Kees van Vloten
2021-Jul-04 20:53 UTC
[Samba] samba-tool domain exportkeytab fails silently
Hi Samba-team,

I am using samba 4.14 from Louis' repo and Debian Buster.

I have created some service accounts for apache with a SPN on each.
When I do:

samba-tool domain exportkeytab --principal=HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab

It creates the keytab with the principal.
When I do:

samba-tool domain exportkeytab --principal=HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab

It does not create any file and returns with rc=0

Both principals are created on a dedicated service (user) account (i.e. not on the computer account) with:

samba-tool spn add HTTP/host1.example.com@EXAMPLE.COM svc_host1_apache
samba-tool spn add HTTP/host2.example.com@EXAMPLE.COM svc_host2_apache

I ran the exportkeytab command with '-d 8' and then the difference in behaviour is visible:

samba-tool domain exportkeytab -d 8 --principal=HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab

...
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=example,DC=com NULL -> 1
gendb_search_v: DC=example,DC=com NULL -> 1
Export one principal to /path/host1_apache.keytab
gendb_search_v: DC=example,DC=com NULL -> 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (18) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1592: Saving entry with kvno [2] enctype [18] for principal: HTTP/host1.example.com@EXAMPLE.COM.
../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (23) and version (2)


samba-tool domain exportkeytab -d 8 --principal=HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab

...
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=example,DC=com NULL -> 1
gendb_search_v: DC=example,DC=com NULL -> 1
Export one principal to /path/host2_apache.keytab
gendb_search_v: DC=example,DC=com NULL -> 1

Both hosts have a computer-account. But since this is a principal on a user account, I would expect that to be irrelevant.
However the only difference I can come up with to explain this behaviour is that host1 has actually done a domain-join while host2 did not.

This leaves me with the questions:
- Why doesn't exportkeytab display any error nor return a rc != 0 when it fails?
- Why is exportkeytab failing in the first place?
- Apache has its own service (user) account and does not need the domain-join to authenticate users to its web-pages, or does it?

- Kees
On Sun, 2021-07-04 at 22:53 +0200, Kees van Vloten via samba wrote:
> Hi Samba-team,
> 
> I am using samba 4.14 from Louis' repo and Debian Buster.
> 
> I have created some service accounts for apache with a SPN on each.
> When I do:
> 
> samba-tool domain exportkeytab
> --principal=HTTP/host1.example.com@EXAMPLE.COM
> /path/host1_apache.keytab
> 
> It creates the keytab with the principal.
> When I do:
> 
> samba-tool domain exportkeytab
> --principal=HTTP/host2.example.com@EXAMPLE.COM
> /path/host2_apache.keytab
> 
> It does not create any file and returns with rc=0
> 
> Both principals are created on a dedicated service (user) account
> (i.e.
> not on the computer account) with:
> 
> samba-tool spn add HTTP/host1.example.com@EXAMPLE.COM
> svc_host1_apache
> samba-tool spn add HTTP/host2.example.com@EXAMPLE.COM
> svc_host2_apache
> 

Please check how you created the users and how you added the SPNs. It works for me, so you could have mistyped something.

If you still cannot find anything wrong with how you created everything, then check the users' SPNs etc.

It will also help if you can post exactly how you created the users and then added the SPNs.

Rowland
Andrew Bartlett
2021-Jul-04 22:13 UTC
[Samba] samba-tool domain exportkeytab fails silently
On Sun, 2021-07-04 at 22:53 +0200, Kees van Vloten via samba wrote:
> Hi Samba-team,
> 
> I am using samba 4.14 from Louis' repo and Debian Buster.
> 
> I have created some service accounts for apache with a SPN on each.
> When I do:
> 
> samba-tool domain exportkeytab
> --principal=HTTP/host1.example.com@EXAMPLE.COM
> /path/host1_apache.keytab
> 
> It creates the keytab with the principal.
> When I do:
> 
> samba-tool domain exportkeytab
> --principal=HTTP/host2.example.com@EXAMPLE.COM
> /path/host2_apache.keytab
> 
> It does not create any file and returns with rc=0
> 
> Both principals are created on a dedicated service (user) account
> (i.e.
> not on the computer account) with:
> 
> samba-tool spn add HTTP/host1.example.com@EXAMPLE.COM
> svc_host1_apache
> samba-tool spn add HTTP/host2.example.com@EXAMPLE.COM
> svc_host2_apache
> 

The issue is the @EXAMPLE.COM, we should block the creation of such entries as this creates an SPN of host2.example.com@EXAMPLE.COM@EXAMPLE.COM which isn't what you want.

Patches welcome :-)

> I ran the exportkeytab command with '-d 8' and then the difference
> in
> behaviour is visible:
> 
> samba-tool domain exportkeytab -d 8
> --principal=HTTP/host1.example.com@EXAMPLE.COM
> /path/host1_apache.keytab
> 
> ...
> 
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> schema_fsmo_init: we are master[yes] updates allowed[no]
> gendb_search_v: DC=example,DC=com NULL -> 1
> gendb_search_v: DC=example,DC=com NULL -> 1
> Export one principal to /path/host1_apache.keytab
> gendb_search_v: DC=example,DC=com NULL -> 1
> sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
> ../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for
> (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (18) and
> version (2)
> sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
> ../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab
> entries
> ../../lib/krb5_wrap/krb5_samba.c:1592: Saving entry with kvno [2]
> enctype [18] for principal: HTTP/host1.example.com@EXAMPLE.COM.
> ../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for
> (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (23) and
> version (2)
> 
> 
> samba-tool domain exportkeytab -d 8
> --principal=HTTP/host2.example.com@EXAMPLE.COM
> /path/host2_apache.keytab
> 
> ...
> 
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> schema_fsmo_init: we are master[yes] updates allowed[no]
> gendb_search_v: DC=example,DC=com NULL -> 1
> gendb_search_v: DC=example,DC=com NULL -> 1
> Export one principal to /path/host2_apache.keytab
> gendb_search_v: DC=example,DC=com NULL -> 1
> 
> Both hosts have a computer-account. But since this is a principal on
> a
> user account, I would expect that to be irrelevant.
> However the only difference I can come up with to explain this
> behaviour
> is that host1 has actually done a domain-join while host2 did not.
> 
> This leaves me with the questions:
> - Why doesn't exportkeytab display any error nor returns a rc != 0
> when
> it fails?

That is a reasonable request, originally the tool was built to export all entries, and then a filter was added. That nothing matches the filter is an additional error case that should be checked for.

> - Why is exporttab failing in the first place?

Because of too many @s in the SPN.

> - Apache has its own service (user) account and does not need the
> domain-join to authenticate users to its web-pages, or does it?

This is the normal arrangement. Ensure the password on the account is strong.

Otherwise, Samba can have the SPN added to its own account and manage the keytab.
Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
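The two failure modes Andrew describes above (an SPN that already carries "@EXAMPLE.COM", so exportkeytab builds a principal with two realms and its --principal filter matches nothing, and exportkeytab exiting 0 when nothing matched) can both be guarded for from a shell script. The script below is an added example written for this thread, not Samba code and not something either poster ran. It assumes samba-tool is on PATH on the DC, that `samba-tool user show <account>` prints the entry as LDIF with one `servicePrincipalName: value` per line, and it reuses the account, SPN and path names from the thread. The LDIF sample at the bottom is constructed to mirror the misconfigured account.

```sh
#!/bin/sh
# Added example for the samba-tool exportkeytab thread; not part of Samba.
# Assumes samba-tool on PATH and LDIF-style output from "samba-tool user show".

# An AD servicePrincipalName is "service/host[:port][/name]" with no realm.
# A value that already contains '@' ends up exported as host@REALM@REALM,
# which is what made --principal=HTTP/host2.example.com@EXAMPLE.COM miss.
spn_is_valid() {
    case "$1" in
        *@*) return 1 ;;   # realm suffix present: reject
        */*) return 0 ;;   # service/host shape: accept
        *)   return 1 ;;   # no service part at all: reject
    esac
}

# Read LDIF on stdin and print every servicePrincipalName that fails the
# check above. Base64 ("servicePrincipalName::") values are not decoded here.
find_bad_spns() {
    sed -n 's/^servicePrincipalName: //p' | while IFS= read -r spn; do
        spn_is_valid "$spn" || printf '%s\n' "$spn"
    done
}

# Strip everything from the first '@' onwards to get the SPN as it should
# have been added (e.g. HTTP/host2.example.com@EXAMPLE.COM -> HTTP/host2.example.com).
bare_spn() {
    printf '%s\n' "${1%%@*}"
}

# Replace a realm-suffixed SPN on an account with its bare form.
# Usage: fix_spn 'HTTP/host2.example.com@EXAMPLE.COM' svc_host2_apache
fix_spn() {
    bad=$1; account=$2
    samba-tool spn delete "$bad" "$account" &&
    samba-tool spn add "$(bare_spn "$bad")" "$account"
}

# exportkeytab with an explicit "did it write anything" check, because the
# tool returns 0 even when the --principal filter matched no entry.
# Usage: export_keytab_checked HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab
export_keytab_checked() {
    principal=$1; out=$2
    rm -f "$out"
    samba-tool domain exportkeytab --principal="$principal" "$out" || return 1
    if [ ! -s "$out" ]; then
        echo "exportkeytab wrote nothing for $principal (no matching entry?)" >&2
        return 2
    fi
    chmod 600 "$out"   # the keytab holds the service account's long-term keys
}

# Constructed sample of "samba-tool user show svc_host2_apache" output for the
# misconfigured account; the second SPN is the one that breaks the export.
SAMPLE_LDIF='dn: CN=svc_host2_apache,CN=Users,DC=example,DC=com
servicePrincipalName: HTTP/host1.example.com
servicePrincipalName: HTTP/host2.example.com@EXAMPLE.COM'

# Offline demonstration: lists HTTP/host2.example.com@EXAMPLE.COM
printf '%s\n' "$SAMPLE_LDIF" | find_bad_spns
```

On a live DC you would pipe `samba-tool user show svc_host2_apache | find_bad_spns`, run `fix_spn` on each value it prints, and then use `export_keytab_checked` instead of calling exportkeytab directly so that a silent empty export fails the deployment step rather than Apache's first Negotiate request.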