Alex
2022-Jan-28 06:51 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
> If it is of any help, I now have nslcd working on Debian 11 with Samba
> 4.15.4 , just have to wait until tomorrow to see if kstart renews the
> ticket.

Thanks Rowland.

My issue is that k5start isn't able to get even the 1st ticket. Do you use the system's keytab or create a user keytab for this test case? Can you show what "net ads keytab list ..." outputs?

--
Best regards,
Alex
Andrew Bartlett
2022-Jan-28 07:02 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Fri, 2022-01-28 at 09:51 +0300, Alex via samba wrote:
> Thanks Rowland.
>
> My issue is that k5start isn't able to get even the 1st ticket. Do
> you use system's keytab or create a user keytab for this test case?
> Can you show what "net ads keytab list ..." outputs?
>

Just one thought before the weekend: Can you remind me how the keytab was obtained?

RC4 tickets work sometimes in places where AES does not because AES tickets are salted, and if you use the wrong salt it all goes very badly.

A keytab extracted using 'samba-tool domain exportkeytab' (there is an option to extract just one principal) will always have the correct salt, and all the right keys, as this is a direct copy from the DB.

I'll look over the .pcap when I get a chance.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
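Andrew's point about salts turns on what keys the keytab actually holds. As an added example (not from this thread and not Samba or MIT code), here is a small Python reader for the MIT version-2 keytab format that lists each principal's kvno and enctype, the same information "net ads keytab list" prints; the sample keytab bytes are constructed inline, and the reader can only show whether AES keys are present at all, not whether they were derived with the right salt, so the exportkeytab comparison Andrew suggests is still the real check.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # RFC 3962 / RFC 4757 numbers

def build_entry(realm, components, enctype, key, kvno, timestamp=0):
    # Encode one MIT v2 keytab entry; used here only to construct the sample file.
    body = struct.pack(">H", len(components))
    for s in [realm] + components:              # realm first, then the name components
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):              # realm + components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                      # 32-bit kvno, if present and non-zero, wins
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        principal = "/".join(parts[1:]) + "@" + parts[0]
        entries.append((principal, kvno, ENCTYPES.get(enctype, str(enctype))))
    return entries

def principals_without_aes(entries):
    # Principals whose keys are all RC4: a KDC that insists on AES cannot be satisfied from them.
    aes = {p for p, _, e in entries if e.startswith("aes")}
    return sorted({p for p, _, _ in entries} - aes)

# Constructed sample: nslcd-ad has AES256 and RC4 keys (kvno 3); the host entry is RC4-only (kvno 2)
SAMPLE = (b"\x05\x02"
          + build_entry("SAMDOM.EXAMPLE.COM", ["nslcd-ad"], 18, bytes(32), 3)
          + build_entry("SAMDOM.EXAMPLE.COM", ["nslcd-ad"], 23, bytes(16), 3)
          + build_entry("SAMDOM.EXAMPLE.COM", ["host", "deb11.samdom.example.com"], 23, bytes(16), 2))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.nslcd.keytab", "rb").read())` and compare the principal, kvno and enctype list with what the DC reports; a missing AES key or a stale kvno shows up here, a wrong salt does not.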
Rowland Penny
2022-Jan-28 08:48 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Fri, 2022-01-28 at 09:51 +0300, Alex wrote:
> > If it is of any help, I now have nslcd working on Debian 11 with
> > Samba
> > 4.15.4 , just have to wait until tomorrow to see if kstart renews
> > the
> > ticket.
>
> Thanks Rowland.
>
> My issue is that k5start isn't able to get even the 1st ticket. Do
> you use system's keytab or create a user keytab for this test case?
> Can you show what "net ads keytab list ..." outputs?
>

I didn't even try using k5start to get the initial ticket, but it is working for myself on Debian 11 with Samba 4.15.4

adminuser@deb11:~$ sudo klist -c /tmp/nslcd.tkt
Ticket cache: FILE:/tmp/nslcd.tkt
Default principal: nslcd-ad@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
28/01/22 00:19:54  28/01/22 10:19:54  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
28/01/22 01:17:01  28/01/22 10:19:54  ldap/rpidc1.samdom.example.com@SAMDOM.EXAMPLE.COM

As you can see the ticket was renewed at 00:19:54 this morning and if I check, k5start is running.

adminuser@deb11:~$ ps ax | grep k5start
 149296 ?        Ss     0:00 /usr/bin/k5start -b -p /var/run/nslcd/k5start_nslcd.pid -o nslcd -g nslcd -m 600 -f /etc/krb5.nslcd.keytab -K 60 -u nslcd-ad -k /tmp/nslcd.tkt
 754183 pts/1    S+     0:00 grep k5start

Rowland