Problem: kinit -k host/$(hostname -f) is not working as expected

Problem:

kinit -k host/$(hostname -f) is not working as expected, if samba4 is installed.
~# kinit -k host/$(hostname -f)

kinit: krb5_get_init_creds: Client (host/dc01.schein.qa@SCHEIN.QA) unknown

Investigation:

The “unknown” points to the fact, that the username, samba4 expects for authorizing, is not found, because the FQDN is not recognized as username or samaccountname.

Even with samba-tool you can only successfully use the hostname, not the fqdn.
samba-tool domain exportkeytab test-keytab --principal=dc01$
root@dc01:~# klist

Credentials cache: FILE:/tmp/krb5cc_0
Principal: dc01$@SCHEIN.QA

Issued Expires Principal
Mar 31 01:56:19 2021 Mar 31 11:56:19 2021 krbtgt/SCHEIN.QA@SCHEIN.QA

root@dc01:~# ktutil -k test-keytab list

test-keytab:

Vno Type Principal Aliases
2 aes256-cts-hmac-sha1-96 dc01$@SCHEIN.QA
2 aes128-cts-hmac-sha1-96 dc01$@SCHEIN.QA
2 arcfour-hmac-md5 dc01$@SCHEIN.QA
2 des-cbc-md5 dc01$@SCHEIN.QA
2 des-cbc-crc dc01$@SCHEIN.QA


Solution:

This way is working with samba4:

~# kinit -k DC01\$
~# klist

Credentials cache: FILE:/tmp/krb5cc_0
Principal: DC01$@SCHEIN.QA

Issued Expires Principal
Apr 21 05:44:25 2021 Apr 21 15:44:25 2021 krbtgt/SCHEIN.QA@SCHEIN.QA

With this Kerberos Ticket, you can use Ldap

~# univention-ldapsearch -Y GSSAPI -s base
~# klist

Credentials cache: FILE:/tmp/krb5cc_0
Principal: DC01$@SCHEIN.QA

Issued Expires Principal
Apr 21 05:44:25 2021 Apr 21 15:44:25 2021 krbtgt/SCHEIN.QA@SCHEIN.QA
Apr 21 05:45:52 2021 Apr 21 15:44:25 2021 ldap/dc01.schein.qa@
Apr 21 05:45:52 2021 Apr 21 15:44:25 2021 ldap/dc01.schein.qa@SCHEIN.QA

And you can see, you have tickets for ldap used.

~# ssh DC01\$@schein.qa

Univention DC Master 4.4-7:

The UCS management system is available at https://dc01.schein.qa/ (10.200.43.10)

You can log into the Univention Management Console - the principal tool to manage
users, groups, etc. - using the “Administrator” account and the password selected
for the root user on the master domain controller.

Last login: Wed Apr 21 04:58:51 2021 from 10.200.43.10
Could not chdir to home directory /dev/null: Not a directory
$

root@dc01:~# klist

Credentials cache: FILE:/tmp/krb5cc_0
Principal: DC01$@SCHEIN.QA

Issued Expires Principal
Apr 21 05:44:25 2021 Apr 21 15:44:25 2021 krbtgt/SCHEIN.QA@SCHEIN.QA
Apr 21 05:45:52 2021 Apr 21 15:44:25 2021 ldap/dc01.schein.qa@
Apr 21 05:45:52 2021 Apr 21 15:44:25 2021 ldap/dc01.schein.qa@SCHEIN.QA
Apr 21 05:47:55 2021 Apr 21 15:44:25 2021 host/dc01.schein.qa@
Apr 21 05:47:55 2021 Apr 21 15:44:25 2021 host/dc01.schein.qa@SCHEIN.QA

It doesn’t work with Samba that you get a Kerberos ticket with the FQDN, but Samba uses here only the Samaccountname, so the “user name”. Also, no UPN (UserPricipalName) is generated for computer accounts, this only happens automatically when users are created.

Mastodon