Rowland Penny
2022-Jan-31 12:06 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Mon, 2022-01-31 at 14:55 +0300, Alex wrote:
> > > One last thing. I decided to try to use a system keytab
> > > (/etc/krb5.keytab) instead of a specially generated user keytab (like
> > > above) like Rowland advised recently, and I can't get it to work:
> > > [root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k
> > > /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
> >
> > You could use /etc/krb5.keytab, but you would have to add the required
> > principal to it. I also have never run the above command, it just works
> > for myself:
> >
> I forgot to list keys from the system keytab, sorry. Here they are:
> [root@vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-corp.abisoft.spb.ru
> 2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
> 2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
> 2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
> 2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (arcfour-hmac)
>
> So, the principal is there.
>
> > adminuser@deb11:~$ sudo klist -c /tmp/nslcd.tkt
> > Ticket cache: FILE:/tmp/nslcd.tkt
> > Default principal: nslcd-ad@SAMDOM.EXAMPLE.COM
>
> How did you obtain the ticket in the cache?

Try reading this: https://wiki.samba.org/index.php/Nslcd

I have it working in a VM, running Debian 11

If you are trying to add the 'host/fqdn' principal to a keytab, then
there isn't much point, it is in the standard /etc/krb5.keytab

Rowland
Alex
2022-Jan-31 14:05 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Rowland,

> > How did you obtain the ticket in the cache?
> Try reading this:
> https://wiki.samba.org/index.php/Nslcd

I did read it.

> I have it working in a VM, running Debian 11
> If you are trying to add the 'host/fqdn' principal to a keytab, then
> there isn't much point, it is in the standard /etc/krb5.keytab

I don't quite understand, sorry. Here's an example of joining a fresh
CentOS 7 VM to the AD domain:

[root@testad ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- ABISOFT
Joined 'TESTAD' to dns domain 'abisoft.biz'

[root@testad etc]# klist -k /etc/krb5.keytab -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-md5)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
   1 host/TESTAD@ABISOFT.BIZ (arcfour-hmac)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (des-cbc-crc)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (des-cbc-md5)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (des-cbc-crc)
   1 TESTAD$@ABISOFT.BIZ (des-cbc-md5)
   1 TESTAD$@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)

[root@testad ~]# /usr/bin/k5start -f /etc/krb5.keytab -l 1d -o nslcd -U -k ./krb5cc_test
Kerberos initialization for host/testad.abisoft.biz@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/testad.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database

Samba log:

[2022/01/31 17:02:43.178888,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/testad.abisoft.biz@ABISOFT.BIZ: no such entry found in hdb

[root@vm-corp tmp]# KRB5CCNAME=/tmp/krb5cc_nslcd ldapsearch -ZZ -b "cn=testad,CN=Computers,DC=abisoft,DC=biz"
dn: CN=TESTAD,CN=Computers,DC=abisoft,DC=biz
...
sAMAccountName: TESTAD$
sAMAccountType: 805306369
dNSHostName: testad.abisoft.biz
servicePrincipalName: HOST/TESTAD.abisoft.biz
servicePrincipalName: RestrictedKrbHost/TESTAD.abisoft.biz
servicePrincipalName: HOST/TESTAD
servicePrincipalName: RestrictedKrbHost/TESTAD
...

So, the entry exists in host's keytab as well as in the AD. What's wrong here?

--
Best regards,
Alex
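As an added example that is not part of this thread (the commands quoted above are Alex's and Rowland's own), here is a small POSIX shell triage for the situation Alex describes: it parses a `klist -k -e` listing, separates "the principal has no key in the keytab" from the KDC-side "not found in Kerberos database" answer, and flags the single-DES and RC4 keys the join left in the keytab. The sample listing, function names and the preauthentication error string are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a `klist -k -e` listing.
# A key in the keytab only proves the client side; "not found in Kerberos
# database" is the KDC's answer (KDC_ERR_C_PRINCIPAL_UNKNOWN), so check them apart.

# Constructed sample listing, abridged from the shape of the one in the thread.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)'

# keytab_enctypes LISTING PRINCIPAL: print the enctypes stored for PRINCIPAL,
# one per line; exit status 1 when the principal has no key in the keytab.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p { gsub(/[()]/, "", $3); print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# weak_keys LISTING: principals that still hold single-DES or RC4 keys, the
# entries a hardening pass removes (or whose enctypes the KDC should refuse).
weak_keys() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^\((des-cbc-crc|des-cbc-md5|arcfour-hmac)\)$/ { print $2, $3 }'
}

# classify_failure LISTING PRINCIPAL ERRTEXT: name the side that rejected the
# AS-REQ, given the kinit/k5start error text.
classify_failure() {
    if ! keytab_enctypes "$1" "$2" >/dev/null; then
        echo client-keytab-missing-key
    elif printf '%s' "$3" | grep -q 'not found in Kerberos database'; then
        echo kdc-no-such-client   # keytab is fine; KDC has no account by that name
    elif printf '%s' "$3" | grep -qi 'preauthentication failed'; then
        echo key-mismatch         # both sides know the name; key or KVNO differs
    else
        echo other
    fi
}

# Stand-alone run on the constructed listing and the error text from the thread.
keytab_enctypes "$SAMPLE_LISTING" 'host/testad.abisoft.biz@ABISOFT.BIZ'
weak_keys "$SAMPLE_LISTING"
classify_failure "$SAMPLE_LISTING" 'host/testad.abisoft.biz@ABISOFT.BIZ' \
    "k5start: error getting credentials: Client 'host/testad.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database"
```

On a real host, replace `SAMPLE_LISTING` with `$(klist -k /etc/krb5.keytab -e)` and the error text with what `kinit -k -t /etc/krb5.keytab PRINCIPAL` prints.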