Alex
2022-Jan-28 07:29 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Andrew,

Right after sending you pcaps and emails, I started to look at the wiki links Louis sent me yesterday, and I found the "samba-tool domain exportkeytab" command, so I went ahead and created a keytab for the padl user on the DC. Then I copied that file back to vm-corp and tried to get new TGTs via k5start - and that worked!! And it works for the old 4.14 Samba! So, that's the solution - thank you all very much!

However, if we could triage why the old way of generating the keytab is not working anymore, it'd be helpful to better understand what's going on under the hood. See below.

> > My issue is that k5start isn't able to get even the 1st ticket. Do
> > you use the system's keytab or create a user keytab for this test case?
> > Can you show what "net ads keytab list ..." outputs?
>
> Just one thought before the weekend:
>
> Can you remind me how the keytab was obtained?

I used to use this procedure to generate the keytab file for the padl user:

    # ktutil
    addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
    Password: ..... (here I put padl's domain account password)
    wkt /usr/local/etc/padl.keytab

My recent attempts were to add AES encryption, so I added two more entries with:

    addent -password -p padl@ABISOFT.BIZ -k 1 -e aes128-cts-hmac-sha1-96
    addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96

But that didn't help; the error was:

    Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

> RC4 tickets work sometimes in places where AES does not because AES
> tickets are salted, and if you use the wrong salt it all goes very
> badly.
>
> A keytab extracted using 'samba-tool domain exportkeytab' (there is an
> option to extract just one principal) will always have the correct
> salt, and all the right keys, as this is a direct copy from the DB.

That makes sense! But why has adding keys via ktutil stopped working?

--
Best regards,
Alex
Andrew Bartlett
2022-Jan-30 21:25 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Fri, 2022-01-28 at 10:29 +0300, Alex via samba wrote:
> Andrew,
>
> Right after sending you pcaps and emails, I started to look at the
> wiki links Louis sent me yesterday, and I found that "samba-tool
> domain exportkeytab" command, so I went ahead and created a keytab
> for padl user on the DC. Then I copied that file back to vm-corp and
> tried to get new TGTs via k5start - and that worked!! And it works
> for the old 4.14 Samba! So, that's the solution - thank you all very
> much!
>
> However, if we could triage why the old way of generating keytab is
> not working anymore, it'd be helpful to better understand what's
> going on under the hood. See below.

It will be the salt: it isn't the same on the server as you have specified to your tool creating the keytab. If the account is a proper computer account in AD (compared to a normal user that has an SPN) the salt is different, for example.

This will trip more people up as we increasingly work to deprecate RC4 cryptography.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions