Rowland Penny
2022-Jan-31 11:43 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Mon, 2022-01-31 at 14:18 +0300, Alex wrote:
> Andrew, Rowland,
>
> I think I managed to find a source of the issue (thanks for the salt
> idea!). The padl user was created in 2004 and since then its password
> has never been updated. Today I updated its password and now creating
> a keytab via ktutil with AES encryption seems to work:
>
> [root at vm-corp tmp]# ktutil
> ktutil: addent -password -p padl at ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
> Password for padl at ABISOFT.BIZ:
> ktutil: wkt ./test.keytab
>
> [root at vm-corp tmp]# klist -k ./test.keytab -e
> Keytab name: FILE:./test.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 padl at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>
> [root at vm-corp tmp]# /usr/bin/k5start -f ./test.keytab -L -l 1d -k /tmp/krb5cc_test2 -U -o nslcd
> Kerberos initialization for padl at ABISOFT.BIZ
> [root at vm-corp tmp]#
>
> Ta-da! :)
>
> One last thing. I decided to try to use a system keytab
> (/etc/krb5.keytab) instead of a specially generated user keytab (like
> above) like Rowland advised recently, and I can't get it to work:
> [root at vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru

You could use /etc/krb5.keytab, but you would have to add the required
principal to it. I also have never run the above command, it just works
for myself:

adminuser at deb11:~$ sudo klist -c /tmp/nslcd.tkt
Ticket cache: FILE:/tmp/nslcd.tkt
Default principal: nslcd-ad at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
31/01/22 09:20:04  31/01/22 19:20:04  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
31/01/22 10:17:01  31/01/22 19:20:04  ldap/rpidc1.samdom.example.com at SAMDOM.EXAMPLE.COM

adminuser at deb11:~$ getent passwd rowland
rowland:*:10000:513:Rowland Penny::/bin/bash

Rowland
Alex
2022-Jan-31 11:55 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>> One last thing. I decided to try to use a system keytab
>> (/etc/krb5.keytab) instead of a specially generated user keytab (like
>> above) like Rowland advised recently, and I can't get it to work:
>> [root at vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
>
> You could use /etc/krb5.keytab, but you would have to add the required
> principal to it. I also have never run the above command, it just works
> for myself:

I forgot to list keys from the system keytab, sorry. Here they are:

[root at vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-corp.abisoft.spb.ru
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (des-cbc-crc)
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (des-cbc-md5)
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (arcfour-hmac)

So, the principal is there.

> adminuser at deb11:~$ sudo klist -c /tmp/nslcd.tkt
> Ticket cache: FILE:/tmp/nslcd.tkt
> Default principal: nslcd-ad at SAMDOM.EXAMPLE.COM

How did you obtain the ticket in the cache?

I've tried to create the keytab via exportkeytab on the DC and that also doesn't work:

[root at vm-dc4 var]# samba-tool domain exportkeytab vm-corp.keytab --principal=host/vm-corp.abisoft.spb.ru
...
Export one principal to vm-corp.keytab
Unsupported keytype ignored - type 3
Unsupported keytype ignored - type 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ) with encryption type (18) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0011
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [18] for principal: host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ) with encryption type (17) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [18] for principal: host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [17] for principal: host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ) with encryption type (23) and version (2)

[root at vm-dc4 var]# klist -k vm-corp.keytab -e
Keytab name: FILE:vm-corp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (DEPRECATED:arcfour-hmac)

[root at vm-dc4 var]# scp vm-corp.keytab vm-corp:/tmp
Password:
vm-corp.keytab                                100%  276    11.7KB/s   00:00

[root at vm-corp tmp]# /usr/bin/k5start -f ./vm-corp.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
Kerberos initialization for host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ' not found in Kerberos database

Samba log entry is the same:

[2022/01/31 14:54:31.830366,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ: no such entry found in hdb

Any ideas?

--
Best regards,
Alex
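As an added example (not code from this thread or from the Samba project), a small Python audit over `klist -k -e` output that flags the DES/RC4 keys visible in the listings above and any principal whose newest kvno has no AES key at all, which is the state the never-changed `padl` password left that account in. The sample listing is constructed from the thread's output with real `@` separators; the `padl` line is an assumed stand-in for the pre-password-change keytab.

```python
import re
from collections import defaultdict

# Enctypes MIT Kerberos and Samba now deprecate or refuse outright
# (exportkeytab skipped DES above as "Unsupported keytype ... type 1/3").
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}
# The AES enctypes that appear in this thread's listings.
AES_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# One entry line of `klist -k -e`; newer klist prefixes "DEPRECATED:".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -k -e` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header lines ("Keytab name:", "KVNO Principal") do not match
            kvno, principal, enctype = m.groups()
            keys[principal][int(kvno)].add(enctype)
    return keys

def audit(text):
    """Return {principal: [findings]} for the newest kvno of each principal."""
    report = {}
    for principal, by_kvno in parse_klist(text).items():
        latest = max(by_kvno)
        enctypes = by_kvno[latest]
        findings = []
        weak = sorted(enctypes & WEAK_ENCTYPES)
        if weak:
            findings.append("weak enctypes at kvno %d: %s" % (latest, ", ".join(weak)))
        if not enctypes & AES_ENCTYPES:
            findings.append("no AES key at kvno %d (password predates AES, or "
                            "keytab written without an aes enctype)" % latest)
        report[principal] = findings
    return report

# Constructed sample modelled on the listings in this thread; the padl line
# is assumed and stands in for the pre-password-change state (RC4 only).
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (DEPRECATED:arcfour-hmac)
   1 padl@ABISOFT.BIZ (arcfour-hmac)
"""
```

Pipe a real listing in with `audit(subprocess.run(["klist", "-k", "-e", path], capture_output=True, text=True).stdout)`; an empty findings list means the principal's newest key set is AES-only.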