Olivier BILHAUT
2015-Feb-13 15:09 UTC
[Samba] Samba4 kinit issue with principal and keytab file
Hi Rowland,

It looks like the "-c" option is optional.

My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser.

The principal is HTTP/webserver.MYDOMAIN.LOCAL@MYDOMAIN.LOCAL

I would like to use kinit and give this principal as parameter. Something like:

    > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL@MYDOMAIN.LOCAL

But no success with such a command.

Any idea?

--
Olivier
Rowland Penny
2015-Feb-13 15:48 UTC
[Samba] Samba4 kinit issue with principal and keytab file
On 13/02/15 15:09, Olivier BILHAUT wrote:
> Hi Rowland,
>
> It looks like the "-c" option is optional.
>
> My problem is not really the kerberos cache file, but the "principal"
> linked to the user kerbuser.
>
> The principal is HTTP/webserver.MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>
> I would like to use kinit and give this principal as parameter.
> Something like:
>
>> kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>
> But no success with such a command.
>
> Any idea?
>
> --
> Olivier

Yes, you are mixing up user principal names with service principal names, your user has a user principal name of 'kerbuser@MYDOMAIN.LOCAL'

If we create the user, add an spn and export the keytab as per the wiki:

    samba-tool user create --random-password http-dc01
    samba-tool spn add HTTP/dc01.home.lan http-dc01
    samba-tool domain exportkeytab /etc/httpd.keytab --principal=HTTP/dc01.example.com@EXAMPLE.COM

Then examine the keytab:

    ktutil
    ktutil:  rkt /etc/httpd.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    1 HTTP/dc01.example.com@EXAMPLE.COM
       2    1 HTTP/dc01.example.com@EXAMPLE.COM
       3    1 HTTP/dc01.example.com@EXAMPLE.COM
    ktutil:  q

You can see that there is only the spn in the keytab and if you try 'kinit'

    kinit -k -t /etc/httpd.keytab -c /tmp/http-dc01.krb5cc http-dc01
    kinit: Generic preauthentication failure while getting initial credentials

Now if you export another keytab but this time use the upn as the principal:

    samba-tool domain exportkeytab /etc/http-dc01.keytab --principal=http-dc01@EXAMPLE.COM

and if you examine this keytab:

    ktutil
    ktutil:  rkt /etc/http-dc01.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    1 http-dc01@EXAMPLE.COM
       2    1 http-dc01@EXAMPLE.COM
       3    1 http-dc01@EXAMPLE.COM
    ktutil:  q

and try kinit again:

    kinit -k -t /etc/http-dc01.keytab -c /tmp/http-dc01.krb5cc http-dc01

and look in /tmp you will find the krb5 cache: http-dc01.krb5cc

Rowland
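
A pre-flight check for the failure shown in the reply above, as an added example that is not part of the original thread: it reads a keytab listing and reports whether `kinit -k` has a key for the principal being requested. The function names, return codes and the "/" heuristic for spotting an SPN are assumptions of this example, and the listings are constructed in the shape of the ktutil output above.

```shell
#!/bin/sh
# Added example: pre-flight check for `kinit -k -t KEYTAB PRINCIPAL`.
# Listings below are constructed, shaped like the thread's ktutil output.
SPN_KEYTAB='slot KVNO Principal
---- ---- ---------------------------------------
   1    1 HTTP/dc01.example.com@EXAMPLE.COM
   2    1 HTTP/dc01.example.com@EXAMPLE.COM'
UPN_KEYTAB='slot KVNO Principal
---- ---- ---------------------------------------
   1    1 http-dc01@EXAMPLE.COM
   2    1 http-dc01@EXAMPLE.COM'

# Unique principals from a ktutil "l" or MIT `klist -k` listing on stdin:
# data rows start with a number and the principal is the last field.
list_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# check_kinit_principal WANTED REALM   (listing on stdin)
# returns 0: WANTED is in the keytab and is not SPN-shaped
#         1: WANTED is not in the keytab (kinit has no key for it)
#         2: WANTED contains "/" (heuristic for a service principal name);
#            per the reply above, kinit needs the account's UPN instead
check_kinit_principal() {
    wanted=$1
    case $wanted in
        *@*) ;;
        *) wanted="$wanted@$2" ;;   # append the default realm
    esac
    case $wanted in
        */*) echo "spn: $wanted is a service principal; use the account UPN"
             return 2 ;;
    esac
    principals=$(list_principals)
    if printf '%s\n' "$principals" | grep -Fxq -- "$wanted"; then
        echo "ok: keytab has a key for $wanted"
        return 0
    fi
    echo "missing: no key for $wanted; keytab holds:"
    printf '%s\n' "$principals" | sed 's/^/  /'
    return 1
}

# Demo on the constructed listings (real use: klist -k FILE | check_...).
printf '%s\n' "$SPN_KEYTAB" | check_kinit_principal http-dc01 EXAMPLE.COM || true
printf '%s\n' "$UPN_KEYTAB" | check_kinit_principal http-dc01 EXAMPLE.COM || true
```

When piping from `klist -k`, leave out `-e` so that the principal remains the last field on each row.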