Andrew Bartlett
2022-Jan-28 07:02 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Fri, 2022-01-28 at 09:51 +0300, Alex via samba wrote:
> Thanks Rowland.
>
> My issue is that k5start isn't able to get even the 1st ticket. Do
> you use system's keytab or create a user keytab for this test case?
> Can you show what "net ads keytab list ..." outputs?

Just one thought before the weekend: Can you remind me how the keytab was obtained?

RC4 tickets work sometimes in places where AES does not because AES tickets are salted, and if you use the wrong salt it all goes very badly.

A keytab extracted using 'samba-tool domain exportkeytab' (there is an option to extract just one principal) will always have the correct salt, and all the right keys, as this is a direct copy from the DB.

I'll look over the .pcap when I get a chance.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Alex
2022-Jan-28 07:29 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Andrew,

Right after sending you pcaps and emails, I started to look at the wiki links Louis sent me yesterday, and I found that "samba-tool domain exportkeytab" command, so I went ahead and created a keytab for padl user on the DC. Then I copied that file back to vm-corp and tried to get new TGTs via k5start - and that worked!! And it works for the old 4.14 Samba! So, that's the solution - thank you all very much!

However, if we could triage why the old way of generating keytab is not working anymore, it'd be helpful to better understand what's going on under the hood. See below.

>> My issue is that k5start isn't able to get even the 1st ticket. Do
>> you use system's keytab or create a user keytab for this test case?
>> Can you show what "net ads keytab list ..." outputs?
>
> Just one thought before the weekend:
> Can you remind me how the keytab was obtained?

I used to use this procedure to generate the keytab file for padl user:

  # ktutil
  addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
  Password: ..... (here I put padl's domain account password)
  wkt /usr/local/etc/padl.keytab

My recent attempts were to add AES encryption, so I added two more entries with:

  addent -password -p padl@ABISOFT.BIZ -k 1 -e aes128-cts-hmac-sha1-96
  addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96

But that didn't help, the error was:

  Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

> RC4 tickets work sometimes in places where AES does not because AES
> tickets are salted, and if you use the wrong salt it all goes very
> badly.
> A keytab extracted using 'samba-tool domain exportkeytab' (there is an
> option to extract just one principal) will always have the correct
> salt, and all the right keys, as this is a direct copy from the DB.

That makes sense! But why has adding keys via ktutil stopped working?

--
Best regards,
Alex
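To see what a keytab like the one built above actually carries (principals, kvno and enctype per entry, the same facts "net ads keytab list" or klist -ke print), here is an added example that is not from this thread or from Samba: a minimal Python writer and reader for the 0x0502 keytab format shared by MIT and Heimdal, run on a constructed keytab with the three padl entries and dummy key bytes; the host entry and its kvno 3 are invented.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) for the three types used in the thread
ENCTYPES = {23: "arcfour-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(b, off):  # uint16 length-prefixed octet string
    (n,) = struct.unpack_from(">H", b, off)
    return b[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 (0x0502) keytab."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                         # realm first, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                    # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def list_keytab(data):
    """Return [(principal, kvno, enctype name)] for every live entry, like `klist -ke`."""
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    off, out = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:                                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _, _, vno8 = struct.unpack_from(">IIB", data, off)        # name_type, timestamp, vno8
        etype, klen = struct.unpack_from(">HH", data, off + 9)    # the key bytes themselves are skipped
        off += 13 + klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        out.append(("/".join(comps) + "@" + realm.decode(), kvno or vno8, ENCTYPES.get(etype, str(etype))))
        off = end
    return out

# Constructed sample: the three entries Alex added for padl (all-zero dummy keys) plus an invented host key
SAMPLE = build_keytab([("padl@ABISOFT.BIZ", 1, 23, bytes(16)), ("padl@ABISOFT.BIZ", 1, 17, bytes(16)),
                       ("padl@ABISOFT.BIZ", 1, 18, bytes(32)), ("host/vm-corp.abisoft.biz@ABISOFT.BIZ", 3, 18, bytes(32))])
```

A listing like this shows which enctypes and kvno a keytab holds, but an AES key derived from the password with the wrong salt looks exactly like a correct one here, which is why copying the keys out of the DC database with exportkeytab is the reliable route.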
L.P.H. van Belle
2022-Jan-28 08:23 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hi Alex,

Great to hear it now all works.

If I may ask, can/did you document your steps for this setup with kstart? This might be one that's very handy to have in the wiki.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Alex via samba
> Sent: Friday 28 January 2022 8:30
> To: Andrew Bartlett; Rowland Penny via samba; Rowland Penny
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable