Summary:
I used to use 'net rpc keytab vampire', which probably populated the host's SPN in AD with all that crap. After cleaning up (had to do it manually, one by one) and deleting the krb5.keytab file, I successfully managed to recreate it with 'net ads keytab create' - no need even to have 'netbios name' defined.
Many thanks to Sumit for the help provided!
Ondrej
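The thread's two checks, as an added example that is not part of any message in it: list the keytab principals that do not belong to this host (the foreign user/ and hostname/ entries Ondrej describes), and confirm that all entries of one enctype carry the same key, which is what Sumit says you should see when everything derives from the one machine password. The hostname (myhost), realm (EXAMPLE.COM), the allowed service list and the klist listing itself are constructed assumptions for the example; on a real box you pipe 'klist -k -K -e' into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: audit a 'klist -k -K -e' listing of
# /etc/krb5.keytab for principals that do not belong to this host, and check
# that all entries of one enctype carry the same key material.
#
# Hostname (myhost), realm (EXAMPLE.COM) and the allowed service list are
# assumptions for the example; the listing below is constructed, not real.

# Constructed sample in MIT 'klist -k -K -e' format. The jdoe/ and otherbox/
# entries are the kind of foreign principals described in the thread; their
# keys differ because they come from other accounts' passwords.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 MYHOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xa1b2c3d4)
   3 host/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xa1b2c3d4)
   3 nfs/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xa1b2c3d4)
   3 jdoe/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x0badf00d)
   5 otherbox/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xc0ffee00)'

# foreign_principals HOST ALLOWED_SERVICES
# Reads klist output on stdin and prints every principal whose first component
# is neither the machine account (HOST$) nor one of the comma-separated allowed
# service names with HOST as its instance.
foreign_principals() {
    host="$1"; allowed="$2"
    awk -v host="$host" -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^ *[0-9]+ / {
            princ = $2
            sub(/@.*/, "", princ)                 # drop the realm
            split(princ, parts, "/")
            primary = parts[1]
            if (primary == (toupper(host) "$")) next                       # machine account itself
            if ((primary in ok) && parts[2] ~ ("^" host "(\\.|$)")) next    # one of our own SPNs
            print $2
        }'
}

# same_key_per_enctype
# Reads klist output on stdin; exits 0 if every entry of a given enctype has the
# same key, 1 otherwise (a mismatch means some entry was not derived from this
# machine's password).
same_key_per_enctype() {
    awk '
        /^ *[0-9]+ / {
            etype = $3; key = $4
            if ((etype in seen) && seen[etype] != key) bad = 1
            seen[etype] = key
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone demo on the constructed sample. Against a real keytab:
#   klist -k -K -e /etc/krb5.keytab | foreign_principals myhost host,nfs
# -K prints key material, so never paste that output into a mail or ticket.
printf '%s\n' "$SAMPLE_KLIST" | foreign_principals myhost host,nfs
if printf '%s\n' "$SAMPLE_KLIST" | same_key_per_enctype; then
    echo "keys consistent"
else
    echo "key mismatch: keytab contains entries from other accounts"
fi
```

The allowed service list is deliberately an explicit argument: a keytab entry like nfs/otherhost@REALM would let this machine impersonate another host's NFS service, so anything not on the list for this host is reported, not silently accepted.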
-----Original Message-----
From: Ondrej Valousek [mailto:Ondrej.Valousek@s3group.com]
Sent: Tuesday, July 10, 2018 9:40 AM
To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users] Re: recreate machine keytab file
Hi,
Ok, I did not have 'netbios name' in my smb.conf (which is a simple 4-liner). I added it but it did not make any difference.
In summary, it fills my keytab with entries like (as per klist -k -K):
<someones_username>/<myhost>@<KERBEROS_REALM>
or
<some_hostname>/<myhost>@<KERBEROS_REALM>
where <someones_username> is the username of someone in AD and <some_hostname> is the hostname of some machine joined to AD.
This command actually runs for a very long time, generating a very big keytab - I guess if I left it running (I break it via Ctrl-C after a minute or so), it would eventually populate my keytab with all accounts in AD.
Whereas what I would expect it to actually produce is:
<MYHOST$>@<KERBEROS_REALM>
+ all SPNs set in AD, i.e.:
host/<myhost>@<KERBEROS_REALM>
nfs/<myhost>@<KERBEROS_REALM>
Shall I send you the debug log? (I would rather send it to you directly as it contains sensitive information.)
My samba version:
samba-client-libs-4.4.4-12.el7_3.x86_64
samba-common-tools-4.4.4-12.el7_3.x86_64
samba-common-libs-4.4.4-12.el7_3.x86_64
samba-client-4.4.4-12.el7_3.x86_64
samba-common-4.4.4-12.el7_3.noarch
samba-libs-4.4.4-12.el7_3.x86_64
Thanks,
Ondrej
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Monday, July 09, 2018 4:55 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: recreate machine keytab file
On Mon, Jul 09, 2018 at 02:20:31PM +0000, Ondrej Valousek wrote:
> Thanks,
> "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous.
> I would like to add some parameter to it to only fill it with entries relevant for my computer - i.e. something like:
> net ads keytab create --only-obj <my_hostname>
> which would add the UPN and SPNs (both can be easily grabbed from AD) related to my hostname.
> Ondrej
Do you have 'netbios name' set in your smb.conf? This is where net should get your hostname from.
You can use '-d 10' to see in more detail what net is doing.
Nevertheless, all the entries it currently creates should use the same keys, based on the host password stored by Samba. You can check this with 'klist -k -K -e'.
bye,
Sumit
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Monday, July 09, 2018 3:57 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: recreate machine keytab file
On Mon, Jul 09, 2018 at 12:19:09PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> Is there any way we can recreate the system keytab file of a machine joined to AD if the file has been broken/deleted?
> I want to avoid doing the join again as this would probably delete the existing account (with all the attributes we have set).
> Thanks,
If you used 'net ads join' to join, then 'net ads keytab create' might work for you, because Samba can recover the keytab with the help of the stored plain text password.
With 'adcli update' you have to kinit first as a user who can update the password and then use the --login-ccache option, because chances are you cannot kinit with the keytab anymore. But you should use an account which is only allowed to update the password, because otherwise adcli might try to update other attributes as well.
On AD you can use the ktpass.exe utility to export a fresh keytab.
HTH
bye,
Sumit
>
> Ondrej
>
> -----
>
> The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/O7COHRTHRQCYG6BKUMVWBBVTA6ZU6LAZ/