Bug 7925 - Feature request: describe system keytab management in docs
Status: ASSIGNED
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: Other Linux
Importance: P3 enhancement
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Blocks:
Reported: 2011-01-18 02:59 UTC by Arvid Requate
Modified: 2011-07-05 14:52 UTC

Attachments
Patch proposal for the secretsdb_self_join function in the provision module (650 bytes, patch)
2011-01-18 03:01 UTC, Arvid Requate

Description Arvid Requate 2011-01-18 02:59:19 UTC
For Kerberos authentication with ssh (openssh 1:5.1p1-5) it seems to be necessary to add a servicePrincipalName host/fqdn@REALM to Samba4 (alpha14), i.e. a lowercase variant of the existing HOST/fqdn@REALM, and to /etc/krb5.keytab. Following the thread "question about service principals (samba4)" on samba-technical, /etc/krb5.keytab was copied from secrets.keytab.

The following shell code adds the SPN; maybe it would be good to add the lowercase version already during Samba4 provision.

# Add the lowercase host/ SPN to the DC's own entry in secrets.ldb;
# $windows_domain, $hostname and $domainname are set by the caller.
ldbmodify -H /var/lib/samba/private/secrets.ldb  \
 -b "flatname=$windows_domain,cn=Primary Domains" <<%EOF
dn: flatname=$windows_domain,cn=Primary Domains
changetype: modify
add: servicePrincipalName
servicePrincipalName: host/$hostname.$domainname
-
%EOF
Comment 1 Arvid Requate 2011-01-18 03:01:55 UTC
Created attachment 6217
Patch proposal for the secretsdb_self_join function in the provision module
Comment 2 Arvid Requate 2011-01-18 03:18:05 UTC
Adding ldap/fqdn as well makes it possible to use 'ldapsearch -Y GSSAPI' with an openldap server (on a non-standard port on the same host).
Comment 3 Matthias Dieter Wallnöfer 2011-01-18 07:17:41 UTC
(In reply to comment #2)
> Created an attachment (id=6217)
> Patch proposal for the secretsdb_self_join function in the provision module

Well, but this is not AD compliant. AD only knows about an upcased "HOST". Probably we could somehow work around this by lowercasing "HOST" on our server side.

(In reply to comment #2)
> Adding ldap/fqdn as well makes it possible to use 'ldapsearch -Y GSSAPI' with
> an openldap server (on a non-standard port on the same host).
> 

Under normal conditions you should already have the 'ldap/<FQDN>' service principal name present. It's added by the "samba_spnupdate" script, which is started by the "samba" executable. This has been implemented like this in order to have always the same SPNs regardless of a provision or domain join (which in fact are very different procedures).
The list of SPNs added to the DC can be customised; please look for the file "spn_update_list" under "source4/setup" in the source tree or "private" in the binary distribution.
Comment 4 Arvid Requate 2011-01-18 12:12:59 UTC
I saw that list and see that by default it adds e.g.

 servicePrincipalName: ldap/master.samb4.local

to the machine account. But this entry (and the uppercase HOST/fqdn) was not sufficient to make the ldapsearch -Y GSSAPI (or ssh) work. In the test it only worked after adding this SPN to secrets.keytab by extending the secrets.ldb entry. What is the recommended way to configure this?
Comment 5 Matthias Dieter Wallnöfer 2011-01-18 12:21:55 UTC
Ah, okay. 

I hope that our kerberos expert (abartlet) comments.
Comment 6 Andrew Bartlett 2011-01-18 14:14:02 UTC
Yes, we should have a clearly documented way to have Samba manage names in the system keytab. 

You are correct that editing secrets.ldb is the right way to have Samba generate the required entries.  There is also the krb5Keytab option that allows Samba to manage any filesystem path, not just the secrets.keytab.

You are also correct that it's not a matter of the AD rules, but what names other applications expect to read, and that's why this functionality was added in the first place, we just need to make it clear to administrators how to use it. 
Comment 7 Matthias Dieter Wallnöfer 2011-02-15 04:06:55 UTC
Andrew, should we leave that open?
Comment 8 Matthias Dieter Wallnöfer 2011-02-25 04:25:52 UTC
Transforming this into a "Feature request".
Comment 9 Matthieu Patou 2011-07-05 14:52:55 UTC
I don't think it's too good an idea to make secrets.ldb generate all the keytab entries we will ever need.

A way better solution would be to work on the ktpass.sh. I have patches here http://git.samba.org/?p=mat/samba.git;a=shortlog;h=refs/heads/pybindings for manipulating keytabs in Python. I think it would be a better idea for provision to generate a keytab like krb5.keytab with entries like host/dcname and such.

Just my point of view of course ...
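As an added example (editor's code, not Samba's and not the attachment on this bug), here is a small reader/writer for the keytab file format. It serves two points raised above: the check comment 4 needed (did the host/ and ldap/ SPNs actually land in secrets.keytab or /etc/krb5.keytab, with which kvno and enctype?) and the kind of Python keytab manipulation comment 9 proposes (marking an entry deleted without rewriting the file). The principal names, realm, kvnos and key bytes below are constructed placeholders; the format details (0x0502 header, int32 slot size, negative size meaning a deleted slot, optional trailing 32-bit kvno) are those of MIT and Heimdal keytabs. Principal comparison is deliberately case-sensitive, because that is what Kerberos does and is exactly why HOST/fqdn does not satisfy an application asking for host/fqdn.

```python
"""Minimal MIT/Heimdal keytab (format 0x0502) reader and writer.

Added example, not Samba code. Sample principals and keys are constructed.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # version 2 header (entries carry a name_type)
NT_PRINCIPAL = 1                     # KRB5_NT_PRINCIPAL
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18   # enctype number from RFC 3962


def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _parse_entry(buf):
    """Decode one keytab_entry body (everything after the int32 slot size)."""
    def octets(p):
        (n,) = struct.unpack_from(">H", buf, p)
        return buf[p + 2:p + 2 + n], p + 2 + n

    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, p = octets(2)
    comps = []
    for _ in range(ncomp):
        c, p = octets(p)
        comps.append(c.decode())
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, p)
    p += 9
    (enctype,) = struct.unpack_from(">H", buf, p)
    key, p = octets(p + 2)
    kvno = vno8
    if len(buf) - p >= 4:            # optional 32-bit vno; overrides vno8 when non-zero
        (vno32,) = struct.unpack_from(">I", buf, p)
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key}


def _slots(data):
    """Yield (offset_of_size, size, body) for every slot, deleted ones included."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        yield pos, size, data[pos + 4:pos + 4 + abs(size)]
        pos += 4 + abs(size)


def parse_keytab(data):
    """Live entries only: a negative slot size marks a deleted entry and is skipped."""
    return [_parse_entry(body) for _, size, body in _slots(data) if size > 0]


def build_keytab(entries, timestamp=0):
    """entries: iterable of (principal, kvno, enctype, key_bytes)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)   # 32-bit vno, as current MIT/Heimdal write it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def principals(data):
    """Distinct principal names, case preserved (Kerberos compares them case-sensitively)."""
    return sorted({e["principal"] for e in parse_keytab(data)})


def missing_principals(data, required):
    """The required SPNs an application would fail to find in this keytab."""
    have = set(principals(data))
    return [p for p in required if p not in have]


def remove_principal(data, principal):
    """Mark every entry for `principal` deleted in place by negating its slot size."""
    out = bytearray(data)
    for off, size, body in _slots(data):
        if size > 0 and _parse_entry(body)["principal"] == principal:
            struct.pack_into(">i", out, off, -size)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: the two host SPNs from this bug, with dummy keys.
    key = bytes(range(32))
    kt = build_keytab([
        ("HOST/dc.example.com@EXAMPLE.COM", 3, ETYPE_AES256_CTS_HMAC_SHA1_96, key),
        ("host/dc.example.com@EXAMPLE.COM", 3, ETYPE_AES256_CTS_HMAC_SHA1_96, key),
    ])
    print(principals(kt))
    print("missing:", missing_principals(kt, ["ldap/dc.example.com@EXAMPLE.COM"]))
    # Real file: parse_keytab(open("/etc/krb5.keytab", "rb").read())
```

To audit a live system, read /etc/krb5.keytab (root only) and pass the exact SPNs sshd or slapd will request to missing_principals; a non-empty result explains a GSSAPI failure before any log digging. Note that the writer stores a single key per tuple, so to add a principal with several enctypes you pass one entry per enctype, as Samba and ktutil do.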