[Samba] Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain
- Date: Fri, 14 Jul 2017 10:05:45 +0200
- From: André Welter via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain
I'm new to this list and I already have quite a long question. Please bear with me.
We have a samba 4.6 active directory domain which was recently upgraded from a samba 3 NT-Style domain.
The name of the domain is something like ad.foo.bar. Domain Controllers are dc1.ad.foo.bar and dc2.ad.foo.bar.
We have a large number of linux servers (RHEL 7 & 6) joined to the domain (using sssd for authentication).
Our goal is to be able to log into a linux server from a linux client (or windows client) using a kerberos ticket.
This works for most linux servers but not all of them.
The problem seems to be related to the dns subdomains we are using.
E.g. we have two servers named "servera.foo.bar" and "servera.test.foo.bar"; they reside in the same class B network, and the subdomain is just an organizational thing (our team does not have control over DNS).
To be able to join both servers to the domain we change the netbios name of the server from the test.foo.bar domain and append "_T" to it (e.g. SERVERA_T). We use the "-N" parameter of "adcli join" to do this, the "netbios name" parameter in smb.conf and the ldap_sasl_authid parameter in sssd.conf.
With this, both servers can be joined to the domain and users can authenticate on both servers locally.
But they cannot access servera.test.foo.bar via ssh using a kerberos ticket (it works for servera.foo.bar). The error message is "Server not found in Kerberos database".
Doing "kvno host/servera.test.foo.bar" results in the same error.
But "samba-tool spn list SERVERA_T$" shows that the spn "host/servera.test.foo.bar" exists. And "klist -kt /etc/krb5.keytab" on servera.test.foo.bar also shows an entry for "host/servera.test.foo.bar".
I did not get any further with debugging this but I found something that seems to be related:
When trying to export a keytab for servera.test.foo.bar via "samba-tool domain exportkeytab" on dc1, I noticed that it is not possible to export the principal "host/servera.test.foo.bar". The tool simply does nothing and does not return an error.
Doing the exportkeytab with debug level 255 shows an ldb query with the following expression:
This results in two DNs being returned: CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar and CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar, because the expression includes "cn=servera", which matches servera.foo.bar, and "servicePrincipalName=host/servera.test.foo.bar", which matches servera.test.foo.bar.
After that samba-tool just ends without error and without exporting anything.
My guess is that something similar happens when a client requests a ticket for "host/servera.test.foo.bar".
Is what we are doing not possible (by design)?
I hope my description makes sense.
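The ambiguous lookup described in the post, modelled as an added example (not code from the post or from Samba): a directory of constructed computer objects, a lookup that ORs the short host name (cn) with the SPN the way the post says the exportkeytab query behaved, a lookup on the SPN alone, and a check that flags short-hostname collisions across computer objects so an admin can spot the situation before it causes "Server not found in Kerberos database". The exact ldb filter is not on the page, so its shape here is an assumption; the entries, function names and the `host/<netbios>` SPNs are constructed.

```python
# Added example, not part of the original mailing-list post.
# Assumption: the loose lookup combines "cn=<short host name>" with
# "servicePrincipalName=<spn>", which is how the post describes the match.
from collections import defaultdict

# Constructed sample of the relevant AD computer objects (not real data).
COMPUTERS = [
    {"dn": "CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar",
     "cn": "SERVERA", "sAMAccountName": "SERVERA$",
     "servicePrincipalName": ["host/servera.foo.bar", "host/SERVERA"]},
    {"dn": "CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar",
     "cn": "SERVERA_T", "sAMAccountName": "SERVERA_T$",
     "servicePrincipalName": ["host/servera.test.foo.bar", "host/SERVERA_T"]},
    {"dn": "CN=SERVERB,CN=Computers,DC=ad,DC=foo,DC=bar",
     "cn": "SERVERB", "sAMAccountName": "SERVERB$",
     "servicePrincipalName": ["host/serverb.foo.bar", "host/SERVERB"]},
]


def _short_host(spn):
    """Leftmost DNS label of the host part of a host/... SPN, lower-cased."""
    return spn.split("/", 1)[1].split(".", 1)[0].lower()


def _has_spn(entry, spn):
    """AD compares SPNs case-insensitively, so normalise before comparing."""
    return any(s.lower() == spn.lower() for s in entry["servicePrincipalName"])


def lookup_loose(entries, spn):
    """Model of the ambiguous query: (|(cn=<short>)(servicePrincipalName=<spn>)).

    With two objects whose SPNs share a short host name this returns both
    DNs, which is the two-result situation the post describes."""
    short = _short_host(spn)
    return [e["dn"] for e in entries
            if e["cn"].lower() == short or _has_spn(e, spn)]


def lookup_by_spn(entries, spn):
    """Lookup on the SPN alone: unambiguous as long as SPNs are unique."""
    return [e["dn"] for e in entries if _has_spn(e, spn)]


def short_name_collisions(entries):
    """Map each short host name that appears in host/<fqdn> SPNs of more than
    one computer object to the sorted list of those objects' DNs.

    SPNs without a dot (host/<netbios>) are skipped: they carry no DNS
    subdomain and are not what distinguishes the two servers here."""
    by_short = defaultdict(set)
    for e in entries:
        for s in e["servicePrincipalName"]:
            if s.lower().startswith("host/") and "." in s:
                by_short[_short_host(s)].add(e["dn"])
    return {k: sorted(v) for k, v in by_short.items() if len(v) > 1}


if __name__ == "__main__":
    spn = "host/servera.test.foo.bar"
    print("loose lookup :", lookup_loose(COMPUTERS, spn))
    print("spn-only     :", lookup_by_spn(COMPUTERS, spn))
    print("collisions   :", short_name_collisions(COMPUTERS))
```

Running the collision check against a real export of computer objects (for example the output of `samba-tool spn list` for each machine account) tells you which hosts share a short name across subdomains before anyone tries a Kerberos ssh to them; the two lookups side by side show why a query that also matches on cn returns two objects where an SPN-only query returns one.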