Hi Rowland, yes I'm configuring apache kafka / zookeeper, I need Kerberos
authentication for the test environment and I don't have AD :)
I've two environments; the first (production), samba 4.5.1, works as intended:
# samba-tool spn list z1
z1
User CN=z1,CN=Users,DC=pro,DC=lan has the following servicePrincipalName:
zookeeper/node1.pro.lan
# klist -k -e z1.ktab
Keytab name: FILE:z1.ktab
KVNO Principal
---- --------------------------------------------------------------------------
   2 zookeeper/node1.PRO.lan@PRO.LAN (DEPRECATED:arcfour-hmac)
   2 z1@PRO.LAN (DEPRECATED:arcfour-hmac)
# kinit -k -t z1.ktab zookeeper/node1.pro.lan
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zookeeper/node1.pro.lan@PRO.LAN

Valid starting       Expires              Service principal
06/10/2020 20:14:07  06/11/2020 06:14:07  krbtgt/PRO.LAN@PRO.LAN
        renew until 06/11/2020 20:14:07
The second one, test environment samba 4.11.9, doesn't.

On Wed, 10 Jun 2020 at 19:06, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 10/06/2020 17:48, banda bassotti via samba wrote:
> > Hello again, after obtaining the keytab file I tried to use kinit
> > keytab.file followed by the spn
> >
> > $ samba-tool spn list z1
> > z1
> > User CN=z1,CN=Users,DC=home,DC=lan has the following servicePrincipalName:
> > zookeeper/ap42.home.lan
>
> Is this for Apache zookeeper ?
>
> The thing that says it is a 'centralized service for maintaining
> configuration information, naming, providing distributed
> synchronization, and providing group services' ?
>
> Or to put it another way, something that sounds very similar to AD, if so,
> what will it give you that AD doesn't ?
>
> Rowland

On 10/06/2020 19:25, banda bassotti via samba wrote:
> Hi Rowland, yes I'm configuring apache kafka / zookeeper, I need Kerberos
> authentication for the test environment and I don't have AD :)

How can you be using samba-tool and not have AD ?

> I've two environments; the first (production), samba 4.5.1, works as intended:

But the intended use of Samba 4.5.1 is not to work, it is EOL :-D

If I read the zookeeper page correctly, you should be adding the SPN to
the hosts object, not to a user.

Something like:

samba-tool spn add zookeeper/zookeeper1.example.com zookeeper1\$

samba-tool domain exportkeytab /tmp/zookeeper.keytab --principal=zookeeper/zookeeper1.example.com

Rowland

The production will be updated as soon as possible, back to the kinit it
seems to me that we are going around the problem :)
I will do tests, in the next few days I will make up for it unless there are
some hints.

thanks.

On Wed, 10 Jun 2020 at 20:46, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 10/06/2020 19:25, banda bassotti via samba wrote:
> > Hi Rowland, yes I'm configuring apache kafka / zookeeper, I need Kerberos
> > authentication for the test environment and I don't have AD :)
> How can you be using samba-tool and not have AD ?
> >
> > I've two environments; the first (production), samba 4.5.1, works as intended:
>
> But the intended use of Samba 4.5.1 is not to work, it is EOL :-D
>
> If I read the zookeeper page correctly, you should be adding the SPN to
> the hosts object, not to a user.
>
> Something like:
>
> samba-tool spn add zookeeper/zookeeper1.example.com zookeeper1\$
>
> samba-tool domain exportkeytab /tmp/zookeeper.keytab --principal=zookeeper/zookeeper1.example.com
>
> Rowland
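
The `klist -k -e` listing in the first message shows every key in z1.ktab marked `DEPRECATED:arcfour-hmac`. The following is an added example, not part of the thread, of a check that flags such keytab entries; the function names are hypothetical, the aes256 sample line is constructed, and it assumes the MIT krb5 listing format shown above.

```shell
#!/bin/sh
# Added example (not from the thread): flag weak enctypes in `klist -k -e` output.
# Function names are hypothetical. Assumes the MIT krb5 listing format shown above,
# where the enctype is the last field, in parentheses.

# Reads a `klist -k -e` listing on stdin, prints "KVNO PRINCIPAL ENCTYPE" for each
# weak key, and returns 1 if any were found (0 if the keytab is clean).
weak_keytab_entries() {
    awk '
        # Key lines start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = $NF
            gsub(/[()]/, "", enc)
            flagged = (enc ~ /^DEPRECATED:/)      # marker printed by newer klist
            sub(/^DEPRECATED:/, "", enc)
            # RC4 and DES/3DES families, in case klist prints no marker.
            if (flagged || enc ~ /^(arcfour|des)/) {
                print $1, $(NF - 1), enc
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: the two arcfour-hmac lines follow the listing in the thread;
# the aes256 line is invented for contrast.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:z1.ktab
KVNO Principal
---- --------------------------------------------------------------------------
   2 zookeeper/node1.PRO.lan@PRO.LAN (DEPRECATED:arcfour-hmac)
   2 z1@PRO.LAN (DEPRECATED:arcfour-hmac)
   2 z1@PRO.LAN (aes256-cts-hmac-sha1-96)
EOF
}

# Real use: klist -k -e z1.ktab | weak_keytab_entries
sample_listing | weak_keytab_entries || echo "weak enctypes present" >&2
```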