
Re: [Samba] Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain




On Fri, 14 Jul 2017 10:05:45 +0200
André Welter via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi everyone,
> 
> I'm new to this list and I already have quite a long question. Please
> bear with me.
> 
> We have a samba 4.6 active directory domain which was recently
> upgraded from a samba 3 NT-Style domain.
> 
> The name of the domain is something like ad.foo.bar. Domain
> Controllers are dc1.ad.foo.bar and dc2.ad.foo.bar.
> 
> We have a large number of linux servers (RHEL 7 & 6) joined to the
> domain (using sssd for authentication).
> 
> Our goal is to be able to log into a linux server from a linux client
> (or windows client) using a kerberos ticket.
> 
> This works for most linux servers but not all of them.
> 
> The problem seems to be related to the dns subdomains we are using.
> 
> E.g. we have two servers named "servera.foo.bar" and
> "servera.test.foo.bar"; they reside in the same class B network, the
> subdomain is just an organizational thing (our team does not have
> control over DNS).
> 
> To be able to join both servers to the domain we change the netbios
> name of the server from the test.foo.bar domain and append "_T" to it
> (e.g. SERVERA_T). We use the "-N" parameter of "adcli join" to do
> this, the "netbios name" parameter in smb.conf and the
> ldap_sasl_authid parameter in sssd.conf.
> 
> By this both servers can be joined to the domain and users can
> authenticate on both servers locally.
> 
> But they can not access servera.test.foo.bar via ssh using a kerberos
> ticket (it works for servera.foo.bar). The error message is "Server
> not found in Kerberos database".
> 
> Doing "kvno host/servera.test.foo.bar" results in the same error.
> 
> But "samba-tool spn list SERVERA_T$" shows that the SPN
> "host/servera.test.foo.bar" exists. And "klist -kt /etc/krb5.keytab"
> on servera.test.foo.bar also shows an entry for
> "host/servera.test.foo.bar".
> 
> I did not get any further with debugging this but I found something
> that seems to be related:
> 
> When trying to export a keytab for servera.test.foo.bar via
> "samba-tool domain exportkeytab" on dc1, I noticed that it is not
> possible to export the principal "host/servera.test.foo.bar". The
> tool simply does nothing and does not return an error.
> 
> Doing the exportkeytab with debug level 255 shows an ldb query with
> the following expression:
> 
> (|(&(servicePrincipalName=host/servera.test.foo.bar)(objectClass=user))(&(cn=servera)(objectClass=computer)))
> 
> This results in two DNs being returned:
> CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar and
> CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar, because the expression
> includes "cn=servera" which matches servera.foo.bar and
> "servicePrincipalName=host/servera.test.foo.bar" which matches
> servera.test.foo.bar.
> 
> After that samba-tool just ends without error and without exporting
> anything.
> 
> My guess is that something similar happens when a client requests a
> ticket for "host/servera.test.foo.bar".
> 
> Is what we are doing not possible (by design)?
> 
> I hope my description makes any sense.
> 
> Regards,
> 
> Andre
> 

As far as I am aware, your AD realm must be the same as your dns domain
(not to be confused with a NetBIOS domain name), so I don't think this
is going to work as is.

Your other problem: neither sssd nor adcli are Samba products and as you
are using them, you are asking in the wrong place, try the sssd-users
mailing list.

Rowland
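The ldb expression André quotes from the exportkeytab debug output is enough to reproduce the ambiguity he describes without a domain controller. The following is an added example (not code from the post, not Samba's own implementation, and not a statement about how the KDC resolves a ticket request); it evaluates that exact filter over a small constructed directory and lists every host/ SPN for which the lookup would return more than one object. The sample entries (SERVERA, SERVERA_T and a DC1 account added for contrast), the attribute values, and the case-insensitive matching are assumptions made for the illustration; the filter shape is the one shown in the post.

```python
"""Reproduce the ambiguous ldb lookup described in the post.

The debug output quoted in the thread shows samba-tool searching for

  (|(&(servicePrincipalName=P)(objectClass=user))
    (&(cn=SHORT)(objectClass=computer)))

where SHORT is the leftmost DNS label of P's host part.  This module
evaluates that filter over a small, constructed directory and reports
every host/ SPN whose lookup yields more than one object.
Assumption: attribute matching is case-insensitive, as in AD.
"""

from typing import Any, Dict, List

Entry = Dict[str, Any]

# Constructed sample entries modelled on the two accounts in the post,
# plus one domain controller for contrast.  Not real directory data.
SAMPLE_DIRECTORY: List[Entry] = [
    {
        "dn": "CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar",
        "cn": "SERVERA",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "servicePrincipalName": ["host/servera.foo.bar", "host/SERVERA"],
    },
    {
        "dn": "CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar",
        "cn": "SERVERA_T",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "servicePrincipalName": ["host/servera.test.foo.bar", "host/SERVERA_T"],
    },
    {
        "dn": "CN=DC1,OU=Domain Controllers,DC=ad,DC=foo,DC=bar",
        "cn": "DC1",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "servicePrincipalName": ["host/dc1.ad.foo.bar", "host/DC1"],
    },
]


def short_name(principal: str) -> str:
    """Leftmost DNS label of the instance part: host/a.b.c@REALM -> 'a'."""
    _, _, instance = principal.partition("/")
    instance = instance.split("@", 1)[0]
    return instance.split(".", 1)[0]


def exportkeytab_matches(directory: List[Entry], principal: str) -> List[str]:
    """DNs the quoted filter returns for PRINCIPAL, in directory order."""
    want_spn = principal.lower()
    want_cn = short_name(principal).lower()
    hits: List[str] = []
    for entry in directory:
        classes = {c.lower() for c in entry["objectClass"]}
        spns = {s.lower() for s in entry.get("servicePrincipalName", [])}
        # Left branch: the SPN itself, on a user object.
        by_spn = want_spn in spns and "user" in classes
        # Right branch: a computer whose CN equals the short host name.
        by_cn = str(entry["cn"]).lower() == want_cn and "computer" in classes
        if by_spn or by_cn:
            hits.append(str(entry["dn"]))
    return hits


def ambiguous_principals(directory: List[Entry]) -> Dict[str, List[str]]:
    """Every host/ SPN whose lookup returns more than one object.

    One object matching on both branches (its own SPN and its own CN) is
    harmless; two different objects is the collision seen in the post,
    where cn=servera pulls in SERVERA while the SPN selects SERVERA_T.
    """
    result: Dict[str, List[str]] = {}
    for entry in directory:
        for spn in entry.get("servicePrincipalName", []):
            if not spn.lower().startswith("host/"):
                continue
            hits = exportkeytab_matches(directory, spn)
            if len(hits) > 1:
                result[spn] = hits
    return result


if __name__ == "__main__":
    for spn, dns in ambiguous_principals(SAMPLE_DIRECTORY).items():
        print(f"{spn} matches {len(dns)} objects:")
        for dn in dns:
            print(f"    {dn}")
```

Run against the sample, only host/servera.test.foo.bar is reported, for the same two DNs the post lists; host/servera.foo.bar resolves to a single object because both branches of the filter land on the same entry. To check a real domain, replace SAMPLE_DIRECTORY with entries read from an ldbsearch or samba-tool export of the Computers container; any account whose NetBIOS name differs from the leftmost label of its DNS name is a candidate for the same collision.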

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba