MARTIN boris
2014-May-09 08:01 UTC
[Samba] samba4 : [kerberos part kinit work but no kpasswd
hi,

i have recently installed a samba 4 in a DC role.
The distribution is a debian jessie/sid, the version of samba is 4.1.7.
The server is globally working but there is some little trouble.
on the server itself, i can do a kinit without problem but if i try a kpasswd, i obtain the following

root@station:/var/log/samba# kinit
Password for administrator@TOTO.FR:
root@station:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TOTO.FR

Valid starting       Expires              Service principal
09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
        renew until 10/05/2014 09:23:38
root@station:/var/log/samba# kpasswd

[10 sec later ....]

kpasswd: Cannot contact any KDC for requested realm getting initial ticket

the smb.conf file is the following :

[global]
        workgroup = TOTO
        realm = TOTO.FR
        netbios name = station
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 129.20.128.39
        allow dns updates = nonsecure
#       winbind rpc only = yes
        log level = 4
        ntp signd socket directory = /var/lib/samba/ntp_signd
[netlogon]
        path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[demo]
        path = /share/demo
        read only = no

and the krb5.conf is the following :

[logging]
    default = FILE:/var/log/krb5.log
[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5

        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
        ...

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .toto.fr = TOTO.FR

[login]
        krb4_convert = true
        krb4_get_tickets = false

the tcpdump for a failed attempt of kpasswd gives the following :

client -> station    Kerberos AS-REQ
    MSG Type : AS-REQ(10)
    Server Name(principal): kadmin/changepw
    Encryption type rc4-hmac

station -> client    BER Error : Empty choice was found ...

and the log on the server side gives

 Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype arcfour-hmac-md5) error Decrypt integrity check failed
 Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

it seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.

So my questions are :

- is there any way for me to know what kind of encoding samba4/kerberos expects on the server side ?
- what is the location of the credentials for all the users on the server side ? are they stored in the ldap part of samba4 ?
- does anyone see what i can do to fix this mess ?

best regards
Rowland Penny
2014-May-09 08:28 UTC
[Samba] samba4 : [kerberos part kinit work but no kpasswd
On 09/05/14 09:01, MARTIN boris wrote:
> hi,
>
> i have recently installed a samba 4 in a DC role.
> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
> The server is globally working but there is some little trouble.
> on the server itself, i can do a kinit without problem but if i try a kpasswd, i obtain the following
>
> root@station:/var/log/samba# kinit
> Password for administrator@TOTO.FR:
> root@station:/var/log/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@TOTO.FR
>
> Valid starting       Expires              Service principal
> 09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
>         renew until 10/05/2014 09:23:38
> root@station:/var/log/samba# kpasswd
>
> [10 sec later ....]
>
> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>
> the smb.conf file is the following :
>
> [global]
>         workgroup = TOTO
>         realm = TOTO.FR
>         netbios name = station
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 129.20.128.39
>         allow dns updates = nonsecure
> #       winbind rpc only = yes
>         log level = 4
>         ntp signd socket directory = /var/lib/samba/ntp_signd
> [netlogon]
>         path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [demo]
>         path = /share/demo
>         read only = no
>
> and the krb5.conf is the following :
>
> [logging]
>     default = FILE:/var/log/krb5.log
> [libdefaults]
>         default_realm = TOTO.FR
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>
>         default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
> [realms]
>         IETR.UNIV-RENNES1.FR = {
>                 kdc = admin.toto.fr:88
>                 admin_server = admin.toto.fr
>         }
>         ...
>
> [domain_realm]
>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>         media.mit.edu = MEDIA-LAB.MIT.EDU
>         .csail.mit.edu = CSAIL.MIT.EDU
>         csail.mit.edu = CSAIL.MIT.EDU
>         .whoi.edu = ATHENA.MIT.EDU
>         whoi.edu = ATHENA.MIT.EDU
>         .stanford.edu = stanford.edu
>         .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
>         .toto.fr = TOTO.FR
>
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
> the tcpdump for a failed attempt of kpasswd gives the following :
>
> client -> station    Kerberos AS-REQ
>     MSG Type : AS-REQ(10)
>     Server Name(principal): kadmin/changepw
>     Encryption type rc4-hmac
>
> station -> client    BER Error : Empty choice was found ...
>
> and the log on the server side gives
>
>  Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype arcfour-hmac-md5) error Decrypt integrity check failed
>  Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>
> it seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
>
> So my questions are :
>
> - is there any way for me to know what kind of encoding samba4/kerberos expects on the server side ?
> - what is the location of the credentials for all the users on the server side ? are they stored in the ldap part of samba4 ?
> - does anyone see what i can do to fix this mess ?
>
> best regards

This sort of works for me, but all I have in /etc/krb5.conf is this:

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

root@dc1:~# kinit
kinit: Client 'root@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
root@dc1:~# kinit Administrator
Password for Administrator@EXAMPLE.COM:
root@dc1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
09/05/14 09:06:40  09/05/14 19:06:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/05/14 09:06:33
root@dc1:~# kpasswd
Password for Administrator@EXAMPLE.COM:
Enter new password:
Enter it again:
Password change rejected: Try a more complex password, or contact your administrator.

NOTE: I deliberately used a non-complex password.

What do you have in /etc/resolv.conf ? is the nameserver line set to either your samba 4's IP address or 127.0.0.1 ?

Rowland
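As an added example (not code from either poster), a small Python linter for the krb5.conf settings this thread turns on: it parses the [libdefaults]/[realms] structure, flags a default_realm with no matching [realms] entry (the posted file names IETR.UNIV-RENNES1.FR there while default_realm is TOTO.FR), notes that such a realm then depends entirely on DNS SRV lookups, which is why the nameserver in /etc/resolv.conf matters, flags the single-DES enctypes that were added, and lists the SRV names to verify against the DC's DNS. The sample configuration is constructed; the realm and host names are the ones quoted in the thread.

```python
# Constructed sample mirroring the [libdefaults] and [realms] entries posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = TOTO.FR
    dns_lookup_kdc = true
    permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
    IETR.UNIV-RENNES1.FR = {
        kdc = admin.toto.fr:88
        admin_server = admin.toto.fr
    }
"""

def parse_krb5_conf(text):
    """Parse into {section: {key: value or {subkey: value}}}; '#' starts a comment."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if line[0] == "[" and line[-1] == "]":   # new top-level section
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":                        # close a "name = { ... }" block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                     # open a nested block, e.g. one realm
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_realm_config(conf):
    """Report settings that stop kinit/kpasswd from locating a KDC or change-password server."""
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm, findings = lib.get("default_realm", "<unset>"), []
    dns_kdc = lib.get("dns_lookup_kdc", "true").lower() == "true"
    if realm not in realms:
        how = ("the KDC and kpasswd server can only come from DNS SRV records"
               if dns_kdc else "dns_lookup_kdc is off, so no KDC can be located")
        findings.append(f"[realms] has no entry for {realm} (entries: {', '.join(realms) or 'none'}); {how}")
    elif not realms[realm].keys() & {"kpasswd_server", "admin_server"}:
        findings.append(f"[realms] {realm} sets neither kpasswd_server nor admin_server")
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        findings.extend(f"{key} allows deprecated single-DES enctype {e}"    # RFC 6649
                        for e in lib.get(key, "").split() if e.startswith("des-"))
    return findings

def srv_records(realm):
    """SRV names libkrb5 queries when dns_lookup_kdc is on (DNS names are case-insensitive)."""
    return [f"_{svc}._{proto}.{realm.lower()}" for svc in ("kerberos", "kpasswd") for proto in ("udp", "tcp")]
```

Each name from srv_records() can be resolved with dig SRV against the nameserver in /etc/resolv.conf; if the DC's own DNS is not the one answering, the records Samba registers will not be found.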