L.P.H. van Belle
2022-Jan-27 11:14 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
I'm wondering why you don't use winbind for the keytabs setup and let samba handle it.
That's what I suggest.

Install winbind only.

Use :
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# renew the kerberos ticket
winbind refresh tickets = yes

Add the use that keytab or make separated keytab file as you do now.

You might have a reason to use k5start but I haven't seen it so far.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> Sent: Thursday 27 January 2022 9:12
> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>
> Hello Andrew,
>
> > The big difference with 4.15 is likely to be that we disabled DES
> > encryption types recently, so if you followed an old guide that said to
> > force DES that would end badly.
>
> [root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> Vno Type Principal
> 1 ArcFour with HMAC/md5 padl at ABISOFT.BIZ
> [root at vm-corp etc]#
>
> There's no DES encryption as far as I see. Or I look at the wrong place?
>
> --
> Best regards,
> Alex
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Jan-27 11:44 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 12:14 +0100, L.P.H. van Belle via samba wrote:
> I'm wondering why you don't use winbind for the keytabs setup and let
> samba handle it.
>
> That's what I suggest.
> Install winbind only.
>
> Use :
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> Add the use that keytab or make separated keytab file as you do now.
>
> You might have a reason to use k5start but I haven't seen it so far.
>
> Greetz,
>
> Louis

The other question is, why limit the keytab to RC4-HMAC?

Rowland
Alex
2022-Jan-27 12:01 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello Louis,

Samba is already handling the system's keytab (/etc/krb5.keytab), but for some reason this error comes up when I try to acquire a TGT with k5start:

[root at vm-corp samba]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd -vvv
Kerberos initialization for host/vm-corp.abisoft.biz at ABISOFT.BIZ
k5start: authenticating as host/vm-corp.abisoft.biz at ABISOFT.BIZ
k5start: getting tickets for krbtgt/ABISOFT.BIZ at ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.biz at ABISOFT.BIZ' not found in Kerberos database

[root at vm-corp samba]# net ads keytab list /etc/krb5.keytab | grep 'host/vm-corp.abisoft.biz at ABISOFT.BIZ'
2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz at ABISOFT.BIZ
2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz at ABISOFT.BIZ
2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz at ABISOFT.BIZ
2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz at ABISOFT.BIZ
2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz at ABISOFT.BIZ

Any ideas why?

The reason to use k5start is b/c some progs can't work with keytab file directly. For example, nslcd.

> I'm wondering why you don't use winbind for the keytabs setup and let samba handle it.
>
> That's what I suggest.
> Install winbind only.
>
> Use :
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> Add the use that keytab or make separated keytab file as you do now.
>
> You might have a reason to use k5start but I haven't seen it so far.
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
>> Sent: Thursday 27 January 2022 9:12
>> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
>> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>>
>> Hello Andrew,
>>
>> > The big difference with 4.15 is likely to be that we disabled DES
>> > encryption types recently, so if you followed an old guide that said to
>> > force DES that would end badly.
>>
>> [root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
>> Vno Type Principal
>> 1 ArcFour with HMAC/md5 padl at ABISOFT.BIZ
>> [root at vm-corp etc]#
>>
>> There's no DES encryption as far as I see. Or I look at the wrong place?
>>
>> --
>> Best regards,
>> Alex

--
Best regards,
Alex
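A quick way to catch the situation Alex's listing shows (DES and RC4 entries still present in a keytab after the upgrade disabled DES) is to scan the `net ads keytab list` output for weak enctypes before trusting the keytab. The POSIX shell check below is an added example for this thread, not code from the list posts or from the Samba project; the two listings it parses are constructed samples modelled on the column layout Alex pasted, with placeholder host and realm names.

```shell
#!/bin/sh
# Added example: flag DES/RC4 entries in `net ads keytab list` output.
# Both listings below are constructed samples (placeholder host/realm),
# laid out like the Vno / Type / Principal table pasted in the thread.
SAMPLE_LISTING='Vno Type Principal
2 DES cbc mode with CRC-32 host/client.example.test@EXAMPLE.TEST
2 DES cbc mode with RSA-MD5 host/client.example.test@EXAMPLE.TEST
2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/client.example.test@EXAMPLE.TEST
2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/client.example.test@EXAMPLE.TEST
2 ArcFour with HMAC/md5 host/client.example.test@EXAMPLE.TEST'

CLEAN_LISTING='Vno Type Principal
3 AES-128 CTS mode with 96-bit SHA-1 HMAC host/client.example.test@EXAMPLE.TEST
3 AES-256 CTS mode with 96-bit SHA-1 HMAC host/client.example.test@EXAMPLE.TEST'

# Read a keytab listing on stdin and print "vno|type|principal" for every
# entry whose enctype is DES (any variant) or RC4/ArcFour. AES rows are kept
# out even though their type string also contains "HMAC".
weak_keytab_entries() {
    awk '
        NR == 1 && $1 == "Vno" { next }          # skip the header row
        tolower($0) ~ /des cbc|arcfour/ {
            vno = $1
            principal = $NF
            type = ""
            for (i = 2; i < NF; i++)              # everything between vno and principal
                type = type (i > 2 ? " " : "") $i
            print vno "|" type "|" principal
        }'
}

# Number of weak entries in the listing passed as $1.
weak_entry_count() {
    printf '%s\n' "$1" | weak_keytab_entries | wc -l | tr -d ' '
}

# Succeeds only when the listing in $1 has no DES/RC4 entries, so it can
# gate a provisioning step or a monitoring job.
keytab_is_clean() {
    [ "$(weak_entry_count "$1")" -eq 0 ]
}

# Stand-alone demo against the constructed sample.
if keytab_is_clean "$SAMPLE_LISTING"; then
    echo "no weak enctypes"
else
    echo "weak enctype entries found:"
    printf '%s\n' "$SAMPLE_LISTING" | weak_keytab_entries
fi
```

Against a live machine the same filter runs as `net ads keytab list /etc/krb5.keytab | weak_keytab_entries`; any output is a keytab that still carries DES or RC4 keys and would deserve re-provisioning with AES-only enctypes before a client such as k5start relies on it.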
L.P.H. van Belle
2022-Jan-27 13:29 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hai Alex,

> -----Original message-----
> From: Alex [mailto:samba at abisoft.biz]
> Sent: Thursday 27 January 2022 13:02
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>
> Hello Louis,
>
> Samba is already handling the system's keytab...
> Any ideas why?

No, sorry, that's one I don't know, except that k5start might look in a different place which does not exist.

> The reason to use k5start is b/c some progs can't work with
> keytab file directly. For example, nslcd.

Aha.. But wait, if samba is already handling it. Why not this way.. (example for kerberos auth in squid)

kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads_update keytab ADD HTTP/$(hostname -f)
chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab

Adjust it to your needs for nslcd but it shows how to do it.
I think what will work also.

> > I'm wondering why you don't use winbind for the keytabs setup
> > and let samba handle it.
> >
> > That's what I suggest.
> > Install winbind only.
> >
> > Use :
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > # renew the kerberos ticket
> > winbind refresh tickets = yes
> >
> > Add the use that keytab or make separated keytab file as you do now.
> >
> > You might have a reason to use k5start but I haven't seen it so far.
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> >> Sent: Thursday 27 January 2022 9:12
> >> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
> >> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
> >>
> >> Hello Andrew,
> >>
> >> > The big difference with 4.15 is likely to be that we disabled DES
> >> > encryption types recently, so if you followed an old guide that said to
> >> > force DES that would end badly.
> >>
> >> [root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> >> Vno Type Principal
> >> 1 ArcFour with HMAC/md5 padl at ABISOFT.BIZ
> >> [root at vm-corp etc]#
> >>
> >> There's no DES encryption as far as I see. Or I look at the wrong place?
> >>
> >> --
> >> Best regards,
> >> Alex
>
> --
> Best regards,
> Alex