Hello,

I just tried setting up Kerberos authentication and SSO following the instructions at http://docs.alfresco.com/4.0/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-ADconfig.html

I've created the 2 users described there in steps 1 and 2. Step 3 isn't working because there is no principal at that time. So I moved forward to step 4 using samba-tool spn add and created the 4 SPNs:

    [root@srv-samba4 ~]# samba-tool spn add HTTP/srv-alfresco alfrescohttp
    [root@srv-samba4 ~]# samba-tool spn add HTTP/srv-alfresco.fritz.box alfrescohttp
    [root@srv-samba4 ~]# samba-tool spn add cifs/srv-alfresco alfrescocifs
    [root@srv-samba4 ~]# samba-tool spn add cifs/srv-alfresco.fritz.box alfrescocifs

Then I called samba_spnupdate --verbose, but no new SPNs have been seen:

    [root@srv-samba4 ~]# samba_spnupdate --verbose
    Existing SPNs: ['HOST/srv-samba4.fritz.box', 'HOST/srv-samba4.fritz.box/FRITZ', 'ldap/srv-samba4.fritz.box/FRITZ', 'GC/srv-samba4.fritz.box/fritz.box', 'ldap/srv-samba4.fritz.box', 'HOST/srv-samba4.fritz.box/fritz.box', 'ldap/srv-samba4.fritz.box/fritz.box', 'HOST/SRV-SAMBA4', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/7ece4724-0824-42e2-be87-4d03a6aa5548/fritz.box', 'ldap/7ece4724-0824-42e2-be87-4d03a6aa5548._msdcs.fritz.box', 'ldap/SRV-SAMBA4', 'RestrictedKrbHost/SRV-SAMBA4', 'RestrictedKrbHost/srv-samba4.fritz.box', 'ldap/srv-samba4.fritz.box/DomainDnsZones.fritz.box', 'ldap/srv-samba4.fritz.box/ForestDnsZones.fritz.box']
    New SPNs: []
    Nothing to add

Now step 3 seemed to be working:

    [root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescohttp.keytab --principal=HTTP/srv-alfresco
    [root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescohttp.keytab --principal=HTTP/srv-alfresco.fritz.box
    [root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescocifs.keytab --principal=cifs/srv-alfresco
    [root@srv-samba4 ~]# samba-tool domain exportkeytab krb5.alfrescocifs.keytab --principal=cifs/srv-alfresco.fritz.box

But when I now check with kinit, I get an error:

    [root@srv-samba4 ~]# kinit -k -t krb5.alfrescohttp.keytab HTTP/srv-alfresco.fritz.box@FRITZ.BOX
    kinit: Client not found in Kerberos database while getting initial credentials

What's going wrong? Do I need another workflow with Samba4 Kerberos?

Regards
Sebastian Mißfeldt
I can still reproduce this:

    samba-tool spn add hdfs/host.example.lan hdfs-user
    samba-tool spn add hdfs/host.example.lan@EXAMPLE.LAN hdfs-user

Excerpt from ldbsearch:

    [...]
    > servicePrincipalName: hdfs/host.example.lan@EXAMPLE.LAN
    > servicePrincipalName: hdfs/host.example.lan
    [...]

Then exporting the keytab, copying it to another machine and testing with kinit results in:

    > kinit: Client not found in Kerberos database while getting initial credentials

Now it seems that Microsoft AD also changes "userPrincipalName" accordingly when adding an SPN:

MS AD:

    > userPrincipalName: hdfs/host.example.lan@EXAMPLE.LAN

In Samba 4 this is not altered (same value as before adding the SPN):

Samba 4:

    > userPrincipalName: hdfs-user@EXAMPLE.LAN

If I change 'userPrincipalName' in Samba 4 via ldbedit to the value of 'servicePrincipalName' + REALM, then kinit works.

See also: http://serverfault.com/questions/606189/keytab-auth-against-samba-4-dc-client-not-found-in-kerberos-database-while-gett
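The diagnosis above (a keytab principal that is only a servicePrincipalName is not accepted as the kinit client name; it works once userPrincipalName matches) can be checked offline against an ldbsearch dump. The following is an added example, not code from the thread or from Samba; the LDIF excerpt, the account name alfrescohttp and the helper names are constructed, and the matching rule (client name compared against sAMAccountName@REALM and userPrincipalName only) is taken as an assumption from the thread's observations.

```python
"""Check whether a keytab principal is usable as the kinit *client* name on a Samba 4 AD DC.

Assumption (from the thread): the Samba 4 KDC matches the client name of an AS-REQ
against sAMAccountName@REALM and userPrincipalName; servicePrincipalName values are
only matched for service tickets. So "kinit -k -t keytab HTTP/host@REALM" fails with
"Client not found in Kerberos database" unless userPrincipalName equals that SPN@REALM.
"""
import re

REALM = "FRITZ.BOX"

# Constructed ldbsearch-style excerpt of the alfrescohttp account (not from a live DC).
LDIF_SAMBA4 = """\
dn: CN=alfrescohttp,CN=Users,DC=fritz,DC=box
sAMAccountName: alfrescohttp
userPrincipalName: alfrescohttp@FRITZ.BOX
servicePrincipalName: HTTP/srv-alfresco
servicePrincipalName: HTTP/srv-alfresco.fritz.box
"""

# Same account after the ldbedit workaround from the thread: UPN set to SPN + @REALM.
LDIF_SAMBA4_FIXED = LDIF_SAMBA4.replace(
    "userPrincipalName: alfrescohttp@FRITZ.BOX",
    "userPrincipalName: HTTP/srv-alfresco.fritz.box@FRITZ.BOX")

def parse_ldif(text):
    """Return {attribute (lower-cased): [values]} for a single-entry LDIF excerpt."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
    return attrs

def _qualify(name, realm):
    """Append @REALM to a principal name that lacks one."""
    return name if "@" in name else f"{name}@{realm}"

def client_principals(attrs, realm):
    """Names the KDC accepts as an AS-REQ client for this account (per the assumption above)."""
    names = {f"{attrs['samaccountname'][0]}@{realm}"}
    names.update(_qualify(u, realm) for u in attrs.get("userprincipalname", []))
    return names

def check_kinit_principal(ldif, principal, realm=REALM):
    """Return 'ok', 'spn-only: ...' (with a fix), or 'unknown' for the given kinit client name."""
    attrs = parse_ldif(ldif)
    principal = _qualify(principal, realm)
    clients = client_principals(attrs, realm)
    if principal in clients:
        return "ok"
    if principal in {_qualify(s, realm) for s in attrs.get("serviceprincipalname", [])}:
        return (f"spn-only: {principal} is a servicePrincipalName but not the account's "
                f"userPrincipalName; kinit as one of {sorted(clients)} or set userPrincipalName "
                f"to {principal}")
    return "unknown"
```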
This bug still remains. It appears that the export_keytab handler cannot parse the principal name correctly when @REALM is included. Is there a workaround other than using ldbedit?