Alex
2022-Jan-27 06:54 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Stefan,>> The permissions are correct and they didn't change during the Samba upgrade: >> [root at vm-corp etc]# ls -l /usr/local/etc/padl.keytab >> -rw------- 1 root root 60 Jan 26 11:06 /usr/local/etc/padl.keytab > I just set up a new debian11 with k5start together with OpenLDAP and I > also had the permission to "600 root root" and it did not work. With the > new version of k5start you must set the owner to the user who should use > the keytab so in you setup it should belong to padl and 600 as > permission is required, but you already have it set to 600.As I said before, no changes were made besides upgrading Samba on the domain controllers (and vm-corp is not a DC). So, these permissions work w/o issues when the DC is Samba 4.14. Anyway, thanks for trying to help! -- Best regards, Alex
Andrew Bartlett
2022-Jan-27 07:29 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 09:54 +0300, Alex via samba wrote:> Stefan, > > > > The permissions are correct and they didn't change during the > > > Samba upgrade: > > > [root at vm-corp etc]# ls -l /usr/local/etc/padl.keytab > > > -rw------- 1 root root 60 Jan 26 11:06 /usr/local/etc/padl.keytab > > I just set up a new debian11 with k5start together with OpenLDAP > > and I > > also had the permission to "600 root root" and it did not work. > > With the > > new version of k5start you must set the owner to the user who > > should use > > the keytab so in you setup it should belong to padl and 600 as > > permission is required, but you already have it set to 600. > > As I said before, no changes were made besides upgrading Samba on the > domain controllers (and vm-corp is not a DC). So, these permissions > work w/o issues when the DC is Samba 4.14. > > Anyway, thanks for trying to help!The big difference with 4.15 is likely to be that we disabled DES encryption types recently, so if you followed an old guide that said to force DES that would end badly. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions