Andrew Bartlett
2022-Jan-27 07:29 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 09:54 +0300, Alex via samba wrote:
> Stefan,
>
> > > The permissions are correct and they didn't change during the
> > > Samba upgrade:
> > > [root at vm-corp etc]# ls -l /usr/local/etc/padl.keytab
> > > -rw------- 1 root root 60 Jan 26 11:06 /usr/local/etc/padl.keytab
> > I just set up a new debian11 with k5start together with OpenLDAP
> > and I also had the permission to "600 root root" and it did not
> > work. With the new version of k5start you must set the owner to the
> > user who should use the keytab so in your setup it should belong to
> > padl and 600 as permission is required, but you already have it set
> > to 600.
>
> As I said before, no changes were made besides upgrading Samba on the
> domain controllers (and vm-corp is not a DC). So, these permissions
> work w/o issues when the DC is Samba 4.14.
>
> Anyway, thanks for trying to help!

The big difference with 4.15 is likely to be that we disabled DES
encryption types recently, so if you followed an old guide that said to
force DES that would end badly.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
Alex
2022-Jan-27 08:11 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello Andrew,

> The big difference with 4.15 is likely to be that we disabled DES
> encryption types recently, so if you followed an old guide that said to
> force DES that would end badly.

[root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
Vno  Type                   Principal
  1  ArcFour with HMAC/md5  padl at ABISOFT.BIZ
[root at vm-corp etc]#

There's no DES encryption as far as I see. Or am I looking in the wrong
place?

-- 
Best regards,
Alex
L.P.H. van Belle
2022-Jan-27 11:14 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
I'm wondering why you don't use winbind for the keytabs setup and let
samba handle it. That's what I suggest.

Install winbind only.
Use:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

Add the use that keytab or make separated keytab file as you do now.

You might have a reason to use k5start but I haven't seen it so far.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> Sent: Thursday, 27 January 2022 9:12
> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
> Subject: Re: [Samba] Kerberos authentication issue after
> upgrading from 4-14-stable to 4-15-stable
>
> Hello Andrew,
>
> > The big difference with 4.15 is likely to be that we disabled DES
> > encryption types recently, so if you followed an old guide that
> > said to force DES that would end badly.
>
> [root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> Vno  Type                   Principal
>   1  ArcFour with HMAC/md5  padl at ABISOFT.BIZ
> [root at vm-corp etc]#
>
> There's no DES encryption as far as I see. Or am I looking in the
> wrong place?
>
> --
> Best regards,
> Alex