thr3ads.net - samba - [Samba] smbclient kerberos auth fails [Apr 2018]

If this information is useful, please help other people find it:
Share via:

Aurélien Aptel

2018-Apr-14 13:19 UTC

[Samba] smbclient kerberos auth fails

Hi,

I rarely deal with kerberos but everytime I do it's painful...

I have a Windows Server 2016 VM at foo-ad.foo.com. It has the AD role
and it owns the FOO.COM domain. I added a *AD* account FOO\aaptel%aaptel.

    PS C:\share> get-aduser aaptel
    
    
    DistinguishedName : CN=aaptel,CN=Users,DC=foo,DC=com
    Enabled           : True
    GivenName         :
    Name              : aaptel
    ObjectClass       : user
    ObjectGUID        : 97c32e32-593c-4d88-a183-268798016eeb
    SamAccountName    : aaptel
    SID               : S-1-5-21-1780990686-3015222812-3597832517-1105
    Surname           :
    UserPrincipalName : aaptel at foo.com

I can login with AD accounts from a linux machine using ntlmssp with
-U FOO\aaptel%aaptel
-U FOO.COM\aaptel%aaptel
-U aaptel%aaptel (weirdly this works)

they all work fine.

Now to use kerberos on the same linux machine I've done:

* make sure time is ntp sync'd on the client
* add the AD ip address in resolv.conf (i can resolve foo.com and
  foo-ad.foo.com fine)
* set /etc/krb5.conf to:

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = FOO.COM
    
    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = FILE:/var/log/krb5/def.log

* run kinit aaptel at FOO.COM, type pw, ok
* klist output:

    Ticket cache: DIR::/run/user/1000/krb5cc/tktEOK9Bs
    Default principal: aaptel at FOO.COM
    
    Valid starting       Expires              Service principal
    04/14/2018 13:49:22  04/14/2018 23:49:22  krbtgt/FOO.COM at FOO.COM
            renew until 04/15/2018 13:49:21


At this point I think it should work, but I get:

    $ smbclient //foo.com/share -k
    SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/foo.com failed
(next[(null)]): NT_STATUS_INVALID_PARAMETER
    SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
    session setup failed: NT_STATUS_INVALID_PARAMETER

I've attached a network trace with SMB, DNS and kerberos traffic.

-------------- next part --------------

Adding KRB5_TRACE=/dev/stderr to the env I get:

