Alex
2022-Jan-27 15:30 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
> https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2
> It's a 10y old post but read it, I think it might help you find the source of your problem.
> That link gives back some old memories here, as will for Rowland.. ;-)

I will definitely check that thread, thank you! But we came to this after I put extra encryption algorithms in the keytab. They do not work with the old Samba as well, so I'm simply gonna leave a single entry in the keytab with ArcFour encryption.

Once again. This works with Samba 4.14:

[root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
Vno  Type                   Principal
  1  ArcFour with HMAC/md5  padl@ABISOFT.BIZ
[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
[root@vm-corp etc]# ^C

And does not work with Samba 4.15:

[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
k5start: error getting credentials: Pre-authentication failed: No key table entry found for padl@ABISOFT.BIZ

It's not a problem with nslcd or anything like that. Something has changed in 4.15 and I'd like to find out what and how to get things back to work.. Obviously the new Samba sends back something to the k5start tool which it can't match with the keytab entry.

Here are tcpdump outputs for both cases:

v4.14:
18:22:03.617311 IP 172.26.200.32.43659 > 172.26.1.84.88: v5 E..... at .@...... ...T...X..".j..0........... ..0.0 .............0....... at .....0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ....20220128152203Z....20220203152203Z......$...0.........................
18:22:03.622709 IP 172.26.1.84.88 > 172.26.200.32.43659: E..... at .@..w...T... .X.....Y~..0................20220127152203Z.... ~..........ABISOFT.BIZ..0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ.+.)Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ.M.K0I0 .........0 .........0 .........0......... 0.0......0.........
<here goes further communication>

v4.15:
18:22:40.781201 IP 172.26.200.32.57417 > 172.26.1.84.88: v5 E....;@. at .O/... ...T.I.X..".j..0........... ..0.0 .............0....... at .....0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ....20220128152240Z....20220203152240Z....P.....0.........................
18:22:40.832462 IP 172.26.1.84.88 > 172.26.200.32.57417: E..8.. at .@.A&...T... .X.I.$u.~...0.................20220127152240Z................ABISOFT.BIZ..0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ.+.)Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ.i.g0e0 .........0 .........0 .........0B......;.90705......&.$ABISOFT.BIZnslcdmy
<no further communication happened>

>> -----Original message-----
>> From: Alex [mailto:samba at abisoft.biz]
>> Sent: Thursday, 27 January 2022 15:03
>> To: L.P.H. van Belle via samba; L.P.H. van Belle
>> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>>
>> >> Any ideas why?
>> > No, sorry, that's one I don't know, except that k5start might look in a different place which does not exist.
>>
>> I checked that - it does read the file I specified.
>>
>> >> The reason to use k5start is b/c some progs can't work with keytab file directly. For example, nslcd.
>> > Aha.. But wait, if samba is already handling it.
>> > Why not this way..
>> > (example for kerberos auth in squid)
>> > kinit Administrator
>> > export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
>> > net ads_update keytab ADD HTTP/$(hostname -f)
>> > chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
>> > chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab
>> > Adjust it to your needs for nslcd but it shows how to do it.
>> > I think that will work also.
>>
>> B/c (as I said) nslcd is not able to work thru a keytab file. It only supports a ready-to-use TGT:
>> sasl_mech GSSAPI
>> krb5_ccname /tmp/krb5cc_nslcd
>>
>> --
>> Best regards,
>> Alex

--
Best regards,
Alex
Andrew Bartlett
2022-Jan-28 02:41 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Thu, 2022-01-27 at 18:30 +0300, Alex via samba wrote:
> > https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2
> > It's a 10y old post but read it, I think it might help you find the
> > source of your problem.
> > That link gives back some old memories here, as will for Rowland..
> > ;-)
>
> I will definitely check that thread, thank you! But we came to this
> after I put extra encryption algorithms in the keytab. They do not
> work with the old Samba as well, so I'm simply gonna leave a single
> entry in the keytab with ArcFour encryption.
>
> Once again. This works with Samba 4.14:
> [root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> Vno  Type                   Principal
>   1  ArcFour with HMAC/md5  padl@ABISOFT.BIZ
> [root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L
> -l 1d -k /tmp/krb5cc_test -U -o nslcd
> Kerberos initialization for padl@ABISOFT.BIZ
> [root@vm-corp etc]# ^C
>
> And does not work with Samba 4.15:
> [root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L
> -l 1d -k /tmp/krb5cc_test -U -o nslcd
> Kerberos initialization for padl@ABISOFT.BIZ
> k5start: error getting credentials: Pre-authentication failed: No key
> table entry found for padl@ABISOFT.BIZ
>
> It's not a problem with nslcd or anything like that. Something has
> changed in 4.15 and I'd like to find out what and how to get things
> back to work..

You have correctly managed to work past the noise and deduced that if the client stays the same but the change in the server version gives a different result, then the server change is the issue. (Yes, sometimes the fix is to change the client, e.g. change to NTLMv2 because NTLM was disabled, but you get my point).

A full .pcap file might be illuminating, as might just looking at the difference in the server logs, but skilled as I am, I can't parse Kerberos packets by eye.

We did change some Kerberos encryption ordering in 4.15, and fixed it in a later version; are you running the latest release?

My feeling certainly is that the account has an AES key, and so Samba is expecting an AES encrypted enc-ts challenge, or at least your client is wanting to provide that but only has an RC4 key.

Andrew Bartlett

--
Andrew Bartlett (he/him)                      https://samba.org/~abartlet/
Samba Team Member (since 2001)                https://samba.org
Samba Team Lead, Catalyst IT                  https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
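One way to check for the key/enctype mismatch Andrew describes, as an added example that is not from this thread, from k5start or from Samba: a small Python parser for MIT-format (0x0502) keytabs that lists the enctype of every stored key and reports which of the enctypes a KDC advertises in its ETYPE-INFO2 pre-auth hint the keytab cannot satisfy. The keytab bytes (an RC4-only entry for padl@ABISOFT.BIZ with a dummy zero key) and the offered list [18, 17, 23] are constructed here; on a real host you would read the keytab file and take the etype list from the KRB-ERROR in the capture.

```python
import struct

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        e, off, strings = data[pos:pos + size], 2, []
        (ncomp,) = struct.unpack(">H", e[:2])
        for _ in range(ncomp + 1):       # realm first, then name components
            (ln,) = struct.unpack(">H", e[off:off + 2])
            strings.append(e[off + 2:off + 2 + ln].decode())
            off += 2 + ln
        off += 8                         # skip name_type and timestamp
        vno = e[off]                     # 8-bit kvno
        enctype, klen = struct.unpack(">HH", e[off + 1:off + 5])
        off += 5 + klen                  # past the key bytes
        if off + 4 <= size:              # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack(">I", e[off:off + 4])
        entries.append(("/".join(strings[1:]) + "@" + strings[0], vno, enctype))
        pos += size
    return entries

def missing_enctypes(entries, kdc_offered):
    """Enctypes the KDC lists in ETYPE-INFO2 for which the keytab holds no key."""
    have = {etype for _, _, etype in entries}
    return sorted(set(kdc_offered) - have)

def build_entry(principal, enctype, key, vno=1):
    """Serialise one keytab entry; used here only to construct sample input."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, vno)   # KRB_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: an RC4-only keytab like the one in the thread (dummy zero key).
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("padl@ABISOFT.BIZ", 23, b"\x00" * 16)
# Assumed ETYPE-INFO2 order for an account that has AES keys: aes256, aes128, rc4.
KDC_OFFERS = [18, 17, 23]
```

With the sample input, `missing_enctypes(parse_keytab(SAMPLE_KEYTAB), KDC_OFFERS)` returns [17, 18], i.e. the keytab has no AES key for the etypes the KDC prefers; an empty list means every offered etype is covered.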