Hello,
I noticed within last Centos7 samba (4.10) issues with joining
computers to AD. Which was no problem in previous versions (and is
working with samba present in Ubuntu 16.04 - 4.3)
I'm joining my clients to Active directory for example domain.org, with
DNS subdomain base.domain.org
The issue is that the client is joined and keytab generated for FQDN:
client.domain.org instead of client.base.domain.org
Is this a new feature or some kind of bug? Also thank you in advance
for any imput!
/usr/bin/net ads join -k
createupn='host/client.base.domain.org at DOMAIN.ORG'
osName='Linux'
osVer='CentOS 7' createcomputer='Auth/Machines/Servers/Linux'
-d1
-Ujoin
Enter join's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'CLIENT'
domain_name : *
domain_name : 'DOMAIN.ORG'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : 'Auth/Machines/Servers/Linux'
admin_account : 'join'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : 'CentOS 7'
os_name : 'Linux'
os_servicepack : NULL
create_upn : 0x01 (1)
upn : 'host/client.base.domain.org at DOMAIN.ORG'
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
libnet_join_precreate_machine_acct: Machine account successfully
created
join: struct secrets_domain_infoB
version : SECRETS_DOMAIN_INFO_VERSION_1 (1)
reserved : 0x00000000 (0)
info : union secrets_domain_infoU(case 1)
info1 : *
info1: struct secrets_domain_info1
reserved_flags : 0x0000000000000000 (0)
join_time : Fri Oct 2 04:38:44 PM 2020 CEST
computer_name : 'CLIENT'
account_name : 'CLIENT$'
secure_channel_type : SEC_CHAN_WKSTA (2)
domain_info: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : 'DOMAIN'
dns_domain: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : 'domain.org'
dns_forest: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : 'domain.org'
domain_guid : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce
sid : *
sid : S-1-5-21-3784930729-2365486616-1008349783
trust_flags : 0x0000001a (26)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
1: NETR_TRUST_FLAG_PRIMARY
1: NETR_TRUST_FLAG_NATIVE
0: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000040 (64)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
reserved_routing : NULL
supported_enc_types : 0x0000001f (31)
1: KERB_ENCTYPE_DES_CBC_CRC
1: KERB_ENCTYPE_DES_CBC_MD5
1: KERB_ENCTYPE_RC4_HMAC_MD5
1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
0: KERB_ENCTYPE_FAST_SUPPORTED
0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
0: KERB_ENCTYPE_CLAIMS_SUPPORTED
0:
KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
salt_principal : *
salt_principal : 'host/client.domain.org at DOMAIN.ORG
'
password_last_change : Fri Oct 2 04:38:44 PM 2020 CEST
password_changes : 0x0000000000000001 (1)
next_change : NULL
password : *
password: struct secrets_domain_info1_password
change_time : Fri Oct 2 04:38:44 PM 2020 CEST
change_server : 'it-czbrn-pdc102.domain.org'
cleartext_blob : DATA_BLOB length=448
nt_hash: struct samr_Password
hash: ARRAY(16): <REDACTED SECRET VALUES>
salt_data : *
salt_data :
'DOMAIN.ORGhostclient.domain.org'
default_iteration_count : 0x00001000 (4096)
num_keys : 0x0004 (4)
keys: ARRAY(4)
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000012 (18)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=32
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000011 (17)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=16
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000017 (23)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=16
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000003 (3)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=8
old_password : *
old_password: struct secrets_domain_info1_password
change_time : Tue Sep 29 10:46:45 AM 2020 CEST
change_server : 'it-czbrn-pdc102.domain.org'
cleartext_blob : DATA_BLOB length=440
nt_hash: struct samr_Password
hash: ARRAY(16): <REDACTED SECRET VALUES>
salt_data : *
salt_data :
'DOMAIN.ORGhostclient.domain.org'
default_iteration_count : 0x00001000 (4096)
num_keys : 0x0004 (4)
keys: ARRAY(4)
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000012 (18)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=32
