Olivier BILHAUT
2015-Feb-16 15:07 UTC
[Samba] Samba4 kinit issue with principal and keytab file
Hi Rowland, Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name). But in your second exemple, you never mention the SPN, neither in the keytab export or in the kinit command. Does that means that there is no kinit possible using the SPN? So I am worried of what is the benefice of adding a SPN to a user instead of using the UPN directly ? So the same question more clearly : how do you use the SPN and why? Thanks, -- Olivier> Yes, you are mixing up userprincipal names with service principal> names, your user has a userprincipal name of 'kerbuser at MYDOMAIN.LOCAL'> > If we create the user,add an spn and export the keytab as per the wiki:> > samba-tool usercreate --random-password http-dc01> samba-tool spn addHTTP/dc01.home.lan http-dc01> samba-tool domain exportkeytab/etc/httpd.keytab> --principal=HTTP/dc01.example.com at EXAMPLE.COM > >Then examine the keytab:> > ktutil > ktutil: rkt /etc/httpd.keytab >ktutil: l> slot KVNO Principal > ---- ---- >--------------------------------------------------------------------->1 1 HTTP/dc01.example.com at EXAMPLE.COM> 2 1HTTP/dc01.example.com at EXAMPLE.COM> 3 1HTTP/dc01.example.com at EXAMPLE.COM> ktutil: q > > You can see thatthere is only the spn in the keytab and if you try 'kinit'> > kinit -k-t /etc/httpd.keytab -c /tmp/http-dc01.krb5cc http-dc01> kinit: Genericpreauthentication failure while getting initial credentials> > now ifyou export another keytab but this time use the upn as the principal:>> samba-tool domain exportkeytab /etc/http-dc01.keytab >--principal=http-dc01 at EXAMPLE.COM> > and if you examine this keytab: >> ktutil > ktutil: rkt /etc/http-dc01.keytab > ktutil: l > slot KVNOPrincipal> ---- ---- >--------------------------------------------------------------------->1 1 http-dc01 at EXAMPLE.COM> 2 1 http-dc01 at EXAMPLE.COM > 3 1http-dc01 at EXAMPLE.COM> ktutil: q > > and try kinit again: > > kinit-k -t /etc/http-dc01.keytab -c /tmp/http-dc01.krb5cc http-dc01> > andlook in /tmp you will find the krb5 cache:> > http-dc01.krb5cc > >Rowland
Possibly Parallel Threads
- Samba4 kinit issue with principal and keytab file
- Samba4 kinit issue with principal and keytab file
- Samba4 kinit issue with principal and keytab file
- samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
- samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates