Hello again, after obtaining the keytab file I tried to use kinit keytab.file followed by the SPN:

$ samba-tool spn list z1
z1
User CN=z1,CN=Users,DC=home,DC=lan has the following servicePrincipalName:
         zookeeper/ap42.home.lan
$ samba-tool domain exportkeytab z1.ktab --principal=z1
$ samba-tool domain exportkeytab z1.ktab --principal=zookeeper/ap42.home.lan
$ kinit -V -k -t z1.ktab zookeeper/ap42.home.lan
Using default cache: /tmp/krb5cc_1003
Using principal: zookeeper/ap42.home.lan at HOME.LAN
Using keytab: z1.ktab
kinit: Client 'zookeeper/ap42.home.lan at HOME.LAN' not found in Kerberos database while getting initial credentials
zookeeper at AP42:~$

samba log:

[2020/06/10 18:36:14.801334,  2, pid=27610, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[zookeeper/ap42.home.lan at HOME.LAN] at [Wed, 10 Jun 2020 18:36:14.801316 CEST] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.1.2:37598] mapped to [(null)]\[(null)]. local host [NULL]

Using the principal works:

$ kinit -V -k -t z1.ktab z1
Using default cache: /tmp/krb5cc_1003
Using principal: z1 at HOME.LAN
Using keytab: z1.ktab
Authenticated to Kerberos v5

$ klist -k -e z1.ktab
Keytab name: FILE:z1.ktab
KVNO Principal
---- --------------------------------------------------------------------------
   2 zookeeper/ap42.home.lan at HOME.LAN (arcfour-hmac)
   2 zookeeper/ap42.home.lan at HOME.LAN (des-cbc-md5)
   2 zookeeper/ap42.home.lan at HOME.LAN (des-cbc-crc)
   2 z1 at HOME.LAN (aes256-cts-hmac-sha1-96)
   2 z1 at HOME.LAN (aes128-cts-hmac-sha1-96)
   2 z1 at HOME.LAN (arcfour-hmac)
   2 z1 at HOME.LAN (des-cbc-md5)
   2 z1 at HOME.LAN (des-cbc-crc)

/etc/krb5.conf:

[libdefaults]
    default_realm = HOME.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

Thanks.
On 10/06/2020 17:48, banda bassotti via samba wrote:
> Hello again, after obtaining the keytab file I tried to use kinit
> keytab.file followed by the spn
>
> $ samba-tool spn list z1
> z1
> User CN=z1,CN=Users,DC=home,DC=lan has the following servicePrincipalName:
>          zookeeper/ap42.home.lan

Is this for Apache zookeeper ?

The thing that says it is a 'centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services' ?

Or to put it another way, something that sounds very similar to AD, if so, what will it give you that AD doesn't ?

Rowland
Hi Rowland, yes I'm configuring apache kafka / zookeeper, I need Kerberos authentication for the test environment and I don't have AD :)

I've two environments, the first (production), samba 4.5.1, works as intended:

# samba-tool spn list z1
z1
User CN=z1,CN=Users,DC=pro,DC=lan has the following servicePrincipalName:
         zookeeper/node1.pro.lan
# klist -k -e z1.ktab
Keytab name: FILE:z1.ktab
KVNO Principal
---- --------------------------------------------------------------------------
   2 zookeeper/node1.PRO.lan at PRO.LAN (DEPRECATED:arcfour-hmac)
   2 z1 at PRO.LAN (DEPRECATED:arcfour-hmac)
# kinit -k -t z1.ktab zookeeper/node1.pro.lan
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zookeeper/node1.pro.lan at PRO.LAN

Valid starting       Expires              Service principal
06/10/2020 20:14:07  06/11/2020 06:14:07  krbtgt/PRO.LAN at PRO.LAN
        renew until 06/11/2020 20:14:07

The second one, test environment, samba 4.11.9, doesn't.

On Wed, 10 Jun 2020 at 19:06, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 10/06/2020 17:48, banda bassotti via samba wrote:
> > Hello again, after obtaining the keytab file I tried to use kinit
> > keytab.file followed by the spn
> >
> > $ samba-tool spn list z1
> > z1
> > User CN=z1,CN=Users,DC=home,DC=lan has the following
> > servicePrincipalName:
> >          zookeeper/ap42.home.lan
>
> Is this for Apache zookeeper ?
>
> The thing that says it is a 'centralized service for maintaining
> configuration information, naming, providing distributed
> synchronization, and providing group services' ?
>
> Or to put it another, something that sounds very similar to AD, if so,
> what will it give you that AD doesn't ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
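Both keytab listings in this thread (the `klist -k -e z1.ktab` output in the first message and the production one above) are worth checking mechanically before running `kinit -k -t`: whether the exact principal you intend to use is present, with which key version, and whether its keys are only RC4/DES or also AES. The script below is an added example, not code from the thread or from Samba; it parses `klist -k -e` output (including the `DEPRECATED:` prefix newer `klist` builds print and the `user at REALM` form that list archives substitute for `@`) and reports that per principal. The sample listing is constructed from the first message's output; `WEAK_ENCTYPES` is this example's own classification.

```python
import re
from collections import defaultdict

# Enctypes a keytab audit should flag: single DES (removed from current MIT
# krb5 releases) and RC4/arcfour-hmac (deprecated, MD4-based), plus triple DES.
# AES entries pass. This classification is the example's own choice.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# One `klist -k -e` entry: "<kvno> <principal> (<enctype>)". The principal may
# appear as user@REALM or, in mailing-list archives, as "user at REALM".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+(?:@\S+| at \S+))\s+\((?P<enctype>[^)]+)\)\s*$"
)

# Constructed sample, modelled on the listing in the first message of the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:z1.ktab
KVNO Principal
---- --------------------------------------------------------------------------
   2 zookeeper/ap42.home.lan at HOME.LAN (arcfour-hmac)
   2 zookeeper/ap42.home.lan at HOME.LAN (des-cbc-md5)
   2 zookeeper/ap42.home.lan at HOME.LAN (des-cbc-crc)
   2 z1 at HOME.LAN (aes256-cts-hmac-sha1-96)
   2 z1 at HOME.LAN (aes128-cts-hmac-sha1-96)
   2 z1 at HOME.LAN (arcfour-hmac)
   2 z1 at HOME.LAN (des-cbc-md5)
   2 z1 at HOME.LAN (des-cbc-crc)
"""


def parse_klist_keytab(text):
    """Parse `klist -k -e` output into (kvno, principal, enctype) tuples.

    Header lines and the dashed rule are skipped. Principals are normalised to
    the user@REALM form; a leading 'DEPRECATED:' on the enctype is stripped so
    the name can be compared against WEAK_ENCTYPES.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        principal = m.group("principal").replace(" at ", "@")
        enctype = m.group("enctype").strip().lower()
        if enctype.startswith("deprecated:"):
            enctype = enctype[len("deprecated:"):]
        entries.append((int(m.group("kvno")), principal, enctype))
    return entries


def audit_keytab(entries, wanted_principal):
    """Report on one principal: present at all, key versions, enctypes split
    into weak and strong. The match is case-sensitive on purpose: Kerberos
    principal names are case-sensitive, so zookeeper/node1.PRO.lan@PRO.LAN and
    zookeeper/node1.pro.lan@PRO.LAN are different keys."""
    by_principal = defaultdict(list)
    for kvno, principal, enctype in entries:
        by_principal[principal].append((kvno, enctype))
    keys = by_principal.get(wanted_principal, [])
    return {
        "present": bool(keys),
        "kvnos": sorted({k for k, _ in keys}),
        "enctypes": sorted({e for _, e in keys}),
        "weak_enctypes": sorted({e for _, e in keys if e in WEAK_ENCTYPES}),
        "strong_enctypes": sorted({e for _, e in keys if e not in WEAK_ENCTYPES}),
    }


if __name__ == "__main__":
    parsed = parse_klist_keytab(SAMPLE_KLIST)
    for wanted in ("zookeeper/ap42.home.lan@HOME.LAN", "z1@HOME.LAN",
                   "zookeeper/AP42.home.lan@HOME.LAN"):
        report = audit_keytab(parsed, wanted)
        print(wanted)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Run against the first message's listing, the audit shows that the SPN entries carry only RC4 and DES keys while the z1 account entries also carry AES keys, and that a principal differing only in case is reported as absent. To use it on a real keytab, pipe `klist -k -e <file>` into `parse_klist_keytab`.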