Lorenzo Milesi
2022-Jul-14 06:43 UTC
[Samba] Problems running kinit on a (wannabe) secondary DC
I've installed a DC on Ubuntu 20.04 with Samba 4.15 using Van Belle's
repos.
The DC is used for LDAP auth and working fine. It hasn't been tested for
Windows clients auth, yet.
I'm attempting to configure a secondary DC, on a remote VPS with the same specs
as above, but I'm unable to initialize kerberos communications. On the
client I get the "classic" 'Cannot contact any KDC for realm ...
while getting initial credentials', while from debug I'm unable to
figure out what's going bad.
Active DC: 192.168.8.1 Samba 4.15.7-Ubuntu (dc-contabo)
Secondary DC: 192.168.1.206 Samba 4.15.7-Ubuntu (dc-lan)
root at dc-lan:~# KRB5_TRACE=/dev/stdout kinit Administrator
[987] 1657780070.241479: Getting initial credentials for Administrator at WDC.DOMAIN.IT
[987] 1657780070.241481: Sending unauthenticated request
[987] 1657780070.241482: Sending request (215 bytes) to WDC.DOMAIN.IT
[987] 1657780070.241483: Resolving hostname 127.0.0.1
[987] 1657780070.241484: Sending initial UDP request to dgram 127.0.0.1:88
[987] 1657780070.241485: Resolving hostname 192.168.8.1
[987] 1657780070.241486: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780070.241487: Received answer (329 bytes) from dgram 192.168.8.1:88
[987] 1657780070.241488: Response was not from master KDC
[987] 1657780070.241489: Received error from KDC: -1765328359/Additional pre-authentication required
[987] 1657780070.241492: Preauthenticating using KDC method data
[987] 1657780070.241493: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[987] 1657780070.241494: Selected etype info: etype aes256-cts, salt "WDC.DOMAIN.ITAdministrator", params "\x00\x00\x10\x00"
Password for Administrator at WDC.DOMAIN.IT:
[987] 1657780077.572430: AS key obtained for encrypted timestamp: aes256-cts/3E73
[987] 1657780077.572432: Encrypted timestamp (for 1657780077.598028): plain 301AA011180F32303232303731343036323735375AA105020309200C, encrypted E3722A947D2C51C6E1DE8168FFE8454C2C57D19A957E468926BE799D9642A98A234B23B4C2DAEFDF8B9613E5CB0A59EB94D85720C63CF9CE
[987] 1657780077.572433: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[987] 1657780077.572434: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[987] 1657780077.572435: Sending request (295 bytes) to WDC.DOMAIN.IT
[987] 1657780077.572436: Resolving hostname 127.0.0.1
[987] 1657780077.572437: Sending initial UDP request to dgram 127.0.0.1:88
[987] 1657780077.572438: Resolving hostname 192.168.8.1
[987] 1657780077.572439: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780077.572440: Received answer (201 bytes) from dgram 192.168.8.1:88
[987] 1657780077.572441: Response was not from master KDC
[987] 1657780077.572442: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[987] 1657780077.572443: Request or response is too big for UDP; retrying with TCP
[987] 1657780077.572444: Sending request (295 bytes) to WDC.DOMAIN.IT (tcp only)
[987] 1657780077.572445: Resolving hostname 127.0.0.1
[987] 1657780077.572446: Initiating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572447: Terminating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572448: Resolving hostname 192.168.8.1
[987] 1657780077.572449: Initiating TCP connection to stream 192.168.8.1:88
[987] 1657780077.572450: Sending TCP request to stream 192.168.8.1:88
[987] 1657780101.669482: Terminating TCP connection to stream 192.168.8.1:88
kinit: Cannot contact any KDC for realm 'WDC.DOMAIN.IT' while getting initial credentials
On the primary, log.samba:
[2022/07/14 08:27:57.595905, 3]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator at
WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 08:27:57.595895 CEST] with
[aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host
[ipv4:192.168.1.206:53256] became [DOMAIN]\[Administrator]
[S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
{"timestamp": "2022-07-14T08:27:57.596084+0200",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "d6850b4b1d4f33d4",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
"ipv4:192.168.1.206:53256", "serviceDescription":
"Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
"clientAccount": "Administrator at WDC.DOMAIN.IT",
"workstation": null, "becameAccount":
"Administrator", "becameDomain": "DOMAIN",
"becameSid": "S-1-5-21-29876631-4178411864-4110581247-500",
"mappedAccount": "Administrator", "mappedDomain":
"DOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 4066}}
[2022/07/14 08:27:57.663338, 3]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator at
WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 08:27:57.663328 CEST] with
[aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host
[ipv4:192.168.1.206:37690] became [DOMAIN]\[Administrator]
[S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
{"timestamp": "2022-07-14T08:27:57.663603+0200",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "4f496ebd9a181770",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
"ipv4:192.168.1.206:37690", "serviceDescription":
"Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
"clientAccount": "Administrator at WDC.DOMAIN.IT",
"workstation": null, "becameAccount":
"Administrator", "becameDomain": "DOMAIN",
"becameSid": "S-1-5-21-29876631-4178411864-4110581247-500",
"mappedAccount": "Administrator", "mappedDomain":
"DOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 4787}}
Primary smb.conf:
# Global parameters
[global]
dns forwarder = 1.1.1.1
netbios name = DC-CONTABO
realm = WDC.DOMAIN.IT
server role = active directory domain controller
workgroup = DOMAIN
allow dns updates = disabled
interfaces = eth1
bind interfaces only = yes
server services = -dns
log level = 1 auth_audit:3 auth_json_audit:3 kerberos:10
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/wdc.domain.it/scripts
read only = No
Secondary smb.conf is yet to be created.
Primary /etc/krb5.conf:
[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = true
dns_lookup_realm = false
Secondary /etc/krb5.conf:
[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
WDC.DOMAIN.IT = {
kdc = 127.0.0.1
kdc = 192.168.8.1
}
Thanks
--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood
Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us
at yetopen.com
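When a KRB5_TRACE run ends in "Cannot contact any KDC", the question to settle first is which KDC endpoint failed and over which transport, before any Kerberos or DNS setting is changed. The script below is an added example, not code from the thread or from Samba: it parses the trace lines quoted above (the constructed sample is those lines with the e-mail wrapping undone) and records, per KDC address and transport, whether a reply came back, what KRB-ERROR it carried, and how long the client waited. On this trace it shows that 192.168.8.1 did answer both UDP requests (the pre-authentication itself succeeded, as the DC's auth log confirms), that 127.0.0.1 never answered on either transport, and that the TCP request to 192.168.8.1 was given up after roughly 24 seconds with no reply, which points at TCP port 88 reachability between the two hosts as the thing to check, in line with the "can you ping the first DC" question in the reply.

```python
"""Per-KDC summary of a KRB5_TRACE kinit log (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the connection-related lines of the KRB5_TRACE output
# quoted in the thread, with the e-mail line wrapping undone.
SAMPLE_TRACE = """\
[987] 1657780070.241479: Getting initial credentials for Administrator at WDC.DOMAIN.IT
[987] 1657780070.241482: Sending request (215 bytes) to WDC.DOMAIN.IT
[987] 1657780070.241484: Sending initial UDP request to dgram 127.0.0.1:88
[987] 1657780070.241486: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780070.241487: Received answer (329 bytes) from dgram 192.168.8.1:88
[987] 1657780070.241489: Received error from KDC: -1765328359/Additional pre-authentication required
[987] 1657780077.572435: Sending request (295 bytes) to WDC.DOMAIN.IT
[987] 1657780077.572437: Sending initial UDP request to dgram 127.0.0.1:88
[987] 1657780077.572439: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780077.572440: Received answer (201 bytes) from dgram 192.168.8.1:88
[987] 1657780077.572442: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[987] 1657780077.572444: Sending request (295 bytes) to WDC.DOMAIN.IT (tcp only)
[987] 1657780077.572446: Initiating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572447: Terminating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572449: Initiating TCP connection to stream 192.168.8.1:88
[987] 1657780077.572450: Sending TCP request to stream 192.168.8.1:88
[987] 1657780101.669482: Terminating TCP connection to stream 192.168.8.1:88
"""

LINE_RE = re.compile(r"^\[\d+\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
ENDPOINT_RE = re.compile(r"(?P<kind>dgram|stream) (?P<ep>[\d.]+:\d+)$")


@dataclass
class Attempt:
    request: int                     # ordinal of the "Sending request" it belongs to
    transport: str                   # "udp" or "tcp"
    endpoint: str                    # "host:port" of the KDC tried
    outcome: str                     # "answered", "no answer" or "connect failed"
    elapsed: float = 0.0             # seconds from send to answer/termination
    kdc_error: Optional[str] = None  # KRB-ERROR text the answering KDC returned


def parse_trace(text: str) -> List[Attempt]:
    """Walk the trace and record what happened on each KDC endpoint."""
    attempts: List[Attempt] = []
    pending: Dict[Tuple[str, str], Tuple[Attempt, float]] = {}
    last_answered: Optional[Attempt] = None
    request_no = 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if msg.startswith("Sending request"):
            # A new AS-REQ round; anything still pending never got a reply.
            request_no += 1
            pending.clear()
            continue
        ep_m = ENDPOINT_RE.search(msg)
        if ep_m is None:
            # KRB-ERROR lines carry no endpoint; attach them to the last answer.
            if msg.startswith("Received error from KDC:") and last_answered is not None:
                last_answered.kdc_error = msg.split(":", 1)[1].strip()
            continue
        transport = "udp" if ep_m.group("kind") == "dgram" else "tcp"
        key = (transport, ep_m.group("ep"))
        if msg.startswith("Sending initial UDP request"):
            a = Attempt(request_no, "udp", key[1], "no answer")
            attempts.append(a)
            pending[key] = (a, ts)
        elif msg.startswith("Initiating TCP connection"):
            # Until a request is actually sent, the connect has not completed.
            a = Attempt(request_no, "tcp", key[1], "connect failed")
            attempts.append(a)
            pending[key] = (a, ts)
        elif msg.startswith("Sending TCP request") and key in pending:
            a, _ = pending[key]
            a.outcome = "no answer"          # connected; now waiting for a reply
            pending[key] = (a, ts)
        elif msg.startswith("Received answer") and key in pending:
            a, start = pending.pop(key)
            a.outcome, a.elapsed = "answered", ts - start
            last_answered = a
        elif msg.startswith("Terminating TCP connection") and key in pending:
            a, start = pending.pop(key)
            a.elapsed = ts - start           # how long the client waited
    return attempts


def summarize(attempts: List[Attempt]) -> Dict[Tuple[str, str], List[str]]:
    """Outcomes per (transport, endpoint), in the order they were tried."""
    summary: Dict[Tuple[str, str], List[str]] = {}
    for a in attempts:
        summary.setdefault((a.transport, a.endpoint), []).append(a.outcome)
    return summary


if __name__ == "__main__":
    for a in parse_trace(SAMPLE_TRACE):
        err = f" ({a.kdc_error})" if a.kdc_error else ""
        print(f"req{a.request} {a.transport:3} {a.endpoint:18} {a.outcome:14} "
              f"{a.elapsed:8.3f}s{err}")
```

Run it as-is, or feed it the output of `KRB5_TRACE=/dev/stdout kinit ...` captured on a client. A UDP endpoint that answers while the TCP retry to the same address hangs until the client gives up is the signature of a path that passes UDP/88 but not TCP/88; an endpoint whose TCP connection is torn down before any request is sent is one where no KDC is listening.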
Rowland Penny
2022-Jul-14 07:23 UTC
[Samba] Problems running kinit on a (wannabe) secondary DC
On Thu, 2022-07-14 at 08:43 +0200, Lorenzo Milesi via samba wrote:
> I've installed a DC on Ubuntu 20.04 with Samba 4.15 using Van Belle's
> repos.
> The DC is used for LDAP auth and working fine. It hasn't been tested
> for Windows clients auth, yet.
>
> I'm attempting to configure a secondary DC, on a remote VPS with the
> same specs as above, but I'm unable to initialize kerberos
> communications. On the client I get the "classic" 'Cannot contact any
> KDC for realm ... while getting initial credentials', while from
> debug I'm unable to figure out what's going bad.
>
> Active DC: 192.168.8.1 Samba 4.15.7-Ubuntu (dc-contabo)
> Secondary DC: 192.168.1.206 Samba 4.15.7-Ubuntu (dc-lan)

No, that is: first DC and another DC, all DC's are equal except for
the FSMO roles.

>
> root at dc-lan:~# KRB5_TRACE=/dev/stdout kinit Administrator
> [987] 1657780070.241479: Getting initial credentials for
> Administrator at WDC.DOMAIN.IT
> kinit: Cannot contact any KDC for realm 'WDC.DOMAIN.IT' while getting
> initial credentials

Obviously your prospective second DC cannot contact your first DC.

> Primary smb.conf:
> # Global parameters
> [global]
> dns forwarder = 1.1.1.1
> netbios name = DC-CONTABO
> realm = WDC.DOMAIN.IT
> server role = active directory domain controller
> workgroup = DOMAIN
> allow dns updates = disabled

Why have you disabled dns updates ?

> interfaces = eth1
> bind interfaces only = yes
> server services = -dns

As you seem to be using Bind9, why is a dns forwarder set ?

Can you ping the first DC from the second DC ?

I suggest you go here:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Download the script and run it on both your DC's and post the output
into a reply to this.

Rowland