User Principal


#1

Hello,

How can I create a mapping between a user and a principal and export it to a keytab?

In Windows AD the user would be created like this:
DSADD user cn=server_1_krbsvr400,cn=users,dc=REALM,dc=LOCAL -pwd Password -display server_1_krbsvr400

On Windows the mapping would look like this:
KTPASS -MAPUSER server_1_krbsvr400 -PRINC krbsvr400/server.realm.local@REALM.LOCAL -PASS Password -mapop set +DesOnly -ptype KRB5_NT_PRINCIPAL /out keytab


#2

Does “Working with kerberos principals and keytabs” help?


#3

I have already tried all of that. The script create_spn_account.sh does create a user for me, but no keytab is created. And at the end there is always the error “Entry already exists”, even though the user was just created by the script.

root@s-vucs01:/var/lib/samba/private# /usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname 's-vas01_1_krbsvr400' --serviceprincipalname 'krbsvr400/s-vas01.realm.local' --privatekeytab 'as400.keytab'
params.c:pm_process() - Processing configuration file "/etc/samba/base.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/installs.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/homes"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/Holz-Vitis"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/IT"
params.c:pm_process() - Processing configuration file "/etc/samba/printers.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/local.conf"
User 's-vas01_1_krbsvr400' created successfully
params.c:pm_process() - Processing configuration file "/etc/samba/base.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/installs.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/homes"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/IT"
params.c:pm_process() - Processing configuration file "/etc/samba/printers.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/local.conf"
Expiry for user 's-vas01_1_krbsvr400' disabled.
params.c:pm_process() - Processing configuration file "/etc/samba/base.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/installs.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/homes"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/IT"
params.c:pm_process() - Processing configuration file "/etc/samba/printers.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/local.conf"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Modified 1 records successfully
params.c:pm_process() - Processing configuration file "/etc/samba/base.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/installs.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/homes"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/Holz-Vitis"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf.d/IT"
params.c:pm_process() - Processing configuration file "/etc/samba/printers.conf"
params.c:pm_process() - Processing configuration file "/etc/samba/local.conf"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERR: Entry already exists : "Entry samAccountName=s-vas01_1_krbsvr400,CN=Principals already exists" on DN samAccountName=s-vas01_1_krbsvr400,CN=Principals at block before line 10
Add failed after processing 0 records
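The plain samba-tool route for what post #1 does with DSADD and KTPASS, as an added example that is not part of this thread and is not Univention's create_spn_account.sh. It assumes the names used in the thread (account s-vas01_1_krbsvr400, SPN krbsvr400/s-vas01.realm.local, realm REALM.LOCAL) and a keytab path under /var/lib/samba/private; the helper names principal_for_spn, account_name_for and create_spn_keytab are this example's own, and the kinit flag spelling is MIT's (assumed to be accepted by Heimdal's kinit as well).

```shell
#!/bin/sh
# Added example, not from this thread or from Univention's create_spn_account.sh:
# the samba-tool equivalent of the DSADD + KTPASS sequence in post #1.
# Assumed names: account s-vas01_1_krbsvr400, SPN krbsvr400/s-vas01.realm.local,
# realm REALM.LOCAL, keytab /var/lib/samba/private/as400.keytab.

# Qualify an SPN with the realm (upper-cased), e.g.
#   krbsvr400/s-vas01.realm.local + realm.local
#   -> krbsvr400/s-vas01.realm.local@REALM.LOCAL
# Pure string handling, so it can be checked without a domain controller.
principal_for_spn() {
    spn=$1
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$spn" in
        */*@*) printf '%s\n' "$spn" ;;                 # already fully qualified
        */*)   printf '%s@%s\n' "$spn" "$realm" ;;
        *)     echo "not an SPN, expected service/host: $spn" >&2; return 1 ;;
    esac
}

# sAMAccountName in the convention the thread uses: <shorthost>_<index>_<service>,
# e.g. s-vas01.realm.local 1 krbsvr400 -> s-vas01_1_krbsvr400
account_name_for() {
    printf '%s_%s_%s\n' "${1%%.*}" "$2" "$3"
}

# Create the service account, register the SPN on it and export that
# principal's keys. Calls samba-tool for real: run as root on the Samba AD DC.
create_spn_keytab() {
    account=$1; spn=$2; realm=$3; keytab=$4
    princ=$(principal_for_spn "$spn" "$realm") || return 1

    # Nobody needs to know the password; the keytab carries the keys.
    samba-tool user create "$account" --random-password \
        --description "Kerberos service account for $spn"
    samba-tool user setexpiry "$account" --noexpiry
    # The ktpass +DesOnly flag is deliberately NOT reproduced: single-DES keys are
    # broken and current KDCs refuse to issue them by default.
    samba-tool spn add "$spn" "$account"

    umask 077                         # the keytab is a credential: 0600, root only
    samba-tool domain exportkeytab "$keytab" --principal="$princ"

    # Verify by actually authenticating with the keytab into a throwaway cache.
    # (-k -t are MIT kinit's flags; assumed to be accepted by Heimdal's kinit too.)
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    if kinit -k -t "$keytab" "$princ"; then
        echo "keytab OK: obtained a TGT for $princ"
    else
        echo "keytab export failed for $princ" >&2
    fi
    kdestroy
}

# Usage on the DC:
# create_spn_keytab "$(account_name_for s-vas01.realm.local 1 krbsvr400)" \
#     krbsvr400/s-vas01.realm.local REALM.LOCAL /var/lib/samba/private/as400.keytab
```

principal_for_spn and account_name_for are plain string helpers; create_spn_keytab is the part that touches AD. It ends with a kinit against the freshly exported keytab, which is the check worth doing before the file is copied to the service host: a keytab that exists but holds the wrong principal or an unusable key fails there, not later in the application. Move the keytab only over an authenticated channel and keep it readable by the service's owner alone at the destination.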