thr3ads.net - samba - [Samba] Kerberos fails in some cases [Mar 2019]

If this information is useful, please help other people find it:
Share via:

Sergio Belkin

2019-Mar-25 22:41 UTC

[Samba] Kerberos fails in some cases

Hi folks,
I can use kerberos to create or delete user, eg:

samba-tool user create test -k yes

however, if I want to perform a backup it fails:

samba-tool domain backup online --targetdir=/srv/backup
--server=192.168.50.40 -k yes
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit
request
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://192.168.50.40' with backend 'ldap':
LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_INVALID_PARAMETER
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
177, in _run
    return self.run(*args, **kwargs)
  File
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
line 228, in run
    dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1509, in
join_clone
    include_secrets=include_secrets)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1584, in
__init__
    dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98, in
__init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64, in
__init__
    options=options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in
__init__
    self.connect(url, flags, options)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79, in
connect
    options=options)

What could be wrong?

I use samba 4.9.3 on Debian (Van Belle repo)

Thanks in advance!

-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

Sergio Belkin

2019-Mar-25 23:33 UTC

head link

[Samba] Kerberos fails in some cases

El lun., 25 mar. 2019 a las 19:41, Sergio Belkin (<sebelk at gmail.com>)
escribió:
> Hi folks,
> I can use kerberos to create or delete user, eg:
>
> samba-tool user create test -k yes
>
> however, if I want to perform a backup it fails:
>
> samba-tool domain backup online --targetdir=/srv/backup
> --server=192.168.50.40 -k yes
> gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> negTokenInit request
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://192.168.50.40' with backend
'ldap': LDAP
> client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_INVALID_PARAMETER
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 177, in _run
>     return self.run(*args, **kwargs)
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> line 228, in run
>     dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1509, in
> join_clone
>     include_secrets=include_secrets)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1584, in
> __init__
>     dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98,
in
> __init__
>     credentials=ctx.creds, lp=ctx.lp)
>   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line
64, in
> __init__
>     options=options)
>   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line
115, in
> __init__
>     self.connect(url, flags, options)
>   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line
79, in
> connect
>     options=options)
>
> What could be wrong?
>
> I use samba 4.9.3 on Debian (Van Belle repo)
>
> Thanks in advance!
>
> --
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
>

I've found that is an error using IP address with kerberos, that's
wrong,
anyway, if I use hostname it prompts me for the password:

samba-tool domain backup online --targetdir=/srv/backup
--serversamba4.example.com  -k yes -d3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
samba4.example.com<0x20>
Password for [EXAMPLE\root]:

Don't understand why it cannot resolv samba4.example.com, because it can
outside of this command....

Please could you help me?


-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

Andrew Bartlett

2019-Mar-26 01:13 UTC

head link

[Samba] Kerberos fails in some cases

On Mon, 2019-03-25 at 20:33 -0300, Sergio Belkin via samba
wrote:> El lun., 25 mar. 2019 a las 19:41, Sergio Belkin (<sebelk at
gmail.com>)
> escribió:
> 
> > Hi folks,
> > I can use kerberos to create or delete user, eg:
> > 
> > samba-tool user create test -k yes
> > 
> > however, if I want to perform a backup it fails:
> > 
> > samba-tool domain backup online --targetdir=/srv/backup
> > --server=192.168.50.40 -k yes
You can't do Kerberos to an IP address.

Kerberos is names based.

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

Rowland Penny

2019-Mar-26 08:35 UTC

head link

[Samba] Kerberos fails in some cases

On Mon, 25 Mar 2019 20:33:44 -0300
Sergio Belkin via samba <samba at lists.samba.org> wrote:
> El lun., 25 mar. 2019 a las 19:41, Sergio Belkin (<sebelk at
gmail.com>)
> escribió:
> 
> > Hi folks,
> > I can use kerberos to create or delete user, eg:
> >
> > samba-tool user create test -k yes
> >
> > however, if I want to perform a backup it fails:
> >
> > samba-tool domain backup online --targetdir=/srv/backup
> > --server=192.168.50.40 -k yes
> > gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> > negTokenInit request
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_INVALID_PARAMETER Failed to connect to
> > 'ldap://192.168.50.40' with backend 'ldap': LDAP
client internal
> > error: NT_STATUS_INVALID_PARAMETER ERROR(ldb): uncaught exception -
> > LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> >   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File
> >
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> > line 228, in run dns_backend='SAMBA_INTERNAL',
targetdir=tmpdir)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 1509,
> > in join_clone
> >     include_secrets=include_secrets)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 1584,
> > in __init__
> >     dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 98, in
> > __init__
> >     credentials=ctx.creds, lp=ctx.lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/samdb.py",
line 64,
> > in __init__
> >     options=options)
> >   File "/usr/lib/python2.7/dist-packages/samba/__init__.py",
line
> > 115, in __init__
> >     self.connect(url, flags, options)
> >   File "/usr/lib/python2.7/dist-packages/samba/samdb.py",
line 79,
> > in connect
> >     options=options)
> >
> > What could be wrong?
> >
> > I use samba 4.9.3 on Debian (Van Belle repo)
> >
> > Thanks in advance!
> >
> > --
> > --
> > Sergio Belkin
> > LPIC-2 Certified - http://www.lpi.org
> >  
> 
> 
> I've found that is an error using IP address with kerberos, that's
> wrong, anyway, if I use hostname it prompts me for the password:
> 
> samba-tool domain backup online --targetdir=/srv/backup --server>
samba4.example.com  -k yes -d3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4.example.com<0x20> Password for [EXAMPLE\root]:
> 
> Don't understand why it cannot resolv samba4.example.com, because it
> can outside of this command....
> 
> Please could you help me?
> 
> 
That isn't the problem ;-)
The problem is that you are not giving a domain user, so it is falling
back to the logged in user 'root' and this user cannot have a kerberos
ticket.
You need to 'kinit' as a domain user with the required rights,
'Administrator' for instance, then add '-U Administrator' to the
command.

Rowland

Reasonably Related Threads

Search for more possibly parallel threads

samba - Mar 2019 - Kerberos fails in some cases

[Samba] Kerberos fails in some cases

[Samba] Kerberos fails in some cases

[Samba] Kerberos fails in some cases

[Samba] Kerberos fails in some cases

Reasonably Related Threads