Web lists-archives.com

[Samba] added spn and exported keytab not match

Hello All.

I am using Samba AD DC and Linux server with Squid, and
I try to configure kerberos authentication for proxy server users.
I need to add SPN for user and then export keytab with it to file.

I am add user with RSAT and add SPN for it with samba-tool (like https://wiki.samba.org/index.php/Generating_Keytabs):
root@ad41:/# samba-tool spn list proxy
User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following servicePrincipalName:

But I cannot export exactly this SPN, in exported file I have other record:

samba-tool domain exportkeytab /root/squid.keytab --principal=HTTP/proxy.S****.ru@DC.S****.RU
ERROR(runtime): uncaught exception - Key table entry not found

samba-tool domain exportkeytab /root/squid.keytab --principal=proxy
root@ad41:/# klist -ke /root/squid.keytab
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy@DC.S****.RU (des-cbc-crc)
   1 proxy@DC.S****.RU (des-cbc-md5)
   1 proxy@DC.S****.RU (arcfour-hmac)

This keytab don't have record needed for using at proxy server

[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab kinit: Keytab contains no suitable keys for HTTP/proxy.S****.ru@DC.S****.RU while getting initial credentials

Where I am wrong, or it is "samba-tool domain exportkeytab" problem?
I found letter than it was fixes in Apr 2016, this for example

From what samba version it work correctly?

I try to create keytab from proxy server with ktutil:
[root@proxy squid]# ktutil
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-crc
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-md5
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e arcfour-hmac
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil:  wkt /etc/squid/squid.keytab
[root@proxy squid]# klist -ket /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- -----------------
   1 11/30/17 10:52:15 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-crc)
   1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-md5)
   1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (arcfour-hmac)
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
Using default cache: persistent:0:0
Using principal: HTTP/proxy.S****.ru@DC.S****.RU
Using keytab: /etc/squid/squid.keytab
kinit: Client 'HTTP/proxy.S****.ru@DC.S****.RU' not found in Kerberos database while getting initial credentials

I cannot guess why, anybody knows kerberos too good, please?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba