Hi

I have Samba 4 installed and working. I recently changed the FQDN to the DNS name hh3.hh3.site. It works OK and e.g. on a Windows 7 box which joined the domain, users can log on. But I have a mess in the keytab:

klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HH3$@HH3.HH1.SITE
   2 HH3$@HH3.HH1.SITE
   2 HH3$@HH3.HH1.SITE
   2 host/HH3@HH3.HH1.SITE
   2 host/HH3@HH3.HH1.SITE
   2 host/HH3@HH3.HH1.SITE
   2 host/hh3.hh3.hh1.site@HH3.HH1.SITE
   2 host/hh3.hh3.hh1.site@HH3.HH1.SITE
   2 host/hh3.hh3.hh1.site@HH3.HH1.SITE
   2 host/HH3.HH3.HH1.SITE@HH3.HH1.SITE
   2 host/HH3.HH3.HH1.SITE@HH3.HH1.SITE
   2 host/HH3.HH3.HH1.SITE@HH3.HH1.SITE
   2 host/HH3.hh3.hh1.site@HH3.HH1.SITE
   2 host/HH3.hh3.hh1.site@HH3.HH1.SITE
   2 host/HH3.hh3.hh1.site@HH3.HH1.SITE
   2 host/hh3.HH3.HH1.SITE@HH3.HH1.SITE
   2 host/hh3.HH3.HH1.SITE@HH3.HH1.SITE
   2 host/hh3.HH3.HH1.SITE@HH3.HH1.SITE
   2 host/hh3@HH3.HH1.SITE
   2 host/hh3@HH3.HH1.SITE
   2 host/hh3@HH3.HH1.SITE
   2 cifs/hh3.hh3.hh1.site@HH3.HH1.SITE
   2 cifs/hh3.hh3.hh1.site@HH3.HH1.SITE
   2 cifs/hh3.hh3.hh1.site@HH3.HH1.SITE
   2 cifs/HH3.HH3.HH1.SITE@HH3.HH1.SITE
   2 cifs/HH3.HH3.HH1.SITE@HH3.HH1.SITE
   2 cifs/HH3.HH3.HH1.SITE@HH3.HH1.SITE
   2 cifs/HH3.hh3.hh1.site@HH3.HH1.SITE
   2 cifs/HH3.hh3.hh1.site@HH3.HH1.SITE
   2 cifs/HH3.hh3.hh1.site@HH3.HH1.SITE
   2 cifs/hh3.HH3.HH1.SITE@HH3.HH1.SITE
   2 cifs/hh3.HH3.HH1.SITE@HH3.HH1.SITE
   2 cifs/hh3.HH3.HH1.SITE@HH3.HH1.SITE
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 host/HH3@HH3.SITE
   2 host/HH3@HH3.SITE
   2 host/HH3@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/HH3.HH3.SITE@HH3.SITE
   2 host/HH3.HH3.SITE@HH3.SITE
   2 host/HH3.HH3.SITE@HH3.SITE
   2 host/HH3.hh3.site@HH3.SITE
   2 host/HH3.hh3.site@HH3.SITE
   2 host/HH3.hh3.site@HH3.SITE
   2 host/hh3.HH3.SITE@HH3.SITE
   2 host/hh3.HH3.SITE@HH3.SITE
   2 host/hh3.HH3.SITE@HH3.SITE
   2 host/hh3@HH3.SITE
   2 host/hh3@HH3.SITE
   2 host/hh3@HH3.SITE
   2 cifs/hh3.hh3.site@HH3.SITE
   2 cifs/hh3.hh3.site@HH3.SITE
   2 cifs/hh3.hh3.site@HH3.SITE
   2 cifs/HH3.HH3.SITE@HH3.SITE
   2 cifs/HH3.HH3.SITE@HH3.SITE
   2 cifs/HH3.HH3.SITE@HH3.SITE
   2 cifs/HH3.hh3.site@HH3.SITE
   2 cifs/HH3.hh3.site@HH3.SITE
   2 cifs/HH3.hh3.site@HH3.SITE
   2 cifs/hh3.HH3.SITE@HH3.SITE
   2 cifs/hh3.HH3.SITE@HH3.SITE
   2 cifs/hh3.HH3.SITE@HH3.SITE
   1 steve4@HH3.SITE
   1 steve4@HH3.SITE
   1 steve4@HH3.SITE
   2 steve5@HH3.SITE
   2 steve5@HH3.SITE
   2 steve5@HH3.SITE
   1 lynn2@HH3.SITE
   1 lynn2@HH3.SITE
   1 lynn2@HH3.SITE

This all seems OK:

Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46585 for STEVE-PC$@HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:01 starttime: 2012-01-08T09:35:16 endtime: 2012-01-08T19:35:01 renew till: 2012-01-15T09:35:01

Kerberos: TGS-REQ steve4@HH3.SITE from ipv4:192.168.1.2:46577 for host/steve-pc.hh3.site@HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:06 starttime: 2012-01-08T09:35:06 endtime: 2012-01-08T19:35:06 renew till: 2012-01-15T09:35:06

Got user=[] domain=[] workstation=[STEVE-PC] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[STEVE-PC]
auth_check_password_send: mapped user is: [CACTUS]\[]@[STEVE-PC]

But I also get this:

Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46588 for steve-pc$\@HH3.SITE@HH3.SITE [canonicalize, request-anonymous, renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from steve-pc$@HH3.SITE (steve-pc$@HH3.SITE) as steve-pc$@HH3.SITE to steve-pc$\@HH3.SITE@HH3.SITE not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.1.2:46588

Which I think is due to the keytab.

smb.conf contains:

[global]
server role = domain controller
workgroup = CACTUS
realm = hh3.site
netbios name = HH3
passdb backend = samba4
template shell = /bin/bash

So, 2 very newbie questions:

1. Is there any way I can tidy up the keytab to see if it removes that error?
2. In the above example, steve-pc is a Windows 7 client which is joined to the domain called CACTUS. Why doesn't steve-pc$ appear in the keytab listing?

Thanks
Steve.
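The listing above shows the pattern worth auditing in any exported keytab: entries for a realm the box has left (HH3.HH1.SITE), host/ and cifs/ principals for a hostname it no longer has, and plain user principals that have no business in a service keytab. This is an added example, not code from the post: a small Python audit of `klist -k` output, run on a constructed cut-down sample; the realm and FQDN are the ones from the smb.conf and message above.

```python
import re
from collections import Counter

# Constructed sample in the shape of `klist -k` output (a cut-down version of the
# listing in the post); mail archives often rewrite "@" as " at ", so both parse.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HH3$@HH3.HH1.SITE
   2 HH3$@HH3.HH1.SITE
   2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 cifs/hh3.hh3.site@HH3.SITE
   1 steve4@HH3.SITE
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output, skipping headers."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Keytab name", "KVNO", "----")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).replace(" at ", "@")))
    return entries

def audit_keytab(text, realm, fqdn):
    """Flag entries that do not belong in this host's keytab for realm/fqdn:
    other realms, service principals for a hostname this box no longer has,
    plain user principals, and (kvno, principal) pairs listed more than once."""
    entries = parse_klist(text)
    realm = realm.upper()
    hosts = {fqdn.lower(), fqdn.split(".")[0].lower()}    # FQDN and short name
    principals = {p for _, p in entries}
    svc = {p for p in principals if "/" in p}              # service/instance@REALM
    machine = {p for p in principals if p.split("@")[0].endswith("$")}
    return {
        "foreign_realm": sorted(p for p in principals if p.rsplit("@", 1)[-1] != realm),
        "stale_hosts": sorted(p for p in svc
                              if p.split("@")[0].split("/", 1)[1].lower() not in hosts),
        "user_principals": sorted(principals - svc - machine),
        # Usually one line per encryption type, not true duplicates; see `klist -k -e`.
        "repeated": sorted(p for (_, p), n in Counter(entries).items() if n > 1),
    }
```

The three-fold repeats in the original listing are most likely one entry per encryption type rather than true duplicates; `klist -k -e` prints the enctype on each line, which tells them apart.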
On 2012-01-08 10:13, steve wrote:
> Hi
> I have Samba 4 installed and working. I recently changed the FQDN to the DNS
> name hh3.hh3.site. It works OK and e.g. on a Windows 7 box which
> joined the domain, users can log on. But I have a mess in the keytab:
>
> [...]
>
> So, 2 very newbie questions:
>
> 1. Is there any way I can tidy up the keytab to see if it removes that error?
> 2. In the above example, steve-pc is a Windows 7 client which is
> joined to the domain called CACTUS. Why doesn't steve-pc$ appear in
> the keytab listing?
>
> Thanks
> Steve.

Hi,

/etc/krb5.keytab is a keytab you've created (e.g. with samba-tool domain exportkeytab /etc/krb5.keytab); it is not used by Samba4 in any way. If you need a keytab for any service you run (e.g. nfs) I would suggest extracting a keytab only for the principal you've created for that service. E.g.:

samba-tool user create whateverserviceusername --random-password
samba-tool spn add previouslyusedusername servicename/hostname
samba-tool domain exportkeytab --principal=servicename/hostname /path/to/the/keytab

Regards

Geza
On 9 January 2012 12:56, steve <steve at steve-ss.com> wrote:
> On 01/09/2012 11:50 AM, Michael Wood wrote:
>>
>> On 9 January 2012 12:34, steve <steve at steve-ss.com> wrote:
>>>
>>> On 01/09/2012 09:47 AM, Gémes Géza wrote:
>>
>> [...]
>>>>>
>>>>> samba-tool user add steve4
>>>>> (the spn stuff you mention doesn't seem to be needed?)
>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>>>
>>>> You don't need the last step (see before).
>>>
>>> OK, I'm understanding this a little more. So how can I remove steve4 from
>>> the keytab?
>>
>> Don't bother trying to do that. Just create a new keytab file with
>> only the relevant stuff for NFS in it.
>
> Hi
> Rename the keytab, touch /etc/krb5.keytab to start with a blank keytab and
> add only the nfs principal? What about all the other stuff about cifs and
> host that are in there. Are they not needed?

"samba-tool domain exportkeytab" creates a new keytab file, so no need to create an empty file. i.e. you would not be "adding" only the NFS principal. You would be creating a new keytab file with only the NFS principal in it.

As for the other things in the keytab, I can't say off hand whether or not you need them, but I suspect not.

--
Michael Wood <esiotrot at gmail.com>
On 9 January 2012 14:30, steve <steve at steve-ss.com> wrote:
> On 09/01/12 12:12, Michael Wood wrote:
>>
>> On 9 January 2012 12:56, steve <steve at steve-ss.com> wrote:
[...]
>>> Hi
>>> Rename the keytab, touch /etc/krb5.keytab to start with a blank keytab
>>> and
>>> add only the nfs principal? What about all the other stuff about cifs and
>>> host that are in there. Are they not needed?
>>
>>
>> "samba-tool domain exportkeytab" creates a new keytab file, so no need
>> to create an empty file. i.e. you would not be "adding" only the NFS
>> principal. You would be creating a new keytab file with only the NFS
>> principal in it.
>>
>> As for the other things in the keytab, I can't say off hand whether or
>> not you need them, but I suspect not.
>
> Hi Michael
> I moved the old keytab just to be sure, made a user for nfs, as Geza
> suggested on list, recreated the keytab and added nfs to it:
>
> samba-tool user add nfs-service-account
> samba-tool spn add nfs nfs-service-account
>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/HH3.SITE
>
> I now have a brand new shiny keytab! Thanks so much for your help.

No problem.

--
Michael Wood <esiotrot at gmail.com>