I want to setup a service to check the kdc with nagios. With my kdc (samba4) I create the user using this script
#!/bin/bash
USER=nagioskerberos
DOMAIN=myhost.priv
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv
samba-tool user delete $USER
samba-tool user create $USER --random-password
samba-tool user setexpiry $USER --noexpiry
net ads enctypes set $USER 16
samba-tool spn add $SERVICE/$FQDN $USER
samba-tool domain exportkeytab $USER.keytab --principal=$SERVICE/$FQDN
then I copy the keytab on nagios server and restart service
scp nagioskerberos.keytab nagios1:
ssh nagios1
systemctl restart nagios
the permissions are ok
ls -lhd /etc/nagios/nagios.*tab
-rw------- 1 nagios nagios 101 Jul 2 02:25 /etc/nagios/nagios.keytab
the keys seems ok
klist -ke /etc/nagios/nagios.keytab
Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nagioskerberos/[email protected] (aes256-cts-hmac-sha1-96)
But when I try to check...
./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/[email protected] -H samba4 -P 88
CRITICAL Getting Kerberos ticket: kinit: Client 'nagioskerberos/[email protected]' not found in Kerberos database while getting initial credentials (credentials for nagioskerberos/[email protected] from /etc/nagios/nagios.keytab)
Why?
This is the krb5.conf for server samba4 and server nagios
[libdefaults]
default_realm = MYHOST.PRIV
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
Solution found.
First I change my script
from
to
I recreate the user.
BEFORE export the tab and copy I did this
modify this line
exit..
Copy the keytab, restart nagios and...