On 01/09/2012 07:38 AM, Gémes Géza wrote:
On 2012-01-08 10:13, steve wrote:
Hi
I have Samba 4 installed and working. I recently changed FQDN to dns
name hh3.hh3.site. It works OK and e.g. on a windows 7 box which
joined the domain, users can logon. But I have a mess in the keytab:
klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 [email protected]
2 [email protected]
2 [email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
1 [email protected]
1 [email protected]
1 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
1 [email protected]
1 [email protected]
1 [email protected]
This all seems OK:
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.2:46585 for
[email protected] [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:01 starttime:
2012-01-08T09:35:16 endtime: 2012-01-08T19:35:01 renew till:
2012-01-15T09:35:01
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.2:46577 for
host/[email protected] [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:06 starttime:
2012-01-08T09:35:06 endtime: 2012-01-08T19:35:06 renew till:
2012-01-15T09:35:06
Got user=[] domain=[] workstation=[STEVE-PC] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user
[]\[]@[STEVE-PC]
auth_check_password_send: mapped user is: [CACTUS]\[]@[STEVE-PC]
But I also get this:
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.2:46588 for
steve-pc$\@[email protected] [canonicalize, request-anonymous,
renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from [email protected]
([email protected]) as [email protected] to
steve-pc$\@[email protected] not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.1.2:46588
Which I think is due to the keytab
smb.conf contains:
[global]
server role = domain controller
workgroup = CACTUS
realm = hh3.site
netbios name = HH3
passdb backend = samba4
template shell = /bin/bash
So, 2 very newbie questions:
1. Is there any way I can tidy up the keytab to see if it removes that error?
2. In the above example, steve-pc is a windows 7 client which is
joined to the domain called CACTUS. Why doesn't steve-pc$ appear in
the keytab listing?
/etc/krb5.keytab is a keytab you've created (e.g. with samba-tool domain
exportkeytab /etc/krb5.keytab); it is not used by Samba4 in any way. If
you need a keytab for any service you run (e.g. nfs) I would suggest
extracting a keytab only for the principal you've created for that service.
E.g.:
samba-tool user create whateverserviceusername --random-password
samba-tool spn add previouslyusedusername servicename/hostname
samba-tool domain exportkeytab --principal=servicename/hostname /path/to/the/keytab
Regards
Geza
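The keytab listing in Steve's first message and Geza's advice to export only the principal a service needs both come down to the same check: does /etc/krb5.keytab hold only the service principals this host is meant to serve, and only their current key version? The script below is an added example for this thread, not code from Samba or from either poster. It parses the text that `klist -k` prints (the header, the dashed separator, then one "KVNO Principal" row per key), collapses the one-row-per-enctype repeats, and reports principals that carry more than one KVNO (the lower versions are stale leftovers from an earlier join or export) and principals outside an allow-list of intended service principals. The sample listing and the allow-list are constructed for the example; the host and realm names follow the thread (hh3.hh3.site, HH3.SITE, nfs/HH3.SITE).

```python
"""Audit a `klist -k` listing for stale key versions and unintended principals.

Added example for this thread, not Samba's code. It only reads the text
klist prints; it never touches the keytab file itself.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of the listing in the thread: one row per
# encryption type, a leftover KVNO 1 for the machine account from an earlier
# export, and a plain user principal that has no business in a service keytab.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 nfs/HH3.SITE@HH3.SITE
   1 HH3$@HH3.SITE
   1 HH3$@HH3.SITE
   1 HH3$@HH3.SITE
   2 steve4@HH3.SITE
"""

# A data row is "<kvno> <principal>"; the header and separator lines do not
# match and are skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: set of KVNOs} from `klist -k` output."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def stale_entries(kvnos):
    """Principals with more than one KVNO, mapped to their stale (non-highest) versions."""
    return {p: sorted(v - {max(v)}) for p, v in kvnos.items() if len(v) > 1}


def unexpected_principals(kvnos, allowed):
    """Principals present in the keytab but not in the intended allow-list.

    The full string (service/host@REALM) is compared, so a wrong realm
    (e.g. lower-case hh3.site) is reported as well.
    """
    return sorted(p for p in kvnos if p not in allowed)


def audit(text, allowed):
    """Run both checks over a klist listing and return a small report dict."""
    kvnos = parse_klist(text)
    return {
        "principals": sorted(kvnos),
        "stale": stale_entries(kvnos),
        "unexpected": unexpected_principals(kvnos, allowed),
    }


if __name__ == "__main__":
    # Hypothetical allow-list: the service principals this host should serve.
    ALLOWED = {"host/hh3.hh3.site@HH3.SITE", "nfs/HH3.SITE@HH3.SITE"}
    # Pipe real output in with: klist -k /etc/krb5.keytab | python3 keytab_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    report = audit(text, ALLOWED)
    print("principals:", ", ".join(report["principals"]))
    print("stale versions:", report["stale"])
    print("not in allow-list:", report["unexpected"])
```

On the constructed sample the report flags KVNO 1 of HH3$@HH3.SITE as stale and lists HH3$@HH3.SITE and steve4@HH3.SITE as not belonging to the allow-list. Anything the audit reports is a candidate for the clean-up Geza describes: regenerate the keytab with `samba-tool domain exportkeytab --principal=...` for just the service principals, rather than editing the old file in place.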
Yeah, I can see I've not understood this. If I create a Samba 4 user
using samba-tool, he has to have a keytab to be able to login on a Linux
client.
For user steve4 on domain HH3.SITE I did this:
samba-tool user add steve4
(the spn stuff you mention doesn't seem to be needed?)
samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
for nfs I did this:
samba-tool spn add nfs/HH3.SITE Administrator
samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/HH3.SITE
steve4 can login to the Linux client and is placed in his nfs4 mounted
/home directory (applause!). (The keytab above was before I added nfs)
What I don't understand is why I need the keytab at all and how the
other stuff got in there.
Thanks for your patience.
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba