Bug 11701 - samba-tool exportkeytab does not create keytab if destination file. No error sent.
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.3.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-01-28 14:37 UTC by mathias.dufresne
Modified: 2021-04-23 08:02 UTC

Description mathias.dufresne 2016-01-28 14:37:47 UTC
samba-tool exportkeytab does not create keytab if destination file exists and no error message is sent.

------------------------------------------------------------------------------
dc107:~# date +%Y%m%d-%H%M%S
20160128-152746
dc107:~# samba-tool domain exportkeytab /opt/initial_setup/administrator.keytab --principal=administrator
dc107:~# ll /opt/initial_setup/administrator.keytab
-rw------- 1 root root 427 27 janv. 12:11 /opt/initial_setup/administrator.keytab

** Destination file is still dated from previous day.

dc107:~# kinit  -V -k -t /opt/initial_setup/administrator.keytab administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator@AD.DGFIP.FINANCES.GOUV.FR
Using keytab: /opt/initial_setup/administrator.keytab
kinit: Preauthentication failed while getting initial credentials

** kinit is not working: keytab was not generated.

dc107:~# rm /opt/initial_setup/administrator.keytab
dc107:~# samba-tool domain exportkeytab /opt/initial_setup/administrator.keytab --principal=administrator
dc107:~# ll /opt/initial_setup/administrator.keytab
-rw------- 1 root root 427 28 janv. 15:28 /opt/initial_setup/administrator.keytab

** Here the keytab has been created as file was removed before launching the command

dc107:~# kinit  -V -k -t /opt/initial_setup/administrator.keytab administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator@AD.DGFIP.FINANCES.GOUV.FR
Using keytab: /opt/initial_setup/administrator.keytab
Authenticated to Kerberos v5

** and of course now kinit works.

dc107:~# samba --version
Version 4.3.3-compiled_for_Centos7
------------------------------------------------------------------------------
Comment 1 Rowland Penny 2021-04-23 08:02:01 UTC
It works for me on 4.14.2:

# export keytab
pi@rpidc1:~ $ sudo samba-tool domain exportkeytab /opt/initial_setup/administrator.keytab --principal=administrator
Export one principal to /opt/initial_setup/administrator.keytab
pi@rpidc1:~ $ ls -l /opt/initial_setup/administrator.keytab
-rw------- 1 root root 252 Apr 22 13:37 /opt/initial_setup/administrator.keytab

# kinit as Administrator
pi@rpidc1:~ $ sudo kinit  -V -k -t /opt/initial_setup/administrator.keytab administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator@SAMDOM.EXAMPLE.COM
Using keytab: /opt/initial_setup/administrator.keytab
Authenticated to Kerberos v5
# Success

# following day, export keytab again without deleting /opt/initial_setup/administrator.keytab
pi@rpidc1:~ $ sudo samba-tool domain exportkeytab /opt/initial_setup/administrator.keytab --principal=administrator
Export one principal to /opt/initial_setup/administrator.keytab
pi@rpidc1:~ $ ls -l /opt/initial_setup/administrator.keytab
-rw------- 1 root root 252 Apr 23 08:53 /opt/initial_setup/administrator.keytab

# Kinit as Administrator
pi@rpidc1:~ $ sudo kinit  -V -k -t /opt/initial_setup/administrator.keytab administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator@SAMDOM.EXAMPLE.COM
Using keytab: /opt/initial_setup/administrator.keytab
Authenticated to Kerberos v5
# Success again
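
One way to guard against the silent no-op reported above, as an added example (not part of the bug report and not Samba code): export to a path that does not exist yet, check that a non-empty keytab really appeared, then rename it over the old file. `refresh_keytab` and `export_admin_keytab` are hypothetical names; the samba-tool command line is the one used in the report.

```shell
#!/bin/sh
# Added example: refresh a keytab without relying on an in-place overwrite.
# Usage: refresh_keytab DEST EXPORTER
#   EXPORTER is a command or shell function called with one argument,
#   the path it must write the new keytab to.
refresh_keytab() {
    rk_dest=$1
    rk_exporter=$2
    rk_dir=$(dirname "$rk_dest")
    # Scratch directory next to DEST: same filesystem, so mv is a rename.
    rk_tmp=$(mktemp -d "$rk_dir/.keytab.XXXXXX") || return 1
    rk_new="$rk_tmp/keytab"   # does not exist yet, so the export never meets an old file

    if ! "$rk_exporter" "$rk_new"; then
        echo "refresh_keytab: export command failed" >&2
        rm -rf "$rk_tmp"
        return 1
    fi
    # The reported failure was silent (no message, file unchanged),
    # so check the result itself rather than the exit status alone.
    if [ ! -s "$rk_new" ]; then
        echo "refresh_keytab: export produced no keytab, keeping old file" >&2
        rm -rf "$rk_tmp"
        return 1
    fi
    # Keytabs hold long-term keys: keep the -rw------- mode seen in the report.
    if chmod 600 "$rk_new" && mv -f "$rk_new" "$rk_dest"; then
        rk_rc=0
    else
        rk_rc=1
    fi
    rm -rf "$rk_tmp"
    return $rk_rc
}

# Exporter matching the command from the report (hypothetical wrapper name).
export_admin_keytab() {
    samba-tool domain exportkeytab "$1" --principal=administrator
}

# Example call on a DC:
#   refresh_keytab /opt/initial_setup/administrator.keytab export_admin_keytab
```

A `kinit -V -k -t` run against the refreshed file, as in both comments, remains the end-to-end check that the keys are current.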