Sam R
2021-Sep-16 10:09 UTC
[Samba] Can't kinit SPN - Client not found in Kerberos database while getting initial credentials
Hello to all,

I am trying to set up a GSSAPI connection for postfix smtp with cyrus SASL and saslauthd.
I have two AD samba4 servers.
I am creating a keytab file for the smtp service but I am stuck.
To limit the possibilities I test directly the kinit command on the AD server, but without success.... Here is the detail of what I do:

samba-tool user create --random-password postfixuser
samba-tool user setexpiry --noexpiry postfixuser
samba-tool spn add smtp/smtp.internaldom.name postfixuser
samba-tool domain exportkeytab /root/smtp.keytab --principal=smtp/smtp.internaldom.name

kinit -V -k -t /root/smtp.keytab smtp/smtp.internaldom.name
Using default cache: /tmp/krb5cc_0
Using principal: smtp/smtp.internaldom.name at INTERNALDOM.NAME
Using keytab: /root/smtp.keytab
kinit: Client ' smtp/smtp.internaldom.name at INTERNALDOM.NAME ' not found in Kerberos database while getting initial credentials

If anyone has a lead...

Thanks a lot.

Samuel
Andrew Bartlett
2021-Sep-16 10:13 UTC
[Samba] Can't kinit SPN - Client not found in Kerberos database while getting initial credentials
On Thu, 2021-09-16 at 12:09 +0200, Sam R via samba wrote:
> Hello to all,
>
> I am trying to set up a GSSAPI connection for postfix smtp with cyrus SASL
> and saslauthd.
> I have two AD samba4 servers.
> I am creating a keytab file for the smtp service but I am stuck.
> To limit the possibilities I test directly the kinit command on the AD
> server, but without success.... Here is the detail of what I do:
>
> samba-tool user create --random-password postfixuser
> samba-tool user setexpiry --noexpiry postfixuser
> samba-tool spn add smtp/smtp.internaldom.name postfixuser
> samba-tool domain exportkeytab /root/smtp.keytab --principal=smtp/
> smtp.internaldom.name
>
> kinit -V -k -t /root/smtp.keytab smtp/smtp.internaldom.name
> Using default cache: /tmp/krb5cc_0
> Using principal: smtp/smtp.internaldom.name at INTERNALDOM.NAME
> Using keytab: /root/smtp.keytab
> kinit: Client ' smtp/smtp.internaldom.name at INTERNALDOM.NAME ' not found in
> Kerberos database while getting initial credentials
>
> If anyone has a lead...

In Samba, and in AD, an SPN is not a UPN. While in traditional kerberos a principal is a principal no matter what. This creates a disconnect in documentation that was written for traditional Kerberos.

You don't need to do the kinit step to use the keytab, just configure it in your postfix and it should work.

If you must run the kinit (to feel comfortable the keytab matches), then you will need to add smtp/smtp.internaldom.name at INTERNALDOM.NAME (the full principal name) as the userPrincipalName.

I hope this helps,

Andrew Bartlett

> Thanks a lot.
>
> Samuel

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
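Andrew's answer separates two things: whether the keytab is correct (a property of the file) and whether kinit can obtain a TGT for the name inside it (a property of the KDC's account, which in AD means the name must be a userPrincipalName, not only a servicePrincipalName). The file-side question can be answered without touching the KDC. The following is an added example for this thread, not Samba or MIT Kerberos code: it parses a keytab in the MIT 0x0502 layout and reports whether the expected SPN, key version and acceptable encryption types are present, which is the same information `klist -k -t -e` prints. The sample keytab is constructed in memory with dummy key bytes, a constructed timestamp and name type 1 (KRB5_NT_PRINCIPAL); `build_keytab` and `check_service_keytab` are helper names chosen here, and the "weak enctype" rule (flagging arcfour-hmac, enctype 23) is this example's own policy.

```python
"""Inspect a Kerberos keytab and check that it carries the SPN a service will use.

Added example for the samba thread above (not Samba project code). The keytab
bytes are constructed here with dummy keys; real keytabs come from
`samba-tool domain exportkeytab`. Layout follows the MIT keytab format 0x0502.
"""
import struct

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1                      # name type used for the constructed sample
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {23}                       # RC4-based; this example flags it


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, timestamp=0):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct sample input for this example."""
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        # 0x0502: num_components excludes the realm; realm comes first as a counted string
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)    # optional 32-bit kvno suffix
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(buf, off):
    n, = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Return a list of dicts, one per live entry in a 0x0502 keytab."""
    version, = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        off = 0
        ncomp, = struct.unpack_from(">H", entry, off); off += 2
        realm, off = _read_counted(entry, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(entry, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, off); off += 9
        enctype, = struct.unpack_from(">H", entry, off); off += 2
        key, off = _read_counted(entry, off)
        kvno = vno8
        if off + 4 <= len(entry):          # 32-bit kvno, when present and non-zero, wins
            kvno32, = struct.unpack_from(">I", entry, off)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
    return entries


def keytab_principals(data: bytes):
    return sorted({e["principal"] for e in parse_keytab(data)})


def check_service_keytab(data: bytes, spn: str, kvno=None):
    """Return a list of problems for the keytab; empty when it looks usable for spn."""
    problems = []
    matches = [e for e in parse_keytab(data) if e["principal"] == spn]
    if not matches:
        return ["no entry for %s" % spn]
    if kvno is not None and not any(e["kvno"] == kvno for e in matches):
        problems.append("no entry with kvno %d (keytab stale after a key change?)" % kvno)
    for e in matches:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s"
                            % (ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), spn))
    return problems


# Constructed sample: the SPN from the thread, kvno 2, three enctypes, dummy keys.
SPN = "smtp/smtp.internaldom.name@INTERNALDOM.NAME"
SAMPLE_KEYTAB = build_keytab([(SPN, 2, 18, b"\x11" * 32),
                              (SPN, 2, 17, b"\x22" * 16),
                              (SPN, 2, 23, b"\x33" * 16)], timestamp=1631786940)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"],
                                     ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    print(check_service_keytab(SAMPLE_KEYTAB, SPN, kvno=2))
```

The check looks only for the service principal; it deliberately does not ask whether that name can obtain a TGT, because that depends on the account's userPrincipalName in AD rather than on the keytab. Run against a real export, replace `SAMPLE_KEYTAB` with the bytes of `/root/smtp.keytab` and the expected kvno with the account's current msDS-KeyVersionNumber.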