Dania Ramirez Moya
2014-Jul-19 19:36 UTC
[Samba] Kerberos: Server not found in database...no such entry found in hdb
Hi, I have a server with samba 4.1.5 and I want to authenticate my mail server against samba via Kerberos.
The protocols involved are pop and imap, as you know, then I created two users: imap and pop:

    samba-tool user add pop --random-password
    samba-tool user imap pop --random-password

and later I created two Service Principal Names for these users:

    samba-tool spn add pop/mailserver.domain.cu@DOMAIN.CU pop
    samba-tool spn add imap/mailserver.domain.cu@DOMAIN.CU imap

then I exported the keys and copied them to the mailserver

    samba-tool domain exportkeytab /etc/krb5.keytab

after that I configured Dovecot

/etc/dovecot/conf.d/10-auth.conf

    auth_realms = domain.cu
    auth_gssapi_hostname = "$ALL"
    auth_krb5_keytab = /etc/dovecot/krb5.keytab
    auth_mechanisms = gssapi

then I tried to log in but it didn't work... this is what samba's log says:

    Kerberos: TGS-REQ dania@DOMAIN.CU from ipv4:192.168.17.207:1195 for pop/mailserver.domain.cu@DOMAIN.CU [renewable, forwardable]
    Kerberos: Searching referral for mailserver.domain.cu
    Kerberos: Server not found in database: pop/mailserver.domain.cu@DOMAIN.CU: no such entry found in hdb
    Kerberos: Failed building TGS-REP to ipv4:192.168.17.207:1195

I have made queries to the database and the SPNs exist

    samba-tool spn list pop
    pop
    User CN=pop,CN=Users,DC=domain,DC=cu has the following servicePrincipalName:
        pop/mailserver.domain.cu@DOMAIN.CU

    samba-tool spn list imap
    imap
    User CN=imap,CN=Users,DC=domain,DC=cu has the following servicePrincipalName:
        imap/mailserver.domain.cu@DOMAIN.CU

    ldbsearch -H /usr/local/samba/private/sam.ldb '(serviceprincipalname=pop/mailserver.domain.cu@DOMAIN.CU)'
    # record 1
    dn: CN=pop,CN=Users,DC=domain,DC=cu
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: pop
    instanceType: 4
    whenCreated: 20140719145826.0Z
    uSNCreated: 21693
    name: pop
    objectGUID: e063e896-6900-458d-a7bd-76319829cb81
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 0
    primaryGroupID: 513
    objectSid: S-1-5-21-1345859412-382380422-3804354134-1361
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: pop
    sAMAccountType: 805306368
    userPrincipalName: pop@domain.cu
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=cu
    pwdLastSet: 130502555070000000
    userAccountControl: 512
    servicePrincipalName: pop/mailserver.domain.cu@DOMAIN.CU
    whenChanged: 20140719150053.0Z
    uSNChanged: 21702
    distinguishedName: CN=pop,CN=Users,DC=domain,DC=cu

I would like to know in which way Kerberos makes queries to the database and how to see these queries in the samba log.

I need some help... I don't know what else to do... forgive my English... thanks
Andrew Bartlett
2014-Jul-19 21:12 UTC
[Samba] Kerberos: Server not found in database...no such entry found in hdb
On Sat, 2014-07-19 at 15:36 -0400, Dania Ramirez Moya wrote:
> Hi, i have a server with samba 4.1.5 and i want to authenticate my
> mail server against samba via Kerberos.
> The protocols envolved are pop and imap, as you know, then i created
> two users: imap and pop:
>
> samba-tool user add pop --random-password
> samba-tool user imap pop --random-password
>
> and later i created two Service Principal Names for these users:
>
> samba-tool spn add pop/mailserver.domain.cu@DOMAIN.CU pop
> samba-tool spn add imap/mailserver.domain.cu@DOMAIN.CU imap

Remove the @DOMAIN.CU part.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
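
An added example, not part of the thread: a shell function that scans ldbsearch output for servicePrincipalName values stored with a realm suffix, the condition the reply above points to, and prints the samba-tool commands that re-register them without it. The function names and the sample LDIF (including the realm-less imap record) are constructed for illustration; the script only prints commands and changes nothing in the directory.

```shell
#!/bin/sh
# Added example (not from the thread). Reads ldbsearch LDIF on stdin and
# prints the commands that replace every SPN stored with an "@REALM" suffix.
spn_realm_fixes() {
    awk '
    BEGIN { n = 0; acct = "" }
    # Emit fixes for the record collected so far, then reset the buffers.
    function emit_fixes(   i, spn, bare) {
        for (i = 1; i <= n; i++) {
            spn = spns[i]
            if (acct == "" || index(spn, "@") == 0) continue  # nothing to fix
            bare = spn
            sub(/@.*$/, "", bare)          # drop the realm part
            printf "samba-tool spn delete \"%s\" %s\n", spn, acct
            printf "samba-tool spn add \"%s\" %s\n", bare, acct
        }
        n = 0; acct = ""
    }
    /^dn: /                   { emit_fixes() }   # a new record starts
    /^sAMAccountName: /       { acct = substr($0, length("sAMAccountName: ") + 1) }
    /^servicePrincipalName: / { spns[++n] = substr($0, length("servicePrincipalName: ") + 1) }
    END                       { emit_fixes() }
    '
}

# Constructed sample input: one account with the realm suffix, one without.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=pop,CN=Users,DC=domain,DC=cu
sAMAccountName: pop
servicePrincipalName: pop/mailserver.domain.cu@DOMAIN.CU

# record 2
dn: CN=imap,CN=Users,DC=domain,DC=cu
servicePrincipalName: imap/mailserver.domain.cu
sAMAccountName: imap
EOF
}

sample_ldif | spn_realm_fixes
```

On a domain controller the input would come from an ldbsearch for `(servicePrincipalName=*@*)` against sam.ldb; the keytab has to be exported again after the SPNs are re-registered.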