thr3ads.net - samba - [Samba] Trouble adding a service principal to keytab [Feb 2016]

If this information is useful, please help other people find it:
Share via:

Norm Green

2016-Feb-25 21:42 UTC

[Samba] Trouble adding a service principal to keytab

Hi,

I am new to samba and Kerberos so please be gentle!

I have built a samba AD DC (v4.3.5) on Centos Linux from source and am 
trying to add a service principal and generate a keytab containing the 
principal.  However the principal entry does not appear in the keytab.

Here's what I did:

[root at bones ~]# samba-tool spn add 
GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM normg
[root at bones ~]# samba-tool spn list normg
normg
User CN=normg,CN=Users,DC=sambatest,DC=gemtalksystems,DC=com has the 
following servicePrincipalName:
  GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM

Ok, so it appears to be there under user normg.  Now if I export the 
entire keytab:

[root at bones ~]# samba-tool domain exportkeytab samba.keytab
[root at bones ~]# klist -k samba.keytab
Keytab name: FILE:samba.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM

So the GEMSTONE64 principal is NOT in the keytab!  And requesting that 
principal for the keytab fails:

[root at bones ~]# samba-tool domain exportkeytab s 
--principal=GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM
ERROR(runtime): uncaught exception - Key table entry not found
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 117, in run
     net.export_keytab(keytab=keytab, principal=principal)

Removing the realm from the request fails in the same way.

If I was using Kerberos without samba, I would just do:

kadmin -q "addprinc -randkey GEMSTONE64/bunk.gemtalksystems.com"
kadmin -q "xst -norandkey -k my.keytab
GEMSTONE64/bunk.gemtalksystems.com"

but I know kadmin is a no-no under samba.

How can I get a keytab which contains the service principal?

Norm Green

L.P.H. van Belle

2016-Feb-26 07:18 UTC

head link

[Samba] Trouble adding a service principal to keytab

Same question as a few days ago... 
Have a look here :  http://www.spinics.net/lists/samba/msg132273.html 

Greetz, 


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Norm Green
> Verzonden: donderdag 25 februari 2016 22:43
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Trouble adding a service principal to keytab
> 
> Hi,
> 
> I am new to samba and Kerberos so please be gentle!
> 
> I have built a samba AD DC (v4.3.5) on Centos Linux from source and am
> trying to add a service principal and generate a keytab containing the
> principal.  However the principal entry does not appear in the keytab.
> 
> Here's what I did:
> 
> [root at bones ~]# samba-tool spn add
> GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM normg
> [root at bones ~]# samba-tool spn list normg
> normg
> User CN=normg,CN=Users,DC=sambatest,DC=gemtalksystems,DC=com has the
> following servicePrincipalName:
>   GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM
> 
> Ok, so it appears to be there under user normg.  Now if I export the
> entire keytab:
> 
> [root at bones ~]# samba-tool domain exportkeytab samba.keytab
> [root at bones ~]# klist -k samba.keytab
> Keytab name: FILE:samba.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>     1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
>     1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
>     1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
> 
> So the GEMSTONE64 principal is NOT in the keytab!  And requesting that
> principal for the keytab fails:
> 
> [root at bones ~]# samba-tool domain exportkeytab s
> --
> principal=GEMSTONE64/bunk.gemtalksystems.com at
SAMBATEST.GEMTALKSYSTEMS.COM
> ERROR(runtime): uncaught exception - Key table entry not found
>    File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 117, in run
>      net.export_keytab(keytab=keytab, principal=principal)
> 
> Removing the realm from the request fails in the same way.
> 
> If I was using Kerberos without samba, I would just do:
> 
> kadmin -q "addprinc -randkey GEMSTONE64/bunk.gemtalksystems.com"
> kadmin -q "xst -norandkey -k my.keytab
GEMSTONE64/bunk.gemtalksystems.com"
> 
> but I know kadmin is a no-no under samba.
> 
> How can I get a keytab which contains the service principal?
> 
> Norm Green
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Maybe Matching Threads

Search for more apparently analagous threads

samba - Feb 2016 - Trouble adding a service principal to keytab

[Samba] Trouble adding a service principal to keytab

[Samba] Trouble adding a service principal to keytab

Maybe Matching Threads