Hi, Thanks for the info. I am now trying two ways to get, for example, the nslcd service to work with samba4 kerberos. Note: Spaces around "@" are intentional and exist only on the list.
Method 1: The non-integration-with-samba method
==================================================================
server:/root# samba-tool user add nslcd-service --random-password
server:/root# samba-tool spn add HOST/ubuntu-test.mydomain.net nslcd-service
server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
==================================================================

Method 2: The samba4 integration method
==================================================================
server:/root# samba-tool spn delete HOST/ubuntu-test.mydomain.net nslcd-service   # Make sure HOST/ubuntu-test.mydomain.net does not exist already
server:/root# samba-tool user delete nslcd-service

ubuntu-test:/root# nano /etc/samba/smb.conf
# Change/add the following lines:
workgroup = MYDOMAIN
realm = mydomain.net
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
security = ads

ubuntu-test:/root# rm /etc/krb5.keytab   # Delete any existing keytabs so there is no confusion
ubuntu-test:/root# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYDOMAIN
Joined 'UBUNTU-TEST' to realm 'mydomain.net'
DNS Update for ubuntu-test.mydomain.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

log.samba shows this during ads join:
-----------------------------------------------------------------
Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47888 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator @ MYDOMAIN.NET
Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47831 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator @ MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:30 starttime: unset endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, forwardable
Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:37803 for ldap/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:38998 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET [renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:54978 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:34088 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$ @ MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:31 starttime: unset endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, forwardable
Kerberos: TGS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:60077 for dns/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:31 starttime: 2012-07-16T11:10:31 endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
-----------------------------------------------------------------

ubuntu-test:/root# file /etc/krb5.keytab
/etc/krb5.keytab: ERROR: cannot open `/etc/krb5.keytab' (No such file or directory)
ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
==================================================================

As you can see, no matter whether a /etc/krb5.keytab exists or not, and no matter whether I add "HOST/ubuntu-test.mydomain.net" to the domain via "samba-tool spn add" or via the client's "net ads join", kerberos authentication fails with "no such entry found in hdb".

Anyway, I found a workaround. I noticed during "net ads join" that kerberos authentication was succeeding using "UBUNTU-TEST$ @ MYDOMAIN.NET", so using method 2, I added the following:

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=UBUNTU-TEST\$
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

On the client, in /etc/default/nslcd, add the line:

K5START_PRINCIPAL="`hostname | tr [:lower:] [:upper:]`$"

Then at least the nslcd service seems to work.

I would be interested in knowing if using <hostname in uppercase>$ is better than HOST/<hostname>.mydomain.net.

br,
Quinn

On Sat, Jul 14, 2012 at 1:27 AM, Andrew Bartlett <[email protected]> wrote:
> On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> > Hi,
> >
> > When I have a service on a client that tries to use kerberos and I get
> > errors such as these in the log.samba file:
> >
> > Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
> > entry found in hdb
> >
> > Does this mean that the kerberos authentication system is looking for the
> > principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain
>
> That would be in the domain. hdb is a reference to our sam.ldb in this
> case.
>
> > or in the server's /etc/krb5.keytab file? I have tried adding this
> > principal to the /etc/krb5.keytab file using ktutil, but this error still
> > pops up. I noticed that you can export a principal into a keytab file
> > using "samba-tool domain exportkeytab" but how do you add the principal to
> > the domain? Will adding the missing principal using "samba-tool spn" solve
> > problems like these?
>
> Yes.
>
> > According to https://help.ubuntu.com/community/SingleSignOn , you add a
> > host to the kerberos realm by doing these two commands on the kerberos
> > server:
> >
> > kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> > kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
> >
> > I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM"
> > is the equivalent of "samba-tool domain exportkeytab
> > ~/client.keytab --principal=host/client.example.com" but what is the
> > equivalent of "kadmin: addprinc -randkey host/client.example.com @
> > EXAMPLE.COM" under samba4 ???
>
> If the client doesn't wish to have any Samba integration it would be
> adding a user, adding an spn, setting a random password and then using
> the exportkeytab command you mentioned.
>
> However, joining the machine using Samba would be more likely what you
> want, ie run 'net ads join' on the client, and look into the keytab
> options in the smb.conf for how to have Samba maintain a system keytab
> for your other services.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

--
Best regards/Med venlig hilsen,
Quinn Plattel
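Added example (editor's note, not code from the thread above, from Samba or from k5start): before pointing k5start at a principal, it is worth confirming what `samba-tool domain exportkeytab` or `net ads join` actually wrote into /etc/krb5.keytab, since the keytab lookup is an exact string match and the exported entries may be RC4-only, as the arcfour-hmac-md5 lines in the KDC log above suggest. The script below reads the MIT/Heimdal keytab file format (version 0x0502) with nothing but the standard library, lists principal, kvno and enctype per entry, and answers "does this keytab contain the principal I am about to request?" for both forms discussed in the thread. The keytab bytes it inspects are constructed in the script with dummy keys; the realm, host name and kvno values are assumptions for illustration. Replace `SAMPLE_KEYTAB` with `open("/etc/krb5.keytab", "rb").read()` to inspect a real file.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2 (MIT and Heimdal)
KRB5_NT_PRINCIPAL = 1           # name type for e.g. UBUNTU-TEST$@MYDOMAIN.NET
KRB5_NT_SRV_HST = 3             # name type for e.g. HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",     # RC4; the only enctype visible in the KDC log above
}


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, name_type, kvno, enctype, key, timestamp):
    """Serialise one keytab entry for a principal written as 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)          # 32-bit kvno, written by current tools
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data):
    """Return one dict per entry: principal, name_type, kvno, enctype (keys are skipped)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                      # step over the key material
        kvno = vno8
        if end - pos >= 4:                   # optional 32-bit kvno supersedes the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
        })
    return entries


def keytab_has_principal(data, principal):
    """Exact match, as the krb5 keytab lookup is: 'HOST/x' and 'host/x' are different entries."""
    return any(e["principal"] == principal for e in parse_keytab(data))


def machine_principal(hostname, realm):
    """The `hostname | tr [:lower:] [:upper:]`$ form used in the workaround above."""
    return hostname.split(".")[0].upper() + "$@" + realm


def rc4_only_principals(data):
    """Principals that have no AES key in this keytab, i.e. can only use arcfour-hmac-md5."""
    by_principal = {}
    for e in parse_keytab(data):
        by_principal.setdefault(e["principal"], set()).add(e["enctype"])
    return sorted(p for p, encs in by_principal.items() if encs == {"arcfour-hmac-md5"})


# Constructed sample (assumed values, dummy keys): a keytab holding the machine
# account with RC4 only, and the HOST/ SPN with both RC4 and AES-256.
SAMPLE_KEYTAB = build_keytab([
    build_entry("UBUNTU-TEST$@MYDOMAIN.NET", KRB5_NT_PRINCIPAL, 2, 23, b"\x11" * 16, 1342433431),
    build_entry("HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET", KRB5_NT_SRV_HST, 2, 23, b"\x11" * 16, 1342433431),
    build_entry("HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET", KRB5_NT_SRV_HST, 2, 18, b"\x22" * 32, 1342433431),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-48s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    wanted = machine_principal("ubuntu-test", "MYDOMAIN.NET")
    print("keytab has %s: %s" % (wanted, keytab_has_principal(SAMPLE_KEYTAB, wanted)))
    print("RC4-only principals:", rc4_only_principals(SAMPLE_KEYTAB))
```

Two things this check makes visible that `k5start`'s "Client not found in Kerberos database" does not: whether the principal string in K5START_PRINCIPAL is byte-for-byte what the keytab holds (a `host/` entry will not satisfy a `HOST/` request, and vice versa), and whether the keys are RC4 only, which is worth knowing before the keytab is trusted for anything beyond a test box. A principal present in the keytab but still rejected with "no such entry found in hdb" points at the KDC side, i.e. the domain (sam.ldb, as Andrew notes), not at the keytab.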
