Bug 9113 - Can't add SPN for Alfresco Kerberos Authentication and SSO
Summary: Can't add SPN for Alfresco Kerberos Authentication and SSO
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.11.4
Hardware: All All
Importance: P5 normal
Target Milestone: 4.11
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2012-08-22 18:48 UTC by Sebastian Mißfeldt
Modified: 2020-01-03 17:48 UTC
Description Sebastian Mißfeldt 2012-08-22 18:48:34 UTC
Hello,

I just tried setting up Kerberos Authentication and SSO following the instructions at http://docs.alfresco.com/4.0/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-ADconfig.html

I've created the 2 users described there in steps 1 and 2.
Step 3 isn't working because there is no principal at that time.

So I moved forward to step 4 using samba-tool spn add and creating the 4 SPNs:
[root@srv-samba4 ~]# samba-tool spn add HTTP/srv-alfresco alfrescohttp
[root@srv-samba4 ~]# samba-tool spn add HTTP/srv-alfresco.fritz.box alfrescohttp
[root@srv-samba4 ~]# samba-tool spn add cifs/srv-alfresco alfrescocifs
[root@srv-samba4 ~]# samba-tool spn add cifs/srv-alfresco.fritz.box alfrescocifs

Then I called samba_spnupdate --verbose, but no new SPNs have been seen.
[root@srv-samba4 ~]# samba_spnupdate --verbose
Existing SPNs: ['HOST/srv-samba4.fritz.box', 'HOST/srv-samba4.fritz.box/FRITZ', 'ldap/srv-samba4.fritz.box/FRITZ', 'GC/srv-samba4.fritz.box/fritz.box', 'ldap/srv-samba4.fritz.box', 'HOST/srv-samba4.fritz.box/fritz.box', 'ldap/srv-samba4.fritz.box/fritz.box', 'HOST/SRV-SAMBA4', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/7ece4724-0824-42e2-be87-4d03a6aa5548/fritz.box', 'ldap/7ece4724-0824-42e2-be87-4d03a6aa5548._msdcs.fritz.box', 'ldap/SRV-SAMBA4', 'RestrictedKrbHost/SRV-SAMBA4', 'RestrictedKrbHost/srv-samba4.fritz.box', 'ldap/srv-samba4.fritz.box/DomainDnsZones.fritz.box', 'ldap/srv-samba4.fritz.box/ForestDnsZones.fritz.box']
New SPNs: []
Nothing to add

Now Step 3 seemed to be working:
[root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescohttp.keytab --principal=HTTP/srv-alfresco
[root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescohttp.keytab --principal=HTTP/srv-alfresco.fritz.box
[root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescocifs.keytab --principal=cifs/srv-alfresco
[root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescocifs.keytab --principal=cifs/srv-alfresco.fritz.box

But when I now check with kinit:
[root@srv-samba4 ~]# kinit -k -t krb5.alfrescohttp.keytab HTTP/srv-alfresco.fritz.box@FRITZ.BOX
kinit: Client not found in Kerberos database while getting initial credentials

I got an error.

What's going wrong?
Do I need another workflow with Samba4 Kerberos?

Regards

Sebastian Mißfeldt
Comment 1 Michael Grandjean 2014-10-06 10:07:55 UTC
I can still reproduce this:

samba-tool spn add hdfs/host.example.lan hdfs-user
samba-tool spn add hdfs/host.example.lan@EXAMPLE.LAN hdfs-user

excerpt from ldbsearch:
[...]
> servicePrincipalName: hdfs/host.example.lan@EXAMPLE.LAN
> servicePrincipalName: hdfs/host.example.lan
[...]

Then exporting the keytab, copying it to another machine and testing with kinit results in:
> kinit: Client not found in Kerberos database while getting initial credentials

Now it seems as if Microsoft AD also changes "userPrincipalName" accordingly when adding an SPN:

MS AD:
> userPrincipalName: hdfs/host.example.lan@EXAMPLE.LAN

In Samba 4 this is not altered (same value as before adding spn):

Samba 4:
> userPrincipalName: hdfs-user@EXAMPLE.LAN

If I change 'userPrincipalName' in Samba 4 via ldbedit to the value of 'servicePrincipalName' + REALM, then kinit works.

See Also: http://serverfault.com/questions/606189/keytab-auth-against-samba-4-dc-client-not-found-in-kerberos-database-while-gett
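As an added illustration of the mismatch described in comment 1 (this is not code from the report or from Samba), the Python below models which names a KDC matches as the kinit client, sAMAccountName@REALM and userPrincipalName, and shows why a name that exists only as a servicePrincipalName yields "Client not found". The account entry is constructed from the ldbsearch excerpt above (the DN is a placeholder), and the case-insensitive comparison is an approximation of the directory's matching.

```python
from typing import Dict, List

REALM = "EXAMPLE.LAN"

# Constructed sample entry modelled on the ldbsearch excerpt in comment 1.
# The DN is a placeholder; only the attribute values come from the report.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "dn": ["CN=hdfs-user,CN=Users,DC=example,DC=lan"],
    "sAMAccountName": ["hdfs-user"],
    "userPrincipalName": ["hdfs-user@EXAMPLE.LAN"],
    "servicePrincipalName": ["hdfs/host.example.lan@EXAMPLE.LAN",
                             "hdfs/host.example.lan"],
}

def qualify(principal: str, realm: str) -> str:
    """Append @REALM when the principal carries no realm part."""
    return principal if "@" in principal else f"{principal}@{realm}"

def client_principals(entry: Dict[str, List[str]], realm: str) -> set:
    """Names the KDC accepts as the *client* of an AS-REQ (what kinit sends):
    sAMAccountName@REALM and userPrincipalName. servicePrincipalName only
    identifies the *target service* of a TGS-REQ, so it is never a client
    name; that is why 'kinit -k <SPN>' fails although the SPN is on the
    account. Lower-casing approximates the directory's case-insensitive match."""
    names = {qualify(s, realm).lower() for s in entry.get("sAMAccountName", [])}
    names |= {qualify(u, realm).lower() for u in entry.get("userPrincipalName", [])}
    return names

def kinit_would_succeed(entry: Dict[str, List[str]], realm: str, principal: str) -> bool:
    """Predict whether 'kinit -k -t <keytab> <principal>' finds the client."""
    return qualify(principal, realm).lower() in client_principals(entry, realm)

def diagnose(entry: Dict[str, List[str]], realm: str, principal: str) -> str:
    """Classify a failure: present only as an SPN, or not on the account at all."""
    if kinit_would_succeed(entry, realm, principal):
        return "ok"
    spns = {qualify(s, realm).lower() for s in entry.get("servicePrincipalName", [])}
    if qualify(principal, realm).lower() in spns:
        return "spn-only: name is a servicePrincipalName but not the UPN or sAMAccountName"
    return "unknown principal"

def upn_workaround_ldif(entry: Dict[str, List[str]], realm: str, principal: str) -> str:
    """LDIF equivalent of the ldbedit workaround in comment 1: set the UPN to
    SPN@REALM so the exported keytab can be used to kinit as that name."""
    return "\n".join([
        f"dn: {entry['dn'][0]}",
        "changetype: modify",
        "replace: userPrincipalName",
        f"userPrincipalName: {qualify(principal, realm)}",
    ])
```

Note that replacing the UPN makes the account answer to SPN@REALM only; kinit as sAMAccountName@REALM keeps working because that lookup is independent of the UPN.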
Comment 2 asuranzala 2016-03-13 04:38:28 UTC
This bug still remains. It appears that the export_keytab handler cannot parse the principal name correctly when @REALM is included. Is there a workaround other than using ldbedit?