. Use a separate key to unlock
the nslcd service so that it can access the Samba 4 LDAP.

The problem with nslcd in Ubuntu is k5start. The configuration file is
located in /etc/default/nslcd which prevents it using a Samba4
principal. With Samba4, nslcd triggers k5start and it has no key to
reference.

Set k5start to "No" and start it manually yourself with a keytab you
have extracted for your nslcd-service. If you do not, you will have to
manually restart nslcd every 10 hours anyway.

Cheers,
HTH
Steve

steve

Jul 16, 2012, 7:30:02 AM
On 16/07/12 13:21, Quinn Plattel wrote:
> Hi Steve,
>
> I was taking nslcd as an example and I know that one workaround is the
> way you describe it, but I see more than just nslcd/k5start service that
> uses the HOST/hostname.domain.net

Hi Quinn
Sorry. I thought you were still with the nslcd workaround.

You may come across nfs. That by default needs principals in
/etc/krb5.keytab. host/realm is one of many keys that work.
Cheers,

Quinn Plattel

Jul 16, 2012, 7:30:02 AM
Hi Steve,

I was taking nslcd as an example and I know that one workaround is the way
you describe it, but I see more than just nslcd/k5start service that uses
the HOST/hostname.domain.net principal to authenticate - for example, ssh
with GSSAPI seems to do the same thing unless you use
"GSSAPIStrictAcceptorCheck no" in /etc/sshd_config, and then there is
"ldapsearch -Y GSSAPI" which asks for ldap/hostname.domain.net principal.
So far, of these three issues, I see two workarounds and one with no
solution yet. It would be nice to see a common solution that works for all
kerberos aware services - hence the subject "Understanding kerberos
principals in samba4".

br,
Quinn
--
Best regards/Med venlig hilsen,
Quinn Plattel
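
Quinn's last message lists services that each look for a different principal in /etc/krb5.keytab (host/ for sshd with GSSAPI, ldap/ for ldapsearch -Y GSSAPI, the machine account for k5start), and Steve adds nfs to the list. The following is an added example, not code from the thread, Samba or MIT Kerberos: a POSIX shell check that reads the output of MIT `klist -k` and reports which of the principals a host's services will ask for are absent from the keytab. The function names are mine and the keytab listing is a constructed sample in `klist -k` format, not captured from the machines in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check which of the service principals
# a host's Kerberos-aware services will ask for are actually present in its
# keytab, using the output of MIT `klist -k`.
#
# SAMPLE_KLIST is a constructed `klist -k` listing for a joined host, not
# output captured from the thread's machines.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ubuntu-test.mydomain.net@MYDOMAIN.NET
   2 UBUNTU-TEST$@MYDOMAIN.NET'

# keytab_principals: read `klist -k` output on stdin and print only the
# principal column, skipping the "Keytab name:", header and separator lines.
keytab_principals() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }'
}

# missing_principals PRINCIPAL...: read `klist -k` output on stdin and print
# every listed principal that the keytab lacks. The comparison is exact,
# including case, so HOST/... and host/... count as different entries.
# Returns 1 if anything is missing, 0 if the keytab covers them all.
missing_principals() {
    have=$(keytab_principals)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# Principals the services discussed in the thread ask for on this host:
# sshd with GSSAPI -> host/<fqdn>, ldapsearch -Y GSSAPI -> ldap/<fqdn>,
# k5start for nslcd -> the machine account UBUNTU-TEST$.
printf '%s\n' "$SAMPLE_KLIST" | missing_principals \
    'host/ubuntu-test.mydomain.net@MYDOMAIN.NET' \
    'ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET' \
    'UBUNTU-TEST$@MYDOMAIN.NET' \
    || echo 'keytab is missing the principal(s) listed above' >&2
```

On a real client the pipeline is `klist -k /etc/krb5.keytab | missing_principals host/... ldap/...`; a non-zero exit from a service's start-up hook then points at the keytab before the KDC log is consulted. The check only answers whether the keytab holds the entry; whether the KDC knows the same name is the separate question Andrew answers earlier in the thread.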