samba - Mar 2017 - Joining Samba4 to Win 2008 AD domain breaks other kerberos functions

I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.)


I am trying to join a Solaris 11 machine  to the domain for both Samba 
and other services.  For "unix" logins and ssh, Solaris 11 is
configured
to use LDAP for user and group lookup and kerberos for authentication.


The "kclient -T ms_ad" command joins the Solaris machine to the AD 
domain.    It even creates the /etc/krb5/krb5.keytab file with several 
service principal entries.    (I pasted this at the bottom of this 
e-mail.)  This allows me to ssh in to the machine using my kerberos 
password.


When I run "net ads join -S domaincontroller -U Administration" , the 
samba join appears to work.     However, I can no longer ssh in .

The log files shows

     sshd[12225]: [ID 537602 auth.error] PAM-KRB5 (auth): 
krb5_verify_init_creds failed: Key version number for principal in key 
table is incorrect


I ran kvno prior to "net join" to see if I could find any changes on
any
of the principals.   I did not find any.     However the "pwdLastSet" 
attribute was updated (which means, not surprisingly, that the samba 
"net ads join" changed machine's password when joining.      I
also
notice that the "msDS-SupportedEncryptionTypes" attribute is reset to
31
(i.e all encryption types.)   I had change it to 28 (to exclude DES)


I tried setting "kerberos method = secrets and keytab" in smb.conf,
but
did not help.      I would think solution might be to create a new 
krb5.keytab file on the AD server that has a single principal that can 
provide authentication for both unix logins and samba.     The kutil 
command in Windows makes it pretty much impossible to create a 
krb5.keytab file  with multiple service principals.


What service principal is Samba using ?   Assuming my machine is 
"client1" in the realm "MYREALM"  I would expect the
principal to be
"CLIENT1$@MYREALM."


If I set  "kerberos method = keytab" while samba try to create a
keytab ?


I appreciate any advice


Thanks














            root at client1:/etc/krb5# klist -ke

            Keytab name: FILE:/etc/krb5/krb5.keytab

            KVNO Principal

            ----
           
--------------------------------------------------------------------------

            2 host/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
            with 96-bit SHA-1 HMAC)

            2 host/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
            with 96-bit SHA-1 HMAC)

            2 host/client1.mydomain.com at MYREALM.COM (ArcFour with HMAC/md5)

            2 host/client1.mydomain.com at MYREALM.COM (DES cbc mode with
            RSA-MD5)

            2 nfs/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
            with 96-bit SHA-1 HMAC)

            2 nfs/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
            with 96-bit SHA-1 HMAC)

            2 nfs/client1.mydomain.com at MYREALM.COM (ArcFour with HMAC/md5)

            2 nfs/client1.mydomain.com at MYREALM.COM (DES cbc mode with
            RSA-MD5)

            2 HTTP/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
            with 96-bit SHA-1 HMAC)

            2 HTTP/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
            with 96-bit SHA-1 HMAC)

            2 HTTP/client1.mydomain.com at MYREALM.COM (ArcFour with HMAC/md5)

            2 HTTP/client1.mydomain.com at MYREALM.COM (DES cbc mode with
            RSA-MD5)

            2 root/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
            with 96-bit SHA-1 HMAC)

            2 root/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
            with 96-bit SHA-1 HMAC)

            2 root/client1.mydomain.com at MYREALM.COM (ArcFour with HMAC/md5)

            2 root/client1.mydomain.com at MYREALM.COM (DES cbc mode with
            RSA-MD5)

            2 cifs/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
            with 96-bit SHA-1 HMAC)

            2 cifs/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
            with 96-bit SHA-1 HMAC)

            2 cifs/client1.mydomain.com at MYREALM.COM (ArcFour with HMAC/md5)

            2 cifs/client1.mydomain.com at MYREALM.COM (DES cbc mode with
            RSA-MD5)

            2 CLIENT1$@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1
            HMAC)

            2 CLIENT1$@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1
            HMAC)

            2 CLIENT1$@MYREALM.COM (ArcFour with HMAC/md5)

            2 CLIENT1$@MYREALM.COM (DES cbc mode with RSA-MD5)

            2 host/CLIENT1 at MYREALM.COM (AES-256 CTS mode with 96-bit
            SHA-1 HMAC)

            2 host/CLIENT1 at MYREALM.COM (AES-128 CTS mode with 96-bit
            SHA-1 HMAC)

            2 host/CLIENT1 at MYREALM.COM (ArcFour with HMAC/md5)

            2 host/CLIENT1 at MYREALM.COM (DES cbc mode with RSA-MD5)

            2 cifs/CLIENT1 at MYREALM.COM (AES-256 CTS mode with 96-bit
            SHA-1 HMAC)

            2 cifs/CLIENT1 at MYREALM.COM (AES-128 CTS mode with 96-bit
            SHA-1 HMAC)

            2 cifs/CLIENT1 at MYREALM.COM (ArcFour with HMAC/md5)

            2 cifs/CLIENT1 at MYREALM.COM (DES cbc mode with RSA-MD5)

            root at client1:/etc/krb5#

Samba expects the keytab file as /etc/krb5.keytab.

Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab

When samba joins the domain it (probably) updates the machine password  
and then updates its krb5.keytab file.       When connecting via ssh, 
the system would use a keytab file that had the wrong kvno and probably 
the wrong password key.


