Thanks Mark, I did the following:

    net ads keytab ADD HTTP/foundry.example.local

It placed the following in my keytab:

    klist -k:
    <snip>
    2 HTTP/foundry.example.local/[EMAIL PROTECTED]
    2 HTTP/foundry.example.local/[EMAIL PROTECTED]
    2 HTTP/foundry.example.local/[EMAIL PROTECTED]
    <snip>

The following appears to have done the right thing:

    net ads keytab ADD HTTP
    klist -k
    <snip>
    2 HTTP/[EMAIL PROTECTED]
    2 HTTP/[EMAIL PROTECTED]
    <snip>

However, I am still no closer than I started:

    kinit -k -t /etc/krb5.keytab HTTP/foundry.example.local
    kinit(v5): Client not found in Kerberos database while getting initial credentials

Any ideas?

Thanks,

PS: Interestingly I get the following from css_adkadmin:

    [EMAIL PROTECTED]:~ # /usr/bin/css_adkadmin -p Administrator -q "getacct foundry"
    dn: CN=foundry,CN=Computers,DC=example,DC=local
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: foundry
    distinguishedName: CN=foundry,CN=Computers,DC=example,DC=local
    instanceType: 4
    whenCreated: 20070219133910.0Z
    whenChanged: 20070222054545.0Z
    uSNCreated: 385123
    uSNChanged: 409706
    name: foundry
    objectGUID: 0x9f6bbada88e8c8448d666efef54cf896
    userAccountControl: 69632
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 128165968399043318
    localPolicyFlags: 0
    pwdLastSet: 128163659510654397
    primaryGroupID: 515
    objectSid: 0x0105000000000005150000003a271cc8822081797cafeaa3db040000
    accountExpires: 9223372036854775807
    logonCount: 242
    sAMAccountName: foundry$
    sAMAccountType: 805306369
    operatingSystem: Samba
    operatingSystemVersion: 3.0.22
    dNSHostName: foundry.example.local
    userPrincipalName: HOST/[EMAIL PROTECTED]
    servicePrincipalName: HTTP/FOUNDRY.EXAMPLE.LOCAL/foundry.example.local
    servicePrincipalName: HTTP/FOUNDRY.EXAMPLE.LOCAL/foundry
    servicePrincipalName: HTTP/foundry.example.local
    servicePrincipalName: HTTP/foundry
    servicePrincipalName: CIFS/foundry.example.local
    servicePrincipalName: CIFS/foundry
    servicePrincipalName: HOST/foundry.example.local
    servicePrincipalName: HOST/foundry
    objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local
    isCriticalSystemObject: FALSE
    msDS-KeyVersionNumber: 2

On 2/21/07, Mark Proehl <[EMAIL PROTECTED]> wrote:
Hi,

On Wed, Feb 21, 2007 at 06:41:42PM +1000, Bradley Schatz wrote:
> Hi Mark,
>
> For some background, I am actually trying to set up a http kerberos service
> so that I can use mod_auth_krb in apache2.
>
> Would net ads join createupn=http/foundry.example.local do the trick?

No. That command only creates a user principal name for the machine account. So that you could obtain kerberos tickets as http/foundry.example.local, i.e. you could become the identity of http/foundry.example.local.

If you want to kerberize apache, you need to create a service principal on the active directory controller: HTTP/foundry.example.local (note: HTTP is uppercase). And you need to create a keytab file for apache. This can be done by samba via

    net ads keytab ADD HTTP/foundry.example.com

This would add some HTTP entries to /etc/krb5.keytab. Typically apache is not running as root, so it cannot read /etc/krb5.keytab. Therefore you should move the HTTP entries to a separate keytab file which apache can read. This could be done by ktutil or by setting the environment variable "KRB5_KTNAME".

> I am on 3.0.22, which does not support this syntax. Any work-arounds?

"createupn" was a new feature in 3.0.23a...

- Mark

> On 2/21/07, Mark Proehl <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
> > try
> >
> >     net ads join createupn=host/foundry.example.local
> >
> > - Mark
> >
> > On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> > > I suspect I might be grossly misunderstanding kerberos and AD here, but I
> > > can't seem to grok the following.
> > >
> > > net ads join integrates my linux samba server (named foundry) into an AD
> > > domain and all works fine. The samba server is using the kerberos keytab.
> > >
> > > [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab foundry$
> > > [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> > > kinit(v5): Client not found in Kerberos database while getting initial
> > > credentials
> > >
> > > Why can't kinit find the service host/foundry.example.local in the AD
> > > Kerberos database? It seems to be in the local linux server keylist:
> > >
> > > [EMAIL PROTECTED]:~ # klist -k
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >    2 host/[EMAIL PROTECTED]
> > >    2 host/[EMAIL PROTECTED]
> > > .... cut ...
> > >
> > > What am I missing here?
> > >
> > > Thanks,
> > >
> > > Bradley
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba

--
Kind regards,
Mark Pröhl
_______________________________________________
creating IT solutions
Mark Proehl                    phone +49(0)7071 9457-591
Senior Solutions Engineer      fax   +49(0)7071 9457-411
CAx Professional Services
science + computing ag         [EMAIL PROTECTED]
Hagellocher Weg 71-75          [EMAIL PROTECTED]
D-72070 Tuebingen, Germany     www.science-computing.de
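An added keytab audit, not code from any of the list posts: it parses `klist -k` output and the computer-account dump quoted above (both samples constructed; the realm EXAMPLE.LOCAL is an assumption, since the archive redacts everything after the '@') and flags the doubled-host entries the first `net ads keytab ADD` produced, entries with no servicePrincipalName registered on the account, and keys whose KVNO lags msDS-KeyVersionNumber.

```python
import re

# Constructed samples modelled on the thread's `klist -k` output and css_adkadmin
# dump; the realm EXAMPLE.LOCAL is an assumption (the archive redacts it).
KLIST_OUTPUT = """\
KVNO Principal
---- ----------------------------------------------------------------
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   1 HTTP/foundry@EXAMPLE.LOCAL
"""
ACCOUNT_DUMP = """\
sAMAccountName: foundry$
servicePrincipalName: HTTP/FOUNDRY.EXAMPLE.LOCAL/foundry.example.local
servicePrincipalName: HTTP/foundry.example.local
servicePrincipalName: HTTP/foundry
msDS-KeyVersionNumber: 2
"""

def parse_keytab(text):
    """Return [(kvno, principal)] from the entry lines of `klist -k` output."""
    rows = (re.match(r"\s*(\d+)\s+(\S+@\S+)$", ln) for ln in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]

def parse_account(text):
    """Return (lower-cased SPN set, msDS-KeyVersionNumber) from the dump."""
    spns, kvno = set(), None
    for line in text.splitlines():
        key, _, val = line.partition(": ")
        if key == "servicePrincipalName":
            spns.add(val.strip().lower())
        elif key == "msDS-KeyVersionNumber":
            kvno = int(val)
    return spns, kvno

def audit_keytab(keytab_text, account_text):
    """Return [(principal, problem)] for keytab entries the KDC cannot serve."""
    problems = []
    spns, ad_kvno = parse_account(account_text)
    for kvno, principal in parse_keytab(keytab_text):
        service = principal.split("@", 1)[0]
        if service.count("/") > 1:  # HTTP/host/host: host component repeated
            problems.append((principal, "malformed SPN: host component repeated"))
        elif service.lower() not in spns:
            problems.append((principal, "no servicePrincipalName on the account"))
        if ad_kvno is not None and kvno != ad_kvno:  # stale key vs. AD
            problems.append((principal, f"KVNO {kvno} != msDS-KeyVersionNumber {ad_kvno}"))
    return problems
```

Run it against real output by piping `klist -k` and the account dump into the two parsers; a clean result means every service principal Apache will present exists on the account with the current key.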
