Rowland Penny
2016-Dec-20 14:10 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
On Tue, 20 Dec 2016 13:50:40 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> Rowland Penny wrote:
> > > imdap config AD : backend = rid
> >
> > How did you 'fix' this, on face value, there is nothing wrong with that line.
>
> "imdap" is not "idmap"
>
> (so now you understand why I missed it after staring at it so long :-)

Oh yes ;-)

> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
> authentication. The krb5 module requires a cleartext password, but
> MSCHAP does not pass a cleartext password. (It is possible to use
> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
> cleartext password)

You might want to read this:

https://www.samba.org/samba/history/samba-4.5.0.html

Rowland
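The root cause in this thread was a one-letter typo in a parameter name ("imdap" for "idmap") that nobody spotted by eye. As an added example, not part of the thread or of Samba, here is a small Python linter that parses an smb.conf, normalises parameter names the way Samba matches them (case- and whitespace-insensitive), collapses the per-domain part of "idmap config DOM : option" so one entry covers every domain, and flags names not in a known list together with the closest suggestion. The `KNOWN_PARAMS` set is a constructed, partial subset of real Samba parameters and the sample smb.conf is constructed; in practice `testparm` remains the authoritative check, this only shows how such a lint works.

```python
"""Lint an smb.conf for misspelled parameter names (added example, not Samba code)."""
import difflib
import re

# Constructed, partial subset of real Samba parameter names, stored in the
# canonical form used for lookup below (lowercase, single spaces, '*' for the
# per-domain part of idmap config lines). Extend it for your own setup.
KNOWN_PARAMS = {
    "workgroup", "realm", "security", "netbios name", "server role",
    "winbind use default domain", "winbind enum users", "winbind enum groups",
    "winbind refresh tickets", "winbind offline logon",
    "kerberos method", "dedicated keytab file",
    "template shell", "template homedir",
    "idmap config * : backend", "idmap config * : range",
    "idmap config * : schema_mode", "idmap config * : unix_nss_info",
    "idmap config * : unix_primary_group",
}

# Matches "<prefix> config <domain> : <option>" after normalisation.
_DOMAIN_RE = re.compile(r"^(\S+) config (\S+?)\s*:\s*(\S+)$")

# Constructed sample smb.conf containing two typos (lines 5 and 7).
SAMPLE_SMB_CONF = """[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ADS
   imdap config AD : backend = rid
   idmap config AD : range = 10000-999999
   winbind use defualt domain = yes
"""


def normalise(name):
    """Samba matches parameter names case- and whitespace-insensitively."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def canonical(name):
    """Return (lookup_key, domain).

    For 'idmap config DOM : opt' the domain is replaced by '*' in the key so a
    single KNOWN_PARAMS entry covers all domains; the domain is returned
    separately so it can be put back into any suggestion.
    """
    n = normalise(name)
    m = _DOMAIN_RE.match(n)
    if m:
        return f"{m.group(1)} config * : {m.group(3)}", m.group(2)
    return n, None


def suggest(key, domain):
    """Closest known parameter name, with the original domain restored."""
    match = difflib.get_close_matches(key, KNOWN_PARAMS, n=1, cutoff=0.75)
    if not match:
        return None
    if domain is not None and domain != "*":
        return match[0].replace(" * ", f" {domain} ")
    return match[0]


def lint_smb_conf(text):
    """Return [(line_no, normalised_name, suggestion_or_None)] for each
    parameter name that is not in KNOWN_PARAMS."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue  # blank line, comment or [section] header
        if "=" not in line:
            continue  # not a parameter assignment
        name = line.split("=", 1)[0]
        key, domain = canonical(name)
        if key in KNOWN_PARAMS:
            continue
        findings.append((line_no, normalise(name), suggest(key, domain)))
    return findings


if __name__ == "__main__":
    for line_no, name, hint in lint_smb_conf(SAMPLE_SMB_CONF):
        extra = f" (did you mean '{hint}'?)" if hint else ""
        print(f"line {line_no}: unknown parameter '{name}'{extra}")
```

Run against the constructed sample, the linter reports line 5 with the suggestion "idmap config ad : backend" and line 7 with "winbind use default domain"; a parameter that is merely absent from the partial list is reported without a suggestion, which is why the list should be extended or `testparm` consulted before trusting a finding.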
Brian Candler
2016-Dec-21 15:26 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
On 20/12/2016 14:10, Rowland Penny wrote:
>> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
>> authentication. The krb5 module requires a cleartext password, but
>> MSCHAP does not pass a cleartext password. (It is possible to use
>> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
>> cleartext password)
> You might want to read this:
>
> https://www.samba.org/samba/history/samba-4.5.0.html

I'm not sure which section you mean is relevant. Maybe this:

"When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user."

That sounds cool, but I can already use ntlm_auth to validate the MSCHAP passwords. Modifying FreeRADIUS to be able to do this via Kerberos doesn't gain me much.

The other thing which I'd already noticed was the server-side storage of GPG-encrypted plaintext passwords. It doesn't make a difference to MSCHAP, but it'll be useful if I end up using an auth method which requires the server to have the cleartext password (e.g. EAP-PWD).

Cheers,

Brian.
Rowland Penny
2016-Dec-21 16:36 UTC
[Samba] Problem with keytab: "Client not found in Kerberos database"
On Wed, 21 Dec 2016 15:26:41 +0000
Brian Candler <b.candler at pobox.com> wrote:

> On 20/12/2016 14:10, Rowland Penny wrote:
> >> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
> >> authentication. The krb5 module requires a cleartext password, but
> >> MSCHAP does not pass a cleartext password. (It is possible to use
> >> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
> >> cleartext password)
> > You might want to read this:
> >
> > https://www.samba.org/samba/history/samba-4.5.0.html
>
> I'm not sure which section you mean is relevant. Maybe this:
>
> "When doing a PKINIT based Kerberos logon the KDC adds the
> required PAC_CREDENTIAL_INFO element to the authorization data.
> That means the NTHASH is shared between the PKINIT based client and
> the domain controller, which allows the client to do NTLM based
> authentication on behalf of the user."
>
> That sounds cool, but I can already use ntlm_auth to validate the
> MSCHAP passwords. Modifying FreeRADIUS to be able to do this via
> Kerberos doesn't gain me much.
>
> The other thing which I'd already noticed was the server-side storage
> of GPG-encrypted plaintext passwords. It doesn't make a difference to
> MSCHAP, but it'll be useful if I end up using an auth method which
> requires the server to have the cleartext password (e.g. EAP-PWD)
>
> Cheers,
>
> Brian.
>

No, I meant the info at the top that now states that MSCHAP probably won't work without modifying smb.conf.

Rowland