Bug 9311 - Cannot kinit -k on auto-generated keytab
Cannot kinit -k on auto-generated keytab
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
3.6.7
All All
: P5 major
: ---
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-21 10:16 UTC by Michael Osipov
Modified: 2012-10-21 10:16 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Osipov 2012-10-21 10:16:39 UTC
When joining a domain and "kerberos method" is set to "secrets and keytab" a keytab is auto-generated.

The entries are generated in the following order:
$ klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 host/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 host/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 cifs/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)

The machine's UPN is the last entry. This makes it impossible to issue a 'kinit -k'. It fails with: kinit(v5): Client not found in Kerberos database while getting initial credentials

The machine's UPN (HOSTNAME$@SUB.COMPANY.NET) should always be on top followed by the host service and any other service added by default or 'net ads keytab'.