L.P.H. van Belle
2022-Jan-27 14:53 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Ok, last thing I could find.

https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2

It's a 10-year-old post, but read it; I think it might help you find the source of your problem.

That link gives back some old memories here, as it will for Rowland.. ;-)

Greetz,

Louis

> -----Original message-----
> From: Alex [mailto:samba@abisoft.biz]
> Sent: Thursday 27 January 2022 15:03
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Kerberos authentication issue after
> upgrading from 4-14-stable to 4-15-stable
>
> >> Any ideas why?
> > No, sorry, that's one I don't know, except that k5start might
> > look in a different place which does not exist.
>
> I checked that - it does read the file I specified.
>
> >> The reason to use k5start is b/c some progs can't work with
> >> keytab file directly. For example, nslcd.
> >
> > Aha.. But wait, if samba is already handling it.
> > Why not this way..
> >
> > (example for kerberos auth in squid)
> > kinit Administrator
> > export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
> > net ads keytab add HTTP/$(hostname -f)
> > chmod 640 /etc/squid/HTTP-$(hostname -s).keytab
> > chown root:proxy /etc/squid/HTTP-$(hostname -s).keytab
> >
> > Adjust it to your needs for nslcd, but it shows how to do it.
> > I think that will work also.
>
> B/c (as I said) nslcd is not able to work thru a keytab file.
> It only supports a ready-to-use TGT:
> sasl_mech GSSAPI
> krb5_ccname /tmp/krb5cc_nslcd
>
> --
> Best regards,
> Alex
Rowland Penny
2022-Jan-27 15:30 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 15:53 +0100, L.P.H. van Belle via samba wrote:
> Ok, last thing I could find.
>
> https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2
> It's a 10-year-old post, but read it; I think it might help you find the
> source of your problem.
>
> That link gives back some old memories here, as it will for Rowland.. ;-)

Yes, that brings back memories, mostly of Steve before he gained multiple identities and got banned.

If it is of any help, I now have nslcd working on Debian 11 with Samba 4.15.4, just have to wait until tomorrow to see if kstart renews the ticket.

Rowland
Alex
2022-Jan-27 15:30 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
> https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2
> It's a 10-year-old post, but read it; I think it might help you find the source of your problem.
> That link gives back some old memories here, as it will for Rowland.. ;-)

I will definitely check that thread, thank you!

But we came to this after I put extra encryption algorithms in the keytab. They do not work with the old Samba as well, so I'm simply going to leave a single entry in the keytab with ArcFour encryption.

Once again. This works with Samba 4.14:

[root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
Vno  Type                   Principal
  1  ArcFour with HMAC/md5  padl@ABISOFT.BIZ
[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
[root@vm-corp etc]# ^C

And does not work with Samba 4.15:

[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
k5start: error getting credentials: Pre-authentication failed: No key table entry found for padl@ABISOFT.BIZ

It's not a problem with nslcd or anything like that. Something has changed in 4.15 and I'd like to find out what and how to get things back to work.. Obviously the new Samba sends back something to the k5start tool which it can't match with the keytab entry.

Here are tcpdump outputs for both cases:

v4.14:

18:22:03.617311 IP 172.26.200.32.43659 > 172.26.1.84.88: v5 E..... at .@...... ...T...X..".j..0........... ..0.0 .............0....... at .....0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ....20220128152203Z....20220203152203Z......$...0.........................
18:22:03.622709 IP 172.26.1.84.88 > 172.26.200.32.43659: E..... at .@..w...T... .X.....Y~..0................20220127152203Z.... ~..........ABISOFT.BIZ..0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ.+.)Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ.M.K0I0 .........0 .........0 .........0......... 0.0......0.........
<here goes further communication>

v4.15:

18:22:40.781201 IP 172.26.200.32.57417 > 172.26.1.84.88: v5 E....;@. at .O/... ...T.I.X..".j..0........... ..0.0 .............0....... at .....0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ....20220128152240Z....20220203152240Z....P.....0.........................
18:22:40.832462 IP 172.26.1.84.88 > 172.26.200.32.57417: E..8.. at .@.A&...T... .X.I.$u.~...0.................20220127152240Z................ABISOFT.BIZ..0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ.+.)Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ.i.g0e0 .........0 .........0 .........0B......;.90705......&.$ABISOFT.BIZnslcdmy
<no further communication happened>

>> -----Original message-----
>> From: Alex [mailto:samba@abisoft.biz]
>> Sent: Thursday 27 January 2022 15:03
>> To: L.P.H. van Belle via samba; L.P.H. van Belle
>> Subject: Re: [Samba] Kerberos authentication issue after
>> upgrading from 4-14-stable to 4-15-stable
>>
>> >> Any ideas why?
>> > No, sorry, that's one I don't know, except that k5start might
>> > look in a different place which does not exist.
>>
>> I checked that - it does read the file I specified.
>>
>> >> The reason to use k5start is b/c some progs can't work with
>> >> keytab file directly. For example, nslcd.
>> >
>> > Aha.. But wait, if samba is already handling it.
>> > Why not this way..
>> >
>> > (example for kerberos auth in squid)
>> > kinit Administrator
>> > export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
>> > net ads keytab add HTTP/$(hostname -f)
>> > chmod 640 /etc/squid/HTTP-$(hostname -s).keytab
>> > chown root:proxy /etc/squid/HTTP-$(hostname -s).keytab
>> >
>> > Adjust it to your needs for nslcd, but it shows how to do it.
>> > I think that will work also.
>>
>> B/c (as I said) nslcd is not able to work thru a keytab file.
>> It only supports a ready-to-use TGT:
>> sasl_mech GSSAPI
>> krb5_ccname /tmp/krb5cc_nslcd
>>
>> --
>> Best regards,
>> Alex

-- 
Best regards,
Alex
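As far as the two dumps above show, the difference between 4.14 and 4.15 is in the e-data of the KRB-ERROR that says "Need to use PA-ENC-TIMESTAMP": the 4.15 reply is longer and carries a salt string (ABISOFT.BIZnslcdmy). An RC4 (ArcFour, etype 23) key has no salt, so a salt in PA-ETYPE-INFO2 points at the KDC advertising a salted key such as AES, for which the single-entry keytab holds nothing. That reading is an assumption on my part, not something the thread confirms. The script below is an added example, not code from the thread or from Samba: it decodes PA-ETYPE-INFO2 from the e-data with a minimal DER reader and reports which of the offered enctypes the keytab can actually serve. The e-data it runs on is constructed inside the script (the small DER encoder exists only to build that sample); for a real capture, extract the KRB-ERROR e-data bytes from the pcap and pass them to parse_etype_info2, and take the keytab enctypes from `klist -ke` or `net ads keytab list`.

```python
"""Decode the PA-ETYPE-INFO2 a KDC puts in the e-data of its
KRB-ERROR (KDC_ERR_PREAUTH_REQUIRED, "Need to use PA-ENC-TIMESTAMP")
and compare the enctypes it offers with the enctypes in a keytab.

Added example for illustration; not code from the samba thread.
The sample e-data below is constructed here, not a real capture."""

# Well-known enctype numbers (RFC 3961 / RFC 3962 / RFC 4757).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac"}
PA_ETYPE_INFO2 = 19   # padata-type, RFC 4120 section 5.2.7.5


def der(tag, body):
    """Minimal DER TLV encoder; bodies up to 255 bytes, enough for samples."""
    assert len(body) < 256
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x81, len(body)]) + body


def der_int(n):
    """DER INTEGER for a small non-negative value."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        yield tag, val


def parse_etype_info2(method_data):
    """Walk METHOD-DATA (SEQUENCE OF PA-DATA) and return [(etype, salt), ...]
    for every entry of every PA-ETYPE-INFO2; salt is None when absent."""
    offers = []
    _, padatas, _ = der_read(method_data, 0)
    for _, padata in der_children(padatas):
        fields = dict(der_children(padata))           # [1] padata-type, [2] padata-value
        _, ptype, _ = der_read(fields[0xA1], 0)
        if int.from_bytes(ptype, "big") != PA_ETYPE_INFO2:
            continue
        _, octets, _ = der_read(fields[0xA2], 0)      # OCTET STRING
        _, entries, _ = der_read(octets, 0)           # SEQUENCE OF ETYPE-INFO2-ENTRY
        for _, entry in der_children(entries):
            ef = dict(der_children(entry))            # [0] etype, [1] salt, [2] s2kparams
            _, etype, _ = der_read(ef[0xA0], 0)
            salt = None
            if 0xA1 in ef:
                _, s, _ = der_read(ef[0xA1], 0)       # KerberosString (GeneralString)
                salt = s.decode("utf-8")
            offers.append((int.from_bytes(etype, "big"), salt))
    return offers


def build_sample_edata(offers):
    """Construct METHOD-DATA carrying one PA-ETYPE-INFO2 with the given offers
    (constructed sample data, used only to exercise the parser offline)."""
    entries = b""
    for etype, salt in offers:
        body = der(0xA0, der_int(etype))
        if salt is not None:
            body += der(0xA1, der(0x1B, salt.encode("utf-8")))
        entries += der(0x30, body)
    value = der(0x04, der(0x30, entries))
    padata = der(0x30, der(0xA1, der_int(PA_ETYPE_INFO2)) + der(0xA2, value))
    return der(0x30, padata)


def usable_etypes(offers, keytab_etypes):
    """Enctypes offered by the KDC for which the keytab actually holds a key."""
    return sorted({etype for etype, _ in offers} & set(keytab_etypes))


def explain(offers, keytab_etypes):
    """One line per KDC offer, plus a verdict when nothing overlaps."""
    lines = []
    for etype, salt in offers:
        name = ETYPE_NAMES.get(etype, f"etype {etype}")
        status = "key in keytab" if etype in keytab_etypes else "NO key in keytab"
        lines.append(f"KDC offers {name} ({etype}), salt={salt!r}: {status}")
    if not usable_etypes(offers, keytab_etypes):
        lines.append("no usable enctype: the client has no key to build PA-ENC-TIMESTAMP with")
    return lines


if __name__ == "__main__":
    keytab = [23]   # the single ArcFour entry from `net ads keytab list` above
    # Constructed sample: a KDC that advertises only salted AES keys.
    kdc_edata = build_sample_edata([(18, "ABISOFT.BIZnslcdmy"), (17, "ABISOFT.BIZnslcdmy")])
    for line in explain(parse_etype_info2(kdc_edata), keytab):
        print(line)
```

The comparison is the check that matters for this thread: if the KDC's PA-ETYPE-INFO2 and the keytab share no enctype, the client cannot derive a key for the timestamp pre-authentication at all, which is consistent with the one-round-trip failure in the 4.15 dump. The fix then lies in making the two agree (a keytab entry for an enctype the KDC offers, or a KDC configured to offer one the keytab has), not in k5start or nslcd.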