Hello Louis,
First, thanks for your answer and your script to implement Samba!!
I have now installed Debian 11 from scratch, but the result is the same.
The Samba 4.15.7 setup is built with BIND.
samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
Password for [CALORO\maurizio]:
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 881, in run
    res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
--
# cat /etc/krb5.conf
[libdefaults]
        default_realm = CALORO.M
        dns_lookup_kdc = yes
        dns_lookup_realm = no
        ticket_lifetime = 24h
--
# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
# cat /etc/resolv.conf
domain CALORO.M
search CALORO.M
nameserver 192.168.10.254
# dpkg -l | grep krb5
ii  krb5-config             2.6+nmu1          all    Configuration files for Kerberos Version 5
ii  krb5-locales            1.18.3-6+deb11u1  all    internationalization support for MIT Kerberos
ii  krb5-user               1.18.3-6+deb11u1  amd64  basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64  1.18.3-6+deb11u1  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64         1.18.3-6+deb11u1  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64   1.18.3-6+deb11u1  amd64  MIT Kerberos runtime libraries - Support library
bind running
Jul 20 20:41:17 TestAD named[536]: zone 10.168.192.in-addr.arpa/IN: loaded serial 1
Jul 20 20:41:17 TestAD named[536]: zone 255.in-addr.arpa/IN: loaded serial 1
Jul 20 20:41:17 TestAD named[536]: zone caloro.m/IN: loaded serial 2
Jul 20 20:41:17 TestAD named[536]: all zones loaded
Jul 20 20:41:17 TestAD named[536]: running
Jul 20 20:41:18 TestAD named[536]: timed out resolving './DNSKEY/IN': 8.8.8.8#53
Jul 20 20:41:19 TestAD named[536]: timed out resolving '0.debian.pool.ntp.org/A/IN': 8.8.8.8#53
Jul 20 20:41:19 TestAD named[536]: timed out resolving '0.debian.pool.ntp.org/AAAA/IN': 8.8.8.8#53
Jul 20 20:41:20 TestAD named[536]: resolver priming query complete
Jul 20 20:41:21 TestAD named[536]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Samba-ad-dc running
Jul 20 20:41:17 TestAD samba[538]:   binary_smbd_main: samba: using 'prefork' process model
Jul 20 20:41:17 TestAD systemd[1]: Started Samba AD Daemon.
Jul 20 20:41:17 TestAD winbindd[661]: [2022/07/20 20:41:17.476249,  0] ../../source3/winbindd/winbindd.c:1722(main)
Jul 20 20:41:17 TestAD winbindd[661]:   winbindd version 4.15.7-Debian started.
Jul 20 20:41:17 TestAD winbindd[661]:   Copyright Andrew Tridgell and the Samba Team 1992-2021
Jul 20 20:41:17 TestAD smbd[633]: [2022/07/20 20:41:17.523870,  0] ../../source3/smbd/server.c:1734(main)
Jul 20 20:41:17 TestAD smbd[633]:   smbd version 4.15.7-Debian started.
Jul 20 20:41:17 TestAD smbd[633]:   Copyright Andrew Tridgell and the Samba Team 1992-2021
Jul 20 20:41:17 TestAD winbindd[661]: [2022/07/20 20:41:17.586761,  0] ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbin>
Jul 20 20:41:17 TestAD winbindd[661]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
--
# kinit maurizio
kinit: Client 'maurizio@CALORO.M' not found in Kerberos database while getting initial credentials
# kinit maurizio@CALORO.M
kinit: Client 'maurizio@CALORO.M' not found in Kerberos database while getting initial credentials
# kinit administrator@CALORO.M
kinit: Client 'administrator@CALORO.M' not found in Kerberos database while getting initial credentials
--
On 20.07.2022 at 09:56, L. van Belle via samba wrote:
> 3 points..
>
> Did you set a PTR record for the servers? If not, do so.
>
> In krb5.conf
> Restore the Debian default, it's sufficient.
> This is all you need for a normal AD-AD/Kerberos domain, basically.
>
> [libdefaults]
> default_realm = CALORO.M
> dns_lookup_kdc = yes
> dns_lookup_realm = no
> ticket_lifetime = 24h
>
> And show /etc/resolv.conf
> Is the primary DNS domain the first resolving domain?
>
> Run these.
> apt remove --autoremove --purge krb5-kdc
> apt satisfy winbind samba
>
> that should do it.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba <samba-bounces at lists.samba.org> On behalf of Maurizio Caloro via
>> samba
>> Sent: Tuesday, 19 July 2022 22:56
>> To: Rowland Penny via samba <samba at lists.samba.org>
>> Subject: Re: [Samba] Kerberos kinit not running
>>
>>
>> On 19.07.2022 at 22:32, Rowland Penny via samba wrote:
>>> On Tue, 2022-07-19 at 22:09 +0200, Maurizio Caloro via samba wrote:
>>>> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
>>>> Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
>>> Turn this off and remove it, you are running two kdc's, the Heimdal one
>>> built into Samba and the MIT kdc.
>>>
>>> Rowland
>> Thanks for the quick help, krb5-kdc is gone
>> -->rc krb5-kdc 1.18.3-6+deb11u1 amd64 MIT Kerberos key server (KDC)
>>
>> Or do I need to delete all this?
>>
>> # dpkg -l | grep krb5*
>> ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
>> rc krb5-kdc 1.18.3-6+deb11u1 amd64 MIT Kerberos key server (KDC)
>> ii krb5-locales 1.18.3-6+deb11u1 all internationalization support for MIT Kerberos
>> ii krb5-multidev:amd64 1.18.3-6+deb11u1 amd64 development files for MIT Kerberos without Heimdal conflict
>> ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
>> ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-2 amd64 Heimdal Kerberos - libraries
>> ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
>> ii libkrb5-dev:amd64 1.18.3-6+deb11u1 amd64 headers and development libraries for MIT Kerberos
>> ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
>>
>> but still the same
>>
>> # kinit Administrator@CALORO.M
>> kinit: Client 'Administrator@CALORO.M' not found in Kerberos database while getting initial credentials
>>
>
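
Added example, not part of the original messages and not Samba's own tooling: an offline check for the two points raised in the thread, a leftover MIT krb5-kdc package (dpkg state "rc" means removed with config files remaining) and the minimal [libdefaults] settings quoted above. The function names are hypothetical and the sample dpkg listing is constructed from the one in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for a leftover MIT KDC
# and for the minimal [libdefaults] quoted above. Function names are hypothetical.

# Print the dpkg state column ("ii", "rc", ...) for krb5-kdc, or "absent".
# Reads `dpkg -l` output on stdin.
kdc_pkg_state() {
    awk '$2 == "krb5-kdc" || $2 ~ /^krb5-kdc:/ { print $1; found = 1; exit }
         END { if (!found) print "absent" }'
}

# Map that state to a finding. "rc" = removed, config files remain.
kdc_verdict() {
    case "$1" in
        absent) echo "ok" ;;
        rc)     echo "residual-config" ;;   # apt remove --purge krb5-kdc clears it
        ii)     echo "conflict" ;;          # MIT KDC installed beside Samba's own KDC
        *)      echo "unknown" ;;
    esac
}

# Print each [libdefaults] key that deviates from the thread's minimal config.
# $1 = krb5.conf path, $2 = expected realm. Prints nothing when all match.
krb5_conf_issues() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { sect = $1; next }
        sect == "[libdefaults]" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v); seen[k] = v
        }
        END {
            if (seen["default_realm"] != realm)             print "default_realm"
            if (seen["dns_lookup_kdc"] !~ /^(yes|true)$/)   print "dns_lookup_kdc"
            if (seen["dns_lookup_realm"] !~ /^(no|false)$/) print "dns_lookup_realm"
        }' "$1"
}

# Constructed sample input, modelled on the dpkg listing in the thread.
SAMPLE_DPKG='ii  krb5-config  2.6+nmu1          all    Configuration files for Kerberos Version 5
rc  krb5-kdc     1.18.3-6+deb11u1  amd64  MIT Kerberos key server (KDC)
ii  krb5-user    1.18.3-6+deb11u1  amd64  basic programs to authenticate using MIT Kerberos'

state=$(printf '%s\n' "$SAMPLE_DPKG" | kdc_pkg_state)
echo "krb5-kdc: $state -> $(kdc_verdict "$state")"
```

On a live host, feed it real data with `dpkg -l | kdc_pkg_state` and `krb5_conf_issues /etc/krb5.conf CALORO.M`.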