samba keytab support for AD and kinit -k

Bob.Smart@csiro.au
Sat Nov 27 16:06:00 EST 2004


With samba 3.0.9 and MIT kerberos 1.3.5 and "use kerberos keytab = yes"
in smb.conf, I can do "net ads join" and it populates /etc/krb5.keytab.

Unfortunately when I test it with "kinit -k" it says "can't find KDC".
An ordinary kinit works.

First thing I noticed in the AD LDAP is that userPrincipalName is set to
HOST/barehostname@REALM. This seemed strange. In libads/ldap.c it is set
based on variable host_spn. However there are 2 variables with that
name: the one in ads_add_service_principal_name uses the fully qualified
name. The one in ads_add_machine_acct uses the machine name. This at
least suggests that the variables should not be the same name.

However changing it to use the fqdn in the userPrincipalName didn't have
any effect.

So I tried to figure out what kinit -k was doing. I had trouble doing
this, but it seems that (a) in krb5_do_preauth it doesn't do anything;
then later (b) it gets an error saying "preauth required". Then when
each KDC in turn has failed it reports the "no KDC" error.

So it seems samba is setting up the account or the keytab wrongly with
regard to preauth?

I suggest that for circumstances where each KDC is tried in turn then
kerberos utilities should report the error from the last KDC rather than
reporting that it ran out of KDCs to try.

So should I go back to mucking around with ktpass, etc.?

Thanks,

Bob
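The post above suspects a mismatch between the principal AD records (HOST/barehostname@REALM) and the one kinit -k looks for by default (MIT uses host/<canonical hostname>@REALM). The script below is an added check, not part of the original message or of Samba; it parses `klist -k` output and tells exact, case/short-name variant and absent entries apart. The klist output is constructed sample text, and the hostnames pc1.example.com / EXAMPLE.COM are made up.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not a real capture).
# It mirrors the mismatch described in the post: the keytab holds the FQDN
# principal, while AD's userPrincipalName used the bare, upper-cased form.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/pc1.example.com@EXAMPLE.COM
   2 HOST/pc1@EXAMPLE.COM
   2 PC1$@EXAMPLE.COM'

# keytab_principals: print the principal column of klist -k output read on stdin
# (only the rows that start with a numeric KVNO, so the header is skipped).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# check_keytab_principal EXPECTED  (klist -k output on stdin)
#   exit 0: exact entry present, so kinit -k can find a key for it
#   exit 1: only a variant exists (different case, or short hostname instead
#           of FQDN); Kerberos compares principal names byte for byte, so this
#           is the kind of mismatch the post is chasing
#   exit 2: no entry for that host/realm at all
check_keytab_principal() {
    expected=$1
    exp_lc=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    svc_host=${exp_lc%@*}      # e.g. host/pc1.example.com
    short=${svc_host%%.*}      # e.g. host/pc1
    realm=${exp_lc#*@}         # e.g. example.com
    status=2
    for p in $(keytab_principals); do
        [ "$p" = "$expected" ] && { status=0; break; }
        p_lc=$(printf '%s' "$p" | tr '[:upper:]' '[:lower:]')
        case "$p_lc" in
            "$svc_host@$realm"|"$short@$realm") status=1 ;;
        esac
    done
    return "$status"
}

# Stand-alone demonstration against the constructed sample: on a real host,
# replace the printf with `klist -k /etc/krb5.keytab`.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_principal 'host/pc1.example.com@EXAMPLE.COM' \
    && echo "exact match: kinit -k has a usable key for this principal"
```

A status of 1 points at the principal, not at KDC reachability, even when kinit reports "can't find KDC" after exhausting its KDC list.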
