Bug 14405 - kinit with SPN fails
Summary: kinit with SPN fails
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.11.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-11 06:37 UTC by bandabasotti
Modified: 2021-03-18 23:51 UTC

See Also:


Description bandabasotti 2020-06-11 06:37:17 UTC
Hi, if I try to use:

kinit -k -t test.keytab zookeeper/node1.test.lan

it fails with:
kinit: Client 'zookeeper/node1.test.lan@TEST.LAN' not found in Kerberos database while getting initial credentials

Using "strace -f -s512 /usr/sbin/samba -i -d 10" to view the LDAP queries, in the old version of Samba (4.5.1) the following queries are made:

(&(objectClass=user)(userPrincipalName=zookeeper/node1.pro.lan@PRO.LAN))
(&(objectClass=user)(samAccountName=zookeeper/node1.pro.lan))
(&(servicePrincipalName=zookeeper/node1.pro.lan)(objectClass=user))

and not in the new version (4.11.9):

(&(userPrincipalName=zookeeper/ap42.test.lan@TEST.LAN)(objectClass=user))
(&(samAccountName=zookeeper/ap42.test.lan)(objectClass=user))
Kerberos: UNKNOWN -- zookeeper/ap42.test.lan@TEST.LAN: no such entry found in hdb

best regards.
Comment 1 Andrew Bartlett 2021-03-18 23:51:51 UTC
This is deliberate and expected, as we previously deviated from the Windows behaviour.  Put the SPN in the userPrincipalName if you want to do this.
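The lookup order visible in the reporter's strace output (userPrincipalName, then sAMAccountName, then, in 4.5.1 only, servicePrincipalName) and the workaround from comment 1 can be checked with a small emulation. The code below is an added example, not Samba's KDC or LDB code; the directory entries, DN and account name are constructed, and matching is simplified to case-insensitive string comparison, which is how AD treats these attributes.

```python
# Added example (not Samba code): toy emulation of the KDC client-principal
# lookup order seen in bug 14405, plus the userPrincipalName workaround.
REALM = "TEST.LAN"  # assumed default realm, as in the report

# Constructed entries: a service account that carries only the SPN (no UPN).
ENTRIES = [
    {
        "dn": "CN=zookeeper-node1,CN=Users,DC=test,DC=lan",  # hypothetical DN
        "objectClass": ["user"],
        "sAMAccountName": "zookeeper-node1",
        "servicePrincipalName": ["zookeeper/node1.test.lan"],
    },
]


def _matches(entry, attr, value):
    """Case-insensitive attribute match (AD treats these attributes this way)."""
    vals = entry.get(attr, [])
    if isinstance(vals, str):
        vals = [vals]
    return any(v.casefold() == value.casefold() for v in vals)


def lookup_client(entries, principal, realm=REALM, spn_fallback=False):
    """Emulate the client lookup: returns (entry, attribute matched) or (None, None).

    principal is the name given to kinit, e.g. 'zookeeper/node1.test.lan';
    the realm is appended if absent, as kinit does with the default realm.
    spn_fallback=True reproduces the 4.5.1 behaviour (third query on
    servicePrincipalName); False reproduces 4.11.9, where that query is gone.
    """
    name, _, princ_realm = principal.partition("@")
    upn = f"{name}@{princ_realm or realm}"
    queries = [("userPrincipalName", upn), ("sAMAccountName", name)]
    if spn_fallback:
        queries.append(("servicePrincipalName", name))
    for attr, value in queries:
        for entry in entries:
            if "user" in entry.get("objectClass", []) and _matches(entry, attr, value):
                return entry, attr
    return None, None


def upn_fix_ldif(dn, spn, realm=REALM):
    """LDIF implementing comment 1: set the SPN (with realm) as userPrincipalName."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPrincipalName",
        f"userPrincipalName: {spn}@{realm}",
        "",
    ])


def apply_upn_fix(entries, dn, spn, realm=REALM):
    """In-memory stand-in for running the LDIF above with ldbmodify."""
    fixed = [dict(e) for e in entries]
    for entry in fixed:
        if entry["dn"] == dn:
            entry["userPrincipalName"] = f"{spn}@{realm}"
    return fixed


if __name__ == "__main__":
    spn = "zookeeper/node1.test.lan"
    dn = ENTRIES[0]["dn"]
    print("4.5.1 :", lookup_client(ENTRIES, spn, spn_fallback=True)[1])
    print("4.11.9:", lookup_client(ENTRIES, spn)[1])
    print(upn_fix_ldif(dn, spn))
    print("after :", lookup_client(apply_upn_fix(ENTRIES, dn, spn), spn)[1])
```

On a real DC the generated LDIF would be applied with `ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif` (path assumed; use the sam.ldb of your installation), after which the original `kinit -k -t test.keytab zookeeper/node1.test.lan` resolves the client through the userPrincipalName query. Logging in by sAMAccountName keeps working either way, which the `lookup_client` function also shows.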