Robert Marcano
2018-Jan-18 15:28 UTC
[Samba] Password change error when using msktutil to set up service keytab
When using msktutil to set up a keytab for Squid Kerberos authentication, it stops with an error:

Error: Unable to set machine password for FIREWALL-K$: (2) Server error

This is the output of the msktutil command:

##########################################################
# msktutil -f -b "CN=COMPUTERS" -s HTTP/firewall.example.com -k /etc/squid/squid.keytab --computer-name FIREWALL-K --upn HTTP/firewall.example.com --server dc.example.com --verbose
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 87
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-gjU224
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: FIREWALL-K$
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: dc.example.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server: dc.example.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: admin at example.com
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
 -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=COM
 -- ldap_check_account: Checking that a computer account for FIREWALL-K$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x11000
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found dNSHostName = firewall.example.com
 -- ldap_check_account: Found User Principal: HTTP/firewall.example.com
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/firewall.example.com at EXAMPLE.COM
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 131607622799660050
Error: Unable to set machine password for FIREWALL-K$: (2) Server error
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context
##########################################################

And this is written to log.samba:

##########################################################
[2018/01/18 15:18:51.613525,  0] ../source4/kdc/kpasswd-service.c:244(kpasswd_process)
  kpasswd_process: gensec_unwrap failed - NT_STATUS_ACCESS_DENIED
##########################################################

Everything is run within "kinit administrator". For some reason changing the machine account password is failing with NT_STATUS_ACCESS_DENIED. Any help is appreciated.

Running Samba Version 4.7.4.

--
Robert Marcano
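The raw attribute values in the verbose output above (userAccountControl 0x11000, supportedEncryptionTypes 28, pwdLastSet as a FILETIME) are easier to reason about once decoded. The following Python script is an added example and is not part of the original post, of msktutil or of Samba: it parses the msktutil --verbose output and the Samba log excerpt (sample input constructed from the lines quoted in the post), decodes the two bit-flag attributes using the standard Active Directory constants, converts pwdLastSet to a UTC timestamp, and extracts the kpasswd failure status. The regular expressions assume the msktutil line format shown in the post; the flag tables list only the bits relevant to machine accounts.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of userAccountControl bits (standard AD constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# msDS-SupportedEncryptionTypes bits (standard AD / Kerberos constants).
ENC_TYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}


def decode_flags(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


# Patterns matching the msktutil --verbose lines and the Samba kpasswd log line.
SAM_RE = re.compile(r"SAM Account Name is: (\S+)")
UAC_RE = re.compile(r"Found userAccountControl = (0x[0-9a-fA-F]+)")
ENC_RE = re.compile(r"Found supportedEncryptionTypes = (\d+)")
PWDLASTSET_RE = re.compile(r"pwdLastSet is (\d+)")
KPASSWD_RE = re.compile(r"kpasswd_process: (\S+) failed - (NT_STATUS_\w+)")


def summarize(msktutil_output, samba_log):
    """Decode the account attributes and the kpasswd failure into a dict."""
    summary = {}
    m = SAM_RE.search(msktutil_output)
    if m:
        summary["account"] = m.group(1)
    m = UAC_RE.search(msktutil_output)
    if m:
        summary["userAccountControl"] = decode_flags(int(m.group(1), 16), UAC_FLAGS)
    m = ENC_RE.search(msktutil_output)
    if m:
        summary["supportedEncryptionTypes"] = decode_flags(int(m.group(1)), ENC_TYPE_FLAGS)
    m = PWDLASTSET_RE.search(msktutil_output)
    if m:
        summary["pwdLastSet"] = filetime_to_datetime(int(m.group(1))).strftime("%Y-%m-%d %H:%M:%S UTC")
    # Every kpasswd failure recorded by the Samba KDC, as "function: NT status".
    summary["kpasswd_failures"] = [f"{fn}: {status}" for fn, status in KPASSWD_RE.findall(samba_log)]
    return summary


# Constructed sample input: the relevant lines from the post above.
MSKTUTIL_OUTPUT = """\
 -- finalize_exec: SAM Account Name is: FIREWALL-K$
 -- ldap_check_account: Found userAccountControl = 0x11000
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- ldap_get_pwdLastSet: pwdLastSet is 131607622799660050
Error: Unable to set machine password for FIREWALL-K$: (2) Server error
"""

SAMBA_LOG = """\
[2018/01/18 15:18:51.613525,  0] ../source4/kdc/kpasswd-service.c:244(kpasswd_process)
  kpasswd_process: gensec_unwrap failed - NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for key, value in summarize(MSKTUTIL_OUTPUT, SAMBA_LOG).items():
        print(f"{key}: {value}")
```

Decoded, 0x11000 is WORKSTATION_TRUST_ACCOUNT plus DONT_EXPIRE_PASSWORD (which is why msktutil reports the account unchanged after setting bit 0x10000 and clearing 0x200000), and 28 is RC4 plus AES128 plus AES256; the script makes no claim about the cause of the NT_STATUS_ACCESS_DENIED, it only makes the recorded state readable next to the failure.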