Rowland Penny
2022-Jan-27 12:43 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 15:01 +0300, Alex via samba wrote:
> Hello Louis,
>
> Samba is already handling the system's keytab (/etc/krb5.keytab), but
> for some reason this error comes up when I try to acquire a TGT with
> k5start:
>
> [root@vm-corp samba]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd -vvv
> Kerberos initialization for host/vm-corp.abisoft.biz@ABISOFT.BIZ
> k5start: authenticating as host/vm-corp.abisoft.biz@ABISOFT.BIZ
> k5start: getting tickets for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
> k5start: error getting credentials: Client 'host/vm-corp.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database
>
> [root@vm-corp samba]# net ads keytab list /etc/krb5.keytab | grep 'host/vm-corp.abisoft.biz@ABISOFT.BIZ'
> 2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
> 2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
> 2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
> 2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
> 2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
>
> Any ideas why?
>
> The reason to use k5start is b/c some progs can't work with keytab
> file directly. For example, nslcd.

Where are you using nslcd?
By where, I mean on a Samba DC, or a Unix domain member, or a computer that isn't joined to the domain.

Why are you using nslcd?

Rowland
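The k5start failure and the keytab listing Alex quotes are two halves of one question: does the keytab contain the principal k5start will use (with `-U`, the first entry in the keytab), in the realm the TGT is requested for, and with encryption types a current KDC still accepts? The script below is an added example, not code from the thread or from Samba or k5start. It parses the line shape of `net ads keytab list` output (KVNO, encryption type name, principal) and answers only the keytab half; the sample lines are constructed from the values quoted above, with the archive's " at " restored to "@". If this check passes and the KDC still answers "not found in Kerberos database", the mismatch lies on the DC side, which a keytab listing cannot show.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of `net ads keytab list` output, using the
# values quoted in the thread. A real listing may start with a header line
# ("Vno Type Principal"), which the parser skips.
SAMPLE_KEYTAB_LISTING = """\
Vno Type Principal
2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
"""

# One listing line: integer KVNO, an enctype name that may contain spaces,
# and the principal as the last whitespace-free token containing "@".
LINE_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<enctype>.+?)\s+(?P<principal>\S+@\S+)\s*$")

# Single DES is deprecated by RFC 6649; 3DES and RC4 (ArcFour) by RFC 8429.
# Matching on substrings of the human-readable enctype name keeps this
# independent of the exact wording a given krb5 library prints.
WEAK_MARKERS = ("des cbc", "arcfour", "rc4")


@dataclass
class KeytabEntry:
    kvno: int
    enctype: str
    principal: str

    @property
    def realm(self) -> str:
        return self.principal.rsplit("@", 1)[1]

    @property
    def is_weak(self) -> bool:
        name = self.enctype.lower()
        return any(marker in name for marker in WEAK_MARKERS)


def parse_keytab_listing(text: str) -> List[KeytabEntry]:
    """Turn listing text into entries; header and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(KeytabEntry(int(match["kvno"]), match["enctype"].strip(), match["principal"]))
    return entries


def default_principal(entries: List[KeytabEntry]) -> Optional[str]:
    """The principal `k5start -U` selects: the first one in the keytab."""
    return entries[0].principal if entries else None


def audit_keytab(text: str, principal: str, realm: str) -> Dict:
    """Report whether `principal` is usable from this keytab for TGTs in `realm`."""
    matching = [e for e in parse_keytab_listing(text) if e.principal == principal]
    return {
        "present": bool(matching),
        "kvnos": {e.kvno for e in matching},
        "enctypes": [e.enctype for e in matching],
        "weak_enctypes": [e.enctype for e in matching if e.is_weak],
        # At least one non-deprecated key must exist, or a KDC that refuses
        # DES/RC4 has nothing it can use for this principal.
        "strong_enctypes_available": any(not e.is_weak for e in matching),
        "realm_matches": bool(matching) and all(e.realm == realm for e in matching),
    }


if __name__ == "__main__":
    # Pipe real output in, e.g. `net ads keytab list /etc/krb5.keytab | python3 keytab_audit.py`,
    # otherwise the constructed sample is audited. Optional argv[1] overrides the principal.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYTAB_LISTING
    entries = parse_keytab_listing(listing)
    wanted = sys.argv[1] if len(sys.argv) > 1 else default_principal(entries)
    tgt_realm = "ABISOFT.BIZ"  # realm of the krbtgt k5start asked for in the thread
    report = audit_keytab(listing, wanted, tgt_realm)
    print(f"principal k5start -U would use: {default_principal(entries)}")
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

Run against the quoted listing it reports the principal present with KVNO 2, realm matching, two AES keys available and three deprecated entries (both DES types and ArcFour). That confirms the client side is consistent; the "not found in Kerberos database" reply then has to be chased on the DC, and the DES entries are worth removing from the keytab regardless, since no current KDC should be negotiating them.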
Alex
2022-Jan-27 12:51 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>> The reason to use k5start is b/c some progs can't work with keytab
>> file directly. For example, nslcd.
> Where are you using nslcd?

It's on a member server (vm-corp).

> By where, I mean on a Samba DC, or a Unix domain member, or a computer
> that isn't joined to the domain.
> Why are you using nslcd?

I told you in our recent correspondence - that's kinda legacy system. However, it worked pretty well before the last DC upgrade. I can probably try to migrate it to winbindd but there're a lot of working services that might be affected and I wouldn't really like to touch it w/o a need.

-- 
Best regards,
Alex
L.P.H. van Belle
2022-Jan-27 13:37 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
I forgot the links for you.

https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Authenticating_other_services_against_Samba_AD
https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD

Maybe you have already seen them, I don't know, but the OpenLDAP as proxy page also shows an nslcd example setup.
You can add the UPN on the user: nslcd-connect, as shown in that example.

Greetz,

Louis
Matthias Kühne | Ellerhold AG
2022-Jan-27 13:40 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello,

just as a side info: I've had all kinds of weird problems when I accidentally had nslcd installed on a domain joined member. After Rowland asked me to uninstall it and I did, everything worked.

See this thread for more information on my situation then: https://lists.samba.org/archive/samba/2021-February/234577.html

Bye,
Matthias Kühne.

On 27.01.22 at 13:43, Rowland Penny via samba wrote:
> [...]
>
> Rowland

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold