adcli update does not update the keytab file when new SPNs were added via AD
On a domain-joined Debian 12 system (adcli 0.9.1-2), an additional SPN attribute was added to the machine account on the local domain controller.
Running adcli update -v shows the additional records, but does not update the local keytab file. That leads to failing Kerberos authentication, as the application does not know about the new SPNs.
# adcli update -v
* Found realm in keytab: DOMAIN.LOCAL
* Found computer name in keytab: KERBEROS-TEST
* Found service principal in keytab: host/KERBEROS-TEST
* Found service principal in keytab: host/kerberos-test.domain.intern
* Found host qualified name in keytab: kerberos-test.domain.intern
* Found service principal in keytab: RestrictedKrbHost/KERBEROS-TEST
* Found service principal in keytab: RestrictedKrbHost/kerberos-test.domain.intern
* Calculated domain name from host fqdn: domaingmbh.intranet
* Using computer account name: KERBEROS-TEST
* Using domain realm: domaingmbh.intranet
* Discovering domain controllers: _ldap._tcp.domaingmbh.intranet
* Sending NetLogon ping to domain controller: ox.domaingmbh.intranet
* Sending NetLogon ping to domain controller: ox.domaingmbh.intranet
* Received NetLogon info from: ox.domaingmbh.intranet
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-qCsk5n/krb5.d/adcli-krb5-conf-IQIFDI
* Authenticated as default/reset computer account: KERBEROS-TEST
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: MUSTERGMBH
* Looked up domain SID: S-1-5-21-2666612435-3853467678-3725716476
* Using fully qualified name: kerberos-test.domaingmbh.intranet
* Using domain name: domaingmbh.intranet
* Using computer account name: KERBEROS-TEST
* Using domain realm: domaingmbh.intranet
* Using fully qualified name: kerberos-test.domain.intern
* Enrolling computer name: KERBEROS-TEST
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for KERBEROS-TEST$ at: CN=KERBEROS-TEST,CN=Computers,DC=domaingmbh,DC=intranet
* Retrieved kvno '2' for computer account in directory: CN=KERBEROS-TEST,CN=Computers,DC=domaingmbh,DC=intranet
* Password not too old, no change needed
* Sending NetLogon ping to domain controller: ox.domaingmbh.intranet
* Sending NetLogon ping to domain controller: ox.domaingmbh.intranet
* Received NetLogon info from: ox.domaingmbh.intranet
* Checking host/KERBEROS-TEST
* Added host/KERBEROS-TEST
* Checking host/kerberos-test.domain.intern
* Added host/kerberos-test.domain.intern
* Checking RestrictedKrbHost/KERBEROS-TEST
* Added RestrictedKrbHost/KERBEROS-TEST
* Checking RestrictedKrbHost/kerberos-test.domain.intern
* Added RestrictedKrbHost/kerberos-test.domain.intern
* Checking HTTP/KERBEROS-TEST
* Added HTTP/KERBEROS-TEST
* Checking HTTP/KERBEROS-TEST.domain.intern
* Added HTTP/KERBEROS-TEST.domain.intern
# klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 KERBEROS-TEST$@DOMAIN.LOCAL (DEPRECATED:arcfour-hmac)
2 KERBEROS-TEST$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 KERBEROS-TEST$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 host/KERBEROS-TEST@DOMAIN.LOCAL (DEPRECATED:arcfour-hmac)
2 host/KERBEROS-TEST@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 host/KERBEROS-TEST@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 host/kerberos-test.domain.intern@DOMAIN.LOCAL (DEPRECATED:arcfour-hmac)
2 host/kerberos-test.domain.intern@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 host/kerberos-test.domain.intern@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/KERBEROS-TEST@DOMAIN.LOCAL (DEPRECATED:arcfour-hmac)
2 RestrictedKrbHost/KERBEROS-TEST@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/KERBEROS-TEST@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/kerberos-test.domain.intern@DOMAIN.LOCAL (DEPRECATED:arcfour-hmac)
2 RestrictedKrbHost/kerberos-test.domain.intern@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/kerberos-test.domain.intern@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
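A check that makes this drift visible before an application fails: compare the SPNs the directory reports (the "Checking ..." lines above) with the principals actually present in the keytab. The script below is an added example, not adcli's own code. It parses MIT krb5 `klist -ek` output (Heimdal's `ktutil list` format differs), and the SPN list and keytab listing it ships with are sample data constructed from the report above; in practice the SPN list would be read from the computer object's `servicePrincipalName` attribute, which is assumed here rather than queried.

```python
"""Detect SPNs registered in AD that have no usable entry in the local keytab.

Added example (not part of adcli). The sample inputs below are constructed
from the bug report: AD lists HTTP/ SPNs, the keytab does not contain them.
"""
import re
import subprocess
import sys

# Constructed sample: SPNs reported from the directory for the computer object.
AD_SPNS = [
    "host/KERBEROS-TEST",
    "host/kerberos-test.domain.intern",
    "RestrictedKrbHost/KERBEROS-TEST",
    "RestrictedKrbHost/kerberos-test.domain.intern",
    "HTTP/KERBEROS-TEST",
    "HTTP/KERBEROS-TEST.domain.intern",
]

# Constructed sample: abbreviated `klist -ek /etc/krb5.keytab` output taken
# before the keytab was rewritten, so the HTTP/ principals are absent.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 KERBEROS-TEST$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/KERBEROS-TEST@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/kerberos-test.domain.intern@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/KERBEROS-TEST@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/kerberos-test.domain.intern@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: "<kvno> <principal>@<REALM> (<enctype>)".
# The DEPRECATED: prefix that newer klist prints for RC4 is stripped.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)\s*$")


def parse_klist(text):
    """Map each principal (realm dropped) to the set of (kvno, enctype) it has."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # "Keytab name:", column header, separator line
        kvno, principal, _realm, enctype = m.groups()
        entries.setdefault(principal, set()).add((int(kvno), enctype))
    return entries


def missing_spns(ad_spns, keytab_entries):
    """SPNs present in AD with no exact keytab entry.

    Keytab lookups by MIT krb5 are exact-match, so a ticket issued for such an
    SPN cannot be decrypted by the service even though adcli saw the SPN in AD.
    """
    return sorted(s for s in ad_spns if s not in keytab_entries)


def case_only_mismatches(ad_spns, keytab_entries):
    """SPNs whose only keytab match differs in letter case.

    AD compares servicePrincipalName case-insensitively, the keytab does not,
    so these are reported separately from outright missing entries.
    """
    lowered = {p.lower(): p for p in keytab_entries}
    return sorted((s, lowered[s.lower()]) for s in ad_spns
                  if s not in keytab_entries and s.lower() in lowered)


def stale_kvno(keytab_entries, directory_kvno):
    """Principals holding no key at the kvno the directory currently reports."""
    return sorted(p for p, keys in keytab_entries.items()
                  if directory_kvno not in {k for k, _ in keys})


def report(ad_spns, klist_text, directory_kvno):
    """Human-readable summary; empty string means the keytab matches AD."""
    entries = parse_klist(klist_text)
    lines = []
    for spn in missing_spns(ad_spns, entries):
        lines.append(f"MISSING in keytab: {spn}")
    for spn, have in case_only_mismatches(ad_spns, entries):
        lines.append(f"CASE MISMATCH: AD has {spn}, keytab has {have}")
    for principal in stale_kvno(entries, directory_kvno):
        lines.append(f"STALE KVNO (directory is {directory_kvno}): {principal}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With a keytab path on the command line, read the live listing instead
    # of the constructed sample (requires MIT krb5's klist on PATH).
    if len(sys.argv) > 1:
        listing = subprocess.run(["klist", "-ek", sys.argv[1]],
                                 capture_output=True, text=True, check=True).stdout
    else:
        listing = KLIST_OUTPUT
    out = report(AD_SPNS, listing, directory_kvno=2)
    print(out or "keytab matches the directory SPNs")
```

On the constructed sample the report flags the two `HTTP/` SPNs as missing and nothing else, which is exactly the state the first `klist -ek` above shows; once the keytab has been rewritten (as in the second listing further down) the report is empty. The kvno check is included because a keytab that still has the right principals but an old kvno fails in the same way from the application's point of view.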
However, adding the SPN via adcli updates the keytab file, and the keytab now contains all records:
# adcli update -v --add-service-principal=ldap/kerberos-test.domain.intern@MUSTER.LOCAL
* Found realm in keytab: MUSTER.LOCAL
* Found computer name in keytab: KERBEROS-TEST
* Found service principal in keytab: host/KERBEROS-TEST
* Found service principal in keytab: host/kerberos-test.domain.intern
* Found host qualified name in keytab: kerberos-test.domain.intern
* Found service principal in keytab: RestrictedKrbHost/KERBEROS-TEST
* Found service principal in keytab: RestrictedKrbHost/kerberos-test.domain.intern
* Calculated domain name from host fqdn: mustergmbh.intranet
* Using computer account name: KERBEROS-TEST
* Using domain realm: mustergmbh.intranet
* Discovering domain controllers: _ldap._tcp.mustergmbh.intranet
* Sending NetLogon ping to domain controller: ox.mustergmbh.intranet
* Sending NetLogon ping to domain controller: ox.mustergmbh.intranet
* Received NetLogon info from: ox.mustergmbh.intranet
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-zIw7G5/krb5.d/adcli-krb5-conf-thrPSB
* Authenticated as default/reset computer account: KERBEROS-TEST
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: MUSTERGMBH
* Looked up domain SID: S-1-5-21-2666612435-3853467678-3725716476
* Using fully qualified name: kerberos-test.mustergmbh.intranet
* Using domain name: mustergmbh.intranet
* Using computer account name: KERBEROS-TEST
* Using domain realm: mustergmbh.intranet
* Using fully qualified name: kerberos-test.domain.intern
* Enrolling computer name: KERBEROS-TEST
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for KERBEROS-TEST$ at: CN=KERBEROS-TEST,CN=Computers,DC=mustergmbh,DC=intranet
* Retrieved kvno '2' for computer account in directory: CN=KERBEROS-TEST,CN=Computers,DC=mustergmbh,DC=intranet
* Password not too old, no change needed
* Sending NetLogon ping to domain controller: ox.mustergmbh.intranet
* Sending NetLogon ping to domain controller: ox.mustergmbh.intranet
* Received NetLogon info from: ox.mustergmbh.intranet
* Checking host/KERBEROS-TEST
* Added host/KERBEROS-TEST
* Checking host/kerberos-test.domain.intern
* Added host/kerberos-test.domain.intern
* Checking RestrictedKrbHost/KERBEROS-TEST
* Added RestrictedKrbHost/KERBEROS-TEST
* Checking RestrictedKrbHost/kerberos-test.domain.intern
* Added RestrictedKrbHost/kerberos-test.domain.intern
* Checking HTTP/KERBEROS-TEST
* Added HTTP/KERBEROS-TEST
* Checking HTTP/KERBEROS-TEST.domain.intern
* Added HTTP/KERBEROS-TEST.domain.intern
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: KERBEROS-TEST$@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/KERBEROS-TEST@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/kerberos-test.domain.intern@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/KERBEROS-TEST@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/kerberos-test.domain.intern@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Added the entries to the keytab: ldap/kerberos-test.domain.intern@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Added the entries to the keytab: HTTP/KERBEROS-TEST@MUSTER.LOCAL: FILE:/etc/krb5.keytab
* Added the entries to the keytab: HTTP/KERBEROS-TEST.domain.intern@MUSTER.LOCAL: FILE:/etc/krb5.keytab
root@kerberos-test:/etc/apache2# klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 KERBEROS-TEST$@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 KERBEROS-TEST$@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 KERBEROS-TEST$@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 host/KERBEROS-TEST@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 host/KERBEROS-TEST@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 host/KERBEROS-TEST@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 host/kerberos-test.domain.intern@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 host/kerberos-test.domain.intern@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 host/kerberos-test.domain.intern@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/KERBEROS-TEST@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 RestrictedKrbHost/KERBEROS-TEST@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/KERBEROS-TEST@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/kerberos-test.domain.intern@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 RestrictedKrbHost/kerberos-test.domain.intern@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/kerberos-test.domain.intern@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 ldap/kerberos-test.domain.intern@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 ldap/kerberos-test.domain.intern@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 ldap/kerberos-test.domain.intern@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 HTTP/KERBEROS-TEST@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 HTTP/KERBEROS-TEST@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 HTTP/KERBEROS-TEST@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)
2 HTTP/KERBEROS-TEST.domain.intern@MUSTER.LOCAL (DEPRECATED:arcfour-hmac)
2 HTTP/KERBEROS-TEST.domain.intern@MUSTER.LOCAL (aes128-cts-hmac-sha1-96)
2 HTTP/KERBEROS-TEST.domain.intern@MUSTER.LOCAL (aes256-cts-hmac-sha1-96)