Bobby Kirchgessner
2014-Feb-03 18:27 UTC
[Samba] Obtaining TGT using service principal name
I have been trying to set up Samba4 as a DC using Kerberos for authentication. I have successfully provisioned the domain, and was able to join my domain using my Windows machine as well as kinit to obtain a ticket for my administrator user from my servers.

I have hit a wall trying to set up a server to authenticate a SPN using a keytab. I can join the domain and kinit as my administrator user, using "net ads join -Uadministrator" and "kinit administrator", but I cannot get a TGT using the SPN with kinit.

I used the following commands to create a user and add an SPN to it:

samba-tool user create cifs-server
samba-tool spn add cifs/server.my.domain.local
samba-tool domain exportkeytab /root/server0.keytab --principal=cifs/server.my.domain.local

ktutil successfully lists the entry for the cifs/server.my.domain.local principal.

After moving the keytab (and renaming it) to server.my.domain.local, I try to gain a TGT using the command:

kinit -k -t /etc/krb5.keytab cifs/server.my.domain.local

This returns a "Client (cifs/server.my.domain.local) unknown." error. If I export the principal for the server$ or cifs-server, I can successfully authenticate and obtain an entry in klist.

Is there something I am missing to obtain a TGT using a keytab?

Thank you for your help.
On Mon, 2014-02-03 at 13:27 -0500, Bobby Kirchgessner wrote:
> I have been trying to set up Samba4 as a DC using Kerberos for
> authentication. I have successfully provisioned the domain, and was able to
> join my domain using my Windows machine as well as kinit to obtain a ticket
> for my administrator user from my servers.
>
> I have hit a wall trying to set up a server to authenticate a SPN using a
> keytab. I can join the domain and kinit as my administrator user, using
> "net ads join -Uadministrator" and "kinit administrator", but I cannot get a
> TGT using the SPN with kinit.
>
> I used the following commands to create a user and add an SPN to it:
> samba-tool user create cifs-server
> samba-tool spn add cifs/server.my.domain.local
> samba-tool domain exportkeytab /root/server0.keytab
> --principal=cifs/server.my.domain.local
>
> ktutil successfully lists the entry for the cifs/server.my.domain.local
> principal.
>
> After moving the keytab (and renaming it) to server.my.domain.local, I try
> to gain a TGT using the command: kinit -k -t /etc/krb5.keytab
> cifs/server.my.domain.local
>
> This returns a "Client (cifs/server.my.domain.local) unknown." error. If I
> export the principal for the server$ or cifs-server, I can successfully
> authenticate and obtain an entry in klist.
>
> Is there something I am missing to obtain a TGT using a keytab?

Can you explain a little more why you are trying to do this? That might help us understand your broader issue.

Typically Samba is your CIFS server, and joins the domain using 'net ads join', as you have done, and then uses the values from secrets.tdb to handle Kerberos.

The specific issue here is that you have to kinit as the account name, not the SPN, so cifs-server. You can export it under that name as well if you need to.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
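As an added example (not part of the thread, and not Samba, MIT or Heimdal project code), the following Python reads and writes the 0x0502 keytab file format to make Andrew's point concrete. A keytab entry is named by a Kerberos principal, so ktutil will happily list cifs/server.my.domain.local; but an AD KDC resolves the client of an AS-REQ by account name (a sAMAccountName such as cifs-server or SERVER$), which is why kinit -k with the SPN entry is answered with "Client unknown" while a keytab exported for the account works. The realm MY.DOMAIN.LOCAL, enctype 18 (aes256-cts-hmac-sha1-96) and the all-0x11 key bytes are constructed placeholders, and the "single component, no slash, means account name" rule used by kinit_candidates() is a simplification for this check (UPN-style entries are not handled).

```python
"""Minimal keytab (format version 0x0502) writer/reader. Example code written
for this thread, not the Samba or krb5 implementation; keys are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"        # file format version 0x0502
NT_PRINCIPAL, NT_SRV_HST = 1, 3    # RFC 4120 principal name types
REALM = "MY.DOMAIN.LOCAL"          # assumed realm for the sample entries


@dataclass
class KeytabEntry:
    principal: str    # e.g. "cifs/server.my.domain.local" or "cifs-server"
    realm: str
    enctype: int
    kvno: int
    key: bytes

    @property
    def is_account_name(self) -> bool:
        """Single-component names (cifs-server, SERVER$) are account names an
        AD KDC can look up as a client; service/host names are SPNs only."""
        return "/" not in self.principal


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, off: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n


def encode_entry(e: KeytabEntry, timestamp: int = 0) -> bytes:
    comps = e.principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(e.realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    name_type = NT_SRV_HST if len(comps) > 1 else NT_PRINCIPAL
    # name_type (u32), timestamp (u32), 8-bit kvno
    body += struct.pack(">IIB", name_type, timestamp, e.kvno & 0xFF)
    # keyblock: enctype (u16), key length (u16), key bytes
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)          # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body  # signed length prefix


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative length marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # 32-bit kvno present; nonzero overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps), realm, enctype, kvno, key))
    return entries


def kinit_candidates(keytab: bytes) -> List[str]:
    """Principals in the keytab an AD KDC would accept as a kinit client."""
    return sorted({e.principal for e in parse_keytab(keytab) if e.is_account_name})


# Constructed sample keytabs mirroring the thread (keys are placeholders).
SPN_KEY = KeytabEntry("cifs/server.my.domain.local", REALM, 18, 1, b"\x11" * 32)
ACCOUNT_KEY = KeytabEntry("cifs-server", REALM, 18, 1, b"\x11" * 32)
SPN_ONLY = build_keytab([SPN_KEY])             # what --principal=cifs/... yields
WITH_ACCOUNT = build_keytab([SPN_KEY, ACCOUNT_KEY])  # plus --principal=cifs-server

if __name__ == "__main__":
    for label, kt in (("SPN only", SPN_ONLY), ("with account", WITH_ACCOUNT)):
        names = [e.principal for e in parse_keytab(kt)]
        print(f"{label}: entries={names} usable for kinit={kinit_candidates(kt)}")
```

Run stand-alone, the "SPN only" keytab lists the cifs/server.my.domain.local entry (as ktutil does) but reports no principal usable as a kinit client, which is the situation in the original post; the second keytab, which also carries the cifs-server entry, does. On a real DC that corresponds to exporting with --principal=cifs-server and running kinit -k -t /etc/krb5.keytab cifs-server, as Andrew describes.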