
I set up a Samba 4 Active Directory on Ubuntu 14.04 following the Samba AD DC HOWTO. In principle everything works well, but I'm stuck getting Kerberos authentication running using SPNs for web applications. When I try to run

kinit -k -t keytabfile http/myserver.mycompany.com 

I always get a

kinit: Client not found in Kerberos database while getting initial credentials

What I already checked so far:

  • DNS is working on both sides, forward and reverse, returning FQDNs
  • kinit works using a username
  • myserver.mycompany.com is returned by nslookup on the DC and the web server
  • myserver already joined the domain and is listed in
    CN=Computers,DC=mycompany,DC=com
  • there are no duplicate SPNs

I created the service account/SPNs/keytabs as follows:

samba-tool user create $ADS_USER $ADS_PW --userou=$USER_OU
samba-tool user setexpiry --noexpiry $ADS_USER

samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN} $ADS_USER
samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST} $ADS_USER

samba-tool spn list $ADS_USER
rm -f $MY_KEYTAB
samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN}
samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}

When running klist -k -e $MY_KEYTAB everything looks good:

root@myhost:~# klist -ke ./test.keytab
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)

I'm lost; I researched for several hours on Google and have no idea how to work around or fix the 'Client not found in Kerberos database' error. Any hint is welcome!

Thanks

My /etc/krb5.conf on the client:

[libdefaults]
        debug = true
        default_realm = MYCOMPANY.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
[realms]
        MYCOMPANY.COM = {
                kdc = dc01.mycompany.com
                admin_server = dc01.mycompany.com
                kpasswd_server = dc01.mycompany.com

                #ktpasswd_server = dc01.mycompany.com
                #admin_server = dc01.mycompany.com
        }
[domain_realm]
        .mycompany.com = MYCOMPANY.COM
        mycompany.com = MYCOMPANY.COM

On the DC server, /etc/samba/smb.conf:

[global]
        debug level = 1
        syslog = 1
        max log size = 0

        workgroup = MYCOMPANY
        realm = MYCOMPANY.COM
        netbios name = DC01
        server role = active directory domain controller
        server string = MYCOMPANY domain controller
        server role check:inhibit = yes
        dns forwarder = 192.168.22.1
        idmap_ldb:use rfc2307 = yes
Heiko Robert

2 Answers

Finally - I got it!

The

samba-tool spn add ...

does not (re)name the UPN as expected in the directory. I found it by comparing with MS ADS entries. So the workaround is to change the value by hand before issuing the exportkeytab command:

  • Open the service user entry with an LDAP tool (I used Apache Directory Studio) and
  • find the just-created user; edit "userPrincipalName" to reflect servicePrincipalName + REALM (in my case http/myserver.mycompany.com@MYCOMPANY.COM)
  • export the keytab and everything works as expected

On the target machine

kinit -k -t keytabfile http/myserver.mycompany.com

works without any complaints! Hopefully this helps others trying to set up SSO with Samba4 ...

Heiko Robert
  • Thank you very much, took some hours to find but has been life saver! I suppose this means there must be a single account for each service, while SPN is supposed to authenticate several services with a single account. I wonder how it behaves with CNAME hosts... – Maxxer Jul 17 '21 at 04:40
  • That's at least the way we configure kerberos authentication on MS AD to be used from java. I have never questioned creating a separate account for each service, so not sure if this would work on MS ... – Heiko Robert Aug 24 '21 at 07:45
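The following script is an added example and is not code from the question, the answer, or the Samba project. It ties the creation script from the question to the answer's manual fix: it derives the userPrincipalName the answer sets by hand (FQDN SPN + "@" + REALM), emits the LDIF for that change, and checks a `klist -ke` listing so you can confirm, before trying kinit on the web server, that every keytab entry carries one of the two SPN@REALM principals rather than the plain account name. It also counts single-DES entries, because the listing in the question contains des-cbc-crc and des-cbc-md5 keys, which are deprecated. The account name, OU, keytab path and sam.ldb path are constructed placeholders, and applying the LDIF with ldbmodify on the DC is an assumption (the answer used Apache Directory Studio instead); the DC-side function is defined but not run.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. It reproduces the
# answer's manual fix (userPrincipalName := SPN@REALM) as LDIF and checks a
# `klist -ke` listing against the principals the keytab should contain.
# Assumptions: the account/OU names, keytab path and sam.ldb path are
# placeholders; applying the LDIF with ldbmodify is an assumption.

REALM="MYCOMPANY.COM"
MY_DOMAIN="mycompany.com"
SERVICE_TYPE="http"
SERVICE_HOST="myserver"
ADS_USER="svc-http-myserver"                        # constructed account name
USER_OU="OU=ServiceAccounts,DC=mycompany,DC=com"    # constructed OU
SAM_LDB="/var/lib/samba/private/sam.ldb"            # assumption: Ubuntu package path
MY_KEYTAB="/etc/krb5.keytab.myserver"               # constructed path

# SPN in FQDN form, e.g. http/myserver.mycompany.com
spn_fqdn() { printf '%s/%s.%s' "$SERVICE_TYPE" "$SERVICE_HOST" "$MY_DOMAIN"; }

# SPN in short-host form, e.g. http/myserver
spn_short() { printf '%s/%s' "$SERVICE_TYPE" "$SERVICE_HOST"; }

# The userPrincipalName the answer sets by hand: FQDN SPN + "@" + REALM.
expected_upn() { printf '%s@%s' "$(spn_fqdn)" "$REALM"; }

# LDIF that replaces userPrincipalName on the service account.
build_upn_ldif() {
    cat <<EOF
dn: CN=$ADS_USER,$USER_OU
changetype: modify
replace: userPrincipalName
userPrincipalName: $(expected_upn)
EOF
}

# Given the text of `klist -ke KEYTAB`, succeed only if there is at least one
# entry and every entry's principal is one of the two SPN@REALM forms.
check_keytab_listing() {
    printf '%s\n' "$1" | awk -v s="$(spn_short)@$REALM" -v l="$(expected_upn)" '
        /^ *[0-9]+ / { n++; if ($2 != s && $2 != l) bad++ }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Count keytab entries that use a single-DES enctype (deprecated by RFC 6649);
# the listing in the question contains four of them.
count_des_entries() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ .*\(des-/ { n++ } END { print n + 0 }'
}

# Not run here: the DC-side steps in the answer's order (fix UPN, then export).
apply_fix_on_dc() {
    build_upn_ldif | ldbmodify -H "$SAM_LDB"   # assumption: ldbmodify reads LDIF on stdin
    rm -f "$MY_KEYTAB"
    samba-tool domain exportkeytab "$MY_KEYTAB" --principal="$(spn_fqdn)"
    samba-tool domain exportkeytab "$MY_KEYTAB" --principal="$(spn_short)"
}

# Constructed sample: the listing from the question, as `klist -ke` prints it.
SAMPLE_LISTING='Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)'

# Constructed sample of a keytab exported for the account name instead of the SPN.
BAD_LISTING='KVNO Principal
---- ----
   1 svc-http-myserver@MYCOMPANY.COM (arcfour-hmac)'

build_upn_ldif
if check_keytab_listing "$SAMPLE_LISTING"; then echo "keytab principals OK"; fi
echo "single-DES entries: $(count_des_entries "$SAMPLE_LISTING")"
```

To use it against a real keytab, pass the output of `klist -ke "$MY_KEYTAB"` to check_keytab_listing; a non-zero count from count_des_entries means the DC is still issuing DES keys for the account, which is worth restricting on the account's supported encryption types before relying on the keytab.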

Initially I got the error below in a Red Hat Linux environment.

kinit: Client not found in Kerberos database while getting initial credentials

Then I tried with the service account below, registered with the F_KEY:

$ kinit  HOST/domainname.no@HOSTNAME.NET

It prompted me for the password and it worked!

I am able to generate the 'krb5cc_0' credentials cache file under the /tmp folder on the server.

I am able to list all details about the temporary TGT by using the 'klist' command:

  1. Valid starting
  2. Expires
  3. Service principal