Lorenzo Milesi
2021-Jul-16 14:13 UTC
[Samba] Cannot create keytab for Apache Kerberos auth: Client SPN_RECORD not found in Kerberos database while getting initial credentials
Hi. I'm trying to configure nginx (or apache) with Kerberos authentication but I'm unable to generate a usable keytab file.

Env:

# samba-tool domain info 127.1
Forest           : ad.internal.contoso.com
Domain           : ad.internal.contoso.com
Netbios domain   : MYAD
DC name          : dc1.ad.internal.contoso.com
DC netbios name  : DC1
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name

# samba -V
Version 4.14.6-Debian

# cat /etc/krb5.conf
[libdefaults]
    default_realm = AD.INTERNAL.CONTOSO.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false

Following [1] and other guides I ended up with the following commands:

# samba-tool user create --random-password webauth
# samba-tool user setexpiry webauth --noexpiry
# samba-tool spn add HTTP/test2021.domain.com webauth
# samba-tool spn add HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM webauth
# samba-tool spn list webauth
webauth
User CN=webauth,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com has the following servicePrincipalName:
         HTTP/test2021.domain.com
         HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM

I didn't set up DNS because test2021.domain.com is a public host and has A and PTR records.

Then I add ciphers with:

# net ads enctypes set webauth
'webauth' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

# samba-tool domain exportkeytab /tmp/abc.keyttab --principal=HTTP/test2021.domain.com

(executing the command adding the Kerberos realm suffix produces the same keytab file, and the same result below)

# klist -kte /tmp/abc.keyttab
Keytab name: FILE:/tmp/abc.keyttab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (arcfour-hmac)
   2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (aes256-cts-hmac-sha1-96)
   2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (aes128-cts-hmac-sha1-96)

Without even moving the keytab to the webserver, if I try to use it locally on the DC I get:

# kinit -5 -V -k -t /tmp/abc.keyttab HTTP/test2021.domain.com
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM
Using keytab: /tmp/abc.keyttab
kinit: Client 'HTTP/test2021.ufficyo.com@AD.INTERNAL.CONTOSO.COM' not found in Kerberos database while getting initial credentials

Same result on the webserver.
Other guides suggest adding an SPN also for host/test2021.domain.com and merging both keys into a single keytab using ktutil; I tried, but I got the same result.
Most of the guides I found generate the SPN from a Windows machine; I fear I'm doing something wrong using the corresponding commands on Linux.

What am I doing wrong?

Thanks

[1] https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
YetOpen - https://www.yetopen.com/
Via Salerno 18 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - info.it at yetopen.com | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Phone +1 919-817-8106 - info.us at yetopen.com
Think green - Don't print this email unless necessary

-------- Legislative Decree 196/2003 and GDPR 679/2016 --------
All information contained in this message is confidential and for the sole use of the recipient. All information contained herein, including any attachments, is to be considered confidential under the terms of Legislative Decree 196/2003 on privacy and European Regulation 679/2016 (GDPR), and any further unauthorized use is therefore prohibited. If you have received this message in error, please delete it without copying, printing or forwarding it to third parties, and notify us as soon as possible. Thank you.

Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
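The post above relies on two pieces of output that are easy to misread by eye: the `msDS-SupportedEncryptionTypes` bitmask that `net ads enctypes` prints, and the list of keys that `klist -kte` shows from the exported keytab. The following script, added here as an example and not part of the thread or of Samba, decodes both: it re-implements the MIT keytab file format (version 0x0502, the format `samba-tool domain exportkeytab` writes) so the entries can be inspected programmatically, and it flags the DES and RC4 types that a value of 31 leaves enabled. The sample keytab is constructed in-process with dummy key bytes; the timestamp is an arbitrary constant.

```python
"""Audit a Kerberos keytab and an msDS-SupportedEncryptionTypes value.

Added example, not Samba's code. It parses MIT keytab format 0x0502 and
decodes the enctype bitmask shown by `net ads enctypes`; the sample keytab
below is constructed here with dummy keys, not exported from a DC.
"""
import struct

# Bits of msDS-SupportedEncryptionTypes, in the order `net ads enctypes` lists them.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
LEGACY_BITS = 0x01 | 0x02 | 0x04  # DES and RC4: legacy types, no longer considered safe

# Kerberos enctype numbers used inside keytab entries (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1


def decode_supported_enctypes(value):
    """Split an msDS-SupportedEncryptionTypes integer into (enabled, legacy) name lists."""
    enabled = [name for bit, name in ENCTYPE_BITS.items() if value & bit]
    legacy = [name for bit, name in ENCTYPE_BITS.items() if value & bit & LEGACY_BITS]
    return enabled, legacy


def _counted(data, pos):
    """Read a 16-bit length-prefixed string at pos; return (text, new_pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(keys, timestamp=1626447688):
    """Serialize (principal, realm, kvno, enctype, key_bytes) tuples into keytab bytes.

    Used only to construct sample input; real keytabs come from `samba-tool domain exportkeytab`.
    """
    out = bytearray(b"\x05\x02")                        # keytab format version 2
    for principal, realm, kvno, enctype, key in keys:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:                       # realm first, then name components
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes into a list of dicts (principal, kvno, enctype, timestamp, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, keylen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:                              # 32-bit kvno, if present, overrides vno8
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp, "key": key})
    return entries


def audit_keytab(data):
    """Return (principal, kvno, enctype_name, is_weak) per key, mirroring `klist -kte`."""
    return [(e["principal"], e["kvno"],
             ENCTYPE_NAMES.get(e["enctype"], "enctype-%d" % e["enctype"]),
             e["enctype"] in WEAK_ENCTYPES) for e in parse_keytab(data)]


REALM = "AD.INTERNAL.CONTOSO.COM"
SPN = "HTTP/test2021.domain.com"
# Constructed sample mirroring the klist output in the post; keys are dummy bytes, not real material.
SAMPLE_KEYTAB = build_keytab([
    (SPN, REALM, 2, 23, bytes(range(16))),       # arcfour-hmac, 16-byte key
    (SPN, REALM, 2, 18, bytes(range(32))),       # aes256-cts-hmac-sha1-96, 32-byte key
    (SPN, REALM, 2, 17, bytes(range(16, 32))),   # aes128-cts-hmac-sha1-96, 16-byte key
])

if __name__ == "__main__":
    enabled, legacy = decode_supported_enctypes(31)
    print("msDS-SupportedEncryptionTypes=31 enables:", ", ".join(enabled))
    print("legacy types still enabled:", ", ".join(legacy) or "none")
    for principal, kvno, name, weak in audit_keytab(SAMPLE_KEYTAB):
        print("%4d %s (%s)%s" % (kvno, principal, name, "  <- legacy enctype" if weak else ""))
```

Run against a real export with `audit_keytab(open("/tmp/abc.keyttab", "rb").read())`. The keytab in the post carries an `arcfour-hmac` key alongside the AES ones because bit 0x04 is set in the account's `msDS-SupportedEncryptionTypes`; a value of 0x18 would restrict the account to AES and the next export would contain only the two AES entries.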
Lorenzo Milesi
2021-Jul-17 04:48 UTC
[Samba] Cannot create keytab for Apache Kerberos auth: Client SPN_RECORD not found in Kerberos database while getting initial credentials
> kinit: Client 'HTTP/test2021.ufficyo.com@AD.INTERNAL.CONTOSO.COM' not found in
> Kerberos database while getting initial credentials

The problem seems to be in how Samba stores userPrincipalName. Bug #9113 [1] has the solution (or probably a workaround):

> If I change 'userPrincipalName' in Samba 4 via ldbedit to the value of 'servicePrincipalName' + REALM, then kinit works.

And indeed updating the attribute finally made kinit work!
I suppose this means there must be a single account for each service, while SPN is supposed to authenticate several services with a single account. I wonder how it behaves with CNAME hosts.
I also found a thread from last year [2] on this ml reporting a possible bug in how searches are performed for SPN entries, but couldn't find a corresponding bugzilla entry for it.

[1] https://bugzilla.samba.org/show_bug.cgi?id=9113
[2] https://lists.samba.org/archive/samba/2020-June/230197.html

--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
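The workaround in the follow-up is a consistency condition between two attributes: `kinit -k` with the exported keytab only succeeds when the account's `userPrincipalName` equals one of its `servicePrincipalName` values with the realm appended. The script below, an added example that is not part of the thread or of Samba, audits that condition over an LDIF export of the service accounts (a real export would come from ldbsearch or ldapsearch against the DC; the one embedded here is constructed). It also reports the case the poster wonders about: an account with several distinct SPN hosts can only have its single `userPrincipalName` match one of them, so the others are flagged as "partial". The parser handles only the LDIF subset shown (plain `attr: value` lines and folded continuation lines, no base64 values).

```python
"""Audit service accounts for the userPrincipalName workaround from bug #9113.

Added example, not Samba's code. Reads a minimal LDIF export (constructed below)
and reports accounts whose userPrincipalName does not equal one of their
servicePrincipalName values qualified with the Kerberos realm.
"""

REALM = "AD.INTERNAL.CONTOSO.COM"


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry.

    Supports plain 'attr: value' lines and folded continuation lines (leading space);
    base64 ('attr:: value') and URL values are out of scope for this example.
    """
    entries, current, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev is not None:     # folded line continues the previous value
            current[prev][-1] += raw[1:]
            continue
        if not raw.strip():                              # blank line ends an entry
            if current:
                entries.append(current)
            current, prev = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        prev = attr
    if current:
        entries.append(current)
    return entries


def qualify(spn, realm):
    """Return the SPN with the realm appended unless it already carries one."""
    return spn if "@" in spn else "%s@%s" % (spn, realm)


def check_spn_upn(ldif_text, realm=REALM):
    """Return one finding per service account that would fail the keytab kinit.

    status 'mismatch': userPrincipalName equals none of the SPN@REALM values.
    status 'partial' : it equals one, but the account carries other SPN hosts
                       that cannot be matched by the same single UPN.
    Accounts without servicePrincipalName are skipped.
    """
    findings = []
    for entry in parse_ldif(ldif_text):
        spns = entry.get("servicePrincipalName", [])
        if not spns:
            continue
        expected = sorted({qualify(s, realm) for s in spns})
        upn = (entry.get("userPrincipalName") or [None])[0]
        status = None
        if upn not in expected:
            status = "mismatch"
        elif len(expected) > 1:
            status = "partial"
        if status:
            findings.append({"account": entry.get("sAMAccountName", ["?"])[0],
                             "upn": upn, "expected": expected, "status": status})
    return findings


# Constructed sample modelled on the attributes in the thread; hostnames other than
# the poster's are placeholders.
SAMPLE_LDIF = """\
# constructed sample export
dn: CN=webauth,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com
sAMAccountName: webauth
userPrincipalName: webauth@AD.INTERNAL.CONTOSO.COM
servicePrincipalName: HTTP/test2021.domain.com
servicePrincipalName: HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM

dn: CN=webauth2,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com
sAMAccountName: webauth2
userPrincipalName: HTTP/intranet.example.com@AD.INTERNAL.CO
 NTOSO.COM
servicePrincipalName: HTTP/intranet.example.com

dn: CN=multi,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com
sAMAccountName: multi
userPrincipalName: HTTP/a.example.com@AD.INTERNAL.CONTOSO.COM
servicePrincipalName: HTTP/a.example.com
servicePrincipalName: HTTP/b.example.com

dn: CN=alice,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com
sAMAccountName: alice
userPrincipalName: alice@AD.INTERNAL.CONTOSO.COM
"""

if __name__ == "__main__":
    for f in check_spn_upn(SAMPLE_LDIF):
        print("%-9s %-8s upn=%s expected one of %s" % (f["account"], f["status"], f["upn"], f["expected"]))
```

On the sample, `webauth` is reported as a mismatch with the expected value `HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM`, which is exactly the ldbedit change the bug report describes; `webauth2` passes, and `multi` is reported as partial.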