On Mon, 2021-07-05 at 11:32 +0200, Kees van Vloten wrote:
>
> Mistyping something is not likely since I use Ansible for everything. A
> possibility is a code change that makes things fail. The host1 SPN has
> been there for some time, whereas the host2 service-account and SPN are new.
> This is an excerpt of the code:
>
> - name: "service_account_manage.yml - create service account"
>   command: "samba-tool user create {{ service_account }} \
>     --userou='{{ g_all_samba_dc.locate.service_accounts }}' \
>     --random-password \
>     --username={{ g_all_samba_dc.ldap.ansible_admin_user.name }} \
>     --password='{{ g_all_samba_dc.ldap.ansible_admin_user.password }}'"
>
> - name: "service_account_manage_spn.yml - create new service principal"
>   command: "samba-tool spn add {{ principal_name }}/{{ fqdn }}@{{ all_samba_dc.realm }} {{ service_account }}"
>
> - name: "service_account_manage_spn.yml - create keytab in cache"
>   command: "samba-tool domain exportkeytab -d 8 --principal={{ principal_name }}/{{ fqdn }}@{{ all_samba_dc.realm }} \
>     {{ c_server_domain_samba_dc_user.cache }}/{{ service_account }}_{{ principal_name }}.keytab"
>
> I will remove the @{{ all_samba_dc.realm }} as Andrew suggested in the
> other mail.
>
> A samba-tool show user on both accounts shows very similar output:
>
> dn: CN=svc_host1_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_host1_apache
> instanceType: 4
> whenCreated: 20210517162819.0Z
> uSNCreated: 4560
> name: svc_host1_apache
> objectGUID: d9d34aa1-8f75-4019-ac0f-2306768a945c
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1164
> sAMAccountName: svc_host1_apache
> sAMAccountType: 805306368
> userPrincipalName: svc_host1_apache@example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 132657424999463080
> userAccountControl: 512
> msDS-SupportedEncryptionTypes: 16
> accountExpires: 0
> servicePrincipalName: HTTP/host1.example.com@EXAMPLE.COM
> whenChanged: 20210620184321.0Z
> uSNChanged: 5154
> lastLogon: 132688599123876860
> logonCount: 16
> lastLogonTimestamp: 132685880428809030
> distinguishedName: CN=svc_host1_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
>
>
> dn: CN=svc_host2_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_host2_apache
> instanceType: 4
> whenCreated: 20210704150128.0Z
> uSNCreated: 5562
> name: svc_host2_apache
> objectGUID: 59393395-79a7-42bf-91e9-00fbfbfd1aba
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1230
> sAMAccountName: svc_host2_apache
> sAMAccountType: 805306368
> userPrincipalName: svc_host2_apache@example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 132698844889558010
> userAccountControl: 512
> msDS-SupportedEncryptionTypes: 16
> accountExpires: 0
> servicePrincipalName: HTTP/host2.example.com@EXAMPLE.COM
> whenChanged: 20210704150200.0Z
> uSNChanged: 5567
> lastLogon: 0
> logonCount: 0
> distinguishedName: CN=svc_host2_apache,OU=Service Accounts,OU=Users,DC=example,DC=com
>
> The only difference is that host1 had (LDAP) logons against the account.
>
> Is there a way I can check the contents of the Kerberos database?
>
> - Kees
>
Andrew might be right (he usually is), but I created a couple of users
and added the SPNs to them and I could export both keytabs.
You can read the contents of a keytab with ktutil:

ktutil
ktutil: rkt /tmp/rpidc1_apache.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   3    2 HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM

Rowland
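When ktutil is not at hand, the same check can be done by reading the keytab directly. The following is an added example, not code from this thread or from Samba: it parses the MIT version-2 keytab format that samba-tool domain exportkeytab writes and lists slot, KVNO, principal and enctype the way ktutil's "l" does, skipping deleted slots. The build_entry helper, the sample keytab bytes and the key material are constructed for the example.

```python
import struct

KRB5_NT_PRINCIPAL = 1

def build_entry(principal, kvno, enctype, key, deleted=False):
    """Hypothetical helper: serialise one keytab entry so the example has input to parse."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key              # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                                  # 32-bit vno (what ktutil shows as KVNO)
    size = -len(body) if deleted else len(body)  # a negative size marks a deleted slot
    return struct.pack(">i", size) + body

def parse_keytab(data):
    """Return [(slot, kvno, principal, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos, slot = [], 2, 0
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                        # deleted entry: skip its bytes entirely
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        slot += 1
        entries.append((slot, vno32 or vno8, "/".join(comps) + "@" + realm, enctype))
        pos = end
    return entries

def has_principal(entries, principal):
    """True when at least one live slot carries the given principal."""
    return any(e[2] == principal for e in entries)

SPN = "HTTP/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM"
# Constructed sample keytab: one deleted slot, then AES128, AES256 and RC4 keys at KVNO 2.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("host/old@SAMDOM.EXAMPLE.COM", 1, 18, b"\x00" * 32, deleted=True)
SAMPLE_KEYTAB += b"".join(build_entry(SPN, 2, et, bytes([et]) * n) for et, n in ((17, 16), (18, 32), (23, 16)))

if __name__ == "__main__":
    print("slot KVNO Principal")
    for slot, kvno, princ, et in parse_keytab(SAMPLE_KEYTAB):
        print(f"{slot:4} {kvno:4} {princ} (enctype {et})")
```

To check a real file, replace SAMPLE_KEYTAB with open(path, "rb").read(); a principal that is missing from the list, or a KVNO that lags the account's current one, explains a service that cannot accept tickets.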