hi,

I have recently installed a Samba 4 in a DC role.
The distribution is a Debian jessie/sid, the version of Samba is 4.1.7.
The server is globally working but there is some little trouble.
On the server itself, I can do a kinit without problem, but if I try a kpasswd,
I obtain the following:

root@station:/var/log/samba# kinit
Password for administrator@TOTO.FR:
root@station:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TOTO.FR
Valid starting        Expires               Service principal
09/05/2014 09:23:42   09/05/2014 19:23:42   krbtgt/TOTO.FR@TOTO.FR
        renew until 10/05/2014 09:23:38
root@station:/var/log/samba# kpasswd
[10 sec later ....]
kpasswd: Cannot contact any KDC for requested realm getting initial ticket

The smb.conf file is the following:

[global]
        workgroup = TOTO
        realm = TOTO.FR
        netbios name = station
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 129.20.128.39
        allow dns updates = nonsecure
#       winbind rpc only = yes
        log level = 4
        ntp signd socket directory = /var/lib/samba/ntp_signd
[netlogon]
        path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[demo]
        path = /share/demo
        read only = no

And the krb5.conf is the following:

[logging]
        default = FILE:/var/log/krb5.log
[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5

        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
...

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .toto.fr= TOTO.FR
[login]
        krb4_convert = true
        krb4_get_tickets = false

The tcpdump for a failed attempt of kpasswd gives the following:

client -> station Kerberos AS-REQ
MSG Type : AS-REQ(10)
Server Name(principal): kadmin/changepw
Encryption type rc4-hmac

station -> client BER Error : Empty choice was found ...

And the log on the server side gives:

Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

It seems to me like a crypto negotiation failure between the client and the
server; all the enctypes lines in the krb5.conf were not there initially and are a
(failed) attempt to fix the trouble.

So my questions are:

- Is there any way for me to know what kind of encoding Samba 4/Kerberos expects
on the server side?
- What is the location of the credentials for all the users on the server side?
Are they stored in the LDAP part of Samba 4?
- Does anyone see what I can do to fix this mess?


Best regards
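An added check, not from the post and not Samba's or MIT's own code: a small Python lint for a krb5.conf, run here against a constructed sample that reproduces the [libdefaults], [realms] and [domain_realm] settings quoted above. It parses the file (section headers, key = value lines, and the NAME = { ... } blocks used under [realms]), confirms that [realms] has an entry for default_realm, flags enctype lists that carry no AES type or that include DES/RC4 types, and checks that [domain_realm] maps something to the default realm. The sample, the DEPRECATED_ENCTYPES set and the function names are assumptions of this example. On the file as quoted, the lint reports that the only [realms] entry is IETR.UNIV-RENNES1.FR while default_realm is TOTO.FR, and that all three enctype lists contain only arcfour/DES types.

```python
"""Lint a krb5.conf for realm/enctype consistency (added example, not from the post)."""
import re

# Constructed sample, modelled on the krb5.conf quoted in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
[domain_realm]
        .toto.fr= TOTO.FR
"""

# Single-DES and RC4 enctypes (deprecated by RFC 6649 and RFC 8429); assumed set.
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "arcfour-hmac-md5", "arcfour-hmac", "arcfour-hmac-exp", "rc4-hmac",
}

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and NAME = { ... } blocks
    (any nesting depth).  Comment lines starting with '#' are skipped.
    Returns {section: {key: value | nested dict}}."""
    conf = {}
    section = None
    stack = []  # open NAME = { ... } blocks within the current section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            stack = []
            continue
        if section is None:
            continue  # text before the first section header
        target = stack[-1] if stack else section
        if line == "}":
            if stack:
                stack.pop()
            continue
        block = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if block:
            new = target.setdefault(block.group(1), {})
            stack.append(new)
            continue
        kv = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if kv:
            target[kv.group(1)] = kv.group(2).strip()
    return conf


def lint(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if realm is None:
        findings.append("libdefaults: no default_realm set")
    else:
        realms = conf.get("realms", {})
        entry = realms.get(realm)
        if not isinstance(entry, dict):
            listed = ", ".join(sorted(realms)) or "none"
            findings.append(f"realms: no entry for default_realm {realm} (entries: {listed})")
        elif "kdc" not in entry and "admin_server" not in entry:
            findings.append(f"realms: entry for {realm} names neither kdc nor admin_server")
        if realm not in conf.get("domain_realm", {}).values():
            findings.append(f"domain_realm: nothing maps to {realm}")
    for key in ENCTYPE_KEYS:
        value = libdefaults.get(key)
        if value is None:
            continue
        types = value.split()
        if not any(t.startswith("aes") for t in types):
            findings.append(f"libdefaults: {key} lists no AES enctype ({value})")
        weak = [t for t in types if t in DEPRECATED_ENCTYPES]
        if weak:
            findings.append(f"libdefaults: {key} includes deprecated enctypes: {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(finding)
```

The parser only covers the syntax that appears in the quoted file; it is meant as a quick consistency check before trusting a krb5.conf on a client, not as a replacement for the library's own parser.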