Bug 1529301

Summary: [RFE] Support adding SPN of a different host with "net ads keytab add"
Product: Red Hat Enterprise Linux 7
Reporter: Ondrej <ondrej.valousek>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA
QA Contact: Andrej Dzilský <adzilsky>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: adzilsky, amitkuma, asn, cpelland, gdeschner, hkhot, jarrpa, ondrej.valousek, rhack
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: samba-4.9.1-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:45:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ondrej 2017-12-27 14:43:27 UTC
Description of problem:
Since version samba-common-tools-4.6.2-12.el7_4.x86_64, the command 'net ads keytab add':
- does not ask for the AD admin password
- only updates the local Kerberos database, not the computer object in AD (the SPN attribute)
This was working (as of samba-common-tools-4.4) - not quite properly, but it was working.

Comment 2 Andreas Schneider 2018-01-02 13:45:26 UTC
Ondrej, could you please post the output of:

testparm -s

Comment 3 Ondrej 2018-01-02 14:11:19 UTC
[root@skynet18 tmp]# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	realm = DUBLIN.AD.S3GROUP.COM
	workgroup = S3
	kerberos method = system keytab
	security = ADS
	idmap config * : backend = tdb

Comment 4 Ondrej 2018-01-03 08:59:15 UTC
More info:
The command works as expected when adding an SPN for the same machine, i.e.:

> net ads keytab add nfs

but fails when I need to add an SPN for a different host (say a CNAME alias for a virtual web server performing SPNEGO authentication):

> net ads keytab add HTTP/different.host.s3group.com.S3GROUP.COM
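
An added check, not part of this bug report or of Samba, for telling the two halves of the failure apart: it parses a constructed `klist -k` listing and a constructed LDAP dump of the computer object (both invented samples, not captured from the reporter's system) and classifies an SPN as present in both places, in the keytab only (the state this report describes), in AD only, or in neither.

```python
import re

# Constructed sample of `klist -k` output after `net ads keytab add` (not from the report).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/skynet18.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM
   2 nfs/skynet18.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM
   2 HTTP/different.host.s3group.com@DUBLIN.AD.S3GROUP.COM
"""

# Constructed LDIF-style dump of the computer object's servicePrincipalName
# attribute, as an LDAP search against the domain controller would return it.
AD_OBJECT = """dn: CN=SKYNET18,CN=Computers,DC=dublin,DC=ad,DC=s3group,DC=com
servicePrincipalName: HOST/SKYNET18
servicePrincipalName: HOST/skynet18.dublin.ad.s3group.com
servicePrincipalName: nfs/skynet18.dublin.ad.s3group.com
"""


def keytab_principals(klist_text):
    """Return the principals (realm stripped) listed in `klist -k` output."""
    principals = set()
    for line in klist_text.splitlines():
        # Entry lines look like "<kvno> <service>/<host>@<REALM>".
        m = re.match(r"\s*\d+\s+(\S+)@\S+$", line)
        if m:
            principals.add(m.group(1))
    return principals


def ad_spns(ldif_text):
    """Return the servicePrincipalName values from an LDIF-style dump."""
    return {line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines()
            if line.startswith("servicePrincipalName:")}


def spn_status(spn, klist_text, ldif_text):
    """Classify one SPN: 'ok', 'keytab-only', 'ad-only' or 'missing'.
    Comparison is case-insensitive, matching how the AD KDC matches SPNs."""
    wanted = spn.lower()
    in_keytab = wanted in {p.lower() for p in keytab_principals(klist_text)}
    in_ad = wanted in {s.lower() for s in ad_spns(ldif_text)}
    if in_keytab and in_ad:
        return "ok"
    if in_keytab:
        return "keytab-only"  # local keytab updated, AD object not: the reported defect
    return "ad-only" if in_ad else "missing"
```

With the samples above, the HTTP principal for the other host reports "keytab-only", which is exactly what a Kerberos client would hit as a ticket request that the KDC cannot serve.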

Comment 5 Andreas Schneider 2018-01-03 11:02:29 UTC
I think that's simply not supported. Could you open an upstream bug for this?

Comment 7 Ondrej 2018-01-03 11:07:30 UTC
Ok, could do. Say for Fedora 26? Any chance someone will bother about this :-)?
I have a few RHEL subscriptions so can open a support request...

Comment 8 Ondrej 2018-01-03 14:43:18 UTC
Created support case #02002973.
Basically, I want to follow this Apache howto:
https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperability

without having to fiddle with the setspn command. I would expect Samba will do this for me.

Let's see what happens...

Comment 9 Andreas Schneider 2018-01-03 16:53:36 UTC
Open an upstream Samba bug and paste the link here.

Comment 10 Ondrej 2018-01-04 07:57:50 UTC
I do not have an account there and it does not seem to be straightforward to create one. I hope someone from Red Hat support will do that for me...

Comment 12 Andreas Schneider 2018-02-14 12:43:08 UTC
There is work in progress, will probably be in RHEL 7.6.

Comment 13 Ondrej 2018-02-19 10:32:09 UTC
Question: Is it realistic to expect that once this feature is implemented in Samba, the "adcli" command will inherit it as well, or do I need to open a separate RFE for this?

Comment 14 Andreas Schneider 2018-02-19 13:57:23 UTC
adcli is not a Samba project. So you need to open an RFE for it.

Comment 15 Andreas Schneider 2018-03-07 13:29:45 UTC
This is in master and will be in Samba 4.9.

Comment 22 errata-xmlrpc 2019-08-06 12:45:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2099