Herman Øie Kolden
2017-Nov-22 12:07 UTC
[Samba] samba rotates keytabs without telling apache
Hello!

Our organization has since June had problems with samba on our web server incrementing keytab version numbers every month - precisely every month. Since apache2 with mod_auth_kerb isn't made aware of this, all our web sites go 503. The manual solution has been exporting new keytabs and reloading apache, but we haven't figured out why the KVNOs are incremented in the first place.

Some googling suggests "kerberos method = secrets and keytab", but this has not resolved the problem. Is this a known issue? Any suggestions for debugging? The log level has been 1 while this has been happening. It is now set to 2, but since there is a month until the next problem, nothing interesting has shown up in the logs (log.smbd) yet.

KDC packages: Debian stretch 9.1, linux 4.9.0-3-amd64, samba 2:4.5.8+dfsg-2+deb9u1+b1
Web server packages: Debian stretch 9.1, linux 4.11.8, samba 2:4.5.12+dfsg-2 (different version unintentionally)

Web server smb.conf:

    [global]
    workgroup = DOMAIN
    realm = AD.DOMAIN.COM
    security = ads
    kerberos method = secrets and keytab
    log level = 2

--
Herman Øie Kolden
ITK, Samfundet
On Wed, 22 Nov 2017 13:07:09 +0100 Herman Øie Kolden via samba <samba at lists.samba.org> wrote:

> Hello!
>
> Our organization has since June had problems with samba on our web
> server incrementing keytab version numbers every month - precisely
> every month. Since apache2 with mod_auth_kerb isn't made aware of
> this, all our web sites go 503. The manual solution has been
> exporting new keytabs and reloading apache, but we haven't figured
> out why the KVNOS are incremented in the first place.
>
> Some googling suggests "kerberos method = secrets and keytab", but
> this has not resolved the problem. Is this a known issue? Any
> suggestions for debugging? The log level has been 1 while this has
> been happening. It is now set to 2, but since there is month until
> next problem nothing interesting has showed up in the logs (log.smbd)
> yet.
>
> KDC packages: Debian stretch 9.1, linux 4.9.0-3-amd64, samba
> 2:4.5.8+dfsg-2+deb9u1+b1 Web server packages: Debian stretch 9.1,
> linux 4.11.8, samba 2:4.5.12+dfsg-2 (different version
> unintentionally)
>
> Web server smb.conf:
>
> [global]
> workgroup = DOMAIN
> realm = AD.DOMAIN.COM
> security = ads
> kerberos method = secrets and keytab
> log level = 2
>

Is that the entire '[global]' portion of smb.conf? There doesn't seem to be anything with reference to authentication; are you using sssd? If you are, then can I suggest you try asking on the sssd-users mailing list. If you aren't using sssd, can we see the entire '[global]' portion, and does it include 'winbind refresh tickets = yes'?

Rowland
Herman Øie Kolden
2017-Nov-22 13:38 UTC
[Samba] samba rotates keytabs without telling apache
On Wed, Nov 22, 2017 at 12:53:11PM +0000, Rowland Penny via samba wrote:

> Is that the entire '[global]' portion of smb.conf ?
> There doesn't seem to be anything with reference to authentication, are
> you using sssd ?
> If you are then can I suggest you try asking on the sssd-users mailing.

You're right, this is the entire [global], and we use sssd. The problem seems to have been ad_maximum_machine_account_password_age, which defaults to 30 days. Thanks for mentioning sssd!

--
Herman Øie Kolden
ITK, Samfundet
Andrew Bartlett
2017-Nov-23 17:45 UTC
[Samba] samba rotates keytabs without telling apache
On Wed, 2017-11-22 at 13:07 +0100, Herman Øie Kolden via samba wrote:

> Hello!
>
> Our organization has since June had problems with samba on our web server
> incrementing keytab version numbers every month - precisely every month. Since
> apache2 with mod_auth_kerb isn't made aware of this, all our web sites go 503.
> The manual solution has been exporting new keytabs and reloading apache, but we
> haven't figured out why the KVNOS are incremented in the first place.

Samba, for security, changes the machine account password periodically.

The issue, I think, is that you have a distinct keytab for apache, rather than a link to the Samba one.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
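The failure mode in this thread (the machine account password is rotated by sssd every 30 days, the KVNO in the Samba-maintained keytab moves on, and a separately exported Apache keytab is left behind until every ticket validation fails) can be caught before the 503s start. The following check is an added example, not code from the thread or from Samba; it compares the highest KVNO recorded for the HTTP service principal in two `klist -kte` listings. The keytab paths, the principal name and the two listings are constructed for illustration; on a real host you would feed it `klist -kte /etc/krb5.keytab` and `klist -kte <apache keytab>` output and raise an alert (or re-export and reload Apache) when they disagree.

```shell
#!/bin/sh
# Added example (not from the thread): detect a KVNO mismatch between the keytab
# Samba/sssd keeps current and a separately exported Apache keytab.
# Assumed paths: /etc/krb5.keytab (Samba) and /etc/apache2/http.keytab (Apache).

# Print the highest KVNO for principal $1 found in `klist -kte` output on stdin.
# Data rows look like: "   4 11/22/2017 13:07:09 HTTP/web.ad.domain.com@AD.DOMAIN.COM"
# The header and separator lines are skipped because their first field is not numeric.
max_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# kvno_in_sync PRINCIPAL SAMBA_LISTING APACHE_LISTING
# Returns 0 when both keytabs carry the same newest KVNO for the principal,
# 1 when the Apache keytab is stale, 2 when the principal is missing from Samba's keytab.
kvno_in_sync() {
    samba=$(printf '%s\n' "$2" | max_kvno "$1")
    apache=$(printf '%s\n' "$3" | max_kvno "$1")
    [ "$samba" -gt 0 ] || return 2
    [ "$samba" -eq "$apache" ]
}

# Constructed sample listings: Samba's keytab already holds the rotated KVNO 4,
# while the Apache keytab was exported when the KVNO was still 3.
SAMBA_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/22/2017 09:10:11 HTTP/web.ad.domain.com@AD.DOMAIN.COM
   4 11/22/2017 13:07:09 HTTP/web.ad.domain.com@AD.DOMAIN.COM
   4 11/22/2017 13:07:09 host/web.ad.domain.com@AD.DOMAIN.COM'

APACHE_KLIST='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/22/2017 09:10:11 HTTP/web.ad.domain.com@AD.DOMAIN.COM'

PRINCIPAL='HTTP/web.ad.domain.com@AD.DOMAIN.COM'

if kvno_in_sync "$PRINCIPAL" "$SAMBA_KLIST" "$APACHE_KLIST"; then
    echo "OK: $PRINCIPAL KVNO matches in both keytabs"
else
    echo "STALE: $PRINCIPAL KVNO differs; re-export the Apache keytab and reload apache2"
fi
```

Running this from cron (or as a monitoring check) on the web server gives warning as soon as the rotation happens rather than when users start seeing 503s.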