Olivier BILHAUT
2015-Feb-12 10:33 UTC
[Samba] Samba4 kinit issue with principal and keytab file
Hi All !

Using Samba Version 4.1.12, updated from source from 4.0beta1.

I've created a user, let's say kerbuser, for a web server to authenticate with Kerberos and provide SSO to the end-users.

In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser.

I've added a principal on the user and exported everything in a keytab, so the result of a ktutil list is the following:

    1 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
    2 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
    3 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
    4 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
    5 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
    6 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
    7 1 kerbuser@MYDOMAIN.LOCAL
    8 1 kerbuser@MYDOMAIN.LOCAL
    9 1 kerbuser@MYDOMAIN.LOCAL

The machine name is webserver and it resolves the machine name webserver.mydomain.local successfully via DNS.

I can successfully kinit with the user:

    kinit -V -k -t /root/my.keytab kerbuser@MYDOMAIN.LOCAL
    Using default cache: /tmp/krb5cc_0
    Using principal: kerbuser@MYDOMAIN.LOCAL
    Using keytab: /root/my.keytab
    Authenticated to Kerberos v5

But using the principal fails:

    kinit -V -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/webserver.MYDOMAIN.LOCAL
    Using keytab: /root/my.keytab
    kinit: Client not found in Kerberos database while getting initial credentials

Is there a problem with the REALM somewhere, or am I making a mistake using the principal...?

I can't figure it out...

Thanks in advance.

--
Olivier
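A keytab check that reproduces the listing in the question, as an added example that is not part of the original thread or of Samba. In the ktutil output above the columns are slot, KVNO and principal; the keytab holds HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL (lower-case host part, realm present), while the failing kinit names HTTP/webserver.MYDOMAIN.LOCAL (upper-case host part, no realm). Kerberos compares principal names case-sensitively, so a small inspection tool that reads the keytab and compares the requested name exactly, and separately reports entries that differ only in letter case, shows such a discrepancy before the KDC answers "Client not found". The script below writes a constructed version-2 keytab with the thread's nine entries (dummy key bytes; real enctype numbers 18, 17 and 23), parses it back, and runs the comparison; the keytab writer, the sample keys and the function names are assumptions made for this example, and whether the case difference is the cause of the error in the thread is not something the example can decide.

```python
import struct

# Constructed sample: the principals from the thread's ktutil listing as
# (principal, kvno, enctype, key). Keys are dummy bytes; enctype numbers are
# the real IANA values (18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96,
# 23 = rc4-hmac).
SAMPLE_ENTRIES = [
    ("HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL", 2, 18, bytes(range(32))),
    ("HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL", 2, 17, bytes(range(16))),
    ("HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL", 2, 23, bytes(range(16))),
    ("HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL", 1, 18, bytes(range(32))),
    ("HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL", 1, 17, bytes(range(16))),
    ("HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL", 1, 23, bytes(range(16))),
    ("kerbuser@MYDOMAIN.LOCAL", 1, 18, bytes(range(32))),
    ("kerbuser@MYDOMAIN.LOCAL", 1, 17, bytes(range(16))),
    ("kerbuser@MYDOMAIN.LOCAL", 1, 23, bytes(range(16))),
]


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Write a version-2 (0x0502) keytab from (principal, kvno, enctype, key) tuples.
    Hypothetical helper used only to construct the sample file for this example."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type NT_PRINCIPAL (1), timestamp (0 in the sample), 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version-2 keytab into dicts with principal, kvno and enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []

    def counted() -> str:
        nonlocal pos
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        s = data[pos:pos + n].decode()
        pos += n
        return s

    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen              # skip over the key material itself
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno after the key
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_principal(requested: str, entries, default_realm: str):
    """Exact (case-sensitive) match of 'requested' against the keytab, plus a list
    of entries that differ from it only in letter case."""
    full = requested if "@" in requested else f"{requested}@{default_realm}"
    exact = [e for e in entries if e["principal"] == full]
    case_only = sorted({e["principal"] for e in entries
                        if e["principal"].lower() == full.lower()
                        and e["principal"] != full})
    return {"requested": full,
            "realm_assumed": "@" not in requested,
            "exact_kvnos": sorted({e["kvno"] for e in exact}),
            "case_mismatch": case_only}


if __name__ == "__main__":
    kt = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for req in ("kerbuser@MYDOMAIN.LOCAL", "HTTP/webserver.MYDOMAIN.LOCAL"):
        print(check_principal(req, kt, "MYDOMAIN.LOCAL"))
```

Run against a real file, parse_keytab(open("/root/my.keytab", "rb").read()) gives the same dicts; the script deliberately skips the key bytes so its output can be pasted into a ticket without leaking key material. The second request in the sample reports no exact match and one case-only near miss, which is the kind of detail worth confirming before looking for a realm or KDC problem.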
L.P.H. van Belle
2015-Feb-12 10:57 UTC
[Samba] Samba4 kinit issue with principal and keytab file
Hai,

you can find all info you need for a SSO setup on this site.

https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4

and yes, this states it's for zarafa, but the basics for the setup are very clear here.
Just have a look, all things you need to know are there.

For me it works perfectly, for zarafa and other sites.

Greetz,

Louis

>-----Original message-----
>From: obilhaut at fondation-misericorde.fr [mailto:samba-bounces at lists.samba.org] On behalf of Olivier BILHAUT
>Sent: Thursday 12 February 2015 11:33
>To: samba
>Subject: [Samba] Samba4 kinit issue with principal and keytab file
>
>Hi All !
>
>Using Samba Version 4.1.12, updated from source from 4.0beta1.
>
>I've created a user, let's say kerbuser, for a web server to authenticate with Kerberos and provide SSO to the end-users.
>
>In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser.
>
>I've added a principal on the user and exported everything in a keytab, so the result of a ktutil list is the following:
>
>    1 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>    2 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>    3 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>    4 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>    5 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>    6 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>    7 1 kerbuser@MYDOMAIN.LOCAL
>    8 1 kerbuser@MYDOMAIN.LOCAL
>    9 1 kerbuser@MYDOMAIN.LOCAL
>
>The machine name is webserver and it resolves the machine name webserver.mydomain.local successfully via DNS.
>
>I can successfully kinit with the user:
>
>    kinit -V -k -t /root/my.keytab kerbuser@MYDOMAIN.LOCAL
>    Using default cache: /tmp/krb5cc_0
>    Using principal: kerbuser@MYDOMAIN.LOCAL
>    Using keytab: /root/my.keytab
>    Authenticated to Kerberos v5
>
>But using the principal fails:
>
>    kinit -V -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL
>    Using default cache: /tmp/krb5cc_0
>    Using principal: HTTP/webserver.MYDOMAIN.LOCAL
>    Using keytab: /root/my.keytab
>    kinit: Client not found in Kerberos database while getting initial credentials
>
>Is there a problem with the REALM somewhere, or am I making a mistake using the principal...?
>
>I can't figure it out...
>
>Thanks in advance.
>
>--
>Olivier
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Feb-12 11:07 UTC
[Samba] Samba4 kinit issue with principal and keytab file
On 12/02/15 10:33, Olivier BILHAUT wrote:
> Hi All !
>
> Using Samba Version 4.1.12, updated from source from 4.0beta1.
>
> I've created a user, let's say kerbuser, for a web server to authenticate with Kerberos and provide SSO to the end-users.
>
> In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser.
>
> I've added a principal on the user and exported everything in a keytab, so the result of a ktutil list is the following:
>
>     1 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>     2 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>     3 2 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>     4 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>     5 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>     6 1 HTTP/webserver.mydomain.local@MYDOMAIN.LOCAL
>     7 1 kerbuser@MYDOMAIN.LOCAL
>     8 1 kerbuser@MYDOMAIN.LOCAL
>     9 1 kerbuser@MYDOMAIN.LOCAL
>
> The machine name is webserver and it resolves the machine name webserver.mydomain.local successfully via DNS.
>
> I can successfully kinit with the user:
>
>     kinit -V -k -t /root/my.keytab kerbuser@MYDOMAIN.LOCAL
>     Using default cache: /tmp/krb5cc_0
>     Using principal: kerbuser@MYDOMAIN.LOCAL
>     Using keytab: /root/my.keytab
>     Authenticated to Kerberos v5
>
> But using the principal fails:
>
>     kinit -V -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL
>     Using default cache: /tmp/krb5cc_0
>     Using principal: HTTP/webserver.MYDOMAIN.LOCAL
>     Using keytab: /root/my.keytab
>     kinit: Client not found in Kerberos database while getting initial credentials
>
> Is there a problem with the REALM somewhere, or am I making a mistake using the principal...?
>
> I can't figure it out...
>
> Thanks in advance.
>
> --
> Olivier

Hi, have you read the wiki page:

https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

Rowland