Brian Candler
2016-Dec-19 18:21 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
I am trying to use a keytab for a client machine to authenticate to Samba's own LDAP server.

The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2 compiled from source. The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been joined directly to the Samba domain ("net ads join"). I have also extracted a keytab ("net ads keytab create -P") which created /etc/krb5.keytab.

Now if I try to authenticate, I can get a TGT, but I can't actually authenticate to the LDAP server:

root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Client not found in Kerberos database)
root@wrn-radtest:~# cat /tmp/trace.out
[17919] 1482170475.951771: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET for server principal ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET
[17919] 1482170475.951821: Getting credentials host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET using ccache FILE:/tmp/krb5cc_0
[17919] 1482170475.951863: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[17919] 1482170475.951900: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[17919] 1482170475.951907: Starting with TGT for client realm: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
[17919] 1482170475.951912: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.951929: Generated subkey for TGS request: rc4-hmac/5B25
[17919] 1482170475.951946: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.952023: Encoding request body and padata into FAST request
[17919] 1482170475.952068: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.952489: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.952708: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.958164: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.958397: Response was not from master KDC
[17919] 1482170475.958420: TGS request result: -1765328378/Client not found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.958448: Generated subkey for TGS request: rc4-hmac/D306
[17919] 1482170475.958464: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.958500: Encoding request body and padata into FAST request
[17919] 1482170475.958537: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.958782: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.958937: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.963625: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.963784: Response was not from master KDC
[17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database

But if I kinit with a real user, it works fine:

root@wrn-radtest:~# kinit brian
...
root@wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base
SASL/GSSAPI authentication started
SASL username: brian@AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=net> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
# ... etc

Any ideas what's going on, or where else I can look?

Aside: What I'm actually trying to do is to get freeradius to authenticate using a keytab in order to do LDAP queries, which I've had working with FreeIPA before and am now trying to replicate with Samba in a different environment.

Thanks,

Brian.

P.S. Here are the config files from the client machine:

--- /etc/krb5.conf ---
[libdefaults]
    default_realm = AD.EXAMPLE.NET
    dns_lookup_realm = false
    dns_lookup_kdc = true

# I added this but it didn't make a difference
[domain_realm]
    .ad.example.net = AD.EXAMPLE.NET

--- /etc/samba/smb.conf ---
[global]
    security = ADS
    workgroup = AD
    realm = AD.EXAMPLE.NET
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    log level = 1
    username map = /etc/samba/user.map
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U
    imdap config AD : backend = rid
    idmap config AD : range = 100000-999999
    idmap config * : backend = autorid
    idmap config * : range = 1000000-9999999
    idmap config * : rangesize = 100000

The keytab itself looks OK to me:

root@wrn-radtest:~# net ads keytab list
Vno  Type                     Principal
  2  des-cbc-crc              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  des-cbc-md5              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  des-cbc-crc              host/wrn-radtest@AD.EXAMPLE.NET
  2  des-cbc-md5              host/wrn-radtest@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest@AD.EXAMPLE.NET
  2  des-cbc-crc              WRN-RADTEST$@AD.EXAMPLE.NET
  2  des-cbc-md5              WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         WRN-RADTEST$@AD.EXAMPLE.NET
Brian Candler
2016-Dec-19 20:02 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
And FWIW, here's the LDAP entry for the computer which was generated when it joined:

root@wrn-dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=wrn-radtest)'
# record 1
dn: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: wrn-radtest
instanceType: 4
whenCreated: 20161219120818.0Z
uSNCreated: 5055
name: wrn-radtest
objectGUID: db8fd9f5-4be3-4886-a459-71858010f4fa
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 515
objectSid: S-1-5-21-1073172920-2372885959-993370794-1109
accountExpires: 9223372036854775807
sAMAccountName: wrn-radtest$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=net
isCriticalSystemObject: FALSE
userAccountControl: 69632
pwdLastSet: 131266228999887560
dNSHostName: wrn-radtest.ad.example.net
servicePrincipalName: HOST/WRN-RADTEST
servicePrincipalName: HOST/wrn-radtest.ad.example.net
logonCount: 1
lastLogon: 131266508988047120
lastLogonTimestamp: 131266508988047120
whenChanged: 20161219195459.0Z
uSNChanged: 7842
distinguishedName: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net

I did a "net ads leave" and "net ads join", but it hasn't made a difference.

Regards,

Brian.
Brian Candler
2016-Dec-20 10:13 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
L.P.H. van Belle wrote:
> start with fixing the overlapping idmap config.
> that wont help.

I don't think they are overlapping: I used 100,000-999,999 for rid and 1,000,000 to 9,999,999 for autorid.

> check again if host.fqdn a and ptr exists in the dns.

# dig +short wrn-radtest.ad.example.net. a
192.168.5.83
# dig +short -x 192.168.5.83
wrn-radtest.ad.example.net.

> check resolv.conf

Points to two nearby instances of pdns recursor, which in turn forward domains "ad.example.net" and "5.168.192.in-addr.arpa" to the Samba servers.

> make sure your primary domain is listed first.

It only has "ad.example.net" in the search section.

> you left and rejoined the domain, so you can try regenerating your keytab file also.

Yep, did that, no difference.

Rowland Penny wrote:
> No, start by using the correct thing for '*':
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-9999999

I wasn't aware that the default *had* to be tdb; the manpage at https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html gives examples which don't use tdb at all, e.g.

[global]
    security = ads
    workgroup = CUSTOMER
    realm = CUSTOMER.COM

    idmap config * : backend = autorid
    idmap config * : range = 1000000-1999999

Is it really wrong to use autorid for this?

Anyway: I have followed your advice, switched to tdb, left and rejoined domain, and regenerated the keytab. The problem is still there.

While doing this I found one stupid problem which was visible in my original post:

    imdap config AD : backend = rid

Arrgh!!! (I noticed this because getent passwd 'AD\brian' started returning a tdb-assigned ID 1000000 instead of the RID-based ID)

But after fixing that (and net cache flush and restarting winbind), still no joy:

root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
DNS Update for wrn-radtest.ad.example.net failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@wrn-radtest:~# rm /etc/krb5.keytab
root@wrn-radtest:~# net ads keytab create -P
root@wrn-radtest:~# kdestroy
root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -b 'dc=ad,dc=example,dc=net' -h wrn-dc1.ad.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Client not found in Kerberos database)
root@wrn-radtest:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET

Valid starting       Expires              Service principal
12/20/2016 09:52:51  12/20/2016 19:52:51  krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
    renew until 12/21/2016 09:52:51

I assume the DNS update error on re-joining is just because there was an existing DNS entry. Indeed: if I leave the domain, remove the DNS record, and then join again, there is no error:

root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
root@wrn-radtest:~#

But still I can't use the keytab ticket for LDAP auth.

To be honest: I think the UID mapping is a red herring. If I understand correctly, mapping RID to unix UID is something which is local to the client system. I can't see how it would affect our Kerberos ticket being accepted by the LDAP server.

I will keep digging...

Thanks,

Brian.
Rowland Penny
2016-Dec-20 10:45 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
On Tue, 20 Dec 2016 10:13:14 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> L.P.H. van Belle wrote:
>
> > check resolv.conf
>
> Points to two nearby instances of pdns recursor, which in turn
> forward domains "ad.example.net" and "5.168.192.in-addr.arpa" to the
> Samba servers.

Can I suggest you stop doing this, point your domain member at the DC only.

> Rowland Penny wrote:
>
> > No, start by using the correct thing for '*':
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-9999999
>
> I wasn't aware that the default *had* to be tdb; the manpage at
> https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
> gives examples which don't use tdb at all, e.g.
>
> [global]
>     security = ads
>     workgroup = CUSTOMER
>     realm = CUSTOMER.COM
>
>     idmap config * : backend = autorid
>     idmap config * : range = 1000000-1999999
>
> Is it really wrong to use autorid for this?

Best practice is to use 'tdb', there is no need to actually know the IDs for any of the '*' domain users & groups. 'tdb' is known to work.

> Anyway: I have followed your advice, switched to tdb, left and
> rejoined domain, and regenerated the keytab. The problem is still
> there.

When you join the domain with 'kerberos method = secrets and keytab', you should get a keytab created without having to manually create it.

> While doing this I found one stupid problem which was visible in my
> original post:
>
>     imdap config AD : backend = rid
>
> Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
> returning a tdb-assigned ID 1000000 instead of the RID-based ID)
>
> But after fixing that (and net cache flush and restarting winbind),
> still no joy:

How did you 'fix' this, on face value, there is nothing wrong with that line.

Rowland
Brian Candler
2016-Dec-20 10:56 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
I finally found it, thanks to a clue from https://wiki.archlinux.org/index.php/Active_Directory_Integration

This works:

    kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'

These don't work:

    kinit -k -t /etc/krb5.keytab
    kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
    kinit -k -t /etc/krb5.keytab host/wrn-radtest

That is: the keytab contains three different principals:

root@wrn-radtest:~# net ads keytab list
Vno  Type                     Principal
  2  des-cbc-crc              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  des-cbc-md5              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  des-cbc-crc              host/wrn-radtest@AD.EXAMPLE.NET
  2  des-cbc-md5              host/wrn-radtest@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest@AD.EXAMPLE.NET
  2  des-cbc-crc              WRN-RADTEST$@AD.EXAMPLE.NET
  2  des-cbc-md5              WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         WRN-RADTEST$@AD.EXAMPLE.NET

I can get a TGT for any of them, and by default kinit chooses the first. But the LDAP server won't talk to me unless I choose the 'WRN-RADTEST$' principal.

Now I just need to work out how to get freeradius to choose the right principal - but at worst I should be able to make a new keytab which doesn't have the other two.

Regards,

Brian.
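As an added illustration of the point in the message above (this is editor-supplied example code, not something posted in the thread and not part of Samba or freeradius), the script below parses a listing in the format printed by net ads keytab list, reports which principal a bare kinit -k would pick (the first entry in the keytab), picks out the machine-account principal (NAME$@REALM, which is what the DC accepted here) and builds the kinit command with it. It goes one step beyond the thread by also flagging the single-DES and RC4 entries that such a keytab carries, since those enctypes are deprecated and a defender will usually want them out of any keytab handed to a service. The sample listing is constructed to mirror the thread's output; all function names are mine.

```python
"""Pick the right principal out of a `net ads keytab list`-style listing.

kinit -k with no principal argument uses the first entry in the keytab, which
in the thread above was host/<fqdn>; the DC only accepted the machine account
(NAME$@REALM). This parser makes that choice explicit.
"""
import re
from collections import OrderedDict

# Constructed sample in the `net ads keytab list` layout (not captured output).
SAMPLE_LISTING = """\
Vno  Type                     Principal
  2  des-cbc-crc              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
  2  arcfour-hmac-md5         host/wrn-radtest@AD.EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
"""

# One entry per line: kvno, enctype name, principal@REALM. The header line has
# no leading integer, so it is skipped by the regex.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")

# Enctypes a defender should not leave in a service keytab (single DES, RC4).
LEGACY_ENCTYPE_RE = re.compile(r"^(des-|arcfour-)")


def parse_keytab_listing(text):
    """Return principal -> [(kvno, enctype), ...], preserving keytab order."""
    entries = OrderedDict()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank or otherwise unparseable line
        kvno, enctype, principal = m.groups()
        entries.setdefault(principal, []).append((int(kvno), enctype))
    return entries


def default_kinit_principal(entries):
    """The principal `kinit -k -t KEYTAB` uses when none is given: the first entry."""
    return next(iter(entries), None)


def machine_account_principal(entries):
    """The AD computer account: sAMAccountName ends in '$' and has no service/ prefix."""
    for principal in entries:
        name, _, _realm = principal.rpartition("@")
        if name.endswith("$") and "/" not in name:
            return principal
    return None


def kinit_command(entries, keytab="/etc/krb5.keytab"):
    """argv for kinit that names the machine account explicitly, as in the fix above."""
    principal = machine_account_principal(entries)
    if principal is None:
        raise ValueError("keytab has no machine-account (NAME$@REALM) principal")
    return ["kinit", "-k", "-t", keytab, principal]


def legacy_enctypes(entries):
    """Set of deprecated enctype names present anywhere in the keytab."""
    return {
        enctype
        for keys in entries.values()
        for _kvno, enctype in keys
        if LEGACY_ENCTYPE_RE.match(enctype)
    }


if __name__ == "__main__":
    parsed = parse_keytab_listing(SAMPLE_LISTING)
    print("default kinit principal :", default_kinit_principal(parsed))
    print("machine account         :", machine_account_principal(parsed))
    print("use                     :", " ".join(kinit_command(parsed)))
    print("legacy enctypes present :", sorted(legacy_enctypes(parsed)))
```

Run it against real output with `net ads keytab list | python3 this_script.py` after swapping SAMPLE_LISTING for sys.stdin.read(); the same ordering rule explains why the klist output earlier in the thread shows host/wrn-radtest.ad.example.net as the default principal.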
L.P.H. van Belle
2016-Dec-20 11:19 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
Hai,

Maybe something like this in freeradius, but I'm not 100% sure here. I'm also working on my freeradius skills here, it's hard.. :-/ ( for me .. )

I used this site: http://deployingradius.com/documents/configuration/active_directory.html for the basics and start with a working set. Now I'm trying to get rid of ntlm_auth and switch to ldaps or kerberos.

This is what I found, don't know if that's exactly what you're looking for.

( module )
krb5 {
    keytab = /etc/freeradius/keytab
    service_principal = radius/radius.example.com
}

authenticate {
    Auth-Type PAP {
        krb5
    }
    Auth-Type Kerberos {
        krb5
    }
}

For my squid server I needed the correct SPN also. For that I've added these to the environment file to load.

KRB5_KTNAME=/etc/squid/keytab.PROXY
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

And the SPN which squid needs ( the only one ) is in keytab.PROXY
The CA root cert merged in /etc/ssl/certs/ca-certificates.crt to make sure my ldaps work ok.

I hope this helps you a bit. And if you get it working it would be very nice to post it here for when I'm working on freeradius again.

;-)

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Brian Candler via
> samba
> Sent: Tuesday 20 December 2016 11:57
> To: samba
> Subject: Re: [Samba] Problem with keytab: "Client not found in Kerberos
> database"
>
> I finally found it, thanks to a clue from
> https://wiki.archlinux.org/index.php/Active_Directory_Integration
>
> This works:
>
> kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'
>
> These don't work:
>
> kinit -k -t /etc/krb5.keytab
> kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
> kinit -k -t /etc/krb5.keytab host/wrn-radtest
>
> That is: the keytab contains three different principals:
>
> root@wrn-radtest:~# net ads keytab list
> Vno  Type                     Principal
>   2  des-cbc-crc              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>   2  des-cbc-md5              host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>   2  aes128-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>   2  aes256-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>   2  arcfour-hmac-md5         host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
>   2  des-cbc-crc              host/wrn-radtest@AD.EXAMPLE.NET
>   2  des-cbc-md5              host/wrn-radtest@AD.EXAMPLE.NET
>   2  aes128-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
>   2  aes256-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
>   2  arcfour-hmac-md5         host/wrn-radtest@AD.EXAMPLE.NET
>   2  des-cbc-crc              WRN-RADTEST$@AD.EXAMPLE.NET
>   2  des-cbc-md5              WRN-RADTEST$@AD.EXAMPLE.NET
>   2  aes128-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
>   2  aes256-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
>   2  arcfour-hmac-md5         WRN-RADTEST$@AD.EXAMPLE.NET
>
> I can get a TGT for any of them, and by default kinit chooses the
> first. But the LDAP server won't talk to me unless I choose the
> 'WRN-RADTEST$' principal.
>
> Now I just need to work out how to get freeradius to choose the right
> principal - but at worst I should be able to make a new keytab which
> doesn't have the other two.
>
> Regards,
>
> Brian.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba