samba - Jul 2020 - krb5_kt_start_seq_get failed (Permission denied)

On a DOMAIN Linux member in log.wb_DOMAIN I can see the error message
"krb5_kt_start_seq_get failed (Permission denied)" during any attempt
of
user authentication.
In result a user is authenticated successfully. But what does this message
mean?

My krb5.keytab has permissions 600 by default.
If I change its permissions to 644 the error message goes.

On 23/07/2020 06:28, Yakov Revyakin via samba wrote:
> On a DOMAIN Linux member in log.wb_DOMAIN I can see the error message
> "krb5_kt_start_seq_get failed (Permission denied)" during any
attempt of
> user authentication.
> In result a user is authenticated successfully. But what does this message
> mean?
>
> My krb5.keytab has permissions 600 by default.
> If I change its permissions to 644 the error message goes.
For some reason, the keytab cannot be read, yet the '600' is correct, 
who owns it ? it should be 'root' (user 0)

Can we see your smb.conf and can you also tell us what OS you are using ?

Rowland

Ubuntu 18.04 LTS

root is owner

In case of 644
d at uc-sm18:~$ sudo ls -la /etc/krb5.keytab
-rw-r--r-- 1 root root 1122 Jul 17 13:16 /etc/krb5.keytab

[global]
   workgroup = SVITLA3
   security = ADS
   realm = SVITLA3.ROOM

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind enum users = yes
   winbind enum groups = yes

   winbind offline logon = yes

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   log file = /var/log/samba/%m.log
   log level = 1 auth:9 kerberos:9 winbind:9
   debug timestamp = no

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:schema_mode = rfc2307
   idmap config SVITLA3:range = 20000-29999
   idmap config SVITLA3:unix_nss_info = yes

   template shell = /bin/bash
   template homedir = /home/%U


On Thu, 23 Jul 2020 at 11:10, Rowland penny via samba <samba at
lists.samba.org>
wrote:
> On 23/07/2020 06:28, Yakov Revyakin via samba wrote:
> > On a DOMAIN Linux member in log.wb_DOMAIN I can see the error message
> > "krb5_kt_start_seq_get failed (Permission denied)" during
any attempt of
> > user authentication.
> > In result a user is authenticated successfully. But what does this
> message
> > mean?
> >
> > My krb5.keytab has permissions 600 by default.
> > If I change its permissions to 644 the error message goes.
>
> For some reason, the keytab cannot be read, yet the '600' is
correct,
> who owns it ? it should be 'root' (user 0)
>
> Can we see your smb.conf and can you also tell us what OS you are using ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Try this : 

    #source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262

Add in /etc/krb5.conf in [libdefaults]
   ignore_k5login = true 

Did it help? 

If (as in my case) root is not allowed in the user homdirs it can validateon 
$HOME/.k5login
Above fixed it for me.

I only cant tell based on the config if this applies to you. 
Its a simple thing to try. 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Yakov Revyakin via samba
> Verzonden: donderdag 23 juli 2020 11:20
> Aan: Rowland penny
> CC: sambalist
> Onderwerp: Re: [Samba] krb5_kt_start_seq_get failed 
> (Permission denied)
> 
> Ubuntu 18.04 LTS
> 
> root is owner
> 
> In case of 644
> d at uc-sm18:~$ sudo ls -la /etc/krb5.keytab
> -rw-r--r-- 1 root root 1122 Jul 17 13:16 /etc/krb5.keytab
> 
> [global]
>    workgroup = SVITLA3
>    security = ADS
>    realm = SVITLA3.ROOM
> 
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    winbind enum users = yes
>    winbind enum groups = yes
> 
>    winbind offline logon = yes
> 
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
> 
>    log file = /var/log/samba/%m.log
>    log level = 1 auth:9 kerberos:9 winbind:9
>    debug timestamp = no
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
> 
>    idmap config SVITLA3:backend = ad
>    idmap config SVITLA3:schema_mode = rfc2307
>    idmap config SVITLA3:range = 20000-29999
>    idmap config SVITLA3:unix_nss_info = yes
> 
>    template shell = /bin/bash
>    template homedir = /home/%U
> 
> 
> On Thu, 23 Jul 2020 at 11:10, Rowland penny via samba 
> <samba at lists.samba.org>
> wrote:
> 
> > On 23/07/2020 06:28, Yakov Revyakin via samba wrote:
> > > On a DOMAIN Linux member in log.wb_DOMAIN I can see the 
> error message
> > > "krb5_kt_start_seq_get failed (Permission denied)"
during
> any attempt of
> > > user authentication.
> > > In result a user is authenticated successfully. But what does
this
> > message
> > > mean?
> > >
> > > My krb5.keytab has permissions 600 by default.
> > > If I change its permissions to 644 the error message goes.
> >
> > For some reason, the keytab cannot be read, yet the '600' 
> is correct,
> > who owns it ? it should be 'root' (user 0)
> >
> > Can we see your smb.conf and can you also tell us what OS 
> you are using ?
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>