Ubuntu – keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials

Tags: active-directory, kerberos, samba4, Ubuntu

I set up a samba 4 active directory on ubuntu 14.04 following Samba AD DC HOWTO. In principle everything works well but I'm stuck in getting kerberos authentication running using SPNs for web applications.
When I try to run

kinit -k -t keytabfile http/myserver.mycompany.com 

I always get a

kinit: Client not found in Kerberos database while getting initial credentials

What I already checked so far:

  • DNS is working on both sides forward and backwards returning FQNs
  • kinit works using username
  • myserver.mycompany.com is returned by nslookup on dc and the webserver
  • myserver already joined the domain and is listed in
    CN=Computers,DC=mycompany,DC=com
  • there are no duplicate SPNs

I created the service account/SPNs/keytabs as follows:

samba-tool user create $ADS_USER $ADS_PW --userou=$USER_OU
samba-tool user setexpiry --noexpiry $ADS_USER

samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN} $ADS_USER
samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST} $ADS_USER

samba-tool spn list $ADS_USER
rm -f $MY_KEYTAB
samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN}
samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}

When running
klist -k -e $MY_KEYTAB
everything looks good:

root@myhost:~# klist -ke ./test.keytab
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)

I'm lost, researched several hours in google and have no idea how to work around/fix the 'Client not found in Kerberos database' error. Any hint is welcome!

Thanks

my "/etc/krb5.conf" on client

[libdefaults]
        debug = true
        default_realm = MYCOMPANY.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
[realms]
        MYCOMPANY.COM = {
                kdc = dc01.mycompany.com
                admin_server = dc01.mycompany.com
                kpasswd_server = dc01.mycompany.com

                #ktpasswd_server = dc01.mycompany.com
                #admin_server = dc01.mycompany.com
        }
[domain_realm]
        .mycompany.com = MYCOMPANY.COM
        mycompany.com = MYCOMPANY.COM

on dc server /etc/samba/smb.conf

[global]
        debug level = 1
        syslog = 1
        max log size = 0

        workgroup = MYCOMPANY
        realm = MYCOMPANY.COM
        netbios name = DC01
        server role = active directory domain controller
        server string = MYCOMPANY domain controller
        server role check:inhibit = yes
        dns forwarder = 192.168.22.1
        idmap_ldb:use rfc2307 = yes

Best Answer

Finally - I got it!

The

samba-tool spn add ...

does not (re)name the UPN as expected in the directory. I found it by comparing with MS ADS entries. So the workaround is to change the value by hand before issuing the exportkeytab command:

  • Open the service user entry with an LDAP tool (I used Apache Directory Studio) and
  • find the just created user. Edit "userPrincipalName" to reflect servicePrincipalName + REALM (in my case http/myserver.mycompany.com@MYCOMPANY.COM)
  • export keytab and everything works as expected

on the target machine

kinit -k -t http/myserver.mycompany.com

works without any complaints! Hopefully this helps others trying to set up SSO with Samba4 ...
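The failure mode the answer describes can be checked without an LDAP GUI: `kinit -k` uses the keytab principal as the *client* principal, so the KDC only finds it if it equals the account's userPrincipalName (or sAMAccountName@REALM). The script below is an added example, not code from the question or answer; it parses constructed `klist -ke` output and a constructed LDIF dump of the service account (account name svc-http and its OU are assumptions) and reports, per keytab entry, whether the KDC would find it as a client, and emits the LDIF for the UPN fix.

```python
import re

REALM = "MYCOMPANY.COM"

# Constructed sample, trimmed from the klist output in the question.
KLIST_OUTPUT = """Keytab name: FILE:./test.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)
"""

# Constructed LDIF of the service account as samba-tool leaves it (UPN still the user's own).
ACCOUNT_LDIF = """dn: CN=svc-http,OU=Services,DC=mycompany,DC=com
sAMAccountName: svc-http
userPrincipalName: svc-http@mycompany.com
servicePrincipalName: http/myserver.mycompany.com
servicePrincipalName: http/myserver
"""

def keytab_principals(klist_text):
    """Distinct principals listed by `klist -ke` (lines start with a KVNO)."""
    return sorted({m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s", klist_text, re.M)})

def ldif_attrs(ldif_text):
    """Single-entry LDIF -> {attribute: [values]} (dn excluded)."""
    attrs = {}
    for line in ldif_text.splitlines():
        if ":" in line and not line.startswith("dn:"):
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def check_kinit_clients(klist_text, ldif_text, realm):
    """Per keytab principal: 'ok', 'client-not-found: ...' or 'spn-not-registered'.
    Names are compared case-insensitively here (a simplification of KDC lookup)."""
    attrs = ldif_attrs(ldif_text)
    upn = attrs.get("userPrincipalName", [""])[0]
    sam = attrs.get("sAMAccountName", [""])[0]
    client_names = {upn.lower(), f"{sam}@{realm}".lower()} - {"@" + realm.lower(), ""}
    spns = {s.lower() for s in attrs.get("servicePrincipalName", [])}
    report = {}
    for princ in keytab_principals(klist_text):
        service = princ.split("@", 1)[0]
        if princ.lower() in client_names:
            report[princ] = "ok"
        elif service.lower() in spns:
            report[princ] = f"client-not-found: set userPrincipalName to {service}@{realm}"
        else:
            report[princ] = "spn-not-registered"
    return report

def upn_fix_ldif(dn, service, realm):
    """LDIF that sets the UPN to the SPN+REALM, for `ldbmodify -H sam.ldb fix.ldif` on the DC."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: {service}@{realm}\n"
```

Only one keytab principal can match the single userPrincipalName, so after the fix the short `http/myserver` entry is still reported as not usable for `kinit -k`; it remains valid as a service principal for accepting tickets.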