MARTIN boris
2014-May-09 08:01 UTC
[Samba] samba4 : [kerberos part kinit work but no kpasswd
hi,

I have recently installed a Samba 4 in a DC role.
The distribution is a Debian jessie/sid, the version of Samba is 4.1.7.
The server is globally working but there is a little trouble.
On the server itself, I can do a kinit without problem, but if I try a kpasswd,
I obtain the following:

root@station:/var/log/samba# kinit
Password for administrator@TOTO.FR:
root@station:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TOTO.FR
Valid starting       Expires              Service principal
09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
    renew until 10/05/2014 09:23:38
root@station:/var/log/samba# kpasswd
[10 sec later ....]
kpasswd: Cannot contact any KDC for requested realm getting initial ticket

The smb.conf file is the following:

[global]
        workgroup = TOTO
        realm = TOTO.FR
        netbios name = station
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 129.20.128.39
        allow dns updates = nonsecure
#       winbind rpc only = yes
        log level = 4
        ntp signd socket directory = /var/lib/samba/ntp_signd
[netlogon]
        path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[demo]
        path = /share/demo
        read only = no

and the krb5.conf is the following:

[logging]
        default = FILE:/var/log/krb5.log
[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5

        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
...

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .toto.fr = TOTO.FR
[login]
        krb4_convert = true
        krb4_get_tickets = false

The tcpdump for a failed attempt of kpasswd gives the following:

client -> station Kerberos AS-REQ
MSG Type : AS-REQ(10)
Server Name(principal): kadmin/changepw
Encryption type rc4-hmac

station -> client BER Error : Empty choice was found ...

and the log on the server side gives

Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

It seems to me like an encryption negotiation failure between the client and the
server; all the enctypes lines in the krb5.conf were not there initially and are a
(failed) attempt to fix the trouble.

So my questions are:

- is there any way for me to know what kind of encoding samba4/kerberos expects
on the server side?
- what is the location of the credentials for all the users on the server side?
Are they stored in the ldap part of samba4?
- does anyone see what I can do to fix this mess?


best regards
Rowland Penny
2014-May-09 08:28 UTC
[Samba] samba4 : [kerberos part kinit work but no kpasswd
On 09/05/14 09:01, MARTIN boris wrote:
> hi,
>
> I have recently installed a Samba 4 in a DC role.
> The distribution is a Debian jessie/sid, the version of Samba is 4.1.7.
> The server is globally working but there is a little trouble.
> On the server itself, I can do a kinit without problem, but if I try a kpasswd,
> I obtain the following:
>
> root@station:/var/log/samba# kinit
> Password for administrator@TOTO.FR:
> root@station:/var/log/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@TOTO.FR
> Valid starting       Expires              Service principal
> 09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
>     renew until 10/05/2014 09:23:38
> root@station:/var/log/samba# kpasswd
> [10 sec later ....]
> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>
> The smb.conf file is the following:
>
> [global]
>         workgroup = TOTO
>         realm = TOTO.FR
>         netbios name = station
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 129.20.128.39
>         allow dns updates = nonsecure
> #       winbind rpc only = yes
>         log level = 4
>         ntp signd socket directory = /var/lib/samba/ntp_signd
> [netlogon]
>         path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> [demo]
>         path = /share/demo
>         read only = no
>
> and the krb5.conf is the following:
>
> [logging]
>         default = FILE:/var/log/krb5.log
> [libdefaults]
>         default_realm = TOTO.FR
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
> [realms]
>         IETR.UNIV-RENNES1.FR = {
>                 kdc = admin.toto.fr:88
>                 admin_server = admin.toto.fr
>         }
> ...
>
> [domain_realm]
>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>         media.mit.edu = MEDIA-LAB.MIT.EDU
>         .csail.mit.edu = CSAIL.MIT.EDU
>         csail.mit.edu = CSAIL.MIT.EDU
>         .whoi.edu = ATHENA.MIT.EDU
>         whoi.edu = ATHENA.MIT.EDU
>         .stanford.edu = stanford.edu
>         .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
>         .toto.fr = TOTO.FR
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
> The tcpdump for a failed attempt of kpasswd gives the following:
>
> client -> station Kerberos AS-REQ
> MSG Type : AS-REQ(10)
> Server Name(principal): kadmin/changepw
> Encryption type rc4-hmac
>
> station -> client BER Error : Empty choice was found ...
>
> and the log on the server side gives
>
> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> arcfour-hmac-md5) error Decrypt integrity check failed
> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>
> It seems to me like an encryption negotiation failure between the client and the
> server; all the enctypes lines in the krb5.conf were not there initially and are a
> (failed) attempt to fix the trouble.
>
> So my questions are:
>
> - is there any way for me to know what kind of encoding samba4/kerberos expects
> on the server side?
> - what is the location of the credentials for all the users on the server side?
> Are they stored in the ldap part of samba4?
> - does anyone see what I can do to fix this mess?
>
> best regards

This sort of works for me, but all I have in /etc/krb5.conf is this:

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

root@dc1:~# kinit
kinit: Client 'root@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
root@dc1:~# kinit Administrator
Password for Administrator@EXAMPLE.COM:
root@dc1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM
Valid starting       Expires              Service principal
09/05/14 09:06:40    09/05/14 19:06:40    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/05/14 09:06:33
root@dc1:~# kpasswd
Password for Administrator@EXAMPLE.COM:
Enter new password:
Enter it again:
Password change rejected: Try a more complex password, or contact your administrator.

NOTE: I deliberately used a non complex password.

What do you have in /etc/resolv.conf? Is the nameserver line set to either your Samba 4's IP address or 127.0.0.1?

Rowland
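Two things stand out in the thread: the posted krb5.conf sets default_realm = TOTO.FR but its only [realms] block is for IETR.UNIV-RENNES1.FR, and Rowland asks whether resolv.conf points the DC at its own DNS, which matters because with dns_lookup_kdc = true the client locates the KDC and the password-change service through the realm's SRV records. The script below is an added example, not code from the thread or from Samba: it parses a constructed krb5.conf and resolv.conf modelled on the posted ones and reports the realm/[realms] mismatch, a nameserver that is not the DC, and the single-DES enctypes the client lists. The sample addresses (192.0.2.x), the dc_addresses set and the function names are assumptions made for this example.

```python
import re

# Constructed sample krb5.conf, trimmed from the one quoted in the thread:
# default_realm is TOTO.FR but the only [realms] block names a different realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
[domain_realm]
        .toto.fr = TOTO.FR
"""

# Constructed sample resolv.conf pointing at an upstream resolver (placeholder
# address from the documentation range), not at the DC serving the AD zone.
SAMPLE_RESOLV_CONF = """\
search toto.fr
nameserver 192.0.2.53
"""

WEAK_ENCTYPE_PREFIXES = ('des-cbc-',)  # single DES, deprecated by RFC 6649


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines, and one level of 'NAME = { ... }' blocks (as in [realms]).
    Returns {section: {key: value or {subkey: value}}}."""
    sections = {}
    section = None   # dict of the current [section]
    block = None     # dict of the current NAME = { ... } block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
        elif section is None:
            continue                      # key outside any section: ignore
        elif line == '}':
            block = None
        elif line.endswith('{'):
            name = line[:-1].rstrip().rstrip('=').strip()
            block = section.setdefault(name, {})
        elif '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            (block if block is not None else section)[key] = value
    return sections


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith('nameserver') and len(line.split()) > 1]


def check_kpasswd_setup(krb5_text, resolv_text, dc_addresses):
    """Report configuration problems that stop a kpasswd client from locating
    the default realm's KDC / password-change service. dc_addresses is the set
    of addresses at which this DC's own DNS answers (an assumption here)."""
    krb5 = parse_krb5_conf(krb5_text)
    libdefaults = krb5.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    if realm is None:
        return ['[libdefaults] has no default_realm']
    findings = []

    # Static KDC/kpasswd configuration must be under the default realm's name.
    realms = krb5.get('realms', {})
    if realm not in realms:
        findings.append(f'[realms] has no block for default_realm {realm} '
                        f'(blocks present: {sorted(realms) or "none"})')
    else:
        entry = realms[realm]
        if 'kdc' not in entry:
            findings.append(f'[realms] {realm} has no kdc entry')
        if 'kpasswd_server' not in entry and 'admin_server' not in entry:
            findings.append(f'[realms] {realm} has neither kpasswd_server '
                            f'nor admin_server')

    # With dns_lookup_kdc on (the MIT default), the client finds the KDC and
    # kpasswd service via SRV records (_kerberos._udp.<realm>,
    # _kpasswd._udp.<realm>); a resolver that does not serve the AD zone
    # cannot answer them, so resolv.conf should name the DC itself.
    dns_lookup = libdefaults.get('dns_lookup_kdc', 'true').lower() in ('true', 'yes', '1')
    nameservers = parse_resolv_conf(resolv_text)
    if dns_lookup and not any(ns in dc_addresses for ns in nameservers):
        findings.append(f'resolv.conf nameservers {nameservers} do not include '
                        f'the DC {sorted(dc_addresses)}; SRV lookups for {realm} '
                        f'will go to a resolver that cannot answer them')

    # Single-DES enctypes in the client lists are weak and should be dropped.
    for key in ('default_tkt_enctypes', 'default_tgs_enctypes', 'permitted_enctypes'):
        weak = [e for e in libdefaults.get(key, '').split()
                if e.startswith(WEAK_ENCTYPE_PREFIXES)]
        if weak:
            findings.append(f'{key} lists single-DES enctypes {weak}')
    return findings


if __name__ == '__main__':
    for f in check_kpasswd_setup(SAMPLE_KRB5_CONF, SAMPLE_RESOLV_CONF,
                                 {'127.0.0.1', '192.0.2.10'}):
        print('-', f)
```

Run against the real files with `check_kpasswd_setup(open('/etc/krb5.conf').read(), open('/etc/resolv.conf').read(), {...})`, passing the DC's own addresses; an empty result means the realm block, nameserver and enctype lists are consistent, after which the remaining suspects are DNS data (the SRV records themselves) and the server-side log.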