Andrew Bartlett
2022-Jan-30 21:25 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Fri, 2022-01-28 at 10:29 +0300, Alex via samba wrote:
> Andrew,
>
> Right after sending you pcaps and emails, I started to look at the
> wiki links Louis sent me yesterday, and I found the "samba-tool
> domain exportkeytab" command, so I went ahead and created a keytab
> for the padl user on the DC. Then I copied that file back to vm-corp and
> tried to get new TGTs via k5start - and that worked!! And it works
> for the old 4.14 Samba! So, that's the solution - thank you all very
> much!
>
> However, if we could triage why the old way of generating a keytab is
> not working anymore, it'd be helpful to better understand what's
> going on under the hood. See below.

It will be the salt: it isn't the same on the server as what you have
specified to the tool creating the keytab.

If the account is a proper computer account in AD (compared to a normal
user that has an SPN) the salt is different, for example.

This will trip more people up as we increasingly work to deprecate RC4
cryptography.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
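Andrew's salt point, as an added worked example (this is not code from the thread, from Samba or from MIT krb5, and the password used is a made-up placeholder). The block derives an aes256-cts-hmac-sha1-96 key from a password exactly as RFC 3962 specifies (PBKDF2-HMAC-SHA1 followed by DK(key, "kerberos"), with a small pure-Python AES so it runs offline) under two salt conventions: the RFC 4120 default salt (realm plus the principal's name components, which is what `ktutil addent -password` uses unless told otherwise) and the MS-KILE 3.1.1.2 salt that Active Directory uses, where a computer account is salted as REALM + "host" + lowercase name + "." + lowercase realm and a user account as REALM + sAMAccountName. The account names are the ones from the thread; the user-account rule here ignores userPrincipalName-based salting, which AD also has and which this example does not model.

```python
"""RFC 3962 AES string-to-key with the two salt conventions that collide in AD.
Added example (stdlib only), not code from Samba, MIT krb5 or the thread.
The AES is encrypt-only and written for clarity, not speed."""
import hashlib

def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _mul(a, b):  # multiplication in GF(2^8) with the AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _sbox_entry(a):  # multiplicative inverse (a^254) followed by the affine map
    inv = 1 if a else 0
    for _ in range(254):
        inv = _mul(inv, a)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]

def _round_keys(key):  # FIPS 197 key expansion for 16- or 32-byte keys
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord for AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def _mix_column(a):
    return [_mul(a[0], 2) ^ _mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _mul(a[1], 2) ^ _mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _mul(a[2], 2) ^ _mul(a[3], 3),
            _mul(a[0], 3) ^ a[1] ^ a[2] ^ _mul(a[3], 2)]

def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block; state index is 4*col+row as in FIPS 197."""
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, len(rk)):
        s = [SBOX[b] for b in s]                                                 # SubBytes
        s = [s[4 * ((c + row) % 4) + row] for c in range(4) for row in range(4)]  # ShiftRows
        if r != len(rk) - 1:                                                      # MixColumns
            s = [v for c in range(4) for v in _mix_column(s[4 * c:4 * c + 4])]
        s = [b ^ k for b, k in zip(s, rk[r])]                                    # AddRoundKey
    return bytes(s)

# n-fold("kerberos", 128) from RFC 3961 appendix A; DK(key, "kerberos") feeds it to AES.
_KERBEROS_NFOLD = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")

def aes_string_to_key(password, salt, keylen=32, iterations=4096):
    """aes256-cts-hmac-sha1-96 (keylen=32) or aes128 (keylen=16) key per RFC 3962."""
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)
    out, block = b"", _KERBEROS_NFOLD
    while len(out) < keylen:  # DR(): CBC-CTS of a single block is one plain AES block
        block = aes_encrypt_block(tkey, block)
        out += block
    return out[:keylen]

def rfc4120_default_salt(principal):
    """RFC 4120 default salt: realm, then the name components with no separators.
    This is what 'ktutil addent -password' uses unless a salt is supplied."""
    name, realm = principal.rsplit("@", 1)
    return realm + name.replace("/", "")

def ad_salt(realm, sam_account_name):
    """MS-KILE 3.1.1.2 salt. Computer accounts (trailing '$'):
    REALM + 'host' + lowercase name + '.' + lowercase realm.
    User accounts: REALM + sAMAccountName. UPN-based salting is not modelled."""
    if sam_account_name.endswith("$"):
        return realm.upper() + "host" + sam_account_name[:-1].lower() + "." + realm.lower()
    return realm.upper() + sam_account_name

def compare_salts(realm, principal, sam_account_name, password):
    """Salt ktutil would pick vs. the DC's salt, and whether the AES-256 keys agree."""
    local, dc = rfc4120_default_salt(principal), ad_salt(realm, sam_account_name)
    same_key = aes_string_to_key(password, local) == aes_string_to_key(password, dc)
    return {"ktutil_salt": local, "ad_salt": dc, "keys_match": same_key}
```

Calling `compare_salts("ABISOFT.BIZ", "padl@ABISOFT.BIZ", "padl", "Placeholder-1")` gives the same salt ("ABISOFT.BIZpadl") on both sides, so a password-derived keytab for the user can only fail if the account has no AES key at all. Calling it with `"host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ"` and `"VM-CORP$"` gives "ABISOFT.BIZhostvm-corp.abisoft.spb.ru" locally but "ABISOFT.BIZhostvm-corp.abisoft.biz" on the DC, so the two AES keys differ and the keytab is silently wrong; `samba-tool domain exportkeytab` sidesteps this by exporting the key the DC actually holds instead of re-deriving it.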
Alex
2022-Jan-31 11:18 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Andrew, Rowland,

>> However, if we could triage why the old way of generating a keytab is
>> not working anymore, it'd be helpful to better understand what's
>> going on under the hood. See below.
>
> It will be the salt, it isn't the same on the server as you have
> specified to your tool creating the keytab.
>
> If the account is a proper computer account in AD (compared to a normal
> user that has an SPN) the salt is different, for example.
>
> This will trip more people up as we increasingly work to deprecate RC4
> cryptography.

I think I managed to find the source of the issue (thanks for the salt idea!).
The padl user was created in 2004 and since then its password has never been
updated. Today I updated its password, and now creating a keytab via ktutil
with AES encryption seems to work:

[root@vm-corp tmp]# ktutil
ktutil:  addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
Password for padl@ABISOFT.BIZ:
ktutil:  wkt ./test.keytab
[root@vm-corp tmp]# klist -k ./test.keytab -e
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 padl@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
[root@vm-corp tmp]# /usr/bin/k5start -f ./test.keytab -L -l 1d -k /tmp/krb5cc_test2 -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
[root@vm-corp tmp]#

Ta-da! :)

One last thing. I decided to try to use the system keytab (/etc/krb5.keytab)
instead of a specially generated user keytab (like above), as Rowland advised
recently, and I can't get it to work:

[root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
Kerberos initialization for host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ' not found in Kerberos database

Samba's log:

[2022/01/31 14:12:51.776200,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ from ipv4:172.26.200.32:54074 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
[2022/01/31 14:12:51.779602,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ: no such entry found in hdb
[2022/01/31 14:12:51.779727,  2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ] at [Mon, 31 Jan 2022 14:12:51.779695 MSK] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:172.26.200.32:54074] mapped to [(null)]\[(null)]. local host [NULL]
  {"timestamp": "2022-01-31T14:12:51.779899+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "a2891bb833e6ef27", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:172.26.200.32:54074", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 3855}}

So, it says there's no such entry in the AD. Let's check:

[root@vm-corp tmp]# KRB5CCNAME=/tmp/krb5cc_nslcd ldapsearch -ZZ -b "cn=vm-corp,cn=Computers,dc=abisoft,dc=biz" | grep host/vm-corp.abisoft.spb.ru
SASL/GSSAPI authentication started
SASL username: padl@ABISOFT.BIZ
SASL SSF: 0
servicePrincipalName: host/vm-corp.abisoft.spb.ru

It's there! Could you please explain why it's not working? What's wrong?

-- 
Best regards,
Alex