thr3ads.net - samba - [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable [Jan 2022]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2022-Jan-31 12:06 UTC

[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

On Mon, 2022-01-31 at 14:55 +0300, Alex wrote:> > > One last thing. I decided to try to use a system keytab
> > > (/etc/krb5.keytab) instead of a specially generated user keytab
> > > (like
> > > above) like Rowland advised recently, and I can't get it to
work:
> > > [root at vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l
1d
> > > -k
> > > /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
> > You could use /etc/krb5.keytab, but you would have to add the
> > required
> > principal to it. I also have never run the above command, it just
> > works
> > for myself:
> 
> I forgot to list keys from the system keytab, sorry. Here they are:
> [root at vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-
> corp.abisoft.spb.ru
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (des-cbc-crc)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (des-cbc-md5)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes128-cts-hmac-sha1-
> 96)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (aes256-cts-hmac-sha1-
> 96)
>    2 host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ (arcfour-hmac)
> 
> So, the principal is there.
> 
> > adminuser at deb11:~$ sudo klist -c /tmp/nslcd.tkt 
> > Ticket cache: FILE:/tmp/nslcd.tkt
> > Default principal: nslcd-ad at SAMDOM.EXAMPLE.COM
> 
> How did you obtain the ticket in the cache? 
Try reading this:
https://wiki.samba.org/index.php/Nslcd

I have it working in a VM, running Debian 11
If you are trying to add the 'host/fqdn' principal to a keytab, then
there isn't much point, it is in the standard /etc/krb5.keytab

Rowland

Alex

2022-Jan-31 14:05 UTC

head link

[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Rowland,
>> 
>> How did you obtain the ticket in the cache? 
> Try reading this:
> https://wiki.samba.org/index.php/Nslcd
I did read it.
> I have it working in a VM, running Debian 11
> If you are trying to add the 'host/fqdn' principal to a keytab,
then
> there isn't much point, it is in the standard /etc/krb5.keytab
I don't quite understand, sorry. Here's an example of joining a fresh
Centos 7 VM to the AD domain:
[root at testad ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- ABISOFT
Joined 'TESTAD' to dns domain 'abisoft.biz'

[root at testad etc]# klist -k /etc/krb5.keytab -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-crc)
   1 host/TESTAD at ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-md5)
   1 host/TESTAD at ABISOFT.BIZ (des-cbc-md5)
   1 host/testad.abisoft.biz at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/TESTAD at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/TESTAD at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz at ABISOFT.BIZ (arcfour-hmac)
   1 host/TESTAD at ABISOFT.BIZ (arcfour-hmac)
   1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-crc)
   1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (des-cbc-crc)
   1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-md5)
   1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (des-cbc-md5)
   1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ
(aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ
(aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (arcfour-hmac)
   1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (des-cbc-crc)
   1 TESTAD$@ABISOFT.BIZ (des-cbc-md5)
   1 TESTAD$@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)

[root at testad ~]# /usr/bin/k5start -f /etc/krb5.keytab -l 1d -o nslcd -U -k
./krb5cc_test
Kerberos initialization for host/testad.abisoft.biz at ABISOFT.BIZ
k5start: error getting credentials: Client 'host/testad.abisoft.biz at
ABISOFT.BIZ' not found in Kerberos database

Samba log:
[2022/01/31 17:02:43.178888,  3]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/testad.abisoft.biz at ABISOFT.BIZ: no such entry
found in hdb

[root at vm-corp tmp]# KRB5CCNAME=/tmp/krb5cc_nslcd ldapsearch -ZZ -b
"cn=testad,CN=Computers,DC=abisoft,DC=biz"
dn: CN=TESTAD,CN=Computers,DC=abisoft,DC=biz
...
sAMAccountName: TESTAD$
sAMAccountType: 805306369
dNSHostName: testad.abisoft.biz
servicePrincipalName: HOST/TESTAD.abisoft.biz
servicePrincipalName: RestrictedKrbHost/TESTAD.abisoft.biz
servicePrincipalName: HOST/TESTAD
servicePrincipalName: RestrictedKrbHost/TESTAD
...

So, the entry exists in host's keytab as well as in the AD.

What's wrong here?

-- 
Best regards,
Alex

samba - Jan 2022 - Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable