
I have set up a practical room dedicated to web development learning. User accounts are managed by a Samba 4 AD and user files are stored on a central NFS server with exports secured by Kerberos.

Everything works fine:

  • Users can be authenticated by Kerberos (and receive a ticket at login)
  • Homes are mounted fine with NFS4 (sec=krb5)
  • Rights are correctly applied to all domain users

But I need to install on each client a localhost-only Apache server (with PHP and other stuff) with userdir activated.

I've crawled the internet but it seems that very few people are in the same configuration as me.

I've tried everything I found, like creating an SPN and an Apache-dedicated keytab:

# samba-tool spn add HTTP/client1.domain client1$
# samba-tool domain exportkeytab httpclient1.keytab --principal=HTTP/client1.domain

and exporting this generated keytab to /etc/apache2 on client1, but if I try to do a kinit on this keytab:

# kinit -k -t /etc/apache2/client1http.keytab HTTP/client1.domain
kinit: Client "HTTP/client.domain@REALM" not found in Kerberos database while getting initial credentials

The keytab seems to be correct:

# klist -kt /etc/apache2/client1http.keytab
KVBO Timestamp           Principal
---- ------------------- ----------------------------
   4 29/07/2016 16:12:38 HTTP/client1.domain@REALM
   4 29/07/2016 16:12:38 HTTP/client1.domain@REALM
   4 29/07/2016 16:12:38 HTTP/client1.domain@REALM

I don't know how to make this work... Must I create a domain user to replace the local www-data user on each client?

Just for information:

  • Server side: Ubuntu Server 14.04 (upgrade to 16.04 planned... but later) with Samba 4.2.3 (compiled)
  • Client side: Xubuntu 16.04 with Samba 4.3.9 (from repos)

Any help would be appreciated!!

Best regards, Bruno.

0 Answers