Thorsten Otto
2025-Jun-20 03:52 UTC
[Samba] Asking help exporting a valid keytab file for cups http
Hello and thanks again for your answer.

But shouldn't the "kinit" with the exported keytab work also if I don't need it?

And how can I use the HOST principal for cups if the keytab isn't working?

Thorsten

On Thursday, 19.06.2025 at 19:07 +0100, Rowland Penny via samba wrote:
> On Thu, 19 Jun 2025 19:11:45 +0200
> Thorsten Otto via samba <samba at lists.samba.org> wrote:
>
> > Thank you so much for your answer.
> >
> > On Thursday, 19.06.2025 at 17:19 +0100, Rowland Penny via samba wrote:
> > > On Thu, 19 Jun 2025 16:34:33 +0200
> > > Thorsten Otto via samba <samba at lists.samba.org> wrote:
> > >
> > > > root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> > > > root@dc:~# samba-tool spn list cupsserver$
> > > > cupsserver$
> > > > User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> > > > has the following servicePrincipalName:
> > > > HOST/CUPSSERVER
> > > > HOST/cupsserver.domain.tld
> > > > HTTP/cupsserver.domain.tld@DOMAIN.TLD
> > >
> > > That is another mistake, 'HOST' is a placeholder for other services
> > > (amongst which is 'HTTP'), you can see the entire list with:
> >
> > I did not create the HOST entries. They must have been put there by
> > samba or another service.
>
> I wasn't referring to the 'HOST' part, I was referring to the 'HTTP'
> part, you do not need it.
>
> > > sudo ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'dc=samdom,dc=example,dc=com' -s sub '(sPNMappings=*)' sPNMappings
>
> If you replace the '-P' above with '--use-kerberos', it still works,
> but using kerberos.
>
> > > Which should produce something like this:
> > >
> > > # record 1
> > > dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
> > > sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
> > >
> > > I hope you can see from that, you should be able to use the server's
> > > host key.
> > >
> > > Rowland
> >
> > I get the same output for the mappings. But I don't really understand
> > how I could use that for the http authentication. I did try these
> > steps and got the same error as before.
>
> What I am saying is, you should not need the 'HTTP' SPN, because the
> standard 'HOST' SPN should cover it.
>
> Rowland
Rowland Penny
2025-Jun-20 08:21 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On Fri, 20 Jun 2025 05:52:36 +0200
Thorsten Otto via samba <samba at lists.samba.org> wrote:

> Hello and thanks again for your answer.
>
> But shouldn't the "kinit" with the exported keytab work also if I
> don't need it?
>
> And how can I use the HOST principal for cups if the keytab isn't
> working?
>
> Thorsten
>

I normally do not use a computer keytab on Linux, so just naively believed it would work, it doesn't :-(

What does work, you can export a keytab with the 'http' SPN prefix without there actually being any such SPN in AD, provided there is a SPN that starts with 'host'.

If you try to use the keytab, you get this:

kinit: Client 'host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials

When there is quite obviously a servicePrincipalName attribute containing that in AD.

I stared at the computer's object for quite some time until it hit me, while 'devstation' had a few SPNs, it didn't have a userPrincipalName attribute, so adding:

userPrincipalName: host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM

led to a successful kinit, which led to this:

rowland@devstation:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
20/06/25 09:07:17    20/06/25 19:07:17    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 21/06/25 09:07:17

Hope this helps.

Rowland
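The two things the thread turns on, the sPNMappings alias list (earlier message) and the computer object that has SPNs but no userPrincipalName (this message), can be checked before exporting a keytab. The script below is an added example, not code from the thread or from Samba: it parses plain LDIF of the kind ldbsearch prints, maps a requested service class (http, cifs, ...) onto its canonical class through the sPNMappings value, checks whether the computer object's servicePrincipalName list covers the requested principal, and, if the object has no userPrincipalName, emits the LDIF modify that adds the one kinit will look for. It generalises the thread's http case to any alias in the mapping list. Both LDIF records are constructed samples modelled on the output quoted above, not real directory output; the OU names and the DEVSTATION host are assumptions.

```python
"""
Pre-flight check for "export a keytab, then kinit -k with it" on Samba AD.
Added example; not code from the thread or from Samba.

Failure mode being caught: the computer object carries HOST/<fqdn> (which,
via sPNMappings, also covers HTTP/<fqdn>), so keytab export succeeds, but
kinit fails with "Client 'host/<fqdn>@REALM' not found in Kerberos database"
because the object has no userPrincipalName for that name.
"""
from __future__ import annotations

import re

# Constructed sample (not real output): a computer object as ldbsearch
# would print it. userPrincipalName is deliberately absent.
SAMPLE_COMPUTER_LDIF = """\
# record 1
dn: CN=DEVSTATION,OU=Rechner,DC=samdom,DC=example,DC=com
sAMAccountName: DEVSTATION$
servicePrincipalName: HOST/DEVSTATION
servicePrincipalName: HOST/devstation.samdom.example.com

# returned 1 records
"""

# Constructed sample (not real output): the sPNMappings record, with the
# long value folded the way LDIF folds it (continuation lines start with
# a single space).
SAMPLE_SPN_MAPPINGS_LDIF = """\
# record 1
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,
 eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,
 messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,
 rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,
 scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,
 http,w3svc,iisadmin,msdtc

# returned 1 records
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse plain-text LDIF into [{attribute: [values]}]. Folded lines are
    joined, '#' comment lines skipped; base64 (::) values are rejected."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {attr.strip()} not supported")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def spn_aliases(mapping_values: list[str]) -> dict[str, str]:
    """'host=alias1,alias2,...' -> {'alias1': 'host', 'alias2': 'host', ...}"""
    aliases: dict[str, str] = {}
    for value in mapping_values:
        canonical, _, alias_list = value.partition("=")
        for alias in alias_list.split(","):
            if alias.strip():
                aliases[alias.strip().lower()] = canonical.strip().lower()
    return aliases


# service/host[/extra][@REALM]; 'extra' keeps 3-part SPNs (e.g. ldap/dc/domain) parseable.
_PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)(?:/(?P<extra>[^@]+))?(?:@(?P<realm>[^@]+))?$"
)


def canonical_principal(principal: str, aliases: dict[str, str]) -> str:
    """Rewrite the service class through sPNMappings: HTTP/x@R -> host/x@R."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    service = aliases.get(m["service"].lower(), m["service"].lower())
    out = f"{service}/{m['host']}"
    if m["extra"]:
        out += f"/{m['extra']}"
    if m["realm"]:
        out += f"@{m['realm']}"
    return out


def diagnose(computer: dict[str, list[str]], requested: str,
             aliases: dict[str, str]) -> dict:
    """Report whether 'requested' (service/host@REALM) is covered by the
    object's SPNs and whether a matching userPrincipalName exists; when the
    SPN is covered but no UPN is set, return the LDIF that adds it."""
    wanted = canonical_principal(requested, aliases)
    if "@" not in wanted:
        raise ValueError("requested principal must carry a realm, e.g. HTTP/host@REALM")
    wanted_spn = wanted.rsplit("@", 1)[0].lower()
    covered = any(
        canonical_principal(spn, aliases).split("@", 1)[0].lower() == wanted_spn
        for spn in computer.get("servicePrincipalName", [])
    )
    upns = computer.get("userPrincipalName", [])
    upn_ok = any(u.lower() == wanted.lower() for u in upns)
    fix = None
    if covered and not upns:  # only 'add'; never silently replace an existing UPN
        fix = "\n".join([f"dn: {computer['dn'][0]}", "changetype: modify",
                         "add: userPrincipalName", f"userPrincipalName: {wanted}", ""])
    return {"canonical_principal": wanted, "spn_covered": covered,
            "upn_ok": upn_ok, "fix_ldif": fix}


if __name__ == "__main__":
    aliases = spn_aliases(parse_ldif(SAMPLE_SPN_MAPPINGS_LDIF)[0]["sPNMappings"])
    computer = parse_ldif(SAMPLE_COMPUTER_LDIF)[0]
    report = diagnose(computer, "HTTP/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM", aliases)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The emitted record is ordinary modify LDIF, so it can be reviewed and then applied with ldbmodify against sam.ldb (or the equivalent change made with samba-tool); apply it only to the computer object, and only after checking that nothing else already relies on a different userPrincipalName there.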