Hi,
When I have a service on a client that tries to use kerberos and I get errors such as these in the log.samba file:

Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

Does this mean that the kerberos authentication system is looking for the principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain or in the server's /etc/krb5.keytab file? I have tried adding this principal to the /etc/krb5.keytab file using ktutil, but this error still pops up. I noticed that you can export a principal into a keytab file using "samba-tool domain exportkeytab", but how do you add the principal to the domain? Will adding the missing principal using "samba-tool spn" solve problems like these?

According to https://help.ubuntu.com/community/SingleSignOn , you add a host to the kerberos realm by doing these two commands on the kerberos server:

kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM

I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@ EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab ~/client.keytab --principal=host/client.example.com", but what is the equivalent of "kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM" under samba4?

br,
Quinn

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> Hi,
>
> When I have a service on a client that tries to use kerberos and I get
> errors such as these in the log.samba file:
>
> Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
> entry found in hdb
>
> Does this mean that the kerberos authentication system is looking for the
> principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain

That would be in the domain. hdb is a reference to our sam.ldb in this case.

> or in the server's /etc/krb5.keytab file? I have tried adding this
> principal to the /etc/krb5.keytab file using ktutil, but this error still
> pops up. I noticed that you can export a principal into a keytab file
> using "samba-tool domain exportkeytab" but how do you add the principal to
> the domain? Will adding the missing principal using "samba-tool spn" solve
> problems like these?

Yes.

> According to https://help.ubuntu.com/community/SingleSignOn , you add a
> host to the kerberos realm by doing these two commands on the kerberos
> server:
>
> kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
>
> I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@
> EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab
> ~/client.keytab --principal=host/client.example.com" but what is the
> equivalent of "kadmin: addprinc -randkey host/client.example.com @
> EXAMPLE.COM" under samba4 ???

If the client doesn't wish to have any Samba integration it would be adding a user, adding an spn, setting a random password and then using the exportkeytab command you mentioned.

However, joining the machine using Samba would be more likely what you want, ie run 'net ads join' on the client, and look into the keytab options in the smb.conf for how to have Samba maintain a system keytab for your other services.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Hi,
Thanks for the info. I am now trying two ways to get, for example, the nslcd service to work with samba4 kerberos.

Note: Spaces around "@" are intentional and exist only on the list.

Method 1: The non-integration-with-samba method
==================================================================
server:/root# samba-tool user add nslcd-service --random-password
server:/root# samba-tool spn add HOST/ubuntu-test.mydomain.net nslcd-service
server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
==================================================================

Method 2: The samba4 integration method
==================================================================
server:/root# samba-tool spn delete HOST/ubuntu-test.mydomain.net nslcd-service   # Make sure HOST/ubuntu-test.mydomain.net does not exist already
server:/root# samba-tool user delete nslcd-service

ubuntu-test:/root# nano /etc/samba/smb.conf
# Change/add the following lines:
workgroup = MYDOMAIN
realm = mydomain.net
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
security = ads

ubuntu-test:/root# rm /etc/krb5.keytab   # Delete any existing keytabs so there is no confusion
ubuntu-test:/root# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYDOMAIN
Joined 'UBUNTU-TEST' to realm 'mydomain.net'
DNS Update for ubuntu-test.mydomain.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

log.samba shows this during ads join:
-----------------------------------------------------------------
Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47888 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator @ MYDOMAIN.NET
Kerberos: AS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:47831 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- Administrator @ MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator @ MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:30 starttime: unset endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, forwardable
Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:37803 for ldap/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: TGS-REQ Administrator @ MYDOMAIN.NET from ipv4:10.45.1.55:38998 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET [renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:30 starttime: 2012-07-16T11:10:30 endtime: 2012-07-16T21:10:30 renew till: 2012-07-17T11:10:30
Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:54978 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: AS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:34088 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: Looking for ENC-TS pa-data -- UBUNTU-TEST$ @ MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$ @ MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-07-16T11:10:31 starttime: unset endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, forwardable
Kerberos: TGS-REQ UBUNTU-TEST$ @ MYDOMAIN.NET from ipv4:10.45.1.55:60077 for dns/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-07-16T11:10:31 starttime: 2012-07-16T11:10:31 endtime: 2012-07-16T21:10:31 renew till: 2012-07-17T11:10:27
-----------------------------------------------------------------

ubuntu-test:/root# file /etc/krb5.keytab
/etc/krb5.keytab: ERROR: cannot open `/etc/krb5.keytab' (No such file or directory)
ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=HOST/ubuntu-test.mydomain.net
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab
ubuntu-test:/root# /etc/init.d/nslcd restart
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

log.samba on server shows:
Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
==================================================================

As you can see, no matter if a /etc/krb5.keytab exists or not, and no matter if I add "HOST/ubuntu-test.mydomain.net" to the domain either via "samba-tool spn add" or via the client's "net ads join", kerberos authentication fails with "no such entry found in hdb".

Anyways, I found a workaround. I noticed during "net ads join" that kerberos authentication was succeeding using "UBUNTU$@MYDOMAIN.NET", so using method 2, I added the following:

server:/root# samba-tool domain exportkeytab /etc/ubuntu-test.keytab --principal=UBUNTU-TEST\$
server:/root# scp /etc/ubuntu-test.keytab root @ ubuntu-test:/etc/krb5.keytab

On the client, in /etc/default/nslcd, add the line:

K5START_PRINCIPAL="`hostname | tr [:lower:] [:upper:]`$"

then at least the nslcd service seems to work. I would be interested in knowing if using <hostname in uppercase>$ is better than HOST/<hostname>.mydomain.net.

br,
Quinn

On Sat, Jul 14, 2012 at 1:27 AM, Andrew Bartlett <[hidden email]> wrote:
> On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> > Hi,
> >
> > When I have a service on a client that tries to use kerberos and I get
> > errors such as these in the log.samba file:
> >
> > Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
> > entry found in hdb
> >
> > Does this mean that the kerberos authentication system is looking for the
> > principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain
>
> That would be in the domain. hdb is a reference to our sam.ldb in this
> case.
>
> > or in the server's /etc/krb5.keytab file? I have tried adding this
> > principal to the /etc/krb5.keytab file using ktutil, but this error still
> > pops up. I noticed that you can export a principal into a keytab file
> > using "samba-tool domain exportkeytab" but how do you add the principal to
> > the domain? Will adding the missing principal using "samba-tool spn" solve
> > problems like these?
>
> Yes.
>
> > According to https://help.ubuntu.com/community/SingleSignOn , you add a
> > host to the kerberos realm by doing these two commands on the kerberos
> > server:
> >
> > kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> > kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
> >
> > I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@
> > EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab
> > ~/client.keytab --principal=host/client.example.com" but what is the
> > equivalent of "kadmin: addprinc -randkey host/client.example.com @
> > EXAMPLE.COM" under samba4 ???
>
> If the client doesn't wish to have any Samba integration it would be
> adding a user, adding an spn, setting a random password and then using
> the exportkeytab command you mentioned.
>
> However, joining the machine using Samba would be more likely what you
> want, ie run 'net ads join' on the client, and look into the keytab
> options in the smb.conf for how to have Samba maintain a system keytab
> for your other services.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

-- 
Best regards/Med venlig hilsen,
Quinn Plattel
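The thread turns on reading log.samba correctly: an "UNKNOWN -- principal: no such entry found in hdb" line names a client principal that the KDC could not find in sam.ldb, and no keytab on the client can fix that. The following shell snippet is an added example (not from the thread or from Samba) that pulls those facts out of a log.samba excerpt: which principals the KDC rejected, which ones pre-authenticated and with what enctype, and which service tickets were requested. The sample lines are constructed after the ones posted above; real log.samba output writes name@REALM without the spaces the list inserts around "@", so the patterns assume that form.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise a log.samba excerpt so that
# "no such entry found in hdb" failures can be tied to the principal that caused
# them. SAMPLE_LOG is constructed after the lines posted in the thread.

SAMPLE_LOG='Kerberos: AS-REQ HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET from ipv4:10.45.1.55:36605 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: UNKNOWN -- HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: AS-REQ UBUNTU-TEST$@MYDOMAIN.NET from ipv4:10.45.1.55:34088 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: ENC-TS Pre-authentication succeeded -- UBUNTU-TEST$@MYDOMAIN.NET using arcfour-hmac-md5
Kerberos: TGS-REQ UBUNTU-TEST$@MYDOMAIN.NET from ipv4:10.45.1.55:60077 for dns/cofil01.mydomain.net@MYDOMAIN.NET [canonicalize, renewable, forwardable]'

# Principals the KDC could not find in sam.ldb (the "hdb" of the log line),
# one per line, deduplicated. A keytab entry on the client does not help here:
# the account or SPN must exist in the domain.
missing_principals() {
    printf '%s\n' "$1" \
    | sed -n 's/^Kerberos: UNKNOWN -- \(.*\): no such entry found in hdb$/\1/p' \
    | sort -u
}

# "principal enctype" for every successful ENC-TS pre-authentication.
preauth_enctypes() {
    printf '%s\n' "$1" \
    | sed -n 's/^Kerberos: ENC-TS Pre-authentication succeeded -- \(.*\) using \(.*\)$/\1 \2/p'
}

# Principals that pre-authenticated with arcfour-hmac-md5 (RC4), an enctype
# that is now considered weak; empty output means none did.
rc4_clients() {
    preauth_enctypes "$1" | awk '$2 == "arcfour-hmac-md5" { print $1 }'
}

# "client service" for every TGS-REQ, i.e. which service tickets were asked for
# and by whom. Field positions follow the log format shown in the thread.
service_requests() {
    printf '%s\n' "$1" \
    | awk '$2 == "TGS-REQ" { print $3, $7 }'
}

# Stand-alone usage: summarise the constructed sample (replace "$SAMPLE_LOG"
# with "$(cat /path/to/log.samba)" for a real file).
echo "Principals unknown to the KDC:";  missing_principals "$SAMPLE_LOG"
echo "Pre-authentication enctypes:";    preauth_enctypes "$SAMPLE_LOG"
echo "Clients still using RC4:";        rc4_clients "$SAMPLE_LOG"
echo "Service tickets requested:";      service_requests "$SAMPLE_LOG"
```

Run against the sample, the first function prints only HOST/ubuntu-test.mydomain.net@MYDOMAIN.NET, which is exactly the principal k5start was configured to use and the KDC had no account for, while UBUNTU-TEST$ (the machine account created by net ads join) pre-authenticates fine. The RC4 check is there because the posted log negotiates arcfour-hmac-md5 for every exchange; that is worth knowing when the domain is later moved to AES-only enctypes.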
On 16/07/12 12:10, Quinn Plattel wrote:
> Hi,
>
> Thanks for the info. I am now trying two ways to get, for example, the
> nslcd service to work with samba4 kerberos.

The host principals are already there so I can't see why you are trying to recreate them. Don't use the host key. Use a separate key to unlock the nslcd service so that it can access the Samba 4 LDAP.

The problem with nslcd in Ubuntu is k5start. The configuration file is located in /etc/default/nslcd which prevents it using a Samba4 principal. With Samba4, nslcd triggers k5start and it has no key to reference.

Set k5start to "No" and start it manually yourself with a keytab you have extracted for your nslcd-service. If you do not, you will have to manually restart nslcd every 10 hours anyway.

Cheers,
HTH
Steve
Hi Steve,
I was taking nslcd as an example and I know that one workaround is the way you describe it, but I see more than just the nslcd/k5start service that uses the HOST/hostname.domain.net principal to authenticate - for example, ssh with GSSAPI seems to do the same thing unless you use "GSSAPIStrictAcceptorCheck no" in /etc/sshd_config, and then there is "ldapsearch -Y GSSAPI" which asks for the ldap/hostname.domain.net principal. So far, of these three issues, I see two workarounds and one with no solution yet. It would be nice to see a common solution that works for all kerberos aware services - hence the subject "Understanding kerberos principals in samba4".

br,
Quinn

On Mon, Jul 16, 2012 at 12:59 PM, steve <[hidden email]> wrote:
> On 16/07/12 12:10, Quinn Plattel wrote:
>
>> Hi,
>>
>> Thanks for the info. I am now trying two ways to get, for example, the
>> nslcd service to work with samba4 kerberos.
>>
>
> The host principals are already there so I can't see why you are trying to
> recreate them. Don't use the host key. Use a separate key to unlock the
> nslcd service so that it can access the Samba 4 LDAP.
>
> The problem with nslcd in Ubuntu is k5start. The configuration file is
> located in /etc/default/nslcd which prevents it using a Samba4 principal.
> With Samba4, nslcd triggers k5start and it has no key to reference.
>
> Set k5start to "No" and start it manually yourself with a keytab you have
> extracted for your nslcd-service. If you do not, you will have to manually
> restart nslcd every 10 hours anyway.
>
> Cheers,
> HTH
> Steve

-- 
Best regards/Med venlig hilsen,
Quinn Plattel
On 16/07/12 13:21, Quinn Plattel wrote:
> Hi Steve,
>
> I was taking nslcd as an example and I know that one workaround is the
> way you describe it, but I see more than just nslcd/k5start service that
> uses the HOST/hostname.domain.net

Hi Quinn

Sorry. I thought you were still with the nslcd workaround.

You may come across nfs. That by default needs principals in /etc/krb5.keytab. host/realm is one of many keys that work.

Cheers,
Steve
