Re: [Samba] KDC and samba4
Got it and it seems to work exactly as it should! Thanks!

On 4/17/2011 8:55 AM, Matthieu Patou wrote:
> On 17/04/2011 04:13, Andrew Dumaresq wrote:
>> Hi,
>>
>> I'm using GIT pull from a few days ago. I am trying to get ssh working with kerberos when samba is the KDC. I am having trouble getting my machine keytabs to work. Here's some of the problems I have:
>>
>> 1)
>>
>> root@morannon:~# samba-tool export keytab /tmp/test.keytab
>> added interface ip=192.168.1.11 nmask=255.255.255.0
>> added interface ip=127.0.0.1 nmask=255.0.0.0
>> added interface ip=192.168.1.11 nmask=255.255.255.0
>> added interface ip=127.0.0.1 nmask=255.0.0.0
>> ldb_wrap open of secrets.ldb
>> root@morannon:~# klist -k -t /tmp/test.keytab
>> Keytab name: WRFILE:/tmp/test.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------
>>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>> root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
>> ldb_wrap open of secrets.ldb
>> ERROR: search returned 0 records, expected 1
>> root@morannon:~# samba-tool machinepw 'MORANNON$'
>> ldb_wrap open of secrets.ldb
>> ERROR: search returned 0 records, expected 1
>
> There was a bug: the command would only succeed when you are in the path where the secrets.ldb file is. I pushed a fix in autobuild for this; normally it should land in the master tree of Samba soon.
>
>> 2) (This is likely related to my previous problem) I extracted the host keytab from Samba (using ktpass.sh with no password) and put the extracted info in /etc/krb5.keytab
>
> Strange, normally you should provide a password or --password *
>
>> klist -k
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------
>>    1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
>>
>> but when I try to use that to run kinit I get this:
>>
>> kinit -k
>> kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials
>
> Not sure that it's a bug or if it's normal, but I noticed that you can't get a TGT ticket when you use a keytab with just a servicePrincipalName; you should be able, though, to get one for the SPN in the keytab.
>
> Matthieu.

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
Re: [Samba] KDC and samba4
On 17/04/2011 04:13, Andrew Dumaresq wrote:
> Hi,
>
> I'm using GIT pull from a few days ago. I am trying to get ssh working with kerberos when samba is the KDC. I am having trouble getting my machine keytabs to work. Here's some of the problems I have:
>
> 1)
>
> root@morannon:~# samba-tool export keytab /tmp/test.keytab
> added interface ip=192.168.1.11 nmask=255.255.255.0
> added interface ip=127.0.0.1 nmask=255.0.0.0
> added interface ip=192.168.1.11 nmask=255.255.255.0
> added interface ip=127.0.0.1 nmask=255.0.0.0
> ldb_wrap open of secrets.ldb
> root@morannon:~# klist -k -t /tmp/test.keytab
> Keytab name: WRFILE:/tmp/test.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------
>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>    2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>    3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>    4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
>    1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
> root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
> ldb_wrap open of secrets.ldb
> ERROR: search returned 0 records, expected 1
> root@morannon:~# samba-tool machinepw 'MORANNON$'
> ldb_wrap open of secrets.ldb
> ERROR: search returned 0 records, expected 1

There was a bug: the command would only succeed when you are in the path where the secrets.ldb file is. I pushed a fix in autobuild for this; normally it should land in the master tree of Samba soon.

> 2) (This is likely related to my previous problem) I extracted the host keytab from Samba (using ktpass.sh with no password) and put the extracted info in /etc/krb5.keytab

Strange, normally you should provide a password or --password *

> klist -k
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------
>    1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
>
> but when I try to use that to run kinit I get this:
>
> kinit -k
> kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials

Not sure that it's a bug or if it's normal, but I noticed that you can't get a TGT ticket when you use a keytab with just a servicePrincipalName; you should be able, though, to get one for the SPN in the keytab.

Matthieu.

--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
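As an added example (not code from this thread or from Samba), a small reader and writer for the binary keytab format that `klist -k -t` lists above: it reports the same principal/KVNO view and separates account principals (such as MORANNON$) from bare SPN entries (such as host/fqdn), which is the distinction the last remark turns on. The sample keytab, its keys and its timestamp are constructed for the example.

```python
import struct
KEYTAB_V2 = 0x0502  # MIT/Heimdal keytab format version; every integer is big-endian

def _cstr(b):  # counted octet string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b

def _read_cstr(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples into keytab bytes."""
    out = struct.pack(">H", KEYTAB_V2)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")  # "host/fqdn" has two components, "MORANNON$" one
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # key, 32-bit kvno
        out += struct.pack(">i", len(body)) + body  # each entry is length-prefixed
    return out

def parse_keytab(data):
    """Return one dict per entry (principal, kvno, enctype, timestamp), the view `klist -k -t` gives."""
    assert struct.unpack(">H", data[:2])[0] == KEYTAB_V2, "unsupported keytab version"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:  # a negative size marks a deleted slot of that length; skip it
            pos += max(-size, 1); continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2; comps = []
        realm, pos = _read_cstr(data, pos)
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos); comps.append(c)
        _ntype, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8  # vno32 if present
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": ts})
        pos = end
    return entries

def account_principals(entries):
    """Account principals (no '/' in the name part); bare SPN entries such as host/fqdn are left out."""
    return sorted({e["principal"] for e in entries if "/" not in e["principal"].rsplit("@", 1)[0]})

# Constructed sample modelled on the two keytabs in the thread (dummy 16-byte keys, not real key material)
SAMPLE = build_keytab([("MORANNON$@DUMARESQ.LOCAL", 1, 23, b"\x11" * 16, 1302984259),
                       ("host/morannon.dumaresq.local@DUMARESQ.LOCAL", 1, 23, b"\x11" * 16, 1302984259)])
```

Running `account_principals(parse_keytab(open("/etc/krb5.keytab", "rb").read()))` on a keytab that holds only the host/ SPN returns an empty list, which is the situation the kinit error above describes.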
[Samba] KDC and samba4
Hi,

I'm using GIT pull from a few days ago. I am trying to get ssh working with kerberos when samba is the KDC. I am having trouble getting my machine keytabs to work. Here's some of the problems I have:

1)

root@morannon:~# samba-tool export keytab /tmp/test.keytab
added interface ip=192.168.1.11 nmask=255.255.255.0
added interface ip=127.0.0.1 nmask=255.0.0.0
added interface ip=192.168.1.11 nmask=255.255.255.0
added interface ip=127.0.0.1 nmask=255.0.0.0
ldb_wrap open of secrets.ldb
root@morannon:~# klist -k -t /tmp/test.keytab
Keytab name: WRFILE:/tmp/test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
ldb_wrap open of secrets.ldb
ERROR: search returned 0 records, expected 1
root@morannon:~# samba-tool machinepw 'MORANNON$'
ldb_wrap open of secrets.ldb
ERROR: search returned 0 records, expected 1

2) (This is likely related to my previous problem) I extracted the host keytab from Samba (using ktpass.sh with no password) and put the extracted info in /etc/krb5.keytab

klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   1 host/morannon.dumaresq.local@DUMARESQ.LOCAL

but when I try to use that to run kinit I get this:

kinit -k
kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials

I've tried both capital and not capital HOST; I've tried every combination of FQDNs and such, and none of it seems to help. As a result I can't use ssh to connect using kerberos. Just to make sure I didn't have a DNS issue or something like that, I shut down samba and installed a standard KDC, and I was able to get everything working just fine. This obviously breaks samba quite badly and, as far as I can tell, samba4 can't use external kerberos.

Any ideas?

Thanks