Rowland Penny
2022-Jul-14 15:10 UTC
[Samba] Problems running kinit on a (wannabe) secondary DC
On Thu, 2022-07-14 at 14:36 +0200, Lorenzo Milesi wrote:
> > > Primary smb.conf:
> > > # Global parameters
> > > [global]
> > > dns forwarder = 1.1.1.1
> > > netbios name = DC-CONTABO
> > > realm = WDC.DOMAIN.IT
> > > server role = active directory domain controller
> > > workgroup = DOMAIN
> > > allow dns updates = disabled
> > 
> > Why have you disabled dns updates ?
> 
> Possibly unintentionally while trying to debug...
> 
> > > interfaces = eth1
> > > bind interfaces only = yes
> > > server services = -dns
> > 
> > As you seem to be using Bind9, why is a dns forwarder set ?
> 
> Leftover during the upgrade phase
> 
> > Can you ping the first DC from the second DC ?
> 
> Yes, I can ping back and forth, I can telnet from second to first on
> port 88.
> Also, from what I could get in the server log, the second does
> correctly authenticate as Administrator during kinit.
> Something I forgot to add: after I enter the password, the command
> remains on hold for something like 20 or 30s, and after that time it
> prints the error.
> 
> > Download the script and run it on both your DC's and post the
> > output into a reply to this.
> Here they are, thanks:
> 
> #### FIRST DC #####
> Config collected --- 2022-07-14-13:50 -----------
> 
> Hostname: dc-contabo
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-contabo.wdc.domain.it
> ipaddress: 75.119.x.y 192.168.8.1 10.8.0.1

It would be better if your DC only used one IP address.

> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1 localhost
> #127.0.1.1 vmi.contaboserver.net vmi
> 
> # The following lines are desirable for IPv6 capable hosts
> #::1 localhost ip6-localhost ip6-loopback
> #ff02::1 ip6-allnodes
> #ff02::2 ip6-allrouters
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
> 192.168.1.206 dclan.wdc.domain.it dclan
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> search wdc.domain.it
> nameserver 127.0.0.1

Do not use 127.0.0.1, use the DC's ipaddress

> -----------
> 
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 127.0.0.1
> Address: 127.0.0.1#53
> 
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.
> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.

This is possibly because you are using 127.0.0.1 in /etc/resolv.conf

> -----------
> 
> Checking file: /etc/krb5.conf
> 
> [libdefaults]
> default_realm = WDC.DOMAIN.IT
> dns_lookup_kdc = true
> dns_lookup_realm = false

That is all you need, nothing else.

> # TEST
> udp_preference_limit=1
> 
> -----------
> 
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf.local
> 
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> dlz "domain.it" {
> # For BIND 9.9.0
> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

I feel sure that last line isn't correct, check your bind9 version.

> Samba DNS zone list check :
> wdc.domain.it
> _msdcs.wdc.domain.it

You do not seem to have a reverse zone, whilst this isn't strictly required, it does help.

> -----------
> 
> #### SECOND DC #####
> Config collected --- 2022-07-14-13:52 -----------
> 
> Hostname: dc-lan
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-lan.wdc.domain.it
> ipaddress: 192.168.1.206
> 
> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1 localhost
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> 
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
> 192.168.1.206 dc-lan.wdc.domain.it dclan

You should only have this DC's data in /etc/hosts , dns should supply everything else.

> -----------
> 
> Checking file: /etc/resolv.conf
> 
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "resolvectl status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search wdc.domain.it domain

I normally remove systemd-resolved but if it is set up correctly, it will work.

> -----------
> 
> systemd stub resolver detected, running command : systemd-resolve --status
> 
> -----------
> 
> Global
> LLMNR setting: no
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> Current DNS Server: 192.168.8.1
> DNS Servers: 192.168.8.1
> DNS Domain: wdc.domain.it
> DNSSEC NTA: 10.in-addr.arpa
>             16.172.in-addr.arpa
>             168.192.in-addr.arpa
>             17.172.in-addr.arpa
>             18.172.in-addr.arpa
>             19.172.in-addr.arpa
>             20.172.in-addr.arpa
>             21.172.in-addr.arpa
>             22.172.in-addr.arpa
>             23.172.in-addr.arpa
>             24.172.in-addr.arpa
>             25.172.in-addr.arpa
>             26.172.in-addr.arpa
>             27.172.in-addr.arpa
>             28.172.in-addr.arpa
>             29.172.in-addr.arpa
>             30.172.in-addr.arpa
>             31.172.in-addr.arpa
>             corp
>             d.f.ip6.arpa
>             home
>             internal
>             intranet
>             lan
>             local
>             private
>             test
> 
> Link 2 (ens18)
> Current Scopes: DNS
> DefaultRoute setting: yes
> LLMNR setting: yes
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> Current DNS Server: 192.168.8.1
> DNS Servers: 192.168.8.1
> DNS Domain: wdc.domain.it
>             domain
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 127.0.0.53
> Address: 127.0.0.53#53

It should be using the ipaddress of the first DC, until it has joined, then it should use its own ipaddress.

> Non-authoritative answer:
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.
> 
> Authoritative answers can be found from:
> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
> 
> -----------

Rowland
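The reply above raises four configuration points that a script can check before anyone types a password into kinit again: a loopback nameserver in /etc/resolv.conf, other hosts' entries in /etc/hosts, extra keys in /etc/krb5.conf, and a Samba DLZ module that does not match the installed BIND. The following is an added example, not code from the Samba project or from anyone in this thread; the function names are hypothetical, the sample inputs are constructed to mirror the script output quoted above, and the rule that the DLZ module is named after the BIND minor version (dlz_bind9_16.so for BIND 9.16) is an assumption about Samba's packaging.

```python
"""Offline lint for the DC settings questioned in the reply above.

Added example; not code from the Samba project or from anyone in the
thread.  Function names are hypothetical and the sample inputs are
constructed to mirror the thread's script output.
"""
import re

# The reply says these three [libdefaults] keys are all a DC needs.
ALLOWED_KRB5 = {"default_realm", "dns_lookup_kdc", "dns_lookup_realm"}
LOOPBACK = {"127.0.0.1", "127.0.0.53", "::1"}


def _strip(line):
    """Drop comments and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()


def check_resolv(text, expected_ns):
    """resolv.conf must name a real DC address (the existing DC while this
    one is still joining, its own address afterwards), never a loopback stub."""
    findings = []
    nameservers = [parts[1] for parts in (_strip(l).split() for l in text.splitlines())
                   if len(parts) > 1 and parts[0] == "nameserver"]
    for ns in nameservers:
        if ns in LOOPBACK:
            findings.append(f"resolv.conf: nameserver {ns} is loopback, use {expected_ns}")
    if expected_ns not in nameservers:
        findings.append(f"resolv.conf: expected nameserver {expected_ns} is not listed")
    return findings


def check_hosts(text, fqdn):
    """Only this host's own name belongs in /etc/hosts; DNS supplies the rest."""
    findings = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK or ":" in addr:  # loopback and IPv6 boilerplate are fine
            continue
        if fqdn not in names:
            findings.append(f"hosts: '{line}' is another host, let DNS resolve it")
    return findings


def check_krb5(text):
    """Flag any key beyond realm and dns_lookup_* in [libdefaults], and any other section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            if section != "libdefaults":
                findings.append(f"krb5.conf: section [{section}] is not needed")
            continue
        key = line.split("=", 1)[0].strip()
        if section == "libdefaults" and key not in ALLOWED_KRB5:
            findings.append(f"krb5.conf: '{key}' is not needed")
    return findings


def check_dlz(named_text, bind_version):
    """Assumption: Samba ships one DLZ module per BIND minor version,
    named dlz_bind9_<minor>.so (dlz_bind9_16.so for BIND 9.16)."""
    m = re.search(r"dlz_bind9_(\d+)\.so", named_text)
    if not m:
        return ["named.conf: no Samba DLZ module referenced"]
    expected = f"dlz_bind9_{bind_version.split('.')[1]}.so"
    if m.group(0) != expected:
        return [f"named.conf: {m.group(0)} does not match BIND {bind_version}, expected {expected}"]
    return []


# Constructed samples, modelled on the second DC's output in the thread.
SAMPLE_RESOLV = "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch wdc.domain.it domain\n"
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
192.168.1.206 dc-lan.wdc.domain.it dclan
"""
SAMPLE_KRB5 = ("[libdefaults]\ndefault_realm = WDC.DOMAIN.IT\ndns_lookup_kdc = true\n"
               "dns_lookup_realm = false\n# TEST\nudp_preference_limit=1\n")
SAMPLE_NAMED = ('dlz "domain.it" {\n  database "dlopen /usr/lib/x86_64-linux-gnu/'
                'samba/bind9/dlz_bind9_10.so";\n};\n')


def lint_all():
    """Run every check over the samples as a not-yet-joined second DC would see them."""
    return (check_resolv(SAMPLE_RESOLV, "192.168.8.1")
            + check_hosts(SAMPLE_HOSTS, "dc-lan.wdc.domain.it")
            + check_krb5(SAMPLE_KRB5)
            + check_dlz(SAMPLE_NAMED, "9.16"))


if __name__ == "__main__":
    for finding in lint_all():
        print(finding)
```

To run it against a real box, feed the functions the contents of the live files and the DNS server the host should be using (the first DC's address until the join completes, its own afterwards); `bind_version` is whatever `named -v` reports.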
Lorenzo Milesi
2022-Jul-14 19:16 UTC
[Samba] Problems running kinit on a (wannabe) secondary DC
>> Hostname: dc-contabo
>> DNS Domain: wdc.domain.it
>> Realm: WDC.DOMAIN.IT
>> FQDN: dc-contabo.wdc.domain.it
>> ipaddress: 75.119.x.y 192.168.8.1 10.8.0.1
> 
> It would be better if your DC only used one IP address.

Unfortunately it's not possible, that's why we added:
interfaces = eth1
bind interfaces only = yes

>> Checking file: /etc/resolv.conf
>> 
>> search wdc.domain.it
>> nameserver 127.0.0.1
> 
> Do not use 127.0.0.1, use the DC's ipaddress

fixed

>> dlz "domain.it" {
>> # For BIND 9.9.0
>> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> 
> I feel sure that last line isn't correct, check your bind9 version.

You are right, Ubuntu 20 runs Bind 9.16. Fixed and ran again
samba_dnsupdate --verbose --use-samba-tool

>> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
>> 192.168.1.206 dc-lan.wdc.domain.it dclan
> 
> You should only have this DC's data in /etc/hosts , dns should supply
> everything else.

Fixed

>> # operation for /etc/resolv.conf.
>> 
>> nameserver 127.0.0.53
>> options edns0 trust-ad
>> search wdc.domain.it domain
> 
> I normally remove systemd-resolved but if it is set up correctly, it
> will work.

Removed, now it's:
nameserver 192.168.8.1
search wdc.domain.it

>> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
>> sample output:
>> Server: 127.0.0.53
>> Address: 127.0.0.53#53
> 
> It should be using the ipaddress of the first DC, until it has joined,
> then it should use its own ipaddress.

root@dc-lan:~# nslookup -type=SRV _kerberos._tcp.wdc.domain.it
Server: 192.168.8.1
Address: 192.168.8.1#53

_kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.

Is this better?

Despite the changes, kinit still fails.
On the first DC, the kerberos auth seems to be successful:

[2022/07/14 21:11:21.070280, 3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ administrator@WDC.DOMAIN.IT from ipv4:192.168.1.206:54947 for krbtgt/WDC.DOMAIN.IT@WDC.DOMAIN.IT
[2022/07/14 21:11:21.143807, 3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 150, 149
[2022/07/14 21:11:21.144053, 3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.144143, 3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.144239, 3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.457699, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ administrator@WDC.DOMAIN.IT from ipv4:192.168.1.206:46237 for krbtgt/WDC.DOMAIN.IT@WDC.DOMAIN.IT
[2022/07/14 21:11:21.464820, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2022/07/14 21:11:21.464880, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.464889, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.464970, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- administrator@WDC.DOMAIN.IT using aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.465052, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[administrator@WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 21:11:21.465035 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.206:46237] became [WORKGROUPNAME]\[Administrator] [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
  {"timestamp": "2022-07-14T21:11:21.465191+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "25e4c2f5e696d0a9", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:46237", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "administrator@WDC.DOMAIN.IT", "workstation": null, "becameAccount": "Administrator", "becameDomain": "WORKGROUPNAME", "becameSid": "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount": "Administrator", "mappedDomain": "WORKGROUPNAME", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 8034}}
[2022/07/14 21:11:21.478771, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-07-14T21:11:21 starttime: unset endtime: 2022-07-15T07:11:21 renew till: 2022-07-15T21:11:21
[2022/07/14 21:11:21.478896, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, 20, 19, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.478927, 3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2022/07/14 21:11:21.544275, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ administrator@WDC.DOMAIN.IT from ipv4:192.168.1.206:34060 for krbtgt/WDC.DOMAIN.IT@WDC.DOMAIN.IT
[2022/07/14 21:11:21.556692, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2022/07/14 21:11:21.556794, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.556972, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- administrator@WDC.DOMAIN.IT
[2022/07/14 21:11:21.557093, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- administrator@WDC.DOMAIN.IT using aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.557150, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[administrator@WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 21:11:21.557135 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.206:34060] became [WORKGROUPNAME]\[Administrator] [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
  {"timestamp": "2022-07-14T21:11:21.557303+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "905d4d6e8a570428", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:34060", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "administrator@WDC.DOMAIN.IT", "workstation": null, "becameAccount": "Administrator", "becameDomain": "WORKGROUPNAME", "becameSid": "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount": "Administrator", "mappedDomain": "WORKGROUPNAME", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13429}}
[2022/07/14 21:11:21.571677, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-07-14T21:11:21 starttime: unset endtime: 2022-07-15T07:11:21 renew till: 2022-07-15T21:11:21
[2022/07/14 21:11:21.571873, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, 20, 19, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.571936, 3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok

-- 
Lorenzo Milesi - lorenzo.milesi@yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/