Rowland Penny
2017-Jun-20 11:22 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 20 Jun 2017 22:31:02 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Tue, 2017-06-20 at 11:13 +0200, L.P.H. van Belle via samba wrote:
> > Now choose, of
> > dedicated keytab file = /etc/krb5.keytab
>
> To be clear, this parameter is not used in the AD DC.
>
> Thanks,
>
> Andrew Bartlett
>

Shouldn't that be 'this parameter should not be added to smb.conf on an AD DC.' You can have a keytab called 'krb5.keytab' in /etc, it just isn't used in authentication by the AD DC.

Just trying to clarify this ;-)

Rowland
Prunk Dump
2017-Jun-20 15:54 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hello, thanks again for the help!

I have analysed samba logs more closely. I am very worried. I have three DCs (fichdc, fichds01, fichds02) but here I talk just about fichdc's logs.

-> Almost every time, "AS-REQ" fails for the 3 DCs with something like this:
----------------
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.20:59818 for krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Looking for ENC-TS pa-data -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Failed to decrypt PA-DATA -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
----------------

-> Sometimes "AS-REQ" returns "PREAUTH-REQUIRED" like this:
----------------
Kerberos: AS-REQ FICHDS01$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.21:36076 for krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- FICHDS01$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
----------------

-> And sometimes, strangely, it works:
----------------
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.20:43320 for krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Looking for ENC-TS pa-data -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: ENC-TS Pre-authentication succeeded -- FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using arcfour-hmac-md5
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ authtime: 2017-06-20T15:43:15 starttime: unset endtime: 2017-06-21T01:43:15 renew till: 2017-06-21T15:43:15
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 20, 19, des3-cbc-sha1, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
----------------

-> "TGS-REQ" always works:
----------------
Kerberos: TGS-REQ FICHDS01$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from ipv4:172.16.0.21:40972 for ldap/fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2017-06-20T15:43:39 starttime: 2017-06-20T15:43:39 endtime: 2017-06-21T01:43:39 renew till: 2017-06-21T15:43:39
----------------

-> And the most important: bind to the other DCs always fails:
----------------
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.22[1024,seal,krb5,target_hostname=6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
----------------

Does someone have an idea of the origin of the problem? An idea of what I can do?

Baptiste.
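The three AS-REQ outcomes quoted in the message above can be triaged mechanically rather than by eye. This Python is an added example, not code from the thread or from Samba: it parses constructed log lines modelled on those excerpts, tallies pre-authentication outcomes per machine account and source address, and applies a heuristic that is my assumption, not a conclusion the thread reaches, namely that an account whose ENC-TS pre-auth both fails with a decrypt error and succeeds on the same KDC is presenting inconsistent keys (password out of sync between where it is stored) rather than simply a wrong password.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the Samba AD DC Kerberos log excerpts in the post.
REALM = "NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR"
SAMPLE_LOG = "\n".join([
    f"Kerberos: AS-REQ FICHDC$@{REALM} from ipv4:172.16.0.20:59818 for krbtgt/{REALM} at {REALM}",
    "Kerberos: Client sent patypes: encrypted-timestamp",
    f"Kerberos: Failed to decrypt PA-DATA -- FICHDC$@{REALM} (enctype arcfour-hmac-md5) error Decrypt integrity check failed",
    f"Kerberos: AS-REQ FICHDS01$@{REALM} from ipv4:172.16.0.21:36076 for krbtgt/{REALM} at {REALM}",
    f"Kerberos: No preauth found, returning PREAUTH-REQUIRED -- FICHDS01$@{REALM}",
    f"Kerberos: AS-REQ FICHDC$@{REALM} from ipv4:172.16.0.20:43320 for krbtgt/{REALM} at {REALM}",
    "Kerberos: Client sent patypes: encrypted-timestamp, 149",
    f"Kerberos: ENC-TS Pre-authentication succeeded -- FICHDC$@{REALM} using arcfour-hmac-md5",
])

AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+ ")
# Outcome lines, keyed by the label we tally under; group 1 is always the principal.
OUTCOMES = [
    ("decrypt_failed", re.compile(r"Failed to decrypt PA-DATA -- (\S+) \(enctype (\S+)\)")),
    ("preauth_required", re.compile(r"returning PREAUTH-REQUIRED -- (\S+)")),
    ("succeeded", re.compile(r"Pre-authentication succeeded -- (\S+) using (\S+)")),
]

def parse_as_req_outcomes(log_text):
    """Return (principal -> Counter of outcomes, principal -> set of source IPs).
    PREAUTH-REQUIRED is the normal first round trip of an AS exchange with
    pre-auth, so it is counted but is not itself an error."""
    results = defaultdict(Counter)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            sources[m.group(1)].add(m.group(2))
            continue
        for name, rx in OUTCOMES:
            m = rx.search(line)
            if m:
                results[m.group(1)][name] += 1
                break
    return results, sources

def diagnose(results):
    """Heuristic (an assumption of this example): a decrypt failure means the
    KDC's key for the principal did not decrypt the client's timestamp; if the
    same account also succeeds, the client is not always using the same key."""
    findings = {}
    for principal, counts in results.items():
        if counts["decrypt_failed"] and counts["succeeded"]:
            findings[principal] = "inconsistent key for this account: password out of sync suspected"
        elif counts["decrypt_failed"]:
            findings[principal] = "key held by this KDC does not match what the client uses"
    return findings
```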
Rowland Penny
2017-Jun-20 16:12 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 20 Jun 2017 17:54:09 +0200 Prunk Dump via samba <samba at lists.samba.org> wrote:
> Hello, thanks again for the help!
>
> I have analysed samba logs more closely. I am very worried. I have
> three DCs (fichdc, fichds01, fichds02) but here I talk just about
> fichdc's logs.
>

How did you upgrade 'jessie' to 'stretch' and why? Did all the Samba packages get upgraded (this includes things like talloc, tevent etc.)?

Rowland