Yakov Revyakin
2020-Jul-23 05:28 UTC
[Samba] krb5_kt_start_seq_get failed (Permission denied)
On a DOMAIN Linux member in log.wb_DOMAIN I can see the error message "krb5_kt_start_seq_get failed (Permission denied)" during any attempt at user authentication. In the end, a user is authenticated successfully. But what does this message mean?

My krb5.keytab has permissions 600 by default. If I change its permissions to 644 the error message goes away.
Rowland penny
2020-Jul-23 08:09 UTC
[Samba] krb5_kt_start_seq_get failed (Permission denied)
On 23/07/2020 06:28, Yakov Revyakin via samba wrote:
> On a DOMAIN Linux member in log.wb_DOMAIN I can see the error message
> "krb5_kt_start_seq_get failed (Permission denied)" during any attempt of
> user authentication.
> In result a user is authenticated successfully. But what does this message
> mean?
>
> My krb5.keytab has permissions 600 by default.
> If I change its permissions to 644 the error message goes.

For some reason, the keytab cannot be read, yet the '600' is correct. Who owns it? It should be 'root' (user 0).

Can we see your smb.conf and can you also tell us what OS you are using?

Rowland
Yakov Revyakin
2020-Jul-23 09:19 UTC
[Samba] krb5_kt_start_seq_get failed (Permission denied)
Ubuntu 18.04 LTS

root is owner

In case of 644

    d@uc-sm18:~$ sudo ls -la /etc/krb5.keytab
    -rw-r--r-- 1 root root 1122 Jul 17 13:16 /etc/krb5.keytab

    [global]
    workgroup = SVITLA3
    security = ADS
    realm = SVITLA3.ROOM

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind enum users = yes
    winbind enum groups = yes

    winbind offline logon = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/%m.log
    log level = 1 auth:9 kerberos:9 winbind:9
    debug timestamp = no

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SVITLA3:backend = ad
    idmap config SVITLA3:schema_mode = rfc2307
    idmap config SVITLA3:range = 20000-29999
    idmap config SVITLA3:unix_nss_info = yes

    template shell = /bin/bash
    template homedir = /home/%U
L.P.H. van Belle
2020-Jul-23 09:35 UTC
[Samba] krb5_kt_start_seq_get failed (Permission denied)
Try this:

#source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262

Add in /etc/krb5.conf in [libdefaults]

    ignore_k5login = true

Did it help?

If (as in my case) root is not allowed in the user homedirs it can validate on $HOME/.k5login

Above fixed it for me. I only can't tell based on the config if this applies to you. It's a simple thing to try.

Greetz,

Louis
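The owner and mode check discussed in the replies above (root-owned, 600), written as an added example that is not part of the original thread or of Samba. It assumes GNU stat, as on the Ubuntu 18.04 host in the thread; the function name `keytab_audit` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the owner and mode of a Kerberos keytab.
# Assumptions: GNU stat is available; the expected owner defaults to
# uid 0 (root) and the expected mode to 600, as stated in the thread.

# keytab_audit PATH [EXPECTED_UID]
# Prints one finding per line.
# Returns 0 when the file is owned by EXPECTED_UID and has no group/other
# permission bits, 1 when either check fails, 2 when it cannot be inspected.
keytab_audit() {
    kt=$1
    want_uid=${2:-0}
    # -L follows a symlink so the mode reported is that of the real file.
    info=$(stat -L -c '%u %a' "$kt" 2>/dev/null) || {
        echo "NOSTAT $kt: cannot read file metadata"
        return 2
    }
    uid=${info% *}
    mode=${info#* }
    rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "OWNER $kt: uid $uid, expected $want_uid"
        rc=1
    fi
    # Any group/other bit gives accounts other than the owner access to the keys.
    if [ $(( 0$mode & 0077 )) -ne 0 ]; then
        echo "MODE $kt: $mode grants group/other access, expected 600"
        rc=1
    fi
    # The 644 case from the thread: every local account can read the file.
    if [ $(( 0$mode & 0004 )) -ne 0 ]; then
        echo "EXPOSED $kt: world-readable"
    fi
    [ "$rc" -eq 0 ] && echo "OK $kt: uid $uid mode $mode"
    return "$rc"
}

# Stand-alone use: sh keytab_audit.sh /etc/krb5.keytab
if [ "$#" -gt 0 ]; then
    keytab_audit "$@"
fi
```

Run it as root against the path set in `dedicated keytab file`; a MODE or EXPOSED line means the file should go back to 600 rather than being loosened to silence the log message.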