Got it and it seems to work exactly as it should!

Thanks!


On 4/17/2011 8:55 AM, Matthieu Patou wrote:
On 17/04/2011 04:13, Andrew Dumaresq wrote:
Hi,

I'm using GIT pull from a few days ago.

I am trying to get ssh working with kerberos when samba is the KDC. I am having trouble getting my machine keytabs to work. Here are some of the problems I have:

1)
root@morannon:~# samba-tool export keytab /tmp/test.keytab
added interface ip=192.168.1.11 nmask=255.255.255.0
added interface ip=127.0.0.1 nmask=255.0.0.0
added interface ip=192.168.1.11 nmask=255.255.255.0
added interface ip=127.0.0.1 nmask=255.0.0.0
ldb_wrap open of secrets.ldb
root@morannon:~# klist -k -t /tmp/test.keytab
Keytab name: WRFILE:/tmp/test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
   3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
   4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
ldb_wrap open of secrets.ldb
ERROR: search returned 0 records, expected 1
root@morannon:~# samba-tool machinepw 'MORANNON$'
ldb_wrap open of secrets.ldb
ERROR: search returned 0 records, expected 1

There was a bug: the command would only succeed when you are in the path where the secrets.ldb file is. I pushed a fix in autobuild for this; normally it should land in the master tree of Samba soon.


2)  (This is likely related to my previous problem)
I extracted the host keytab from Samba (using ktpass.sh with no password) and put the extracted info in /etc/krb5.keytab
Strange, normally you should provide a password or --password *
 klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/morannon.dumaresq.local@DUMARESQ.LOCAL

but when I try to use that to run kinit I get this:
 kinit -k
kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials
Not sure that it's a bug or if it's normal, but I noticed that you can't get a TGT ticket when you use a keytab with just a servicePrincipalName; you should be able, though, to get for the SPN in the keytab.

Matthieu.

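The check below is an added example, not part of the original thread or of Samba's code. It parses `klist -k` output shaped like the listings above and separates account principals from servicePrincipalName entries, which, per Matthieu's observation, cannot be used on their own with `kinit -k`. The sample listing is constructed, and the function names and the rule that a `/` in the name marks an SPN are assumptions of this example.

```python
import re

# Constructed sample: `klist -k -t` output shaped like the listings in the thread.
SAMPLE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 host/morannon.dumaresq.local@DUMARESQ.LOCAL
   2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
"""

# kvno, optional "MM/DD/YY HH:MM:SS" timestamp (printed with -t), principal
ENTRY = re.compile(
    r"^\s*(\d+)\s+(?:\d\d/\d\d/\d{2,4}\s+\d\d:\d\d:\d\d\s+)?(\S+@\S+)\s*$")

def parse_klist(text):
    """Return unique (kvno, principal) pairs; klist prints one row per enctype."""
    seen = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entry = (int(m.group(1)), m.group(2))
            if entry not in seen:
                seen.append(entry)
    return seen

def classify(principal):
    """Assumption of this example: a '/' in the name part marks an SPN."""
    name = principal.rsplit("@", 1)[0]
    if "/" in name:
        return "spn"
    return "machine" if name.endswith("$") else "user"

def kinit_candidates(text):
    """Account principals, i.e. entries that are not SPN-only names."""
    return [p for _, p in parse_klist(text) if classify(p) != "spn"]

def spn_only(text):
    """True when the keytab has entries but none is an account principal."""
    return bool(parse_klist(text)) and not kinit_candidates(text)

if __name__ == "__main__":
    for kvno, princ in parse_klist(SAMPLE):
        print(f"kvno={kvno} {classify(princ):7} {princ}")
    print("kinit -k candidates:", kinit_candidates(SAMPLE))
```

Fed the `/etc/krb5.keytab` listing from the thread, `spn_only` returns true, which matches the `kinit -k` failure reported there.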