14405 – kinit with SPN fails

Bug 14405 - kinit with SPN fails

Summary: kinit with SPN fails

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.11.9
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-06-11 06:37 UTC by bandabasotti
Modified:	2021-03-18 23:51 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description bandabasotti 2020-06-11 06:37:17 UTC

Hi, if I try to use:

kinit -k -t test.keytab zookeeper/node1.test.lan

fail with:
kinit: Client 'zookeeper/node1.test.lan@TEST.LAN' not found in Kerberos database while getting initial credentials

using "strace -f -s512 /usr/sbin/samba -i -d 10 " to view ldap queries
in the old version of samba (4.5.1) the following queries are made:

(&(objectClass=user)(userPrincipalName=zookeeper/node1.pro.lan at PRO.LAN))
(&(objectClass=user)(samAccountName=zookeeper/node1.pro.lan))
(&(servicePrincipalName=zookeeper/node1.pro.lan)(objectClass=user))

and not in the new version (4.11.9) :

(&(userPrincipalName=zookeeper/ap42.test.lan at TEST.LAN)(objectClass=user))
(&(samAccountName=zookeeper/ap42.test.lan)(objectClass=user))"
Kerberos: UNKNOWN -- zookeeper/ap42.test.lan at TEST.LAN: no such entry found
in hdb

best regards.

Comment 1 Andrew Bartlett 2021-03-18 23:51:51 UTC

This is deliberate and expected, as we previously deviated from the Windows behaviour.  Put the SPN in the userPrincipalName if you want to do this.