L.P.H. van Belle
2017-Jun-20  09:13 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai Baptiste,

What you can try; Type:

ktutil (enter)
rkt /etc/krb5.keytab
rkt /var/lib/samba/private/krb5.keytab
list

Now check if you see,
host/server.internal.domain.tld at REALM
host/server at REALM
(same (both) for nfs/.. at REALM)
And NETBIOSNAME$@REALM

If you see all, you can write this back to a new file.
wkt /etc/krb5.keytab.new1

And if needed you can also cleanup the keytab file before writing.

Now choose, of
dedicated keytab file = /etc/krb5.keytab
Or use the samba default in /var/lib/samba/private/krb5.keytab

In case of the samba default
rm /etc/krb5.keytab
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

Some extra info on the keytab things.
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump via samba
> Sent: Tuesday 20 June 2017 10:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
>
> Thanks for the help !!!
>
> 2017-06-19 23:58 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
> >> Hello Samba team !
> >>
> >> I am in a very delicate situation. After an upgrade to debian Stretch
> >> my DRS stopped working.
> >
> > Have you ever had MIT krb5 installed, or is krb5kdc now running?
> >
> > Samba doesn't use /etc/krb5.keytab, so this may be related to some
> > previous install (or may be related to how you are trying to use NFS).
> >
>
> I have checked, MIT kerberos is not installed, just the "krb5-user"
> kerberos client package.
>
> >>
> >> This seems to be a computer account problem. But I can't find any
> >> problem in Kerberos :
> >>
> >>
> >> --------------------------------
> >> # kinit -k FICHDC$
> >> # klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> >
> > Can you do this against the secrets.keytab in Samba's private/ dir?
> >
> > You can reset the Samba machine account pw with
> > ./source4/scripting/devel/chgtdcpass, but:
> > - it won't be packaged so you will have to build Samba and tell it to
> > operate against the right paths
> > - it shouldn't be needed, upgrades shouldn't break this, and
> > understanding the root cause would be better
> >
> > Does 'samba-tool time -P' work? Is it any different with 'samba-tool
> > time -P -k no'? (It seems your issue is related primarily to kerberos
> > and a keytab out of sync somehow).
> >
>
> Yes you're right ! I need to understand the root of the problem as I
> have some other DC to upgrade in the same manner. And you're right,
> authentication with the private keytab does not work. But strangely it
> works with /etc/krb5.keytab.
>
> --------------------------------
> --------------------------------
> ~# klist -e -k /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>
>
> ~# kinit -V -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> Using default cache: /tmp/krb5cc_0
> Using principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> Using keytab: /var/lib/samba/private/secrets.keytab
> kinit: Preauthentication failed while getting initial credentials
>
> ~# samba-tool time -P
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
>
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
>     self.outf.write(net.time(server_name)+"\n")
>
> ~# samba-tool time -P -k no
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
>     self.outf.write(net.time(server_name)+"\n")
>
> ~# klist -e -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>
> ~# kinit -k -t /etc/krb5.keytab FICHDC$
>
> --------------------------------
> --------------------------------
>
> I don't know what "KVNO" is. But on "/etc/krb5.keytab" there are "1"
> and "2" FICHDC$ principal entries. But on
> "/var/lib/samba/private/secrets.keytab" there is only "1".
>
> And in the samba log file I have :
>
> --------------------------------
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> --------------------------------
>
> How is "/var/lib/samba/private/secrets.keytab" updated by samba ?
>
> Thank you very much for the help !
>
> Baptiste.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2017-Jun-20  09:37 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 20 Jun 2017 11:13:25 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

If you check what the OP posted from:

klist -e -k /var/lib/samba/private/secrets.keytab

There is this in reference to his DC:

   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)

Amongst his previous output was this:

GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)

I can see FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in the output above,
but I do not see 'arcfour-hmac-md5'

Rowland
Andrew Bartlett
2017-Jun-20  10:31 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 2017-06-20 at 11:13 +0200, L.P.H. van Belle via samba wrote:
> Now choose, of
> dedicated keytab file = /etc/krb5.keytab

To be clear, this parameter is not used in the AD DC.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Prunk Dump
2017-Jun-20  10:52 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
2017-06-20 11:37 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 20 Jun 2017 11:13:25 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> If you check what the OP posted from:
>
> klist -e -k /var/lib/samba/private/secrets.keytab
>
> There is this in reference to his DC:
>
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>
> Amongst his previous output was this:
>
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
> Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
> FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>
> I can see FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in the output above,
> but I do not see 'arcfour-hmac-md5'
>
> Rowland

I have regenerated one keytab for the "FICHDC$" and "HOST/fichdc" principals and copied the keytab file to both "/etc/krb5.keytab" and "/var/lib/samba/private/secrets.keytab" for safety (I have made a backup of the old keytab files). But authentication with the machine account still does not work :

----------------------------
~# samba-tool domain exportkeytab /tmp/krb5.keytab --principal="FICHDC$"
~# samba-tool domain exportkeytab /tmp/krb5.keytab --principal="HOST/fichdc"
~# klist -e -k /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
~# cp /tmp/krb5.keytab /etc/krb5.keytab
~# cp /tmp/krb5.keytab /var/lib/samba/private/secrets.keytab
~# systemctl restart samba-ad-dc
~# samba-tool time -P
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
    self.outf.write(net.time(server_name)+"\n")
----------------------------

The possible problem is that "KVNO" is still at "2" and there is no "aes128-cts-hmac-sha1-96" and "aes256-cts-hmac-sha1-96" encryption. But I don't know how to generate these encryption types with samba-tool. What account needs to be put in "net ads enctypes set <ACCOUNTNAME>" ?

Thank you very much for your help !!!

Baptiste.
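The diagnosis in this thread rests on two things that are visible in the posted output but easy to misread by eye: the KVNO column of `klist -e -k` against the `(kvno 2)` the KDC asks for in the Samba log line, and which encryption types each key version actually carries. The script below, added here as an example and not part of the thread or of Samba, parses both and reports whether a given keytab could satisfy the lookup in the log. The two keytab listings are constructed from the entries posted above (trimmed to a few lines), and the log line is the one Baptiste quoted. It also folds MIT krb5 enctype aliases together (arcfour-hmac-md5 and rc4-hmac are alternative names for arcfour-hmac), so the name in the log and the name in the listing compare equal, and it flags key versions that carry no AES key at all, which is what the exported keytab above shows.

```python
"""Compare a `klist -e -k` listing with the "Failed to find ...(kvno N)" message
from the Samba log and explain the mismatch. Example code, not Samba's own."""
import re
from collections import defaultdict

# Constructed sample modelled on the secrets.keytab listing posted in the thread
# (only a subset of the entries is reproduced here).
SECRETS_KEYTAB_LISTING = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
"""

# Constructed sample modelled on the keytab produced with
# `samba-tool domain exportkeytab` in the thread: kvno 2, but no AES entries.
EXPORTED_KEYTAB_LISTING = """\
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
"""

# The Samba log line quoted in the thread.
SAMBA_LOG_LINE = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab "
    "FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)"
)

# MIT krb5 accepts several names for the same enctype; reduce them to one form
# so a log message and a klist listing can be compared directly.
ENCTYPE_ALIASES = {
    "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}
AES_TYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
LOG_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")


def canonical(enctype):
    name = enctype.lower()
    return ENCTYPE_ALIASES.get(name, name)


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -e -k` output."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, principal, enctype = int(m.group(1)), m.group(2), canonical(m.group(3))
            table[principal][kvno].add(enctype)
    return table


def parse_failure(line):
    """Pull principal, kvno, keytab path and enctype out of the GSS failure message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"principal": m.group(1), "kvno": int(m.group(2)),
            "keytab": m.group(3), "enctype": canonical(m.group(4))}


def diagnose(table, failure):
    """Explain why the KDC's lookup described by `failure` misses in this keytab."""
    principal, kvno, enctype = failure["principal"], failure["kvno"], failure["enctype"]
    if principal not in table:
        return "principal-missing"
    if kvno not in table[principal]:
        return "kvno-mismatch"  # keytab holds only older key versions; the account password changed
    if enctype not in table[principal][kvno]:
        return "enctype-missing"
    return "ok"


def without_aes(table):
    """(principal, kvno) pairs that carry no AES key; clients using such a keytab
    can only negotiate the weaker RC4/DES types with the KDC."""
    return sorted((p, k) for p, versions in table.items()
                  for k, encs in versions.items() if not (encs & AES_TYPES))


if __name__ == "__main__":
    failure = parse_failure(SAMBA_LOG_LINE)
    for name, listing in (("secrets.keytab", SECRETS_KEYTAB_LISTING),
                          ("exported keytab", EXPORTED_KEYTAB_LISTING)):
        table = parse_klist(listing)
        print(f"{name}: {diagnose(table, failure)}; no AES key for {without_aes(table)}")
```

Run against the two listings, the first reports `kvno-mismatch` (the KDC wants key version 2, the old secrets.keytab only has version 1), and the second reports `ok` for the lookup in the log while still flagging that key version 2 has no AES key. Feeding it real output is a matter of piping `klist -e -k <keytab>` into `parse_klist` and grepping the GSS failure line out of the Samba log.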
L.P.H. van Belle
2017-Jun-20  11:19 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai Andrew,

Thanks, for that info, I didn't know that.

Just a thought.. Separate the config parameters per type, makes it much more readable.
Like :
man smb.conf.ad
man smb.conf.member
man smb.conf for all parameters.

Greetz,

Louis

> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday 20 June 2017 12:31
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
>
> On Tue, 2017-06-20 at 11:13 +0200, L.P.H. van Belle via samba wrote:
> > Now choose, of
> > dedicated keytab file = /etc/krb5.keytab
>
> To be clear, this parameter is not used in the AD DC.
>
> Thanks,
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
Rowland Penny
2017-Jun-20  11:22 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 20 Jun 2017 22:31:02 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Tue, 2017-06-20 at 11:13 +0200, L.P.H. van Belle via samba wrote:
> > Now choose, of
> > dedicated keytab file = /etc/krb5.keytab
>
> To be clear, this parameter is not used in the AD DC.
>
> Thanks,
>
> Andrew Bartlett
>

Shouldn't that be 'this parameter should not be added to smb.conf on an AD DC.'

You can have a keytab called 'krb5.keytab' in /etc, it just isn't used in authentication by the AD DC.

Just trying to clarify this ;-)

Rowland