Alex
2022-Jan-27 12:01 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello Louis,

Samba is already handling the system's keytab (/etc/krb5.keytab), but for some reason this error comes up when I try to acquire a TGT with k5start:

[root@vm-corp samba]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd -vvv
Kerberos initialization for host/vm-corp.abisoft.biz@ABISOFT.BIZ
k5start: authenticating as host/vm-corp.abisoft.biz@ABISOFT.BIZ
k5start: getting tickets for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database

[root@vm-corp samba]# net ads keytab list /etc/krb5.keytab | grep 'host/vm-corp.abisoft.biz@ABISOFT.BIZ'
  2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ

Any ideas why?

The reason to use k5start is b/c some progs can't work with the keytab file directly. For example, nslcd.

> I'm wondering why you don't use winbind for the keytab setup and let samba handle it.
>
> That's what I suggest.
> Install winbind only.
> Use:
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> # renew the kerberos ticket
> winbind refresh tickets = yes
> Add the use of that keytab or make a separate keytab file as you do now.
> You might have a reason to use k5start but I haven't seen it so far.
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Alex via samba
>> Sent: Thursday, 27 January 2022 9:12
>> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
>> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>>
>> Hello Andrew,
>>
>> > The big difference with 4.15 is likely to be that we disabled DES
>> > encryption types recently, so if you followed an old guide that said to
>> > force DES that would end badly.
>>
>> [root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
>> Vno Type Principal
>>   1 ArcFour with HMAC/md5 padl@ABISOFT.BIZ
>> [root@vm-corp etc]#
>>
>> There's no DES encryption as far as I see. Or am I looking at the wrong place?
>>
>> --
>> Best regards,
>> Alex
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Best regards,
Alex
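The thread turns on two things visible in the `net ads keytab list` output quoted above: whether a principal still carries DES keys (which Andrew says Samba 4.15 disabled) and which enctypes and kvnos each principal has. The following is an added example, not code from the thread or from Samba: a small parser for that listing format plus an audit that flags legacy DES entries and principals without any AES key. The sample listing is constructed from the rows quoted in the thread, and the column layout (kvno, multi-word enctype, principal) is assumed from those rows.

```python
from collections import defaultdict

# Constructed sample: the `net ads keytab list` rows quoted in this thread.
SAMPLE_LISTING = """\
Vno Type Principal
  2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
  1 ArcFour with HMAC/md5 padl@ABISOFT.BIZ
"""

# Enctype name prefixes treated as legacy (DES was disabled in Samba 4.15).
LEGACY_PREFIXES = ("DES ",)


def parse_keytab_listing(text):
    """Return {principal: {enctype: kvno}} from `net ads keytab list` output.

    Each data row is '<kvno> <enctype words...> <principal>'. The enctype
    name contains spaces, so only the first and last fields are split off.
    """
    entries = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header line or blank line
        kvno, principal = int(parts[0]), parts[-1]
        enctype = " ".join(parts[1:-1])
        entries[principal][enctype] = kvno
    return dict(entries)


def audit_keytab(text):
    """Per principal: legacy (DES) enctypes, AES presence, mixed kvnos."""
    findings = {}
    for principal, keys in parse_keytab_listing(text).items():
        legacy = sorted(e for e in keys if e.startswith(LEGACY_PREFIXES))
        findings[principal] = {
            "legacy_enctypes": legacy,
            "has_aes": any(e.startswith("AES-") for e in keys),
            "mixed_kvno": len(set(keys.values())) > 1,
        }
    return findings


if __name__ == "__main__":
    for principal, finding in audit_keytab(SAMPLE_LISTING).items():
        print(principal, finding)
```

Run it against real output with `net ads keytab list /etc/krb5.keytab | python3 audit.py` after replacing SAMPLE_LISTING with `sys.stdin.read()`.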
Rowland Penny
2022-Jan-27 12:43 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 15:01 +0300, Alex via samba wrote:
> Hello Louis,
>
> Samba is already handling the system's keytab (/etc/krb5.keytab), but
> for some reason this error comes up when I try to acquire a TGT with
> k5start:
> [root@vm-corp samba]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d
> -k /tmp/krb5cc_test -U -o nslcd -vvv
> Kerberos initialization for host/vm-corp.abisoft.biz@ABISOFT.BIZ
> k5start: authenticating as host/vm-corp.abisoft.biz@ABISOFT.BIZ
> k5start: getting tickets for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
> k5start: error getting credentials: Client
> 'host/vm-corp.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database
>
> [root@vm-corp samba]# net ads keytab list /etc/krb5.keytab | grep
> 'host/vm-corp.abisoft.biz@ABISOFT.BIZ'
>   2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
>   2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
>   2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
>   2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
>   2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
>
> Any ideas why?
>
> The reason to use k5start is b/c some progs can't work with the keytab
> file directly. For example, nslcd.

Where are you using nslcd? By where, I mean on a Samba DC, or a Unix domain member, or a computer that isn't joined to the domain.

Why are you using nslcd?

Rowland