Prunk Dump
2017-Jun-19 20:13 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hello Samba team!

I am in a very delicate situation. After an upgrade to Debian Stretch my DRS stopped working. I have three DCs (fichdc, fichds01, fichds02), all Debian Stretch, all with the same problem. Everything seems to be fine except DRS:

-> file shares work
-> DNS (with bind9 DLZ) works
-> "kinit administrator" works
-> "kinit -k FICHDC$" works
-> time synchronisation works
-> winbind works (with nsswitch)
-> the domain controller "A" record resolves
-> the domain controller "objectGuid CNAME" record resolves
-> an nfsv4 share works using sec=krb5

But when I try a DRS connection:

--------------------------------
$ samba-tool drs showrepl -d 3
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed - drsException: DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed: (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
--------------------------------

And in log.samba, here are the strange errors I have:

--------------------------------
resolve_lmhosts: Attempting lmhosts lookup for name 04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name 04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.20:41611 for krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@NET.LYC-GUILLAUME-FICHET.AC-G$
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Looking for ENC-TS pa-data -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Failed to decrypt PA-DATA -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc- ...
resolve_lmhosts: Attempting lmhosts lookup for name 6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.20:50934 for krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@NET.LYC-GUILLAUME-FICHET.AC-G$
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.22[1024,seal,krb5,target_hostname=6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-g ...
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
--------------------------------

This seems to be a computer account problem. But I can't find any problem in Kerberos:

--------------------------------
# kinit -k FICHDC$
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR

Valid starting       Expires              Service principal
19/06/2017 22:05:54  20/06/2017 08:05:54  krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
        renew until 20/06/2017 22:05:54
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
--------------------------------

Here is my smb.conf:

--------------------------------
[global]
        log level = 3
        netbios aliases = sambaaccount sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr
        load printers = yes
        workgroup = FICHNET
        realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
        netbios name = FICHDC
        interfaces = lo, eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
--------------------------------

A big thank you if someone can help me!

Baptiste.
Andrew Bartlett
2017-Jun-19 21:58 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
> Hello Samba team!
>
> I am in a very delicate situation. After an upgrade to debian Stretch
> my DRS stopped working.

Have you ever had MIT krb5 installed, or is krb5kdc now running?

Samba doesn't use /etc/krb5.keytab, so this may be related to some previous install (or may be related to how you are trying to use NFS).

> This seems to be a computer account problem. But I can't find any
> problem in Kerberos:
>
> --------------------------------
> # kinit -k FICHDC$
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR

Can you do this against the secrets.keytab in Samba's private/ dir?

You can reset the Samba machine account pw with ./source4/scripting/devel/chgtdcpass, but:
- it won't be packaged, so you will have to build Samba and tell it to operate against the right paths
- it shouldn't be needed, upgrades shouldn't break this, and understanding the root cause would be better

Does 'samba-tool time -P' work? Is it any different with 'samba-tool time -P -k no'? (It seems your issue is related primarily to kerberos and a keytab out of sync somehow.)

> Valid starting       Expires              Service principal
> 19/06/2017 22:05:54  20/06/2017 08:05:54  krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
>         renew until 20/06/2017 22:05:54
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab

As I mention above, this is the wrong keytab for a Samba DC.

> A big thank you if someone can help me!

I hope this helps; otherwise, depending on the urgency, you might need to get some professional guidance. It gets really stressful when the network is down and we all know that can lead to mistakes.

Take care,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
L.P.H. van Belle
2017-Jun-20 08:35 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai,

Just saying samba does not use /etc/krb5.keytab is not totally correct.
A lot of setups use the setting:

    dedicated keytab file = /etc/krb5.keytab

because the systemd defaults point to /etc/krb5.keytab.

From his logs:

    Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)

And from his command (klist -k: Keytab name: FILE:/etc/krb5.keytab) the above server is found.
Only the HOST/SPN entry is missing.

This looks like:

    dedicated keytab file = /etc/krb5.keytab

was in smb.conf but is gone now, or a symlink was replaced by a keytab file in /etc. I suspect the last one, due to the upgrade.

In this case, export the SPNs again and check if host/spn and NETBIOSNAME$@SPN exist.
Use ktutil to import all entries from both keytab files and export the one you need back.

Greetz,

Louis
Prunk Dump
2017-Jun-20 08:58 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Thanks for the help!!!

2017-06-19 23:58 GMT+02:00 Andrew Bartlett <abartlet@samba.org>:
> On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
>> Hello Samba team!
>>
>> I am in a very delicate situation. After an upgrade to debian Stretch
>> my DRS stopped working.
>
> Have you ever had MIT krb5 installed, or is krb5kdc now running?
>
> Samba doesn't use /etc/krb5.keytab, so this may be related to some
> previous install (or may be related to how you are trying to use NFS).

I have checked, MIT kerberos is not installed, just the "krb5-user" kerberos client package.

>> This seems to be a computer account problem. But I can't find any
>> problem in Kerberos:
>>
>> --------------------------------
>> # kinit -k FICHDC$
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
>
> Can you do this against the secrets.keytab in Samba's private/ dir?
>
> You can reset the Samba machine account pw with
> ./source4/scripting/devel/chgtdcpass, but:
> - it won't be packaged so you will have to build Samba and tell it to
> operate against the right paths
> - it shouldn't be needed, upgrades shouldn't break this, and
> understanding the root cause would be better
>
> Does 'samba-tool time -P' work? Is it any different with 'samba-tool
> time -P -k no'? (It seems your issue is related primarily to kerberos
> and a keytab out of sync somehow.)

Yes, you're right! I need to understand the root of the problem as I have some other DCs to upgrade the same way. And you're right, authentication with the private keytab does not work. But strangely it works with /etc/krb5.keytab.

--------------------------------
~# klist -e -k /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)

~# kinit -V -k -t /var/lib/samba/private/secrets.keytab FICHDC$
Using default cache: /tmp/krb5cc_0
Using principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Using keytab: /var/lib/samba/private/secrets.keytab
kinit: Preauthentication failed while getting initial credentials

~# samba-tool time -P
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
    self.outf.write(net.time(server_name)+"\n")

~# samba-tool time -P -k no
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
    self.outf.write(net.time(server_name)+"\n")

~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)

~# kinit -k -t /etc/krb5.keytab FICHDC$
--------------------------------

I don't know what "KVNO" is. But in "/etc/krb5.keytab" there are "1" and "2" FICHDC$ principal entries, while in "/var/lib/samba/private/secrets.keytab" there is only "1".

And in the samba log file I have:

--------------------------------
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
--------------------------------

How is "/var/lib/samba/private/secrets.keytab" updated by samba?

Thank you very much for the help!

Baptiste.
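An added example (not from the thread and not Samba's own code): a small checker for the comparison Baptiste made by hand above. It parses `klist -e -k` listings of the two keytabs and the "Failed to find ... (kvno 2)" line from log.samba, then reports whether the keytab named in the log holds the key version the ticket was issued under (KVNO is the key version number, incremented each time the account's password is changed). The listings and log line below are constructed, shortened copies of those posted above; the enctype alias table is the example's own.

```python
import re
from collections import defaultdict

# Constructed, shortened copies of the two `klist -e -k` listings posted in the thread.
SECRETS_KEYTAB_LISTING = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
"""

ETC_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
"""

# The GENSEC server-side failure line from log.samba, as posted in the thread.
LOG_LINE = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab "
    "FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)"
)

# MIT klist prints RC4-HMAC as "arcfour-hmac"; the Heimdal-based Samba log says
# "arcfour-hmac-md5". Both are enctype 23, so normalise names before comparing.
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

# One keytab entry: "<kvno> <principal> (<enctype>)"; header/separator lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
FAILURE_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")


def normalise_enctype(name):
    return ENCTYPE_ALIASES.get(name, name)


def parse_klist(text):
    """Turn `klist -e -k` output into {principal: {kvno: {enctype, ...}}}."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            table[principal][kvno].add(normalise_enctype(enctype))
    return {p: dict(v) for p, v in table.items()}


def parse_failure(line):
    """Extract principal, kvno, keytab path and enctype from the log line, or None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    return {"principal": m.group(1), "kvno": int(m.group(2)),
            "keytab": m.group(3), "enctype": normalise_enctype(m.group(4))}


def diagnose(listing, log_line):
    """Does this keytab hold the key version (and enctype) the server needed?"""
    want = parse_failure(log_line)
    keys = parse_klist(listing).get(want["principal"], {})
    present = sorted(keys)
    return {
        "principal": want["principal"],
        "wanted_kvno": want["kvno"],
        "present_kvnos": present,
        "kvno_present": want["kvno"] in keys,
        "enctype_present": want["enctype"] in keys.get(want["kvno"], set()),
        # Highest key version older than the one requested: the keytab missed a password change.
        "keytab_is_stale": bool(present) and max(present) < want["kvno"],
    }


def compare_keytabs(listing_a, listing_b):
    """Principals whose highest kvno differs between two listings: {principal: (a, b)}."""
    a, b = parse_klist(listing_a), parse_klist(listing_b)
    diff = {}
    for principal in sorted(set(a) | set(b)):
        top_a = max(a[principal]) if principal in a else None
        top_b = max(b[principal]) if principal in b else None
        if top_a != top_b:
            diff[principal] = (top_a, top_b)
    return diff


if __name__ == "__main__":
    for name, listing in (("secrets.keytab", SECRETS_KEYTAB_LISTING),
                          ("/etc/krb5.keytab", ETC_KEYTAB_LISTING)):
        print(name, diagnose(listing, LOG_LINE))
    print(compare_keytabs(SECRETS_KEYTAB_LISTING, ETC_KEYTAB_LISTING))
```

On the posted data the first call reports secrets.keytab as stale (only kvno 1 where kvno 2 was required), which is the condition behind every NT_STATUS_LOGON_FAILURE in the thread.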
L.P.H. van Belle
2017-Jun-20 09:13 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai Baptiste,

What you can try. Type:

    ktutil (enter)
    rkt /etc/krb5.keytab
    rkt /var/lib/samba/private/krb5.keytab
    list

Now check if you see:

    host/server.internal.domain.tld@REALM
    host/server@REALM
    (same (both) for nfs/..@REALM)

and NETBIOSNAME$@REALM.

If you see all of them, you can write this back to a new file:

    wkt /etc/krb5.keytab.new1

And if needed you can also clean up the keytab file before writing.

Now choose either:

    dedicated keytab file = /etc/krb5.keytab

or use the samba default in /var/lib/samba/private/krb5.keytab.

In case of the samba default:

    rm /etc/krb5.keytab
    ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

Some extra info on the keytab things:
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction

Greetz,

Louis
Andrew Bartlett
2017-Jun-20 19:29 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 2017-06-20 at 10:35 +0200, L.P.H. van Belle via samba wrote:
> Hai,
>
> Just saying samba does not use /etc/krb5.keytab is not totally correct.

As an AD DC, we don't use it.

> A lot of setups use the setting : dedicated keytab file = /etc/krb5.keytab
> Because systemd defaults point to /etc/krb5.keytab.

Sure, but that is not used by the AD DC.

> From his logs:
> Failed to find
> FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>
> And from his command (klist -k : Keytab name: FILE:/etc/krb5.keytab ) the above server is found.
> Only the HOST/SPN entry is missing.
>
> This looks like that :
> dedicated keytab file = /etc/krb5.keytab
> was in smb.conf but is gone now, or a symlink is replaced by a keytab file in /etc
> I suspect the last one, due to the upgrade.

I'm not disputing that the OP may have copied the keytab. It still won't change what path the Samba AD DC will use.

> In this case, export the spn's again and check if host/spn and NETBIOSNAME$@SPN exist.
> use ktutil to import all entries from both keytab files and export the one you need back.

That won't change Samba to use /etc/krb5.keytab as an AD DC, nor should it. It might impact if NFS is in operation, but that is a secondary task at this point.

I'm being so blunt because:
- Samba is internally inconsistent on this point and
- Samba folklore spreads like wildfire

Sorry,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Achim Gottinger
2017-Jun-20 21:35 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
> Can you do this against the secrets.keytab in Samba's private/ dir?
>
> You can reset the Samba machine account pw with
> ./source4/scripting/devel/chgtdcpass, but:
>  - it won't be packaged so you will have to build Samba and tell it to
>    operate against the right paths
>  - it shouldn't be needed, upgrades shouldn't break this, and
>    understanding the root cause would be better
>

Hello Andrew,

May I ask a few questions in regards to chgtdcpass.
Can this command be used to add newer enctypes on machines only having des and arcfour types?
Is it safe to use this command on all ad-dc's in a production environment?

Thanks in advance,
achim
L.P.H. van Belle
2017-Jun-21 06:45 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai Andrew,

No, you're not blunt. It's good you correct things like this; since English is not my native language, it can be a bit fuzzy to understand what I mean.

> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Tuesday, 20 June 2017 21:29
> To: L.P.H. van Belle; samba@lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
>
> On Tue, 2017-06-20 at 10:35 +0200, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Just saying samba does not use /etc/krb5.keytab is not totally correct.
>
> As an AD DC, we don't use it.
>
> > A lot of setups use the setting : dedicated keytab file =
> > /etc/krb5.keytab Because systemd defaults point to /etc/krb5.keytab.
>
> Sure, but that is not used by the AD DC.
>
> > From his logs:
> > Failed to find
> > FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
> > FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> >
> > And from his command (klist -k : Keytab name: FILE:/etc/krb5.keytab ) the above server is found.
> > Only the HOST/SPN entry is missing.
> >
> > This looks like that :
> > dedicated keytab file = /etc/krb5.keytab was in smb.conf but is gone
> > now, or a symlink is replaced by a keytab file in /etc. I suspect the last one,
> > due to the upgrade.
>
> I'm not disputing that the OP may have copied the keytab. It
> still won't change what path the Samba AD DC will use.

I'm not disputing that either, but I'm "guessing" what has changed between jessie and stretch.
I found one old "thingy" that the debian maintainer won't fix.
Example: install winbind only, and you get the missing ldb modules thing, not that they are used but still. ( missing samba-dsdb-modules )
Somehow the way the system defaults work and the way samba was set up created the problem at upgrade time.
I suspect something like: during the upgrade of jessie to stretch, at samba upgrade, Samba is updating the AD DB; now it's unknown how long this takes and what happens if you reboot the server while the samba AD DB is still being updated.

> > In this case, export the spn's again and check if host/spn and NETBIOSNAME$@SPN exist.
> > use ktutil to import all entries from both keytab files and export the one you need back.
>
> That won't change Samba to use /etc/krb5.keytab as an AD DC,
> nor should it. It might impact if NFS is in operation, but
> that is a secondary task at this point.

Now, I don't run my nfs v4 on my DC's, so I did not encounter this. Thanks, good to know.

> I'm being so blunt because:
> - Samba is internally inconsistent on this point and
> - Samba folklore spreads like wildfire
>
> Sorry,

No problem, comments from developers are most welcome and keep things more clear. "Respect"

> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba