Re: [Samba] Server not found in Kerberos database trying to ssh a into a linux server joined to an AD domain
- Date: Mon, 17 Jul 2017 08:48:04 +0200
- From: André Welter via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Server not found in Kerberos database trying to ssh a into a linux server joined to an AD domain
> On Fri, 14 Jul 2017 10:05:45 +0200
> André Welter via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Hi everyone,
> > I'm new to this list and I already have quite a long question. Please
> > bear with me.
> > We have a samba 4.6 active directory domain which was recently
> > upgraded from a samba 3 NT-Style domain.
> > The name of the domain is something like ad.foo.bar. Domain
> > Controllers are dc1.ad.foo.bar and dc2.ad.foo.bar.
> > We have a large number of linux servers (RHEL 7 & 6) joined to the
> > domain (using sssd for authentication).
> > Our goal is to be able to log into a linux server from a linux client
> > (or windows client) using a kerberos ticket.
> > This works for most linux servers but not all of them.
> > The problem seems to be related to the dns subdomains we are using.
> > E.g. we have two servers named "servera.foo.bar" and
> > "servera.test.foo.bar"; they reside in the same class B network, the
> > subdomain is just an organizational thing (our team does not have
> > control over DNS).
> > To be able to join both servers to the domain we change the netbios
> > name of the server from the test.foo.bar domain and append "_T" to it
> > (e.g. SERVERA_T). We use the "-N" parameter of "adcli join" to do
> > this, the "netbios name" parameter in smb.conf and the
> > ldap_sasl_authid parameter in sssd.conf.
> > By this both servers can be joined to the domain and users can
> > authenticate on both servers locally.
> > But they can not access servera.test.foo.bar via ssh using a kerberos
> > ticket (it works for servera.foo.bar). The error message is "Server
> > not found in Kerberos database".
> > Doing "kvno host/servera.test.foo.bar" results in the same error.
> > But "samba-tool spn list SERVERA_T$" shows that the spn
> > "host/servera.test.foo.bar" exists. And "klist -kt /etc/krb5.keytab"
> > on servera.test.foo.bar also shows an entry for
> > "host/servera.test.foo.bar".
> > I did not get any further with debugging this but I found something
> > that seems to be related:
> > When trying to export a keytab for servera.test.foo.bar via
> > "samba-tool domain exportkeytab" on dc1, I noticed that it is not
> > possible to export the principal "host/servera.test.foo.bar". The
> > tool simply does nothing and does not return an error.
> > Doing the exportkeytab with debug level 255 shows an ldb query with
> > the following expression:
> > (|(&(servicePrincipalName=host/servera.test.foo.bar)(objectClass=user))(&(cn=servera)(objectClass=computer)))
> > This results in two dns being returned:
> > CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar and
> > CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar, because the expression
> > includes "cn=servera" which matches servera.foo.bar and
> > "servicePrincipalName=host/servera.test.foo.bar" which matches
> > servera.test.foo.bar.
> > After that samba-tool just ends without error and without exporting
> > anything.
> > My guess is that something similar happens when a client requests a
> > ticket for "host/servera.test.foo.bar".
> > Is what we are doing not possible (by design)?
> > I hope my description makes any sense.
> > Regards,
> > Andre
> As far as I am aware, your AD realm must be the same as your dns domain
> (not to be confused with a NetBIOS domain name), so I don't think this
> is going to work as is.
> Your other problem: neither sssd nor adcli are Samba products and as you
> are using them, you are asking in the wrong place, try the sssd-users
> mailing list.
Thanks for the reply.
Ok, I think I got a workaround. By adding a suffix ("_L") to the netbios name of servera.foo.bar the problem goes away.
But I am still curious.
Regardless of whether it's linux or windows clients, I can arrive at the same problem by only using pdbedit and samba-tool on one of the DCs to create computer accounts and SPNs. And I think I am doing nothing illegal.
I haven't looked at the code, but to me it seems like whatever builds the ldb query I mentioned above assumes that the cn of a computer account (which is the netbios name) is always the hostname, which might not be true.
Can anybody comment on that?
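The ambiguity described in this thread, as an added example that is neither part of the original mails nor Samba's code: a minimal evaluator for the &, | and equality subset of LDAP filters, run against two constructed computer entries modelled on SERVERA and SERVERA_T. It shows the exportkeytab query from the thread matching both accounts, while a filter on the SPN alone matches exactly one. The entries, their attribute values and the SPN_ONLY filter are constructed for illustration.

```python
# Added example (not Samba code): evaluate the thread's ldb filter against
# constructed computer entries to show why it returns two DNs.

# Constructed sample entries modelled on the thread; not real AD data.
ENTRIES = [
    {"dn": "CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar",
     "cn": ["SERVERA_T"], "objectClass": ["top", "user", "computer"],
     "servicePrincipalName": ["host/servera.test.foo.bar", "host/SERVERA_T"]},
    {"dn": "CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar",
     "cn": ["SERVERA"], "objectClass": ["top", "user", "computer"],
     "servicePrincipalName": ["host/servera.foo.bar", "host/SERVERA"]},
]

def parse_filter(text):
    """Parse (&...), (|...) and (attr=value) into nested tuples."""
    def parse(pos):
        assert text[pos] == "(", "expected '(' at offset %d" % pos
        pos += 1
        if text[pos] in "&|":
            op, subs, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                node, pos = parse(pos)
                subs.append(node)
            assert text[pos] == ")", "unterminated %s filter" % op
            return (op, subs), pos + 1
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        return ("=", attr, value), end + 1
    node, pos = parse(0)
    assert pos == len(text), "trailing data after filter"
    return node

def matches(node, entry):
    """Attribute names and values compare case-insensitively, as in AD."""
    if node[0] == "&":
        return all(matches(sub, entry) for sub in node[1])
    if node[0] == "|":
        return any(matches(sub, entry) for sub in node[1])
    _, attr, value = node
    attrs = {k.lower(): v for k, v in entry.items()}
    vals = attrs.get(attr.lower(), [])
    vals = [vals] if isinstance(vals, str) else vals
    return value.lower() in (v.lower() for v in vals)

def search(filter_text, entries=ENTRIES):
    """Return the DNs of all entries matching the filter, in entry order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]

# The query exportkeytab issued (quoted in the thread): the SPN match is OR'd
# with a cn match built from the short hostname "servera", so both accounts hit.
AMBIGUOUS = ("(|(&(servicePrincipalName=host/servera.test.foo.bar)(objectClass=user))"
             "(&(cn=servera)(objectClass=computer)))")
# Constructed alternative: matching on the SPN alone resolves to one account.
SPN_ONLY = "(&(servicePrincipalName=host/servera.test.foo.bar)(objectClass=computer))"
```

Running `search(AMBIGUOUS)` returns both DNs, `search(SPN_ONLY)` only SERVERA_T; the same two-result check against the real directory is what `samba-tool` apparently stops on without reporting.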