KRB5_TRACE=/dev/stderr smbclient //foo.com/share -k
[14620] 1523708816.549070: Getting credentials aaptel at FOO.COM ->
cifs/foo.com at FOO.COM using ccache DIR::/run/user/1000/krb5cc/tkt
[14620] 1523708816.549204: Retrieving aaptel at FOO.COM -> cifs/foo.com at
FOO.COM from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching
credential not found
[14620] 1523708816.549239: Retrieving aaptel at FOO.COM -> krbtgt/FOO.COM at
FOO.COM from DIR::/run/user/1000/krb5cc/tkt with result: 0/Success
[14620] 1523708816.549244: Starting with TGT for client realm: aaptel at FOO.COM
-> krbtgt/FOO.COM at FOO.COM
[14620] 1523708816.549249: Requesting tickets for cifs/foo.com at FOO.COM,
referrals on
[14620] 1523708816.549289: Generated subkey for TGS request: aes256-cts/8C96
[14620] 1523708816.549350: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.549445: Encoding request body and padata into FAST request
[14620] 1523708816.549489: Sending request (1552 bytes) to FOO.COM
[14620] 1523708816.601328: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.601424: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.601458: Initiating TCP connection to stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.625955: Sending TCP request to stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.661357: Received answer (295 bytes) from stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.694851: Response was not from master KDC
[14620] 1523708816.694885: Decoding FAST response
[14620] 1523708816.694959: TGS request result: -1765328377/Server not found in
Kerberos database
[14620] 1523708816.694966: Requesting tickets for cifs/foo.com at FOO.COM,
referrals off
[14620] 1523708816.694991: Generated subkey for TGS request: aes256-cts/73FA
[14620] 1523708816.695028: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.695096: Encoding request body and padata into FAST request
[14620] 1523708816.695160: Sending request (1552 bytes) to FOO.COM
[14620] 1523708816.745857: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.745934: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.745989: Initiating TCP connection to stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.770008: Sending TCP request to stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.805500: Received answer (295 bytes) from stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.840186: Response was not from master KDC
[14620] 1523708816.840218: Decoding FAST response
[14620] 1523708816.840268: TGS request result: -1765328377/Server not found in
Kerberos database
[14620] 1523708816.840651: Getting credentials aaptel at FOO.COM ->
cifs/foo.com at COM using ccache DIR::/run/user/1000/krb5cc/tkt
[14620] 1523708816.840710: Retrieving aaptel at FOO.COM -> cifs/foo.com at
COM from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching
credential not found
[14620] 1523708816.840758: Retrieving aaptel at FOO.COM -> krbtgt/COM at COM
from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching credential
not found
[14620] 1523708816.840796: Retrieving aaptel at FOO.COM -> krbtgt/FOO.COM at
FOO.COM from DIR::/run/user/1000/krb5cc/tkt with result: 0/Success
[14620] 1523708816.840803: Starting with TGT for client realm: aaptel at FOO.COM
-> krbtgt/FOO.COM at FOO.COM
[14620] 1523708816.840841: Retrieving aaptel at FOO.COM -> krbtgt/COM at COM
from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching credential
not found
[14620] 1523708816.840849: Requesting TGT krbtgt/COM at FOO.COM using TGT
krbtgt/FOO.COM at FOO.COM
[14620] 1523708816.840867: Generated subkey for TGS request: aes256-cts/0E2E
[14620] 1523708816.840899: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.840949: Encoding request body and padata into FAST request
[14620] 1523708816.840999: Sending request (1548 bytes) to FOO.COM
[14620] 1523708816.893032: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.893107: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.893161: Initiating TCP connection to stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.919222: Sending TCP request to stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.946685: Received answer (290 bytes) from stream
2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.976231: Response was not from master KDC
[14620] 1523708816.976265: Decoding FAST response
[14620] 1523708816.976299: TGS request result: -1765328377/Server not found in
Kerberos database
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/foo.com failed (next[(null)]):
NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


Any help welcome.

Cheers,

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Ralph Böhme

2018-Apr-14 13:43 UTC

head link

[Samba] smbclient kerberos auth fails

Hi Aurélien,

On Sat, Apr 14, 2018 at 03:19:59PM +0200, Aurélien Aptel via samba
wrote:> At this point I think it should work, but I get:
> 
>     $ smbclient //foo.com/share -k
I guess you need to specify the FQDN of the host, not the domain.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
                               59E4 AA1E 9B71 2639 9E46

Rowland Penny

2018-Apr-14 13:56 UTC

head link

[Samba] smbclient kerberos auth fails

On Sat, 14 Apr 2018 15:43:37 +0200
Ralph Böhme via samba <samba at lists.samba.org> wrote:
> Hi Aurélien,
> 
> On Sat, Apr 14, 2018 at 03:19:59PM +0200, Aurélien Aptel via samba
> wrote:
> > At this point I think it should work, but I get:
> > 
> >     $ smbclient //foo.com/share -k
> 
> I guess you need to specify the FQDN of the host, not the domain.
> 
> -slow
> 
Totally agree, the share is on a Samba machine, not on the domain ;-)

Rowland

Aurélien Aptel

2018-Apr-18 10:00 UTC

head link

[Samba] smbclient kerberos auth fails

Forgot to reply to this

Ralph Böhme <slow at samba.org> writes:> Hi Aurélien,
>
> On Sat, Apr 14, 2018 at 03:19:59PM +0200, Aurélien Aptel via samba wrote:
>> At this point I think it should work, but I get:
>> 
>>     $ smbclient //foo.com/share -k
>
> I guess you need to specify the FQDN of the host, not the domain.
Yes that was it, thanks! But both the domain and the fqdn resolve to the
same machine so I'm not sure why doesn't work :/

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Possibly Parallel Threads

Search for more possibly parallel threads

samba - Apr 2018 - smbclient kerberos auth fails

[Samba] smbclient kerberos auth fails

[Samba] smbclient kerberos auth fails

[Samba] smbclient kerberos auth fails

[Samba] smbclient kerberos auth fails

Possibly Parallel Threads