Hello All.

I am using Samba AD DC and a Linux server with Squid, and I am trying to configure kerberos authentication for proxy server users. I need to add an SPN for a user and then export a keytab with it to a file.

I added the user with RSAT and added an SPN for it with samba-tool (like https://wiki.samba.org/index.php/Generating_Keytabs):
--------------------
root@ad41:/# samba-tool spn list proxy
proxy
User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following servicePrincipalName:
HTTP/proxy.S****.ru@DC.S****.RU
host/proxy.S****.ru@DC.S****.RU
------------------
But I cannot export exactly this SPN; in the exported file I have another record:
------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=HTTP/proxy.S****.ru@DC.S****.RU
ERROR(runtime): uncaught exception - Key table entry not found
---------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=proxy
root@ad41:/# klist -ke /root/squid.keytab
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy@DC.S****.RU (des-cbc-crc)
   1 proxy@DC.S****.RU (des-cbc-md5)
   1 proxy@DC.S****.RU (arcfour-hmac)

This keytab doesn't have the record needed for use at the proxy server:
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
kinit: Keytab contains no suitable keys for HTTP/proxy.S****.ru@DC.S****.RU while getting initial credentials
----------------
Where am I wrong, or is it a "samba-tool domain exportkeytab" problem? I found a mail saying that it was fixed in Apr 2016, this for example: https://lists.samba.org/archive/samba-technical/2016-April/113598.html
From which samba version does it work correctly?
I tried to create the keytab from the proxy server with ktutil:
-----------
[root@proxy squid]# ktutil
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-crc
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-md5
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e arcfour-hmac
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: wkt /etc/squid/squid.keytab
------------------
[root@proxy squid]# klist -ket /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/30/17 10:52:15 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-crc)
   1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-md5)
   1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (arcfour-hmac)
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
Using default cache: persistent:0:0
Using principal: HTTP/proxy.S****.ru@DC.S****.RU
Using keytab: /etc/squid/squid.keytab
kinit: Client 'HTTP/proxy.S****.ru@DC.S****.RU' not found in Kerberos database while getting initial credentials

I cannot guess why; does anybody know kerberos well enough, please?

-- 
Administrator
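An added example, not code from the thread or from the Samba project: a small parser for MIT-format keytabs (the files `samba-tool domain exportkeytab` and `ktutil wkt` write) that reports the same fields as `klist -ke` and checks two things a defender wants to know before handing a keytab to squid: whether the exact principal the service will use is present at all, and whether the file only carries DES/RC4 keys. The realm `DC.EXAMPLE.RU`, the key bytes and the sample keytab are constructed for the example.

```python
import struct

# Enctype numbers as they appear in keytabs / klist -ke output.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}  # DES broken, RC4 deprecated

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from MIT 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size == 0:                     # nothing more to read
            break
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        p = pos
        ncomp = struct.unpack_from(">H", data, p)[0]; p += 2
        parts = []                        # realm first, then name components
        for _ in range(ncomp + 1):
            ln = struct.unpack_from(">H", data, p)[0]; p += 2
            parts.append(data[p:p + ln].decode()); p += ln
        p += 8                            # skip name_type and timestamp
        kvno = data[p]; p += 1            # 8-bit kvno
        etype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if p + 4 <= pos + size:           # optional 32-bit kvno overrides if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno,
                        ENCTYPES.get(etype, "etype%d" % etype)))
        pos += size
    return entries

def audit(data, required):
    """Is the principal the service needs present, and which weak enctypes appear?"""
    entries = parse_keytab(data)
    return {"present": any(p == required for p, _, _ in entries),
            "weak": sorted({e for _, _, e in entries if e in WEAK})}

def _entry(realm, comps, kvno, etype, key):
    """Build one keytab entry (constructed test data; zero keys, not real keys)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)        # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab mirroring the exportkeytab result in the thread: only the
# account's own principal 'proxy@REALM' with DES/RC4 keys and no HTTP/ SPN.
SAMPLE = b"\x05\x02" + b"".join(_entry("DC.EXAMPLE.RU", ["proxy"], 1, e, bytes(8))
                                for e in (1, 3, 23))
```

Running `audit(SAMPLE, "HTTP/proxy.example.ru@DC.EXAMPLE.RU")` reproduces the situation above: the SPN is absent, so `kinit -k` can only fail, and every key present is DES or RC4.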
On Thu, 30 Nov 2017 11:11:27 +0400
Mike Lykov via samba <samba@lists.samba.org> wrote:

> Hello All.
> 
> I am using Samba AD DC and a Linux server with Squid, and
> I am trying to configure kerberos authentication for proxy server users.
> I need to add an SPN for a user and then export a keytab with it to a file.
> 
> I added the user with RSAT and added an SPN for it with samba-tool (like
> https://wiki.samba.org/index.php/Generating_Keytabs):
> --------------------
> root@ad41:/# samba-tool spn list proxy
> proxy
> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
> servicePrincipalName:
> HTTP/proxy.S****.ru@DC.S****.RU
> host/proxy.S****.ru@DC.S****.RU

I am not an expert on squid by any means, but you seem to be adding SPNs meant for a computer account to a user account, i.e. 'proxy.S****.ru' would be a FQDN.
Also, the 'S****.ru' should be 'dc.s****.ru'

I think you are going to have to wait until Louis gets over the flu, he is the expert on squid ;-)

Rowland
30.11.2017 14:00, Rowland Penny via samba writes:
>> I added the user with RSAT and added an SPN for it with samba-tool (like
>> https://wiki.samba.org/index.php/Generating_Keytabs):
>> --------------------
>> root@ad41:/# samba-tool spn list proxy
>> proxy
>> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
>> servicePrincipalName:
>> HTTP/proxy.S****.ru@DC.S****.RU
>> host/proxy.S****.ru@DC.S****.RU
> 
> I am not an expert on squid by any means, but you seem to be adding
> SPNs meant for a computer account to a user account, i.e.
> 'proxy.S****.ru' would be a FQDN.
> Also, the 'S****.ru' should be 'dc.s****.ru'

Thanks for the idea. Here:
DC.S****.RU is the kerberos realm and domain name
proxy.s***.ru is the hostname of the proxy server with squid; it is NOT joined to the domain
the hostname is a FQDN, but not in the dc.s****.ru zone (there are some servers not joined to the domain that have FQDNs in the s****.ru zone, and some workstations and servers joined to the domain in the dc.s****.ru zone)
on the servers not joined to the domain, their own DNS servers are configured, not the ADDC DNS servers

Is there a possibility to configure kerberos auth without joining the server to the domain and using the ADDC dns servers?

> I think you are going to have to wait until Louis gets over the flu, he
> is the expert on squid ;-)

I saw this sad news, and best wishes to him too ;)

-- 
Mike