Hi all,

I’m looking to add in a kerberos principal on my server for the AD domain.

I see there are ways to do this for user(s), but I don’t see how to add a principal for hosts.

In general, I’d like to add something like the following to my 4.3.4 Domain:

ktpass -princ afpserver/fqdn at REALM -mapuser mapuser at domain +rndPass -out afpserver.keytab

This is for a netatalk server. I’ve never had to add a principal to my samba, so I’d just like some clarification as this is for a host and not a user.

What would the 'samba-tool spn add …' syntax look like in order to add in a host principal?

Thanks,

DT
On 22/02/16 17:58, David Thompson wrote:
> Hi all,
>
> I’m looking to add in a kerberos principal on my server for the AD domain.
>
> I see there are ways to do this for user(s), but I don’t see how to add a principal for hosts.
>
> In general, I’d like to add something like the following to my 4.3.4 Domain:
>
> ktpass -princ afpserver/fqdn at REALM -mapuser mapuser at domain +rndPass -out afpserver.keytab
>
> This is for a netatalk server. I’ve never had to add a principal to my samba, so I’d just like some clarification as this is for a host and not a user.
>
> What would the 'samba-tool spn add …' syntax look like in order to add in a host principal?
>
> Thanks,
>
> DT

Try this:

samba-tool spn add afpserver/fqdn at REALM shorthostname$

Rowland
You mean something like:

Create a user for a service.
samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password

Disable password expiry.
samba-tool user setexpiry squid-proxy --noexpiry

Setting the HTTP SPN on the proxy user (proxy1).
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld at KERB_REALM squid-proxy

And export the keytab.
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld /home/proxy1.keytab

Greetz,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] on behalf of David Thompson
> Sent: Monday 22 February 2016 18:59
> To: samba at lists.samba.org
> Subject: [Samba] Kerberos Principal
>
> Hi all,
>
> I’m looking to add in a kerberos principal on my server for the AD domain.
>
> I see there are ways to do this for user(s), but I don’t see how to add a
> principal for hosts.
>
> In general, I’d like to add something like the following to my 4.3.4
> Domain:
>
> ktpass -princ afpserver/fqdn at REALM -mapuser mapuser at domain +rndPass -out
> afpserver.keytab
>
> This is for a netatalk server. I’ve never had to add a principal to my
> samba, so I’d just like some clarification as this is for a host and not a
> user.
>
> What would the 'samba-tool spn add …' syntax look like in order to add in
> a host principal?
>
> Thanks,
>
> DT
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
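The procedure Louis lays out above (service account with a random password, no expiry, SPN registered bare and realm-qualified, keytab exported) as one script. This is an added example, not code from the thread or from the Samba project: the four samba-tool calls are the ones Louis posted; the SPN syntax check, the duplicate-SPN lookup, the owner-only keytab permissions and the keytab verification are additions. The account name svc-afp, the SPN afpserver/fs1.ad.example.com, the realm AD.EXAMPLE.COM and the sam.ldb path are constructed placeholders. It runs on the DC as root; with SAMBA_DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Provision a Kerberos service principal on a Samba AD DC with samba-tool.
# Added example (editor's, not the thread's code). Account, SPN, realm and the
# sam.ldb path below are constructed placeholders. SAMBA_DRY_RUN=1 prints the
# samba-tool command lines instead of running them.
set -eu

# run_cmd: execute a command, or echo it when SAMBA_DRY_RUN=1.
run_cmd() {
    if [ "${SAMBA_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# spn_is_valid: accept only service/host[:port][@REALM], so a stray space or a
# missing service class is rejected before the directory is touched.
spn_is_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+/[A-Za-z0-9.-]+(:[0-9]+)?(@[A-Z0-9._-]+)?$'
}

# spn_in_use: true if some account already carries this SPN. Duplicate SPNs
# leave the KDC unable to pick a key and break both services, so refuse them.
# The sam.ldb path is the usual distribution default (assumption).
spn_in_use() {
    ldbsearch -H /var/lib/samba/private/sam.ldb "(servicePrincipalName=$1)" dn 2>/dev/null \
        | grep -q '^dn:'
}

# provision_spn ACCOUNT SPN REALM KEYTAB
provision_spn() {
    acct="$1"; spn="$2"; realm="$3"; keytab="$4"

    if ! spn_is_valid "$spn"; then
        printf 'refusing malformed SPN: %s\n' "$spn" >&2
        return 1
    fi
    if [ "${SAMBA_DRY_RUN:-0}" != "1" ] && spn_in_use "$spn"; then
        printf 'SPN %s is already registered; not adding a duplicate\n' "$spn" >&2
        return 1
    fi

    # 1. Unprivileged service account with a random password that never expires.
    run_cmd samba-tool user create "$acct" --random-password \
        --description="Service account for $spn"
    run_cmd samba-tool user setexpiry "$acct" --noexpiry

    # 2. Register the SPN bare and realm-qualified, exactly as in the thread.
    run_cmd samba-tool spn add "$spn" "$acct"
    run_cmd samba-tool spn add "$spn@$realm" "$acct"

    # 3. Export the keytab; umask 077 makes it owner-only from the moment it exists.
    umask 077
    run_cmd samba-tool domain exportkeytab --principal="$spn" "$keytab"

    # 4. Prove the keytab works before it is copied to the service host.
    if [ "${SAMBA_DRY_RUN:-0}" != "1" ]; then
        chmod 600 "$keytab"
        klist -k "$keytab"
        kinit -k -t "$keytab" "$spn@$realm"
        kdestroy
    fi
}

# Usage (constructed values):
# provision_spn svc-afp afpserver/fs1.ad.example.com AD.EXAMPLE.COM /root/svc-afp.keytab
```

The keytab is the service's long-term key, so it is treated like a private key: created under umask 077, verified with kinit -k on the DC, and only then moved to the netatalk or proxy host over a channel that keeps it 0600 for the service user.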
Thank you very much for this! It worked perfectly for me!

DT

> On Feb 23, 2016, at 2:35 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> You mean something like:
>
> Create a user for a service.
> samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
>
> Disable password expiry.
> samba-tool user setexpiry squid-proxy --noexpiry
>
> Setting the HTTP SPN on the proxy user (proxy1).
> samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
> samba-tool spn add HTTP/proxy1.internal.domain.tld at KERB_REALM squid-proxy
>
> And export the keytab.
> samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld /home/proxy1.keytab
>
> Greetz,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] on behalf of David Thompson
>> Sent: Monday 22 February 2016 18:59
>> To: samba at lists.samba.org
>> Subject: [Samba] Kerberos Principal
>>
>> Hi all,
>>
>> I’m looking to add in a kerberos principal on my server for the AD domain.
>>
>> I see there are ways to do this for user(s), but I don’t see how to add a
>> principal for hosts.
>>
>> In general, I’d like to add something like the following to my 4.3.4
>> Domain:
>>
>> ktpass -princ afpserver/fqdn at REALM -mapuser mapuser at domain +rndPass -out
>> afpserver.keytab
>>
>> This is for a netatalk server. I’ve never had to add a principal to my
>> samba, so I’d just like some clarification as this is for a host and not a
>> user.
>>
>> What would the 'samba-tool spn add …' syntax look like in order to add in
>> a host principal?
>>
>> Thanks,
>>
>> DT
Mgr. Peter Tuharsky
2017-Jun-30 08:09 UTC
[Samba] Samba/Kerberos setup - how to enable alternative UPN
Hi all,

I have W2k8 AD and I need to join a Samba fileserver.

Since I'm new to the topic, I'm following a howto, and it says I must first make Kerberos authenticate users and only then start configuring Samba. But I cannot get over the Kerberos setup.

The domain is named like ad.domain.com but there is an alternative UPN Suffix so that users are represented by a UPN such as user at domain.com

I'm unable to explain this to Kerberos. kinit is able to authenticate a user with the full domain name, such as user at AD.DOMAIN.COM, but not user at DOMAIN.COM:

kinit: Cannot find KDC for realm "DOMAIN.COM" while getting initial credentials

Please, does anybody have experience with such a setup? I have googled around, but haven't found a working solution yet.
Rowland Penny
2017-Jun-30 08:49 UTC
[Samba] Samba/Kerberos setup - how to enable alternative UPN
On Fri, 30 Jun 2017 10:09:16 +0200
"Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:
> Hi all,
>
> I have W2k8 AD and I need to join a Samba fileserver.
>
> Since I'm new to the topic, I'm following a howto, and it says I must
> first make Kerberos authenticate users and only then start configuring
> Samba. But I cannot get over the Kerberos setup.

Care to share the link to this howto?

You do not need to set up Kerberos in any meaningful way.

You could do worse (and you already have) than to read the Samba documentation on how to do what you are trying to do:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> The domain is named like ad.domain.com but there is an alternative UPN
> Suffix so that users are represented by a UPN such as user at domain.com

Don't really understand this, you have to use the DNS domain name for the realm and I don't think you can do what you are suggesting.

Rowland
L.P.H. van Belle
2017-Jun-30 09:06 UTC
[Samba] Samba/Kerberos setup - how to enable alternative UPN
Yes, it's possible, but I don't have the time to look up how to set it up. (sorry)

Google for multi domain auth and subdomain auth and kerberos, there are a few examples, for other systems.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] on behalf of
> Rowland Penny via samba
> Sent: Friday 30 June 2017 10:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba/Kerberos setup - how to enable
> alternative UPN
>
> On Fri, 30 Jun 2017 10:09:16 +0200
> "Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > I have W2k8 AD and I need to join a Samba fileserver.
> >
> > Since I'm new to the topic, I'm following a howto, and it
> > says I must first make Kerberos authenticate users and only then start
> > configuring Samba. But I cannot get over the Kerberos setup.
>
> Care to share the link to this howto?
>
> You do not need to set up Kerberos in any meaningful way.
>
> You could do worse (and you already have) than to read the
> Samba documentation on how to do what you are trying to do:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> > The domain is named like ad.domain.com but there is an alternative UPN
> > Suffix so that users are represented by a UPN such as user at domain.com
>
> Don't really understand this, you have to use the DNS domain
> name for the realm and I don't think you can do what you are
> suggesting.
>
> Rowland