Brian Candler
2016-Dec-19 18:21 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
I am trying to use a keytab for a client machine to authenticate to
Samba's own LDAP server.
The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2
compiled from source.
The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been
joined directly to the Samba domain ("net ads join"). I have also
extracted a keytab ("net ads keytab create -P") which created
/etc/krb5.keytab.
Now if I try to authenticate, I can get a TGT, but I can't actually
authenticate to the LDAP server:
root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Client not found in Kerberos database)
root@wrn-radtest:~# cat /tmp/trace.out
[17919] 1482170475.951771: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET for server principal ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET
[17919] 1482170475.951821: Getting credentials host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET using ccache FILE:/tmp/krb5cc_0
[17919] 1482170475.951863: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[17919] 1482170475.951900: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[17919] 1482170475.951907: Starting with TGT for client realm: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
[17919] 1482170475.951912: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.951929: Generated subkey for TGS request: rc4-hmac/5B25
[17919] 1482170475.951946: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.952023: Encoding request body and padata into FAST request
[17919] 1482170475.952068: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.952489: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.952708: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.958164: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.958397: Response was not from master KDC
[17919] 1482170475.958420: TGS request result: -1765328378/Client not found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.958448: Generated subkey for TGS request: rc4-hmac/D306
[17919] 1482170475.958464: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.958500: Encoding request body and padata into FAST request
[17919] 1482170475.958537: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.958782: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.958937: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.963625: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.963784: Response was not from master KDC
[17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database
But if I kinit with a real user, it works fine:
root@wrn-radtest:~# kinit brian
...
root@wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base
SASL/GSSAPI authentication started
SASL username: brian@AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=net> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
... etc
Any ideas what's going on, or where else I can look?
Aside: What I'm actually trying to do is to get freeradius to
authenticate using a keytab in order to do LDAP queries, which I've had
working with FreeIPA before and am now trying to replicate with Samba in
a different environment.
Thanks,
Brian.
P.S. Here are the config files from the client machine:
--- /etc/krb5.conf ---
[libdefaults]
default_realm = AD.EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
# I added this but it didn't make a difference
[domain_realm]
.ad.example.net = AD.EXAMPLE.NET
--- /etc/samba/smb.conf ---
[global]
security = ADS
workgroup = AD
realm = AD.EXAMPLE.NET
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 1
username map = /etc/samba/user.map
winbind enum users = yes
winbind enum groups = yes
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
imdap config AD : backend = rid
idmap config AD : range = 100000-999999
idmap config * : backend = autorid
idmap config * : range = 1000000-9999999
idmap config * : rangesize = 100000
The keytab itself looks OK to me:
root@wrn-radtest:~# net ads keytab list
Vno Type Principal
2 des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
2 des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
2 des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
Brian Candler
2016-Dec-19 20:02 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
And FWIW, here's the LDAP entry for the computer which was generated when it joined:
root@wrn-dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=wrn-radtest)'
# record 1
dn: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: wrn-radtest
instanceType: 4
whenCreated: 20161219120818.0Z
uSNCreated: 5055
name: wrn-radtest
objectGUID: db8fd9f5-4be3-4886-a459-71858010f4fa
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 515
objectSid: S-1-5-21-1073172920-2372885959-993370794-1109
accountExpires: 9223372036854775807
sAMAccountName: wrn-radtest$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=net
isCriticalSystemObject: FALSE
userAccountControl: 69632
pwdLastSet: 131266228999887560
dNSHostName: wrn-radtest.ad.example.net
servicePrincipalName: HOST/WRN-RADTEST
servicePrincipalName: HOST/wrn-radtest.ad.example.net
logonCount: 1
lastLogon: 131266508988047120
lastLogonTimestamp: 131266508988047120
whenChanged: 20161219195459.0Z
uSNChanged: 7842
distinguishedName: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net
I did a "net ads leave" and "net ads join", but it hasn't made a difference.
Regards,
Brian.
Brian Candler
2016-Dec-20 10:13 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
L.P.H. van Belle wrote:
> start with fixing the overlapping idmap config.
> that won't help.
I don't think they are overlapping: I used 100,000-999,999 for rid and
1,000,000 to 9,999,999 for autorid.
> check again if host.fqdn a and ptr exists in the dns.
# dig +short wrn-radtest.ad.example.net. a
192.168.5.83
# dig +short -x 192.168.5.83
wrn-radtest.ad.example.net.
> check resolv.conf
Points to two nearby instances of pdns recursor, which in turn forward
domains "ad.example.net" and "5.168.192.in-addr.arpa" to the
Samba servers.
> make sure your primary domain is listed first.
It only has "ad.example.net" in the search section.
> you left and rejoined the domain, so you can try regenerating your
> keytab file also.
Yep, did that, no difference.
Rowland Penny wrote:
> No, start by using the correct thing for '*':
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-9999999
I wasn't aware that the default *had* to be tdb; the manpage at
https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
gives examples which don't use tdb at all, e.g.
[global]
security = ads
workgroup = CUSTOMER
realm = CUSTOMER.COM
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
Is it really wrong to use autorid for this?
Anyway: I have followed your advice, switched to tdb, left and rejoined
domain, and regenerated the keytab. The problem is still there.
While doing this I found one stupid problem which was visible in my
original post:
imdap config AD : backend = rid
Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
returning a tdb-assigned ID 1000000 instead of the RID-based ID)
But after fixing that (and net cache flush and restarting winbind),
still no joy:
root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
DNS Update for wrn-radtest.ad.example.net failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@wrn-radtest:~# rm /etc/krb5.keytab
root@wrn-radtest:~# net ads keytab create -P
root@wrn-radtest:~# kdestroy
root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -b 'dc=ad,dc=example,dc=net' -h wrn-dc1.ad.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Client not found in Kerberos database)
root@wrn-radtest:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
Valid starting Expires Service principal
12/20/2016 09:52:51 12/20/2016 19:52:51 krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
renew until 12/21/2016 09:52:51
I assume the DNS update error on re-joining is just because there was an
existing DNS entry. Indeed: if I leave the domain, remove the DNS
record, and then join again, there is no error:
root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
root@wrn-radtest:~#
But still I can't use the keytab ticket for LDAP auth.
To be honest: I think the UID mapping is a red herring. If I understand
correctly, mapping RID to unix UID is something which is local to the
client system. I can't see how it would affect our Kerberos ticket being
accepted by the LDAP server.
I will keep digging...
Thanks,
Brian.
Rowland Penny
2016-Dec-20 10:45 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
On Tue, 20 Dec 2016 10:13:14 +0000 Brian Candler via samba <samba@lists.samba.org> wrote:
> L.P.H. van Belle wrote:
> > check resolv.conf
> Points to two nearby instances of pdns recursor, which in turn
> forward domains "ad.example.net" and "5.168.192.in-addr.arpa" to the
> Samba servers.
Can I suggest you stop doing this, point your domain member at the DC only.
> Rowland Penny wrote:
> > No, start by using the correct thing for '*':
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-9999999
> I wasn't aware that the default *had* to be tdb; the manpage at
> https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
> gives examples which don't use tdb at all, e.g.
>
> [global]
> security = ads
> workgroup = CUSTOMER
> realm = CUSTOMER.COM
>
> idmap config * : backend = autorid
> idmap config * : range = 1000000-1999999
>
> Is it really wrong to use autorid for this?
Best practice is to use 'tdb', there is no need to actually know the IDs for any of the '*' domain users & groups. 'tdb' is known to work.
> Anyway: I have followed your advice, switched to tdb, left and
> rejoined domain, and regenerated the keytab. The problem is still
> there.
When you join the domain with 'kerberos method = secrets and keytab', you should get a keytab created without having to manually create it.
> While doing this I found one stupid problem which was visible in my
> original post:
>
> imdap config AD : backend = rid
>
> Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
> returning a tdb-assigned ID 1000000 instead of the RID-based ID)
>
> But after fixing that (and net cache flush and restarting winbind),
> still no joy:
How did you 'fix' this, on face value, there is nothing wrong with that line.
Rowland
Brian Candler
2016-Dec-20 10:56 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
I finally found it, thanks to a clue from
https://wiki.archlinux.org/index.php/Active_Directory_Integration
This works:
kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'
These don't work:
kinit -k -t /etc/krb5.keytab
kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
kinit -k -t /etc/krb5.keytab host/wrn-radtest
That is: the keytab contains three different principals:
root@wrn-radtest:~# net ads keytab list
Vno Type Principal
2 des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
2 des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
2 des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
I can get a TGT for any of them, and by default kinit chooses the first. But the LDAP server won't talk to me unless I choose the 'WRN-RADTEST$' principal.
Now I just need to work out how to get freeradius to choose the right principal - but at worst I should be able to make a new keytab which doesn't have the other two.
Regards,
Brian.
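Added example, not code from the thread: a POSIX shell helper that picks the machine-account principal (the sAMAccountName entry ending in '$') out of a keytab listing instead of relying on kinit's default of the first entry, which is what caused the failure above. It is fed a constructed sample in the 'net ads keytab list' format quoted in the thread and also works on 'klist -k' output, since both put the principal in the last column; 'kinit_as_machine' is a hypothetical wrapper around a real keytab and is not run here.

```shell
#!/bin/sh
# Added example, not from the thread. Selects the machine-account principal
# from a keytab listing instead of letting kinit default to the first entry.

# Constructed sample: the 'net ads keytab list' output from the thread,
# shortened, with the archive's " at " rendered back as "@".
SAMPLE_KEYTAB_LIST='Vno Type Principal
2 des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET'

# Read a keytab listing on stdin and print each distinct principal once, in
# first-seen order. Both 'net ads keytab list' and 'klist -k' put the
# principal in the last column, so header and separator lines (no '@')
# are skipped automatically.
list_principals() {
    awk '$NF ~ /@/ && !seen[$NF]++ { print $NF }'
}

# Print the machine-account principal: the one whose name part has no '/'
# (so it is not a host/ or other service principal) and ends in '$'.
# Returns 1 when the keytab has no such entry, so callers fail closed
# rather than silently binding as the wrong identity.
pick_machine_principal() {
    p=$(list_principals | grep '^[^/@]*\$@' | head -n 1)
    [ -n "$p" ] || return 1
    printf '%s\n' "$p"
}

# Hypothetical wrapper (assumption, not run by the checks below): obtain a
# TGT as the machine account from a real keytab, which is the identity the
# Samba AD LDAP server accepted in the thread.
kinit_as_machine() {
    keytab=${1:-/etc/krb5.keytab}
    princ=$(klist -k "$keytab" | pick_machine_principal) || {
        echo "no machine-account principal in $keytab" >&2
        return 1
    }
    kinit -k -t "$keytab" "$princ"
}
```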
L.P.H. van Belle
2016-Dec-20 11:19 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
Hi,
Maybe something like this in freeradius, but I'm not 100% sure here.
I'm also working on my freeradius skills here, it's hard.. :-/ (for me..)
I used this site:
http://deployingradius.com/documents/configuration/active_directory.html
for the basics and start with a working set.
Now I'm trying to get rid of ntlm_auth and switch to ldaps or kerberos.
This is what I found, don't know if that's exactly what you're looking for.
(module)
krb5 {
keytab = /etc/freeradius/keytab
service_principal = radius/radius.example.com
}
authenticate {
Auth-Type PAP {
krb5
}
Auth-Type Kerberos {
krb5
}
}
For my squid server I needed the correct SPN also.
For that I've added these to the environment file to load.
KRB5_KTNAME=/etc/squid/keytab.PROXY
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE
And the SPN which squid needs (the only one) is in keytab.PROXY
The CA root cert is merged in /etc/ssl/certs/ca-certificates.crt to make sure my
ldaps works ok.
I hope this helps you a bit.
And if you get it working it would be very nice to post it here for when I'm
working on freeradius again.
;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Brian Candler via samba
> Sent: Tuesday 20 December 2016 11:57
> To: samba
> Subject: Re: [Samba] Problem with keytab: "Client not found in Kerberos database"
>
> I finally found it, thanks to a clue from
> https://wiki.archlinux.org/index.php/Active_Directory_Integration
>
> This works:
>
> kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'
>
> These don't work:
>
> kinit -k -t /etc/krb5.keytab
> kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
> kinit -k -t /etc/krb5.keytab host/wrn-radtest
>
> That is: the keytab contains three different principals:
>
> root@wrn-radtest:~# net ads keytab list
> Vno Type Principal
> 2 des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
> 2 des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
> 2 aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
> 2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
> 2 arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
> 2 des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
> 2 des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
> 2 aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
> 2 aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
> 2 arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
> 2 des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
> 2 des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
> 2 aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
> 2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
> 2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
>
> I can get a TGT for any of them, and by default kinit chooses the
> first. But the LDAP server won't talk to me unless I choose the
> 'WRN-RADTEST$' principal.
>
> Now I just need to work out how to get freeradius to choose the right
> principal - but at worst I should be able to make a new keytab which
> doesn't have the other two.
>
> Regards,
>
> Brian.
>