Alex
2022-Jan-26 10:35 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello,

There are two DCs backed by Samba (vm-dc3 and vm-dc4). I have a special AD user - padl - to provide SSO capability to corporate services (like apache, for example). Using this account I generated a keytab file which is used by other services:

# ktutil
addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
Password:
wkt /usr/local/etc/padl.keytab

Based on this keytab, the k5start daemon generates and updates a Kerberos TGT:

ExecStart=/usr/bin/k5start -f ${KEYTAB} -b -a -K 120 -L -l 1d -k /tmp/krb5cc_%i -U -o %i -p /var/run/k5start_%i.pid

Hence, for example, nslcd has these config options set:

sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_nslcd

Everything worked well until I upgraded Samba from 4.14 to 4.15. The new Samba has stopped authenticating the padl user from the keytab file (password authentication still works well).

Here is how it looks when I restart the k5start daemon to re-get the TGT on one of the corporate servers:

[root@vm-corp etc]# systemctl restart k5start@nslcd.service

Good:

[root@vm-dc4 var]# samba -V
Version 4.14.11
[root@vm-dc4 var]# tail -f log.samba | grep padl
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49197 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:44742 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: ENC-TS Pre-authentication succeeded -- padl@ABISOFT.BIZ using arcfour-hmac-md5
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[padl@ABISOFT.BIZ] at [Wed, 26 Jan 2022 12:27:57.383462 MSK] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.26.200.32:44742] became [ABISOFT]\[padl] [S-1-5-21-3729968760-1240331958-298020672-1205]. local host [NULL]
{"timestamp": "2022-01-26T12:27:57.383593+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "9d14d44263a13476", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.26.200.32:44742", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "padl@ABISOFT.BIZ", "workstation": null, "becameAccount": "padl", "becameDomain": "ABISOFT", "becameSid": "S-1-5-21-3729968760-1240331958-298020672-1205", "mappedAccount": "padl", "mappedDomain": "ABISOFT", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 6872}}
authsam_account_ok: Checking SMB password for user padl@ABISOFT.BIZ
logon_hours_ok: No hours restrictions for user padl@ABISOFT.BIZ
DSDB Change [Modify] at [Wed, 26 Jan 2022 12:27:57.388268 MSK] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=padl,CN=Users,DC=abisoft,DC=biz] attributes [replace: lastLogon [132876628773839510] replace: logonCount [18445]]
{"timestamp": "2022-01-26T12:27:57.388513+0300", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=padl,CN=Users,DC=abisoft,DC=biz", "transactionId": "303b11dc-52d2-411b-8dc1-c2a1079c46f8", "sessionId": "84b8f2a0-4e9c-4696-bbb6-4a5df8d8de8c", "attributes": {"lastLogon": {"actions": [{"action": "replace", "values": [{"value": "132876628773839510"}]}]}, "logonCount": {"actions": [{"action": "replace", "values": [{"value": "18445"}]}]}}}}

Bad:

[root@vm-dc4 samba]# samba -V
Version 4.15.4
[root@vm-dc4 var]# tail -f log.samba | grep padl
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49563 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:42889 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:41471 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:40522 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:51879 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ

Any ideas what's going on and how to get that fixed? I've downgraded back to 4.14 so far, but that's just a temporary workaround.

Please, help!

--
Best regards,
Alex
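The two excerpts above differ in one observable way: in the "Good" run the client answers the KDC's PREAUTH-REQUIRED with an encrypted timestamp on its second AS-REQ, while in the "Bad" run every AS-REQ is answered PREAUTH-REQUIRED and no ENC-TS pa-data ever arrives. The following Python script is an added example, not code from the poster or from the Samba project: it scans Samba's log.samba KDC lines, groups them by client address and principal, and reports which clients completed preauth and which are looping without ever presenting ENC-TS. The sample log text is constructed to mirror the thread (real logs carry "@" where the list archive shows " at "); the regexes match only the message formats visible above, and the "stuck" threshold of two unanswered challenges is my choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Patterns for the KDC lines Samba writes to log.samba, as shown in the thread.
AS_REQ = re.compile(r"^Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+ for (\S+)$")
PREAUTH_REQUIRED = re.compile(r"^Kerberos: No preauth found, returning PREAUTH-REQUIRED -- (\S+)$")
ENC_TS_OK = re.compile(r"^Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)$")


@dataclass
class ClientState:
    as_req: int = 0            # AS-REQs seen from this client for this principal
    preauth_required: int = 0  # how many were answered with PREAUTH-REQUIRED
    enc_ts_ok: int = 0         # how many carried a valid encrypted timestamp
    enctype: Optional[str] = None


def analyse_kdc_log(lines: Iterable[str]) -> Dict[Tuple[str, str], ClientState]:
    """Group KDC log lines by (client IP, principal) and count preauth outcomes."""
    state: Dict[Tuple[str, str], ClientState] = defaultdict(ClientState)
    last_client: Dict[str, str] = {}  # principal -> IP of its most recent AS-REQ
    for raw in lines:
        line = raw.strip()
        m = AS_REQ.match(line)
        if m:
            principal, ip, _service = m.groups()
            last_client[principal] = ip
            state[(ip, principal)].as_req += 1
            continue
        m = PREAUTH_REQUIRED.match(line)
        if m and m.group(1) in last_client:
            state[(last_client[m.group(1)], m.group(1))].preauth_required += 1
            continue
        m = ENC_TS_OK.match(line)
        if m and m.group(1) in last_client:
            s = state[(last_client[m.group(1)], m.group(1))]
            s.enc_ts_ok += 1
            s.enctype = m.group(2)
    return dict(state)


def verdict(s: ClientState) -> str:
    """Summarise one client's preauth behaviour."""
    if s.enc_ts_ok:
        return "ok: ENC-TS preauth succeeded with %s after %d PREAUTH-REQUIRED challenge(s)" % (
            s.enctype, s.preauth_required)
    if s.preauth_required >= 2:
        return ("stuck: %d AS-REQs, all answered PREAUTH-REQUIRED, client never sent ENC-TS pa-data "
                "(check the keytab the client uses and the enctypes the KDC offers)" % s.as_req)
    return "incomplete: no preauth outcome observed"


def report(lines: Iterable[str]) -> Dict[str, str]:
    return {"%s %s" % key: verdict(s) for key, s in analyse_kdc_log(lines).items()}


# Constructed sample logs modelled on the thread's "Good" and "Bad" excerpts.
GOOD_LOG = """\
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49197 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:44742 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: ENC-TS Pre-authentication succeeded -- padl@ABISOFT.BIZ using arcfour-hmac-md5
"""

BAD_LOG = "".join(
    ("Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:%d for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ\n"
     "Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ\n"
     "Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ\n"
     "Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ\n") % port
    for port in (49563, 42889, 41471, 40522, 51879))

if __name__ == "__main__":
    for label, text in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        for client, line in report(text.splitlines()).items():
            print(label, client, "->", line)
```

Run against a live `tail -f log.samba | grep Kerberos` feed, the "stuck" verdict is the signal to look at the client side (which keytab k5start reads, what enctype it holds) rather than at password policy, since the KDC is never given anything to verify.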
Stefan Kania
2022-Jan-26 11:57 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
I only know this error message from OpenLDAP together with Kerberos. There it means: either the permissions of the keytab file are wrong or the user has no password set. Because you have preauth active, the user must have a password; without a password, preauth fails. Can you disable preauth? Just for testing. Or, if the user has no password, set a random password and try again.

On 26.01.22 at 11:35, Alex via samba wrote:
> Everything worked well until I upgraded Samba from 4.14 to 4.15. The new Samba has stopped authenticating the padl user from the keytab file (password authentication still works well).
>
> Any ideas what's going on and how to get that fixed? I've downgraded back to 4.14 so far, but that's just a temporary workaround.

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download the root certificates: https://www.dgn.de/dgncert/downloads.html
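The reply's first check is the keytab file itself. As an added example (not code from either poster or from Samba), here is a Python routine that parses the version-2 (0x0502) keytab format that ktutil writes, lists principal, kvno and enctype for each entry without ever copying key material out, and flags two things a defender cares about: a file mode that lets group or other read the keys, and a keytab whose only keys are deprecated types (the `-e RC4-HMAC` entry in the original post is enctype 23). The sample keytab is constructed inside the block with an all-zero key; the 0600 expectation and the "deprecated enctype" warning are my choices, and the entry timestamp is arbitrary.

```python
import os
import stat
import struct
from dataclasses import dataclass
from typing import List

# Kerberos enctype numbers (RFC 3961/3962/4757); 23 is what `-e RC4-HMAC` writes.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
WEAK_ENCTYPES = {1, 3, 16, 23}  # DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429)


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key_len: int  # length only; the key bytes stay in the file


def _counted_string(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk a version-2 MIT/Heimdal keytab and return its entries (no key material)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:  # negative size marks a hole left by `ktutil delent`
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        pos += 4  # name_type
        pos += 4  # timestamp
        vno8 = data[pos]
        pos += 1
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        pos += klen  # skip the key bytes
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, klen))
        pos = end
    return entries


def audit_keytab_bytes(data: bytes, mode: int) -> List[str]:
    """Findings for a keytab given its bytes and its st_mode."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %04o allows group/other access; expected 0600"
                        % stat.S_IMODE(mode))
    entries = parse_keytab(data)
    if not entries:
        findings.append("keytab contains no entries")
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, "enctype %d" % e.enctype)
        findings.append("%s kvno %d %s (%d-byte key)" % (e.principal, e.kvno, name, e.key_len))
    if entries and all(e.enctype in WEAK_ENCTYPES for e in entries):
        findings.append("only deprecated enctypes present; add an AES key so the client "
                        "can still answer PREAUTH-REQUIRED if the KDC stops offering RC4/DES")
    return findings


def audit_keytab(path: str) -> List[str]:
    with open(path, "rb") as f:
        data = f.read()
    return audit_keytab_bytes(data, os.stat(path).st_mode)


def build_sample_keytab(principal: str = "padl@ABISOFT.BIZ", kvno: int = 1,
                        enctype: int = 23, key: bytes = bytes(16)) -> bytes:
    """Constructed one-entry keytab mirroring `addent -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC`;
    the key is all zeros, not a real credential."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">I", 1)           # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 1643190000)  # timestamp (arbitrary, constructed)
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)        # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    for line in audit_keytab_bytes(build_sample_keytab(), 0o644):
        print(line)
```

On a real host, `audit_keytab("/usr/local/etc/padl.keytab")` gives the same view as `klist -kte` plus the permission check; a keytab that k5start runs as an unprivileged user must be readable by that user and nobody else, and a file that lists the expected principal but only arcfour-hmac-md5 is worth re-creating with AES keys as well.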