added spn and exported keytab not match


added spn and exported keytab not match

Samba - General mailing list
Hello All.

I am using a Samba AD DC and a Linux server with Squid, and
I am trying to configure Kerberos authentication for proxy server users.
I need to add an SPN for a user and then export a keytab with it to a file.

I added the user with RSAT and added the SPN for it with samba-tool (as in
https://wiki.samba.org/index.php/Generating_Keytabs):
--------------------
root@ad41:/# samba-tool spn list proxy
proxy
User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
servicePrincipalName:
          HTTP/proxy.S****.[hidden email]****.RU
          host/proxy.S****.[hidden email]****.RU
------------------

But I cannot export exactly this SPN; in the exported file I have a different record:

------------------------
samba-tool domain exportkeytab /root/squid.keytab
--principal=HTTP/proxy.S****.[hidden email]****.RU
ERROR(runtime): uncaught exception - Key table entry not found
---------------------------

samba-tool domain exportkeytab /root/squid.keytab --principal=proxy
root@ad41:/# klist -ke /root/squid.keytab
Keytab name: FILE:/root/squid.keytab
KVNO Principal
----
--------------------------------------------------------------------------
    1 [hidden email]****.RU (des-cbc-crc)
    1 [hidden email]****.RU (des-cbc-md5)
    1 [hidden email]****.RU (arcfour-hmac)

This keytab doesn't have the record needed for use on the proxy server

------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.[hidden email]****.RU -t
/etc/squid/squid.keytab
kinit: Keytab contains no suitable keys for
HTTP/proxy.S****.[hidden email]****.RU while getting initial credentials
----------------

Where am I wrong, or is it a "samba-tool domain exportkeytab" problem?
I found a letter saying it was fixed in Apr 2016, this one for example:
https://lists.samba.org/archive/samba-technical/2016-April/113598.html

From what samba version does it work correctly?

I tried to create the keytab on the proxy server with ktutil:
-----------
[root@proxy squid]# ktutil
ktutil:  addent -password -p HTTP/proxy.S****.[hidden email]****.RU -k 1 -e
des-cbc-crc
Password for HTTP/proxy.S****.[hidden email]****.RU:
ktutil:  addent -password -p HTTP/proxy.S****.[hidden email]****.RU -k 1 -e
des-cbc-md5
Password for HTTP/proxy.S****.[hidden email]****.RU:
ktutil:  addent -password -p HTTP/proxy.S****.[hidden email]****.RU -k 1 -e
arcfour-hmac
Password for HTTP/proxy.S****.[hidden email]****.RU:
ktutil:  wkt /etc/squid/squid.keytab
------------------
[root@proxy squid]# klist -ket /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- -----------------
    1 11/30/17 10:52:15 HTTP/proxy.S****.[hidden email]****.RU (des-cbc-crc)
    1 11/30/17 10:58:23 HTTP/proxy.S****.[hidden email]****.RU (des-cbc-md5)
    1 11/30/17 10:58:23 HTTP/proxy.S****.[hidden email]****.RU (arcfour-hmac)
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.[hidden email]****.RU -t
/etc/squid/squid.keytab
Using default cache: persistent:0:0
Using principal: HTTP/proxy.S****.[hidden email]****.RU
Using keytab: /etc/squid/squid.keytab
kinit: Client 'HTTP/proxy.S****.[hidden email]****.RU' not found in Kerberos
database while getting initial credentials

I cannot guess why. Anybody who knows Kerberos well, please?

--
Administrator

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: added spn and exported keytab not match

On Thu, 30 Nov 2017 11:11:27 +0400
Mike Lykov via samba <[hidden email]> wrote:

> Hello All.
>
> I am using a Samba AD DC and a Linux server with Squid, and
> I am trying to configure Kerberos authentication for proxy server users.
> I need to add an SPN for a user and then export a keytab with it to a file.
>
> I added the user with RSAT and added the SPN for it with samba-tool (as in
> https://wiki.samba.org/index.php/Generating_Keytabs):
> --------------------
> root@ad41:/# samba-tool spn list proxy
> proxy
> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
> servicePrincipalName:
>           HTTP/proxy.S****.[hidden email]****.RU
>           host/proxy.S****.[hidden email]****.RU

I am not an expert on squid by any means, but you seem to be adding
SPNs meant for a computer account to a user account, i.e.
'proxy.S****.ru' would be a FQDN.
Also, the 'S****.ru' should be 'dc.s****.ru'.

I think you are going to have to wait until Louis gets over the flu, he
is the expert on squid ;-)

Rowland




Re: added spn and exported keytab not match

30.11.2017 14:00, Rowland Penny via samba wrote:

>> I added the user with RSAT and added the SPN for it with samba-tool (as in
>> https://wiki.samba.org/index.php/Generating_Keytabs):
>> --------------------
>> root@ad41:/# samba-tool spn list proxy
>> proxy
>> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
>> servicePrincipalName:
>>            HTTP/proxy.S****.[hidden email]****.RU
>>            host/proxy.S****.[hidden email]****.RU
>
> I am not an expert on squid by any means, but you seem to be adding
> SPNs meant for a computer account to a user account, i.e.
> 'proxy.S****.ru' would be a FQDN.
> Also, the 'S****.ru' should be 'dc.s****.ru'.

Thanks for the idea. Here:

DC.S****.RU is the Kerberos realm and domain name.

proxy.s***.ru is the hostname of the proxy server with Squid;
it is NOT joined to the domain.
The hostname is a FQDN, but not in the dc.s****.ru zone.

(There are some servers not joined to the domain that have FQDNs in the s****.ru
zone, and some workstations and servers joined to the domain in the dc.s****.ru
zone.)

Servers not joined to the domain are configured with their own DNS servers, not the AD DC ones.

Is there a possibility to configure Kerberos auth without joining the server
to the domain and using the AD DC DNS servers?

> I think you are going to have to wait until Louis gets over the flu, he
> is the expert on squid ;-)

I saw this sad news; best wishes to him too ;)

--
Mike



Re: added spn and exported keytab not match

30.11.2017 20:40, Mike Lykov via samba wrote:

>>> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
>>> servicePrincipalName:
>>>            HTTP/proxy.S****.[hidden email]****.RU
>>>            host/proxy.S****.[hidden email]****.RU

A. Bartlett wrote about it:

------------
25.01.13 (this list)
https://lists.samba.org/archive/samba/2013-January/171160.html

Exactly.  While the Samba KDC is smart, and knows these are the same
user, the keytab and krb5 client tools are dumb (very), they work on
exact string matches, so you have export out exactly the name you want
to kinit as, or kinit as HTTP/....
-----------

But I can't export the keytab "exactly", because my samba-tool shows this error:

---------------
ERROR(runtime): uncaught exception - Key table entry not found
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
     return self.run(*args, **kwargs)
--------------

spn list shows the principals, but domain exportkeytab can't find those principals.
I don't know why.


--
Administrator

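As an added example (not from the thread and not Samba's own code), a small parser for the MIT keytab format that makes the quoted point concrete: krb5 tools match the principal as an exact string, so a keytab holding only "proxy@REALM" can never satisfy a request for "HTTP/proxy.fqdn@REALM". The realm, hostnames and key bytes below are constructed placeholders; the check additionally flags principals that are present only with deprecated DES/RC4 enctypes, as in the exported keytab shown in the first message.

```python
import struct
import time

# Enctype numbers from the Kerberos registry: DES (1, 2, 3) is deprecated by
# RFC 6649 and RC4/arcfour-hmac (23) by RFC 8429; 17/18 are AES CTS.
WEAK_ETYPES = {1, 2, 3, 23}

def _cstr(s):
    """Counted octet string: uint16 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_entry(principal, enctype, key, kvno=1, ts=None):
    """Serialise one v2 keytab entry for 'comp1/comp2@REALM' (constructed data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm)   # v2: count excludes realm
    body += b"".join(_cstr(c) for c in comps)
    # name_type NT-PRINCIPAL (1), 32-bit timestamp, 8-bit key version number
    body += struct.pack(">IIB", 1, ts or int(time.time()), kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry in a v2 keytab."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    off, out = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size; continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off); off += 4
        realm = data[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off); off += 2
            comps.append(data[off:off + clen].decode()); off += clen
        _nt, _ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        etype = struct.unpack_from(">H", data, off)[0]
        out.append(("/".join(comps) + "@" + realm, etype, vno8))
        off = end                          # skips key bytes and optional 32-bit vno
    return out

def check_keytab(data, wanted):
    """(found, weak_only): exact-string presence of 'wanted', and whether all its keys are DES/RC4."""
    etypes = [e for p, e, _ in parse_keytab(data) if p == wanted]
    return bool(etypes), bool(etypes) and all(e in WEAK_ETYPES for e in etypes)

WANTED = "HTTP/proxy.example.test@DC.EXAMPLE.TEST"          # what Squid/kinit asks for
EXPORTED = build_keytab([("proxy@DC.EXAMPLE.TEST", 1, b"\0" * 8, 1, 1),   # like the exportkeytab output
                         ("proxy@DC.EXAMPLE.TEST", 3, b"\0" * 8, 1, 1),
                         ("proxy@DC.EXAMPLE.TEST", 23, b"\0" * 16, 1, 1)])
GOOD = build_keytab([(WANTED, 18, b"\0" * 32, 1, 1)])       # what the proxy actually needs
```

Running `check_keytab(EXPORTED, WANTED)` returns `(False, False)`, matching the "Keytab contains no suitable keys" failure, while the same keytab checked for "proxy@DC.EXAMPLE.TEST" is found but only with deprecated enctypes.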