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000011 (17)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=16
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000017 (23)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=16
keys: struct
secrets_domain_info1_kerberos_key
keytype : 0x00000003 (3)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=8
older_password : NULL
Kinit for CLIENT$@DOMAIN.ORG to access it-czbrn-pdc102.domain.org
failed: Preauthentication failed
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'CLIENT$'
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.org'
forest_name : 'domain.org'
dn :
'CN=CLIENT,OU=Linux,OU=Servers,OU=Machines,OU=Auth,DC=domain,DC=org'
domain_guid : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce
domain_sid : *
domain_sid : S-1-5-21-3784930729-2365486616-1008349783
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
set_encryption_types : 0x0000001f (31)
krb5_salt : 'host/client.domain.org at DOMAIN.ORG'
result : WERR_OK
Using short domain name -- DOMAIN
Joined 'CLIENT' to dns domain 'domain.org'
kerberos_kinit_password CLIENT$@DOMAIN.ORG failed: Preauthentication
failed
DNS update failed: kinit failed: Preauthentication failed
[root at client ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = true
rdns = true
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
[domain_realm]
.domain.org = DOMAIN.ORG
domain.org = DOMAIN.ORG
[root at client ~]# cat /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.ORG
security = ads
kerberos method = secrets and keytab
client ipc signing = mandatory
client ldap sasl wrapping = seal
client signing = mandatory
client use spnego = yes
server min protocol = SMB2_10
client min protocol = SMB2
client max protocol = SMB3
[root at client ~]# hostname
client.base.domain.org
[root at client ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- -----------------------------------------------------------
----------
1 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG
2 2 restrictedkrbhost/CLIENT at DOMAIN.ORG
3 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG
4 2 restrictedkrbhost/CLIENT at DOMAIN.ORG
5 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG
6 2 restrictedkrbhost/CLIENT at DOMAIN.ORG
7 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG
8 2 restrictedkrbhost/CLIENT at DOMAIN.ORG
9 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG
10 2 restrictedkrbhost/CLIENT at DOMAIN.ORG
11 2 host/client.domain.org at DOMAIN.ORG
12 2 host/CLIENT at DOMAIN.ORG
13 2 host/client.domain.org at DOMAIN.ORG
14 2 host/CLIENT at DOMAIN.ORG
15 2 host/client.domain.org at DOMAIN.ORG
16 2 host/CLIENT at DOMAIN.ORG
17 2 host/client.domain.org at DOMAIN.ORG
18 2 host/CLIENT at DOMAIN.ORG
19 2 host/client.domain.org at DOMAIN.ORG
20 2 host/CLIENT at DOMAIN.ORG
21 2 CLIENT$@DOMAIN.ORG
22 2 CLIENT$@DOMAIN.ORG
23 2 CLIENT$@DOMAIN.ORG
24 2 CLIENT$@DOMAIN.ORG
25 2 CLIENT$@DOMAIN.ORG
ktutil: q
With Regards
Jan Zhanal
Rowland penny
2020-Oct-13 08:01 UTC
[Samba] [Fwd: Joining AD - wrong DNS name, wrong keytab]
On 13/10/2020 08:36, Jan Zh??al via samba wrote:> Hello, > I noticed within last Centos7 samba (4.10) issues with joining > computers to AD. Which was no problem in previous versions (and is > working with samba present in Ubuntu 16.04 - 4.3) > > I'm joining my clients to Active directory for example domain.org, with > DNS subdomain base.domain.org > The issue is that the client is joined and keytab generated for FQDN: > client.domain.org instead of client.base.domain.org > > Is this a new feature or some kind of bug? Also thank you in advance > for any imput!If it is a bug, it is a bug that has been fixed. I am actually surprised that you could join a computer with the wrong dns domain. Samba does not do subdomains (yet) Rowland
Maybe I wrote it misleading, its just a DNS name, not whole active directory subdomain. Jan> If it is a bug, it is a bug that has been fixed. I am actually > surprised > that you could join a computer with the wrong dns domain. > > Samba does not do subdomains (yet) > > Rowland