L.P.H. van Belle
2017-Feb-01 13:44 UTC
[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
Hai,

I noticed something strange in the keytab file on my member server.
This is a followup of: [Samba] winbind question. (challenge/response password authentication)

Samba 4.5.3 on Debian Jessie.

Leave the domain:

net ads leave -k
Deleted account for 'PROXY2' in realm 'REALM'

I checked in Windows, and the computer is gone in the "Computer" OU.

Removed the keytab file:

rm krb5.keytab

net ads join -k
Using short domain name -- NTDOM
Joined 'PROXY2' to dns domain 'internal.domain.tld'

Check the new keytab (created at join):

klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:01:34 host/PROXY2@REALM (des-cbc-crc)
   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 02/01/2017 14:01:34 host/PROXY2@REALM (des-cbc-md5)
   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:01:34 host/PROXY2@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:01:34 host/PROXY2@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 02/01/2017 14:01:34 host/PROXY2@REALM (arcfour-hmac)
   2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-crc)
   2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-md5)
   2 02/01/2017 14:01:34 PROXY2$@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:01:34 PROXY2$@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:01:34 PROXY2$@REALM (arcfour-hmac)

So far good.

I logged in on the DC with the FSMO roles and created the needed nfs entries:

samba-tool spn add nfs/proxy2 proxy2$
samba-tool spn add nfs/proxy2.internal.domain.tld proxy2$

Back to the member. Backed up the original keytab file:

mv krb5.keytab krb5.keytab-1

Create a new keytab file:

net ads keytab create -k

klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:06:56 host/PROXY2@REALM (des-cbc-crc)
   2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 02/01/2017 14:06:56 host/PROXY2@REALM (des-cbc-md5)
   2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 host/PROXY2@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 host/PROXY2@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 02/01/2017 14:06:57 host/PROXY2@REALM (arcfour-hmac)
   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (des-cbc-crc)
   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (des-cbc-md5)
   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (arcfour-hmac)
   2 02/01/2017 14:06:57 PROXY2$@REALM (des-cbc-crc)
   2 02/01/2017 14:06:57 PROXY2$@REALM (des-cbc-md5)
   2 02/01/2017 14:06:57 PROXY2$@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 PROXY2$@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:06:57 PROXY2$@REALM (arcfour-hmac)

All looks ok... now the (not) funny part.

(on the DC)

samba-tool spn add HTTP/proxy2 proxy2$
samba-tool spn add HTTP/proxy2.internal.domain.tld proxy2$

Backed up the keytab file again (on the member):

mv krb5.keytab krb5.keytab-2

net ads keytab create -k

klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:09:27 host/PROXY2@REALM (des-cbc-crc)
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 02/01/2017 14:09:27 host/PROXY2@REALM (des-cbc-md5)
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 host/PROXY2@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 host/PROXY2@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 02/01/2017 14:09:27 host/PROXY2@REALM (arcfour-hmac)
   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (des-cbc-crc)
   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (des-cbc-md5)
   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (arcfour-hmac)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:09:28 http/PROXY2@REALM (des-cbc-crc)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 02/01/2017 14:09:28 http/PROXY2@REALM (des-cbc-md5)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 http/PROXY2@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 http/PROXY2@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 02/01/2017 14:09:28 http/PROXY2@REALM (arcfour-hmac)
   2 02/01/2017 14:09:28 PROXY2$@REALM (des-cbc-crc)
   2 02/01/2017 14:09:28 PROXY2$@REALM (des-cbc-md5)
   2 02/01/2017 14:09:28 PROXY2$@REALM (aes128-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 PROXY2$@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 PROXY2$@REALM (arcfour-hmac)

Now why is the HTTP now http? Some SPNs need CAPS, some not. Squid needs HTTP/, not http.. :-(

When I now check in Windows, user manager, go to the computer (OU=Computers), on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit, I'm seeing here:

HOST/PROXY2
HOST/proxy2.internal.domain.tld
http/proxy2
HTTP/PROXY2
http/proxy2.internal.domain.tld
HTTP/proxy2.internal.domain.tld
nfs/proxy2
nfs/proxy2.internal.domain.tld

Now why is there a http and HTTP, while this didn't happen with the nfs SPN? And why is HOST in caps in the servicePrincipalName in Windows, but in the keytab not?

Can someone confirm this? This makes it all very unpredictable.

I'm running samba 4.5.3 now. I removed the faulty keytab again, removed the faulty entries http/.. so only HTTP/ is in Windows under servicePrincipalName, created the keytab file, and same result, only lower cased http/ :-(

Exporting on the DC:

samba-tool domain exportkeytab --principal=HTTP/proxy2.internal.domain.tld /root/keytabs/proxy2.keytab-new

klist -ke /root/keytabs/proxy2.keytab-new
Keytab name: FILE:/root/keytabs/proxy2.keytab-new
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   2 HTTP/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 HTTP/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   2 HTTP/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   2 HTTP/proxy2.internal.domain.tld@REALM (des-cbc-crc)

Which looks correct to me.

Did we find a real bug here?

Greetz,

Louis
Rowland Penny
2017-Feb-04 12:30 UTC
[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
On Wed, 1 Feb 2017 14:43:52 +0100
"L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

> Hai,
>
> I noticed something strange in the keytab file on my member server.

I can confirm this, but it gets stranger ;-)

If I go into the computers object and remove any 'http' lines so that I have this:

servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com

If I then remove the keytab, then recreate it, I then find this in the computers object:

servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com
servicePrincipalName: http/devclient
servicePrincipalName: http/devclient.samdom.example.com

The lowercase 'http' spn lines are back!

And the relevant lines in the keytab are all lowercase:

   2 04/02/17 12:22:15 http/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 04/02/17 12:22:15 http/DEVCLIENT@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 04/02/17 12:22:15 http/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   2 04/02/17 12:22:15 http/DEVCLIENT@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   2 04/02/17 12:22:15 http/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/02/17 12:22:15 http/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/02/17 12:22:15 http/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:22:15 http/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:22:15 http/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   2 04/02/17 12:22:15 http/DEVCLIENT@SAMDOM.EXAMPLE.COM (arcfour-hmac)

Rowland
Rowland Penny
2017-Feb-04 13:23 UTC
[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
On Sat, 4 Feb 2017 12:30:29 +0000
Rowland Penny via samba <samba@lists.samba.org> wrote:

> On Wed, 1 Feb 2017 14:43:52 +0100
> "L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:
>
> > Hai,
> >
> > I noticed something strange in the keytab file on my member server.
>
> I can confirm this, but it gets stranger ;-)

OK, I think I have found a workaround ;-)

Remove the 'http' SPNs from the computers AD object.

Then (on the client) run this:

net ads keytab add HTTP -k

klist -ket
.................
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (arcfour-hmac)

and in the computers AD object:

servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com

Rowland
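The thread's symptom is easy to miss by eye in a 35-line keytab listing: the AD object and the keytab disagree only in the case of the service class (HTTP/ vs http/, HOST/ vs host/). As an added example (not code from the thread and not part of Samba), here is a small POSIX shell check that compares the principals in `klist -ket` output against the computer object's servicePrincipalName values and reports every pair that matches only case-insensitively. The function names and both sample inputs are my own; the samples are constructed, modelled on the listings above, and assume the `klist -ket` column layout (KVNO, date, time, principal, enctype) and an LDIF-style one-value-per-line SPN dump such as `ldbsearch` or `samba-tool spn list` would give after light cleanup.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): report SPNs whose
# service class differs only in case between a member server's keytab and the
# computer object's servicePrincipalName attribute.
# Assumed input formats: the text of `klist -ket`, and an LDIF-style dump with
# one "servicePrincipalName: ..." line per value.

# Constructed sample of `klist -ket` output after `net ads keytab create -k`,
# modelled on the thread's listing (not captured from a real system).
KEYTAB_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 PROXY2$@REALM (aes256-cts-hmac-sha1-96)'

# Constructed sample of the computer object after the lowercase http/ values
# were removed by hand, leaving only HTTP/ (as in the thread).
SPN_SAMPLE='servicePrincipalName: HOST/PROXY2
servicePrincipalName: HOST/proxy2.internal.domain.tld
servicePrincipalName: nfs/proxy2
servicePrincipalName: nfs/proxy2.internal.domain.tld
servicePrincipalName: HTTP/PROXY2
servicePrincipalName: HTTP/proxy2.internal.domain.tld'

# keytab_principals: unique service/host principals (realm stripped) from
# klist -ket output. Header lines and the machine account (no '/') are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            p = $4
            sub(/@.*/, "", p)
            if (index(p, "/") > 0) seen[p] = 1
        }
        END { for (p in seen) print p }' | sort
}

# ad_spns: servicePrincipalName values from an LDIF-style dump.
ad_spns() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "servicePrincipalName" { print $2 }' | sort
}

# spn_case_mismatches: print "<keytab name> <AD name>" for each keytab
# principal that has no exact match in AD but does match an AD SPN when
# compared case-insensitively. AD matches SPNs case-insensitively, but
# Kerberos principal names in a keytab are compared exactly, which is why the
# thread's squid only accepts the HTTP/ entry and not http/.
spn_case_mismatches() {
    {
        ad_spns "$2" | sed 's/^/AD /'
        keytab_principals "$1" | sed 's/^/KT /'
    } | awk '
        $1 == "AD" { ad[$2] = 1; next }
        $1 == "KT" {
            if ($2 in ad) next
            for (s in ad)
                if (tolower(s) == tolower($2)) print $2, s
        }'
}

# Run against the constructed samples; on a real member server you would feed
# in "$(klist -ket)" and the SPN lines dumped from the computer object instead.
spn_case_mismatches "$KEYTAB_SAMPLE" "$SPN_SAMPLE"
```

On the sample data this prints two lines, `host/... HOST/...` and `http/... HTTP/...`, and nothing for nfs/, which mirrors both observations in the thread (HOST is upper case in AD but not in the keytab, and HTTP came back as http). Whether a HOST/host difference matters in practice is not something this check decides; it only makes the case differences visible so they can be compared against what the consuming service (squid here) actually asks for.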
L.P.H. van Belle
2017-Feb-07 07:32 UTC
[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
Hm, interesting way. What's the difference in creating the HTTP/ SPN with net ads or samba-tool (besides the found bug)?

I'll go try this out.

You remember the "squid" spn/upn problem? This solved it also. The squid kerberos group plugin now correctly detects the HTTP spn.

Thanks for trying it out.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Saturday, 4 February 2017 14:24
> To: samba@lists.samba.org
> Subject: Re: [Samba] samba creating keytabs... ( possible bug, can someone confirm this )
>
> On Sat, 4 Feb 2017 12:30:29 +0000
> Rowland Penny via samba <samba@lists.samba.org> wrote:
>
> > On Wed, 1 Feb 2017 14:43:52 +0100
> > "L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:
> >
> > > Hai,
> > >
> > > I noticed something strange in the keytab file on my member server.
> >
> > I can confirm this, but it gets stranger ;-)
>
> OK, I think I have found a workaround ;-)
>
> Remove the 'http' SPNs from the computers AD object
>
> Then (on the client) run this:
>
> net ads keytab add HTTP -k
>
> klist -ket
>
> .................
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>    2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>    2 04/02/17 12:44:48 HTTP/DEVCLIENT@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>
> and in the computers AD object:
>
> servicePrincipalName: HOST/DEVCLIENT
> servicePrincipalName: HOST/devclient.samdom.example.com
> servicePrincipalName: nfs/devclient
> servicePrincipalName: nfs/devclient.samdom.example.com
> servicePrincipalName: HTTP/devclient
> servicePrincipalName: HTTP/devclient.samdom.example.com
>
> Rowland