Alex
2022-Jan-31 11:55 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>> One last thing. I decided to try to use a system keytab
>> (/etc/krb5.keytab) instead of a specially generated user keytab (like
>> above) like Rowland advised recently, and I can't get it to work:
>> [root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k
>> /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
> You could use /etc/krb5.keytab, but you would have to add the required
> principal to it. I also have never run the above command, it just works
> for myself:

I forgot to list keys from the system keytab, sorry. Here they are:

[root@vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-corp.abisoft.spb.ru
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (arcfour-hmac)

So, the principal is there.

> adminuser@deb11:~$ sudo klist -c /tmp/nslcd.tkt
> Ticket cache: FILE:/tmp/nslcd.tkt
> Default principal: nslcd-ad@SAMDOM.EXAMPLE.COM

How did you obtain the ticket in the cache?

I've tried to create the keytab via exportkeytab on the DC and that also doesn't work:

[root@vm-dc4 var]# samba-tool domain exportkeytab vm-corp.keytab --principal=host/vm-corp.abisoft.spb.ru
...
Export one principal to vm-corp.keytab
Unsupported keytype ignored - type 3
Unsupported keytype ignored - type 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ) with encryption type (18) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0011
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [18] for principal: host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ) with encryption type (17) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [18] for principal: host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [17] for principal: host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ) with encryption type (23) and version (2)

[root@vm-dc4 var]# klist -k vm-corp.keytab -e
Keytab name: FILE:vm-corp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (DEPRECATED:arcfour-hmac)

[root@vm-dc4 var]# scp vm-corp.keytab vm-corp:/tmp
Password:
vm-corp.keytab                                100%  276    11.7KB/s   00:00

[root@vm-corp tmp]# /usr/bin/k5start -f ./vm-corp.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
Kerberos initialization for host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ' not found in Kerberos database

Samba log entry is the same:

[2022/01/31 14:54:31.830366,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ: no such entry found in hdb

Any ideas?

--
Best regards,
Alex
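A small checker, added here and not part of the thread, that parses `klist -k -e` listings like the two posted above and reports whether the wanted principal is present, which of its keys use deprecated enctypes (the DES and arcfour entries in /etc/krb5.keytab are a real finding), and whether its kvnos agree. The sample listings are constructed from the output in the message; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Enctypes deprecated by RFC 6649 / RFC 8429; a keytab on a current domain should not carry them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5"}

# One entry line of `klist -k -e`: "<kvno> <principal> (<enctype>)".
# MIT tags deprecated types as "(DEPRECATED:arcfour-hmac)"; the tag is stripped here.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)\s*$")


@dataclass
class KeytabReport:
    entries: dict = field(default_factory=dict)    # principal -> {enctype: kvno}
    weak: list = field(default_factory=list)       # (principal, enctype) pairs
    mixed_kvno: list = field(default_factory=list) # principals whose keys disagree on kvno
    present: bool = False                          # required principal found at all?


def parse_klist(text):
    """Parse `klist -k -e` output; header, separator and 'Keytab name:' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(principal, {})[enctype] = kvno
    return entries


def audit_keytab(text, required_principal):
    """Check a listing for the required principal, weak enctypes and inconsistent kvnos."""
    rep = KeytabReport(entries=parse_klist(text))
    for principal, keys in rep.entries.items():
        rep.weak.extend((principal, e) for e in keys if e in WEAK_ENCTYPES)
        if len(set(keys.values())) > 1:
            rep.mixed_kvno.append(principal)
    rep.present = required_principal in rep.entries
    return rep


# Constructed from the listings in the thread (system keytab, then the exportkeytab result).
SYSTEM_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (arcfour-hmac)
"""
EXPORTED_KEYTAB = """   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (DEPRECATED:arcfour-hmac)
"""

if __name__ == "__main__":
    for name, text in (("system", SYSTEM_KEYTAB), ("exported", EXPORTED_KEYTAB)):
        r = audit_keytab(text, "host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ")
        print(name, "present:", r.present, "weak:", r.weak, "mixed kvno:", r.mixed_kvno)
```

The audit only covers the client side: the `not found in Kerberos database` / `no such entry found in hdb` errors above come from the KDC, so a clean keytab does not by itself rule them out.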
Rowland Penny
2022-Jan-31 12:06 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Mon, 2022-01-31 at 14:55 +0300, Alex wrote:
> > > One last thing. I decided to try to use a system keytab
> > > (/etc/krb5.keytab) instead of a specially generated user keytab
> > > (like above) like Rowland advised recently, and I can't get it to work:
> > > [root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k
> > > /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
> > You could use /etc/krb5.keytab, but you would have to add the
> > required principal to it. I also have never run the above command,
> > it just works for myself:
>
> I forgot to list keys from the system keytab, sorry. Here they are:
>
> [root@vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-corp.abisoft.spb.ru
>    2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
>    2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
>    2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (arcfour-hmac)
>
> So, the principal is there.
>
> > adminuser@deb11:~$ sudo klist -c /tmp/nslcd.tkt
> > Ticket cache: FILE:/tmp/nslcd.tkt
> > Default principal: nslcd-ad@SAMDOM.EXAMPLE.COM
>
> How did you obtain the ticket in the cache?

Try reading this: https://wiki.samba.org/index.php/Nslcd

I have it working in a VM, running Debian 11.

If you are trying to add the 'host/fqdn' principal to a keytab, then there isn't much point, it is in the standard /etc/krb5.keytab.

Rowland