I am sorry for my ignorance but I have just recently started using Samba4 as a DC.
I have set up my Samba4 DC and DNS for my domain (for the purpose of my post I will call it my.local).
I have checked that I am able to reach the hosts for Samba4's internal KDC (host -v _kerberos._tcp.my.local etc.) as well as resolve my DC's name and reach it. I am able to kinit as my administrator user on FreeNAS via the shell, and I am able to use winbind if I enter my administrator user password directly, rather than a keytab.
Also, my Windows machine joined the domain without issue.
I went and set up a user and SPN for my FreeNAS server on my DC:
samba-tool user add cifs-data
samba-tool spn add CIFS/data.my.local cifs-data
Then I exported the keytab:
samba-tool domain exportkeytab /root/cifs.keytab --principal=CIFS/data.my.local
This generated the keytab as expected. I then modified my FreeNAS active directory setup to use the user cifs-data with the keytab generated. The active directory service will not start, and from the logs it seems like it is failing when it tries:
kinit -k /data/krb5.keytab -t CIFS/data.my.local@MY.LOCAL
Of course this fails as well when I try it from the DC and shell directly, since it says the client is unknown. I am not really sure why it's trying to kinit here, since from other sites I read that an SPN authentication with a keytab should use a TGS-REQ as opposed to an AS-REQ through kinit.
Any help would be greatly appreciated! Thank you.
Associated ticket: https://bugs.freenas.org/issues/4066
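When a keytab-based kinit fails, the first thing worth checking is which principal names the exported keytab actually holds, because `kinit -k` uses the principal given on the command line both to select a key from the keytab and as the client name in the AS-REQ, so both the keytab and the KDC have to know that name. The script below is an added example, not code from the post, from FreeNAS or from Samba: it parses the MIT/Heimdal keytab file format (version 0x0502, the format `samba-tool domain exportkeytab` writes) and reports the principals, key version numbers and encryption types, the same information `klist -k` shows. The sample keytab bytes are constructed inline with dummy key material; the principal names, KVNO and enctypes in it are assumptions chosen to match the post.

```python
import struct
from dataclasses import dataclass
from typing import List

# Encryption type numbers from RFC 3961 / RFC 3962 / RFC 4757
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "CIFS/data.my.local@MY.LOCAL"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab format 0x0502.
    Used here only to construct sample input; the keys are dummy bytes."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)           # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1700000000)  # timestamp (constructed value)
        body += struct.pack(">B", kvno & 0xFF) # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)        # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a keytab file image and return its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:              # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen               # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:        # 32-bit kvno present after the key
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32 != 0:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, klen))
    return entries


def principals_in(data: bytes) -> List[str]:
    """Distinct principal names held in the keytab."""
    return sorted({e.principal for e in parse_keytab(data)})


def has_principal(data: bytes, principal: str) -> bool:
    """True if a `kinit -k` for this principal could find a key in the keytab."""
    return principal in {e.principal for e in parse_keytab(data)}


# Constructed sample: what an export for CIFS/data.my.local might contain.
SAMPLE_KEYTAB = build_keytab([
    ("CIFS/data.my.local@MY.LOCAL", 2, 18, bytes(32)),
    ("CIFS/data.my.local@MY.LOCAL", 2, 17, bytes(16)),
    ("CIFS/data.my.local@MY.LOCAL", 2, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %-30s %s" % (e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
    for name in ("CIFS/data.my.local@MY.LOCAL", "cifs-data@MY.LOCAL"):
        print(name, "in keytab:", has_principal(SAMPLE_KEYTAB, name))
```

In the sample, only the service principal is present, so a kinit naming the account (cifs-data@MY.LOCAL) cannot find a key in this keytab at all, while a kinit naming CIFS/data.my.local@MY.LOCAL finds the key and then depends on the KDC accepting that SPN as a client name in the AS-REQ. Running the parser over the real exported file shows exactly which of these two cases applies before looking at the KDC side.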