Jakub Kulesza
2017-Apr-23 07:39 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
Hi!
I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
stayed the same, but then some crazy miracles started to
happen. 4.3.11+dfsg-0ubuntu0.16.04.6
I cannot log in now with my Windows machines, yet I can view the files on
Linux using smbclient.
My smb.conf
[global]
workgroup = Gsomething
realm = BIURO.domain
netbios name = PDC
security = auto
server role = active directory domain controller
dns forwarder = 192.168.0.252
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, winreg, srvsvc
server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind,
ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
client use spnego = yes
map acl inherit = Yes
hosts allow = ALL
max open files = 57000
vfs objects = acl_xattr, full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
log level = 1
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
server signing = auto
ldap server require strong auth = no
raw NTLMv2 auth = yes
client ipc signing = auto
client ldap sasl wrapping = plain
idmap config GPMV : backend = ad
idmap config GPMV : range = 1000-9999999
map untrusted to domain = Yes
winbind enum groups = yes
winbind enum users = yes
store dos attributes = yes
kerberos method = secrets and keytab
usershare max shares = 0
encrypt passwords = yes
password server = pdc.biuro.domain
[netlogon]
path = /var/local/samba/var/lib/samba/netlogon
read only = No
(and then come the shares)
My krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = BIURO.domain
dns_lookup_realm = false
dns_lookup_kdc = true
default_keytab_name = /etc/krb5.keytab
allow_weak_crypto = true
[realms]
BIURO.domain = {
kdc = pdc.biuro.domain
admin_server = pdc.biuro.domain
}
this is what kerberos throws in auth.log when I try to log in with a
win2008 client:
Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3})
192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client
not found in Kerberos database
Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
krbtgt/BIURO.domain at BIURO.domain, Client not found in Kerberos database
Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
krbtgt/BIURO.domain at BIURO.domain Client not found in Kerberos database
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
LDAP/pdc.biuro.domain/biuro.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
samba does not log anything funny, apart from winbind exiting with "1".
I guess this is due to the fact that I have winbind in server services.
wbinfo -u works
getent passwd works
kinit Administrator FAILS
kinit: Client 'Administrator at BIURO.domain' not found in Kerberos
database
while getting initial credentials
kinit admin/admin succeeds
any suggestions?
shouldn't I have kdc in server services?
Rowland Penny
2017-Apr-23 08:32 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
On Sun, 23 Apr 2017 09:39:53 +0200 Jakub Kulesza via samba <samba at lists.samba.org> wrote:
> Hi!
>
> I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
> stayed the same, but then some crazy miracles started to
> happen. 4.3.11+dfsg-0ubuntu0.16.04.6
>
You haven't got a PDC, you have an AD DC
Can I suggest you remove these lines:
security = auto
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, winreg, srvsvc
client use spnego = yes
map acl inherit = Yes
hosts allow = ALL
server signing = auto
raw NTLMv2 auth = yes
client ipc signing = auto
client ldap sasl wrapping = plain
idmap config GPMV : backend = ad
idmap config GPMV : range = 1000-9999999
map untrusted to domain = Yes
store dos attributes = yes
kerberos method = secrets and keytab
usershare max shares = 0
encrypt passwords = yes
password server = pdc.biuro.domain
Change this :
vfs objects = acl_xattr, full_audit
To:
vfs objects = full_audit
But put it into a share!
Also finally, there is this:
server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind,
ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
I suggest you remove this as well because you have all the default
settings and 'winbind' & 'winbindd'
Rowland
Jakub Kulesza
2017-Apr-23 09:40 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
OK, I've deleted everything what Rowland suggested. THANKS
Now smb.conf looks like this
[global]
workgroup = GPMV
realm = BIURO.domain
netbios name = PDC
server role = active directory domain controller
dns forwarder = 192.168.0.252
max open files = 57000
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
log level = 1
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
ldap server require strong auth = no
winbind enum groups = yes
winbind enum users = yes
[netlogon]
path = /var/local/samba/var/lib/samba/netlogon
#path = /var/lib/samba/sysvol/biuro.domain/scripts
read only = No
guest ok = yes
The result - the same. logging on a win2008 with user jkadmin gives the
following:
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3})
192.168.0.139: CLIENT_NOT_FOUND: jkadmin at biuro.domain.pl for krbtgt/
biuro.domain.pl at biuro.domain.pl, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?)
request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?)
request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?)
request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for LDAP/
pdc.biuro.domain.pl/biuro.domain.pl at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
funny thing, with ads testjoin
# net ads testjoin -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=192.168.0.251 bcast=192.168.0.255
netmask=255.255.255.0
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
Connected to LDAP server pdc.biuro.gpm-vindexus.pl
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
kerberos_kinit_password GPMV at BIURO.GPM-VINDEXUS.PL failed: Decrypt
integrity check failed
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
resolve_hosts: Attempting host lookup for name pdc.biuro.gpm-vindexus.pl
<0x20>
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
Successfully contacted LDAP server 192.168.0.251
Connected to LDAP server pdc.biuro.gpm-vindexus.pl
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password GPMV at BIURO.GPM-VINDEXUS.PL failed: Decrypt
integrity check failed
Join to domain is not valid: Logon failure
return code = -1
2017-04-23 10:32 GMT+02:00 Rowland Penny <rpenny at samba.org>:
> On Sun, 23 Apr 2017 09:39:53 +0200
> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>
> > Hi!
> >
> > I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
> > stayed the same, but then some crazy miracles started to
> > happen. 4.3.11+dfsg-0ubuntu0.16.04.6
> >
>
> You haven't got a PDC, you have an AD DC
>
> Can I suggest you remove these lines:
>
> security = auto
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, winreg, srvsvc
> client use spnego = yes
> map acl inherit = Yes
> hosts allow = ALL
> server signing = auto
> raw NTLMv2 auth = yes
> client ipc signing = auto
> client ldap sasl wrapping = plain
> idmap config GPMV : backend = ad
> idmap config GPMV : range = 1000-9999999
> map untrusted to domain = Yes
> store dos attributes = yes
> kerberos method = secrets and keytab
> usershare max shares = 0
> encrypt passwords = yes
> password server = pdc.biuro.domain
>
> Change this :
>
> vfs objects = acl_xattr, full_audit
>
> To:
>
> vfs objects = full_audit
>
> But put it into a share!
>
> Also finally, there is this:
> server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind,
> ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
>
> I suggest you remove this as well because you have all the default
> settings and 'winbind' & 'winbindd'
>
> Rowland
>
>
>
Andrew Bartlett
2017-Apr-23 10:39 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
On Sun, 2017-04-23 at 09:39 +0200, Jakub Kulesza via samba wrote:
> this is what kerberos throws in auth.log when I try to log in with a
> win2008 client:
>
> Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
> Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3})
> 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client
> not found in Kerberos database
> Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15
> Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
> 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
> krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
> Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
> Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
> 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
> krbtgt/BIURO.domain at BIURO.domain, Client not found in Kerberos database
> Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
> Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
> 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
> krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
> Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
> Apr 23 09:17:57 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
> 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
> krbtgt/BIURO.domain at BIURO.domain Client not found in Kerberos database
> Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
> Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
> 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
> LDAP/pdc.biuro.domain/biuro.domain at BIURO.domain, Bad encryption type
> Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Somehow you have started MIT krb5 and not Samba on your server. It is
handling port 88 (kerberos) and is very confused.
Stop the MIT KDC process, and restart samba.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Jakub Kulesza
2017-Apr-23 11:21 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
Andrew, thanks for answering. My ubuntu shows this:
# systemctl | grep kr
krb5-admin-server.service loaded active running Kerberos 5 Admin Server
krb5-kdc.service loaded active running Kerberos 5 Key Distribution Center
Should I disable both?
2017-04-23 12:39 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2017-04-23 at 09:39 +0200, Jakub Kulesza via samba wrote:
> > this is what kerberos throws in auth.log when I try to log in with a
> > win2008 client:
> >
> > Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
> > Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3})
> > 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client
> > not found in Kerberos database
> > Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15
> > Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
> > 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
> > krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
> > Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
> > Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
> > 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
> > krbtgt/BIURO.domain at BIURO.domain, Client not found in Kerberos database
> > Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
> > Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
> > 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
> > krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
> > Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
> > Apr 23 09:17:57 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
> > 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
> > krbtgt/BIURO.domain at BIURO.domain Client not found in Kerberos database
> > Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
> > Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
> > 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
> > LDAP/pdc.biuro.domain/biuro.domain at BIURO.domain, Bad encryption type
> > Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
>
> Somehow you have started MIT krb5 and not Samba on your server. It is
> handling port 88 (kerberos) and is very confused.
>
> Stop the MIT KDC process, and restart samba.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
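The tell Andrew used is visible in the logs themselves: on a Samba AD DC the KDC runs inside the `samba` process, so auth.log lines tagged `krb5kdc[...]` or `kadmind[...]` mean a separate MIT KDC is answering port 88 and rejecting clients it has no database for. The following script, added here as an example and not code from the thread or from the Samba project, automates that check three ways: it counts MIT daemon tags in syslog lines, finds which process holds port 88 in `ss -lntup` style output, and lists active `krb5-*` systemd units as in Jakub's `systemctl | grep kr` output. All sample data is constructed, modelled on the output quoted in the thread; the `ss` and `systemctl` column layouts are assumptions.

```python
"""Spot an MIT KDC that has taken port 88 away from a Samba AD DC.

Added example, not code from the thread or from Samba. Samples below are
constructed, modelled on what the thread quotes; column layouts are assumed.
"""
import re
from collections import Counter

# Daemons shipped by MIT Kerberos; neither belongs on a Samba AD DC.
MIT_KRB5_DAEMONS = {"krb5kdc", "kadmind"}

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<tag>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ERROR_PATTERNS = {
    "client_not_found": re.compile(r"CLIENT_NOT_FOUND|Client not found in Kerberos database"),
    "bad_enctype": re.compile(r"Bad encryption type"),
}
# users:(("krb5kdc",pid=643,fd=15)) as printed by ss -p
SS_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample; "@" is written out where the list archive shows " at ".
SAMPLE_AUTH_LOG = """\
Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: qubix@GPMV for krbtgt/GPMV@GPMV, Client not found in Kerberos database
Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain@BIURO.domain, Bad encryption type
Apr 23 09:18:02 pdc samba[1200]: constructed line from the built-in KDC, not flagged
"""

# Constructed `ss -lntup` output (layout assumed: Netid State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=643,fd=15))
tcp   LISTEN 0      128          0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=643,fd=16))
tcp   LISTEN 0      128          0.0.0.0:389       0.0.0.0:*    users:(("samba",pid=1200,fd=30))
"""

# Constructed `systemctl` output; the two krb5 lines match what the thread quotes.
SAMPLE_SYSTEMCTL = """\
krb5-admin-server.service loaded active running Kerberos 5 Admin Server
krb5-kdc.service loaded active running Kerberos 5 Key Distribution Center
samba-ad-dc.service loaded active running Samba AD Daemon
"""


def kdc_daemon_tags(log_text):
    """Count syslog lines written by MIT KDC daemons; any hit on an AD DC is a red flag."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and m.group("tag") in MIT_KRB5_DAEMONS:
            counts[m.group("tag")] += 1
    return counts


def classify_kdc_errors(log_text):
    """Count the two error classes seen in the thread, one hit per line per class."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, pattern in ERROR_PATTERNS.items():
            if pattern.search(line):
                counts[name] += 1
    return counts


def port_owners(ss_output, port=88):
    """Process names bound to the given local port (field 5 is the local address:port)."""
    owners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4].endswith(f":{port}"):
            owners.update(name for name, _pid in SS_PROC_RE.findall(line))
    return owners


def active_mit_units(systemctl_output):
    """Active systemd units from the MIT packages (Debian/Ubuntu name them krb5-*)."""
    active = set()
    for line in systemctl_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].startswith("krb5-") and fields[2] == "active":
            active.add(fields[0])
    return active


def diagnose(log_text, ss_output, systemctl_output, dc_process="samba"):
    """Return a list of findings; an empty list means port 88 belongs to the AD DC."""
    findings = []
    tags = kdc_daemon_tags(log_text)
    if tags:
        findings.append("MIT daemons logging: " + ", ".join(sorted(tags)))
    foreign = port_owners(ss_output) - {dc_process}
    if foreign:
        findings.append("port 88 held by: " + ", ".join(sorted(foreign)))
    units = active_mit_units(systemctl_output)
    if units:
        findings.append("active MIT units: " + ", ".join(sorted(units)))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_AUTH_LOG, SAMPLE_SS, SAMPLE_SYSTEMCTL):
        print(finding)
    print("errors by class:", dict(classify_kdc_errors(SAMPLE_AUTH_LOG)))
```

On a live host feed it `journalctl -u krb5-kdc` or `/var/log/auth.log`, `ss -lntup` and `systemctl` output instead of the samples. The fix matching Andrew's advice is to stop and disable the MIT units (`krb5-kdc.service` and `krb5-admin-server.service` on this Ubuntu) and then restart `samba`; rerunning the check should then report nothing and show `samba` as the only owner of port 88.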