Alex
2022-Jan-31 11:18 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Andrew, Rowland,

>> However, if we could triage why the old way of generating keytab is
>> not working anymore, it'd be helpful to better understand what's
>> going on under the hood. See below.

> It will be the salt, it isn't the same on the server as you have
> specified to your tool creating the keytab.
> If the account is a proper computer account in AD (compared to a normal
> user that has an SPN) the salt is different, for example.
> This will trip more people up as we increasingly work to deprecate RC4
> cryptography.

I think I managed to find the source of the issue (thanks for the salt idea!). The padl user was created in 2004 and since then its password has never been updated. Today I updated its password, and now creating a keytab via ktutil with AES encryption seems to work:

[root@vm-corp tmp]# ktutil
ktutil: addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
Password for padl@ABISOFT.BIZ:
ktutil: wkt ./test.keytab

[root@vm-corp tmp]# klist -k ./test.keytab -e
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 padl@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)

[root@vm-corp tmp]# /usr/bin/k5start -f ./test.keytab -L -l 1d -k /tmp/krb5cc_test2 -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
[root@vm-corp tmp]#

Ta-da! :)

One last thing. I decided to try to use a system keytab (/etc/krb5.keytab) instead of a specially generated user keytab (like above), as Rowland advised recently, and I can't get it to work:

[root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
Kerberos initialization for host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ' not found in Kerberos database

Samba's log:

[2022/01/31 14:12:51.776200, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ from ipv4:172.26.200.32:54074 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
[2022/01/31 14:12:51.779602, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ: no such entry found in hdb
[2022/01/31 14:12:51.779727, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ] at [Mon, 31 Jan 2022 14:12:51.779695 MSK] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:172.26.200.32:54074] mapped to [(null)]\[(null)]. local host [NULL]
  {"timestamp": "2022-01-31T14:12:51.779899+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "a2891bb833e6ef27", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:172.26.200.32:54074", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 3855}}

So, it says there's no such entry in the AD. Let's check:

[root@vm-corp tmp]# KRB5CCNAME=/tmp/krb5cc_nslcd ldapsearch -ZZ -b "cn=vm-corp,cn=Computers,dc=abisoft,dc=biz" | grep host/vm-corp.abisoft.spb.ru
SASL/GSSAPI authentication started
SASL username: padl@ABISOFT.BIZ
SASL SSF: 0
servicePrincipalName: host/vm-corp.abisoft.spb.ru

It's there! Could you please explain why it's not working? What's wrong?

-- 
Best regards,
Alex
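The keytab side of the exchange above, as an added example that is not part of the thread and not Samba's or the posters' code: a parser for the MIT keytab format that reproduces the `klist -k -e` listing offline, an audit of which principal and which enctypes a keytab holds before it is handed to k5start, and the default AD salt rule behind Andrew's remark about computer accounts versus users with an SPN. Everything in the sample is constructed: the keytab bytes, the dummy key material, the timestamps and the VM-CORP$ machine entry; the salt rule is taken from [MS-KILE] 3.1.1.2 (as implemented in Samba's password_hash module) and is stated here as an assumption that no explicit salt is set on the account.

```python
"""Parse and audit an MIT-format Kerberos keytab (format version 0x0502).
Added example for the thread above, not Samba's or the posters' code. It shows
offline what `klist -k -e` prints, then checks what matters before running
`k5start -f <keytab> -u <principal>`. The sample keytab is constructed, dummy keys."""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}        # DES and RC4, the ones being deprecated

@dataclass
class KeytabEntry:
    principal: str    # "name/instance@REALM", as klist prints it
    name_type: int    # KRB5_NT_PRINCIPAL = 1, KRB5_NT_SRV_HST = 3
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

def build_keytab(entries):
    """Serialise entries as a 0x0502 keytab (big-endian, with the 32-bit vno field)."""
    out = b"\x05\x02"
    for e in entries:
        name, _, realm = e.principal.rpartition("@")
        comps = name.split("/")
        parts = [realm.encode()] + [c.encode() for c in comps]   # counted octet strings
        body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return the live entries; a negative slot size marks a deleted entry, skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    def take(fmt):                # unpack at pos and advance
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def take_cstr():              # uint16 length, then the bytes
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos].decode()
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = take_cstr()
        comps = [take_cstr() for _ in range(ncomp)]
        name_type, timestamp, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:        # 32-bit vno present; it wins when non-zero
            kvno = take(">I")[0] or vno8
        pos = end
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm}", name_type,
                                   timestamp, kvno, enctype, key))
    return entries

def format_entries(entries):
    """One line per entry, in the layout of `klist -k -e`."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in entries]

def audit_keytab(data, wanted):
    """The checks to make before `k5start -f <keytab> -u <wanted>`."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e.principal == wanted]
    return {"present": bool(mine),
            "aes_for_wanted": any(e.enctype in {17, 18, 19, 20} for e in mine),
            "weak_principals": sorted({e.principal for e in entries
                                       if e.enctype in WEAK_ENCTYPES})}

def ad_salt(realm, sam_account_name, upn=None):
    """Default string-to-key salt AD applies to an account ([MS-KILE] 3.1.1.2; assumed
    here, with no explicit salt set on the account). A keytab tool must use the same
    salt or its AES key will not match the DC's; computer accounts salt differently."""
    upper = realm.upper()
    if sam_account_name.endswith("$"):      # computer account, taken from the '$' suffix
        return upper + "host" + sam_account_name[:-1].lower() + "." + realm.lower()
    if upn:                                 # user with a UPN: the UPN's local part is used
        return upper + upn.split("@", 1)[0]
    return upper + sam_account_name

# Constructed sample: the thread's two principals plus the machine account, dummy keys.
SAMPLE_ENTRIES = [
    KeytabEntry("padl@ABISOFT.BIZ", 1, 1643630000, 1, 18, b"\x11" * 32),
    KeytabEntry("VM-CORP$@ABISOFT.BIZ", 1, 1643630000, 3, 18, b"\x22" * 32),
    KeytabEntry("host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ", 3, 1643630000, 3, 23, b"\x33" * 16),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
```

`format_entries(parse_keytab(SAMPLE_KEYTAB))` gives the same listing as `klist -k -e`, and `audit_keytab(SAMPLE_KEYTAB, "host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ")` reports the principal present but with only an RC4 key, which is the kind of entry Andrew's warning is about. The audit covers the file side only: the second error in the post ("Client ... not found in Kerberos database") was raised by the KDC, and no keytab inspection can see that.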
Rowland Penny
2022-Jan-31 11:43 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Mon, 2022-01-31 at 14:18 +0300, Alex wrote:
> Andrew, Rowland,
> 
> I think I managed to find the source of the issue (thanks for the salt
> idea!). The padl user was created in 2004 and since then its password
> has never been updated. Today I updated its password, and now creating
> a keytab via ktutil with AES encryption seems to work:
> [root@vm-corp tmp]# ktutil
> ktutil: addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
> Password for padl@ABISOFT.BIZ:
> ktutil: wkt ./test.keytab
> 
> [root@vm-corp tmp]# klist -k ./test.keytab -e
> Keytab name: FILE:./test.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 padl@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 
> [root@vm-corp tmp]# /usr/bin/k5start -f ./test.keytab -L -l 1d -k /tmp/krb5cc_test2 -U -o nslcd
> Kerberos initialization for padl@ABISOFT.BIZ
> [root@vm-corp tmp]#
> 
> Ta-da! :)
> 
> One last thing. I decided to try to use a system keytab
> (/etc/krb5.keytab) instead of a specially generated user keytab (like
> above), as Rowland advised recently, and I can't get it to work:
> [root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru

You could use /etc/krb5.keytab, but you would have to add the required principal to it.

I also have never run the above command; it just works for me:

adminuser@deb11:~$ sudo klist -c /tmp/nslcd.tkt
Ticket cache: FILE:/tmp/nslcd.tkt
Default principal: nslcd-ad@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
31/01/22 09:20:04  31/01/22 19:20:04  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
31/01/22 10:17:01  31/01/22 19:20:04  ldap/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM

adminuser@deb11:~$ getent passwd rowland
rowland:*:10000:513:Rowland Penny::/bin/bash

Rowland