keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials


Finally - I got it!

The

samba-tool spn add ...

does not (re)name the UPN as expected in the directory. I found it by comparing with MS ADS entries. So the workaround is to change the value by hand before issuing the exportkeytab command:

  • Open the just-created service user entry with an LDAP tool (I used Apache Directory Studio)
  • Edit "userPrincipalName" to reflect servicePrincipalName + REALM (in my case http/myserver.mycompany.com@MYCOMPANY.COM)
  • Export the keytab and everything works as expected

On the target machine

kinit -k -t keytabfile http/myserver.mycompany.com

works without any complaints! Hopefully this helps others trying to set up SSO with Samba4 ...
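The root cause described in this answer (and visible in the question's `samba-tool spn add` / `exportkeytab` procedure below) is that `kinit -k <principal>` sends `<principal>` as the *client* name of the AS-REQ, and the Samba AD KDC resolves client names against the account's userPrincipalName or sAMAccountName@REALM, not against servicePrincipalName. The following added example (not code from the original post or from the Samba project) checks a keytab against the service account for exactly that mismatch. It assumes two constructed inputs: the text of `klist -ke <keytab>` and a small LDIF-style dump of the account as `ldbsearch` would print it; account name `svc-http` and OU `Services` are made up.

```python
"""Check which keytab principals a Samba AD KDC will accept as the *client*
principal for `kinit -k`.

Constructed example: the klist output and the LDIF dump below are sample
data, not taken from a real domain.
"""
import re
from collections import defaultdict

# Constructed sample of `klist -ke` output (two principals, three enctypes each).
KLIST_OUTPUT = """\
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)
"""

# Constructed LDIF-style dump of the service account right after
# `samba-tool user create` + `samba-tool spn add`: the UPN still carries the
# plain user name; only servicePrincipalName was updated.
ACCOUNT_LDIF = """\
dn: CN=svc-http,OU=Services,DC=mycompany,DC=com
sAMAccountName: svc-http
userPrincipalName: svc-http@MYCOMPANY.COM
servicePrincipalName: http/myserver.mycompany.com
servicePrincipalName: http/myserver
"""

PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return {principal: {"kvno": int, "enctypes": set}} from `klist -ke` output."""
    entries = {}
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if not m:
            continue  # header and separator lines
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        e = entries.setdefault(principal, {"kvno": kvno, "enctypes": set()})
        e["enctypes"].add(enctype)
    return entries


def parse_ldif(text):
    """Return {attribute: [values]} for a single-entry LDIF dump."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()].append(value.strip())
    return dict(attrs)


def client_names(attrs, realm):
    """Names the KDC accepts as the client of an AS-REQ for this account."""
    names = set(attrs.get("userPrincipalName", []))
    for sam in attrs.get("sAMAccountName", []):
        names.add(f"{sam}@{realm}")
    return names


def check_keytab(klist_text, ldif_text):
    """Map each keytab principal to 'ok' or to why `kinit -k` would fail."""
    keytab = parse_klist(klist_text)
    attrs = parse_ldif(ldif_text)
    spns = set(attrs.get("servicePrincipalName", []))
    result = {}
    for principal in keytab:
        name, _, realm = principal.rpartition("@")
        if principal in client_names(attrs, realm):
            result[principal] = "ok"
        elif name in spns:
            # The SPN exists, but SPNs are only used for *server* lookups.
            result[principal] = (
                "only a servicePrincipalName: set userPrincipalName to "
                f"{principal} (an account has one UPN, so only one keytab "
                "principal can be used as client name)"
            )
        else:
            result[principal] = "not registered on the account at all"
    return result


if __name__ == "__main__":
    for principal, verdict in check_keytab(KLIST_OUTPUT, ACCOUNT_LDIF).items():
        print(f"{principal}: {verdict}")
```

Run as-is, the script reports both keytab principals as SPN-only, which is the state the question describes. Replacing the userPrincipalName value with `http/myserver.mycompany.com@MYCOMPANY.COM` (the answer's manual fix) turns the first principal into `ok`, while the short `http/myserver@MYCOMPANY.COM` entry stays unusable for `kinit -k`, which also explains the "one account per service" observation in the comments.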


Author: Heiko Robert

Updated on September 18, 2022

Comments

  • Heiko Robert
    Heiko Robert almost 2 years

    I set up a Samba 4 Active Directory on Ubuntu 14.04 following the Samba AD DC HOWTO. In principle everything works well, but I'm stuck getting Kerberos authentication running using SPNs for web applications. When I try to run

    kinit -k -t keytabfile http/myserver.mycompany.com 
    

    I always get a

    kinit: Client not found in Kerberos database while getting initial credentials
    

    What I already checked so far:

    • DNS is working on both sides, forward and reverse, returning FQDNs
    • kinit works using a username
    • myserver.mycompany.com is returned by nslookup on the DC and the webserver
    • myserver already joined the domain and is listed in
      CN=Computers,DC=mycompany,DC=com
    • there are no duplicate SPNs

    I created the service account/SPNs/keytabs as follows:

    samba-tool user create $ADS_USER $ADS_PW --userou=$USER_OU
    samba-tool user setexpiry --noexpiry $ADS_USER
    
    samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN} $ADS_USER
    samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST} $ADS_USER
    
    samba-tool spn list $ADS_USER
    rm -f $MY_KEYTAB
    samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN}
    samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}
    

    When running klist -k -e $MY_KEYTAB everything looks good:

    root@myhost:~# klist -ke ./test.keytab
    Keytab name: FILE:./test.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
       1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
       1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
       1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
       1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
       1 http/myserver@MYCOMPANY.COM (arcfour-hmac)
    

    I'm lost; I spent several hours researching on Google and have no idea how to work around/fix the 'Client not found in Kerberos database' error. Any hint is welcome!

    Thanks

    My /etc/krb5.conf on the client:

    [libdefaults]
            debug = true
            default_realm = MYCOMPANY.COM
            dns_lookup_realm = false
            dns_lookup_kdc = false
            default_tkt_enctypes = rc4-hmac
            default_tgs_enctypes = rc4-hmac
    [realms]
            MYCOMPANY.COM = {
                    kdc = dc01.mycompany.com
                    admin_server = dc01.mycompany.com
                    kpasswd_server = dc01.mycompany.com

                    #ktpasswd_server = dc01.mycompany.com
                    #admin_server = dc01.mycompany.com
            }
    [domain_realm]
            .mycompany.com = MYCOMPANY.COM
            mycompany.com = MYCOMPANY.COM
    

    On the DC server, /etc/samba/smb.conf:

    [global]
            debug level = 1
            syslog = 1
            max log size = 0
    
            workgroup = MYCOMPANY
            realm = MYCOMPANY.COM
            netbios name = DC01
            server role = active directory domain controller
            server string = MYCOMPANY domain controller
            server role check:inhibit = yes
            dns forwarder = 192.168.22.1
            idmap_ldb:use rfc2307 = yes
    
  • Jan Xavier
    Jan Xavier almost 3 years
    Thank you very much, it took some hours to find but has been a life saver! I suppose this means there must be a single account for each service, while SPN is supposed to authenticate several services with a single account. I wonder how it behaves with CNAME hosts...
  • Heiko Robert
    Heiko Robert almost 3 years
    That's at least the way we configure Kerberos authentication on MS AD to be used from Java. I have never questioned creating a separate account for each service, so I'm not sure if this would work on MS ...