L.P.H. van Belle
2022-Jan-28 08:23 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hai Ales,

Great to hear it now all works.

If I may ask, can/did you document your steps for this setup with kstart?
This might be one that's very handy to have in the wiki.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> Sent: Friday 28 January 2022 8:30
> To: Andrew Bartlett; Rowland Penny via samba; Rowland Penny
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>
> Andrew,
>
> Right after sending you pcaps and emails, I started to look
> at the wiki links Louis sent me yesterday, and I found that
> "samba-tool domain exportkeytab" command, so I went ahead and
> created a keytab for padl user on the DC. Then I copied that
> file back to vm-corp and tried to get new TGTs via k5start -
> and that worked!! And it works for the old 4.14 Samba! So,
> that's the solution - thank you all very much!
>
> However, if we could triage why the old way of generating
> keytab is not working anymore, it'd be helpful to better
> understand what's going on under the hood. See below.
>
> >> My issue is that k5start isn't able to get even the 1st ticket. Do
> >> you use system's keytab or create a user keytab for this test case?
> >> Can you show what "net ads keytab list ..." outputs?
> >>
>
> > Just one thought before the weekend:
>
> > Can you remind me how the keytab was obtained?
>
> I used to use this procedure to generate the keytab file for padl user:
> # ktutil
> addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
> Password: ..... (here I put padl's domain account password)
> wkt /usr/local/etc/padl.keytab
>
> My recent attempts were to add AES encryption, so I added two
> more entries with:
> addent -password -p padl@ABISOFT.BIZ -k 1 -e aes128-cts-hmac-sha1-96
> addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
>
> But that didn't help, error was:
> Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ
> (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity
> check failed for checksum type hmac-sha1-96-aes256, key type
> aes256-cts-hmac-sha1-96
>
> > RC4 tickets work sometimes in places where AES does not because AES
> > tickets are salted, and if you use the wrong salt it all goes very
> > badly.
>
> > A keytab extracted using 'samba-tool domain exportkeytab' (there is an
> > option to extract just one principal) will always have the correct
> > salt, and all the right keys, as this is a direct copy from the DB.
>
> That makes sense! But why has adding keys via ktutil stopped working?
>
> --
> Best regards,
> Alex
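Added example (not part of the thread, and not Samba or MIT Kerberos code): it illustrates the quoted remark that AES keys are salted while RC4 keys are not, by deriving keys from one password under two salts and reporting which enctypes still agree. The password and the second salt are constructed for illustration; the AES part stops at the PBKDF2 stage of RFC 3962, from which the final key follows deterministically.

```python
import hashlib
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib may not offer it under OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, constant, message word order, rotations)
        (lambda b, c, d: (b & c) | (~b & d), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
         [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & 0xFFFFFFFF
                a, b, c, d = d, rol(t, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def rc4_hmac_key(password: str) -> bytes:
    # rc4-hmac string-to-key (RFC 4757): MD4 over the UTF-16LE password, no salt.
    return md4(password.encode("utf-16-le"))

def aes_pbkdf2(password: str, salt: str, keylen: int, iterations: int = 4096) -> bytes:
    # Salted first stage of the aes*-cts-hmac-sha1-96 string-to-key (RFC 3962).
    # The final key is computed deterministically from this value.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, keylen)

def derive(password: str, salt: str) -> dict:
    return {"rc4-hmac": rc4_hmac_key(password),
            "aes128-cts-hmac-sha1-96": aes_pbkdf2(password, salt, 16),
            "aes256-cts-hmac-sha1-96": aes_pbkdf2(password, salt, 32)}

def matching_enctypes(password: str, keytab_salt: str, kdc_salt: str) -> list:
    """Enctypes for which keytab-side and KDC-side derivation agree."""
    mine, theirs = derive(password, keytab_salt), derive(password, kdc_salt)
    return [e for e in mine if mine[e] == theirs[e]]

if __name__ == "__main__":
    pw = "Constructed-Passw0rd"        # constructed sample password
    default = "ABISOFT.BIZ" + "padl"   # RFC 4120 default salt: realm + name
    other = "ABISOFT.BIZ" + "Padl"     # constructed mismatch, illustration only
    print(matching_enctypes(pw, default, default))
    print(matching_enctypes(pw, default, other))
```

With identical salts all three enctypes match; with the constructed mismatch only rc4-hmac does, which is the pattern the quoted remark describes.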
Rowland Penny
2022-Jan-28 08:53 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Fri, 2022-01-28 at 09:23 +0100, L.P.H. van Belle via samba wrote:
> Hai Ales,
>
> Great to hear it now all works.
>
> If I may ask, can/did you document your steps for this setup with
> kstart?
> This might be one that's very handy to have in the wiki.
>
> Greetz,
>
> Louis

Hi Louis, I have it working and I will update the wiki this morning.
I think the problem was that Alex was just using one key.

Rowland
L.P.H. van Belle
2022-Jan-28 09:50 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Good Morning Rowland,

Cool, that's great mate.. I now see you post on that. Nice :-)
We see the post when it's finished.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday 28 January 2022 9:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>
> On Fri, 2022-01-28 at 09:23 +0100, L.P.H. van Belle via samba wrote:
> > Hai Ales,
> >
> > Great to hear it now all works.
> >
> > If I may ask, can/did you document your steps for this setup with
> > kstart?
> > This might be one that's very handy to have in the wiki.
> >
> > Greetz,
> >
> > Louis
>
> Hi Louis, I have it working and I will update the wiki this morning.
> I think the problem was that Alex was just using one key.
>
> Rowland
Alex
2022-Jan-28 15:07 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello L.P.H.,

Friday, January 28, 2022, 11:23:17 AM, you wrote:

> Hai Ales,

> Great to hear it now all works.

> If I may ask, can/did you document your steps for this setup with kstart?
> This might be one that's very handy to have in the wiki.

Just sent the instructions. Hope Rowland will add them to the wiki.

--
Best regards,
Alex