John Wyzer
2015-Mar-05 22:37 UTC
[Samba] creating Kerberos host principals for multiple hostnames, multihomed server
Hi!

I maintain Linux servers that are members of a Samba4 Domain.
User authentication / login via ssh works fine with Kerberos.

But: only via one hostname.

Those machines need a working Kerberos login via multiple hostnames
(each hostname has its own IP address and DNS is set up correctly.)

"net ads keytab list" of course gives me the main hostname that was in
use when joining the domain (host/my-server@MY.REALM.COM).

With "net ads keytab add" I can only add service principals without
specifying the FQDN of the desired principal.

Is there a way for me to add a "host/my-server2@MY.REALM.COM" principal
to the machines' keytab?

I'm very much out of ideas and have searched all the mailing lists'
archives to no avail :-(

Best regards and many thanks for any help!

John
L.P.H. van Belle
2015-Mar-06 08:07 UTC
[Samba] creating Kerberos host principals for multiple hostnames, multihomed server
Hai,

> Those machines need a working Kerberos login via multiple hostnames
> (each hostname has its own IP address and DNS is set up correctly.)

Looks to me a bit overkill, but you will have your reasons for a setup like this..

So.. you can try this..

Assuming this:
REALM=MY.REALM.TLD
DNSDOMAIN=my.domain.tld
and a service account for the SPNs.

You can also use the existing "hostname",
but for these extra SPNs I use an extra "service_account".

1) create "serviceaccount" for "HOSTNAME" : serviceaccount_name

2) create the SPNs for the service accounts
samba-tool spn add host/hostname.DNSDOMAIN serviceaccount_name ( or original hostname )
samba-tool spn add host/hostname.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )

samba-tool spn add host/hostname2.DNSDOMAIN serviceaccount_name ( or original hostname )
samba-tool spn add host/hostname2.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )

samba-tool spn add host/hostname3.DNSDOMAIN serviceaccount_name ( or original hostname )
samba-tool spn add host/hostname3.DNSDOMAIN@REALM serviceaccount_name ( or original hostname )
.. etc.

Now export the keytabs . .
samba-tool domain exportkeytab /tmp/hostnames-extra.keytab --principal=host/hostname.DNSDOMAIN
samba-tool domain exportkeytab /tmp/hostnames2-extra.keytab --principal=host/hostname2.DNSDOMAIN
samba-tool domain exportkeytab /tmp/hostnames3-extra.keytab --principal=host/hostname3.DNSDOMAIN
.. etc.

Check the keytab file:
klist -e -k /tmp/hostnames-extra.keytab
klist -e -k /tmp/hostnames2-extra.keytab
klist -e -k /tmp/hostnames3-extra.keytab

You should see all the hostnames, if correct make all keytab files in 1 file.

Type : ktutil
ktutil :

Read all the keytab files in ktutil:
rkt /tmp/hostnames-extra.keytab
rkt /tmp/hostnames2-extra.keytab
rkt /tmp/hostnames3-extra.keytab

Look : list ( use help to get to know ktutil )

Write the new keytab file:
wkt /tmp/new.keytab

and quit ktutil.

Check the new one..
klist -e -k /tmp/new.keytab

And you can also add the existing keytab file to it.
Then you have 1 keytab file for all hostnames.

If you also have different domain names, make sure you don't forget the krb5.conf.
Like ..
[realms]
    REALM = {
        kdc = samba-dc1.REALM
        admin_server = samba-dc1.REALM
    }

[domain_realm]
    .DNSDOMAIN = REALM
    DNSDOMAIN = REALM
    .DNSDOMAIN2 = REALM
    DNSDOMAIN2 = REALM

etc..

Good luck, now you know how.

Greetz,

Louis
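The procedure above ends with "you should see all the hostnames" in the merged keytab. The following check, added here as an example and not part of Louis's post, parses the output of "klist -e -k" (captured to a file or piped in) and reports which expected host/ principals are missing and which entries carry weak encryption types; the sample klist text, hostnames, domain and realm are constructed from the placeholders in the thread.

```python
import re

# Constructed sample of `klist -e -k /tmp/new.keytab` output in MIT Kerberos format.
# hostname3 is deliberately absent and hostname2 carries a stale RC4 key so the
# check has something to report.
SAMPLE_KLIST = """Keytab name: FILE:/tmp/new.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.my.domain.tld@MY.REALM.TLD (aes256-cts-hmac-sha1-96)
   2 host/hostname.my.domain.tld@MY.REALM.TLD (aes128-cts-hmac-sha1-96)
   2 host/hostname2.my.domain.tld@MY.REALM.TLD (aes256-cts-hmac-sha1-96)
   2 host/hostname2.my.domain.tld@MY.REALM.TLD (aes128-cts-hmac-sha1-96)
   1 host/hostname2.my.domain.tld@MY.REALM.TLD (arcfour-hmac)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -e -k` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:" header, column header, separator, blanks
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        entries.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return entries


def check_host_principals(text, hostnames, dnsdomain, realm):
    """List missing host/<fqdn>@REALM principals and entries using weak enctypes."""
    entries = parse_klist(text)
    missing, weak = [], []
    for host in hostnames:
        princ = f"host/{host}.{dnsdomain}@{realm}"
        if princ not in entries:
            missing.append(princ)
            continue
        for kvno, enctypes in entries[princ].items():
            for enc in sorted(enctypes):
                # RC4 and single DES keys should not survive in a merged keytab
                if enc.startswith(("arcfour", "des")):
                    weak.append((princ, kvno, enc))
    return {"missing": missing, "weak": weak}


if __name__ == "__main__":
    print(check_host_principals(SAMPLE_KLIST, ["hostname", "hostname2", "hostname3"],
                                "my.domain.tld", "MY.REALM.TLD"))
```

Run it against real output with "klist -e -k /tmp/new.keytab > klist.txt" and feed the file contents to check_host_principals with your own hostname list.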
John Wyzer
2015-Mar-06 12:44 UTC
[Samba] creating Kerberos host principals for multiple hostnames, multihomed server
On 06/03/15 09:07, L.P.H. van Belle wrote:
> good luck now you know how.

Thank you very much!

That helped me get all the keytabs correct and was a very useful exercise.
It did not help with the pam_krb5 login however.

Then I discovered this:

All this was not necessary to begin with. In order to be able to log into the
host via pam_krb5 via multiple hostnames, no additional principals are necessary.
Only the DNS has to be set up as follows:

n001.my.dnsdomain.tld        10  A    192.168.100.1
m001.my.dnsdomain.tld        10  A    192.168.101.1
i001.my.dnsdomain.tld        10  A    192.168.102.1
1.100.168.192.in-addr.arpa   10  ptr  n001.my.dnsdomain.tld
1.101.168.192.in-addr.arpa   10  ptr  n001.my.dnsdomain.tld
1.102.168.192.in-addr.arpa   10  ptr  n001.my.dnsdomain.tld

Now I can ssh into n001, m001 and i001, which are all the same machine, without a password prompt.

Perhaps there is a possibility to set up pam_krb5 in a way that can handle the
reverse lookup according to the hostname/ip address that was used to initiate
the login - but I did not find any and for my setup this is enough.

("hostname -A" returns all three hostnames, by the way...)

Many thanks again!

John
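John's DNS-only fix works because the Kerberos client canonicalises the host principal through a reverse lookup, so every alias ends up as host/n001. The following audit, added here as an example and not part of the thread, models that canonicalisation over constructed zone data (the three records from the post plus a deliberately broken alias whose PTR does not point at n001) and reports which aliases resolve to a principal present in the keytab; it assumes the simplified rule "PTR name if one exists, otherwise the alias itself".

```python
import ipaddress

# Constructed zone data: the A and PTR records from the post, plus "bad", whose
# PTR points back to itself instead of to n001 (the failing case).
A_RECORDS = {
    "n001.my.dnsdomain.tld": "192.168.100.1",
    "m001.my.dnsdomain.tld": "192.168.101.1",
    "i001.my.dnsdomain.tld": "192.168.102.1",
    "bad.my.dnsdomain.tld": "192.168.103.1",
}
PTR_RECORDS = {
    "1.100.168.192.in-addr.arpa": "n001.my.dnsdomain.tld",
    "1.101.168.192.in-addr.arpa": "n001.my.dnsdomain.tld",
    "1.102.168.192.in-addr.arpa": "n001.my.dnsdomain.tld",
    "1.103.168.192.in-addr.arpa": "bad.my.dnsdomain.tld",
}


def reverse_name(ip):
    """Build the in-addr.arpa (or ip6.arpa) name a resolver queries for the PTR."""
    return ipaddress.ip_address(ip).reverse_pointer


def canonical_host(alias, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Simplified rdns model: the name a client puts into host/<name> for this alias.

    Forward-resolve the alias, then reverse-resolve the address; if no PTR exists
    the alias is used unchanged (hypothetical rule, labelled in the lead-in).
    """
    ip = a_records.get(alias)
    if ip is None:
        return None
    return ptr_records.get(reverse_name(ip), alias)


def audit_aliases(keytab_hosts, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Split aliases into those that map to a keytab principal and those that do not."""
    ok, broken = [], []
    for alias in a_records:
        canon = canonical_host(alias, a_records, ptr_records)
        (ok if canon in keytab_hosts else broken).append((alias, canon))
    return ok, broken


if __name__ == "__main__":
    # Only host/n001 is in the machine keytab, exactly as in the post.
    print(audit_aliases({"n001.my.dnsdomain.tld"}))
```

The login now depends on PTR data, so the zone that serves these reverse records must be as trustworthy as the keytab itself; with rdns disabled on the client, the alias is used as-is and the extra principals from Louis's procedure are needed after all.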