The following symlink command fixed ssh logins

     ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab





On 03/09/17 17:42, Gaiseric Vandal wrote:
>
> I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.)
>
>
> I am trying to join a Solaris 11 machine  to the domain for both Samba 
> and other services.  For "unix" logins and ssh, Solaris 11 is 
> configured to use LDAP for user and group lookup and kerberos for 
> authentication.
>
>
> The "kclient -T ms_ad" command joins the Solaris machine to the
AD
> domain.    It even creates the /etc/krb5/krb5.keytab file with several 
> service principal entries.    (I pasted this at the bottom of this 
> e-mail.)  This allows me to ssh in to the machine using my kerberos 
> password.
>
>
> When I run "net ads join -S domaincontroller -U Administration" ,
the
> samba join appears to work.     However, I can no longer ssh in .
>
> The log files shows
>
>     sshd[12225]: [ID 537602 auth.error] PAM-KRB5 (auth): 
> krb5_verify_init_creds failed: Key version number for principal in key 
> table is incorrect
>
>
> I ran kvno prior to "net join" to see if I could find any changes
on
> any of the principals.   I did not find any. However the
"pwdLastSet"
> attribute was updated (which means, not surprisingly, that the samba 
> "net ads join" changed machine's password when joining.     
I also
> notice that the "msDS-SupportedEncryptionTypes" attribute is
reset to
> 31 (i.e all encryption types.)   I had change it to 28 (to exclude DES)
>
>
> I tried setting "kerberos method = secrets and keytab" in
smb.conf,
> but did not help.      I would think solution might be to create a new 
> krb5.keytab file on the AD server that has a single principal that can 
> provide authentication for both unix logins and samba.     The kutil 
> command in Windows makes it pretty much impossible to create a 
> krb5.keytab file  with multiple service principals.
>
>
> What service principal is Samba using ?   Assuming my machine is 
> "client1" in the realm "MYREALM"  I would expect the
principal to be
> "CLIENT1$@MYREALM."
>
>
> If I set  "kerberos method = keytab" while samba try to create a
keytab ?
>
>
> I appreciate any advice
>
>
> Thanks
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>             root at client1:/etc/krb5# klist -ke
>
>             Keytab name: FILE:/etc/krb5/krb5.keytab
>
>             KVNO Principal
>
>             ----
>            
--------------------------------------------------------------------------
>
>             2 host/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 host/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 host/client1.mydomain.com at MYREALM.COM (ArcFour with
>             HMAC/md5)
>
>             2 host/client1.mydomain.com at MYREALM.COM (DES cbc mode with
>             RSA-MD5)
>
>             2 nfs/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 nfs/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 nfs/client1.mydomain.com at MYREALM.COM (ArcFour with
>             HMAC/md5)
>
>             2 nfs/client1.mydomain.com at MYREALM.COM (DES cbc mode with
>             RSA-MD5)
>
>             2 HTTP/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 HTTP/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 HTTP/client1.mydomain.com at MYREALM.COM (ArcFour with
>             HMAC/md5)
>
>             2 HTTP/client1.mydomain.com at MYREALM.COM (DES cbc mode with
>             RSA-MD5)
>
>             2 root/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 root/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 root/client1.mydomain.com at MYREALM.COM (ArcFour with
>             HMAC/md5)
>
>             2 root/client1.mydomain.com at MYREALM.COM (DES cbc mode with
>             RSA-MD5)
>
>             2 cifs/client1.mydomain.com at MYREALM.COM (AES-256 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 cifs/client1.mydomain.com at MYREALM.COM (AES-128 CTS mode
>             with 96-bit SHA-1 HMAC)
>
>             2 cifs/client1.mydomain.com at MYREALM.COM (ArcFour with
>             HMAC/md5)
>
>             2 cifs/client1.mydomain.com at MYREALM.COM (DES cbc mode with
>             RSA-MD5)
>
>             2 CLIENT1$@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1
>             HMAC)
>
>             2 CLIENT1$@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1
>             HMAC)
>
>             2 CLIENT1$@MYREALM.COM (ArcFour with HMAC/md5)
>
>             2 CLIENT1$@MYREALM.COM (DES cbc mode with RSA-MD5)
>
>             2 host/CLIENT1 at MYREALM.COM (AES-256 CTS mode with 96-bit
>             SHA-1 HMAC)
>
>             2 host/CLIENT1 at MYREALM.COM (AES-128 CTS mode with 96-bit
>             SHA-1 HMAC)
>
>             2 host/CLIENT1 at MYREALM.COM (ArcFour with HMAC/md5)
>
>             2 host/CLIENT1 at MYREALM.COM (DES cbc mode with RSA-MD5)
>
>             2 cifs/CLIENT1 at MYREALM.COM (AES-256 CTS mode with 96-bit
>             SHA-1 HMAC)
>
>             2 cifs/CLIENT1 at MYREALM.COM (AES-128 CTS mode with 96-bit
>             SHA-1 HMAC)
>
>             2 cifs/CLIENT1 at MYREALM.COM (ArcFour with HMAC/md5)
>
>             2 cifs/CLIENT1 at MYREALM.COM (DES cbc mode with RSA-MD5)
>
>             root at client1:/etc/krb5#
>
>
>
>
>

On Thu, 16 Mar 2017 14:48:01 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> Samba expects the keytab file as /etc/krb5.keytab.
> 
> Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab
> 
> When samba joins the domain it (probably) updates the machine
> password and then updates its krb5.keytab file.       When connecting
> via ssh, the system would use a keytab file that had the wrong kvno
> and probably the wrong password key.
> 
> 
> The following symlink command fixed ssh logins
> 
>      ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab
> 
Did you try:

kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5/krb5.keytab

Rowland