Rowland Penny
2022-Jan-31 14:18 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On Mon, 2022-01-31 at 17:05 +0300, Alex wrote:
> Rowland,
>
> > > How did you obtain the ticket in the cache?
> > Try reading this:
> > https://wiki.samba.org/index.php/Nslcd
>
> I did read it.

Please read it again.

> > > I have it working in a VM, running Debian 11
> > If you are trying to add the 'host/fqdn' principal to a keytab,
> > then there isn't much point, it is in the standard /etc/krb5.keytab
>
> I don't quite understand, sorry. Here's an example of joining a fresh
> Centos 7 VM to the AD domain:
> [root@testad ~]# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- ABISOFT
> Joined 'TESTAD' to dns domain 'abisoft.biz'
>
> [root@testad etc]# klist -k /etc/krb5.keytab -e
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)

As you can see, 'host/fqdn' is in the standard keytab.

> 1 host/TESTAD@ABISOFT.BIZ (des-cbc-crc)
> 1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
> 1 host/TESTAD@ABISOFT.BIZ (des-cbc-md5)
> 1 host/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
> 1 host/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
> 1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 1 host/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 1 host/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
> 1 host/TESTAD@ABISOFT.BIZ (arcfour-hmac)
> 1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
> 1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (des-cbc-crc)
> 1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
> 1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (des-cbc-md5)
> 1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
> 1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
> 1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
> 1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (arcfour-hmac)
> 1 TESTAD$@ABISOFT.BIZ (des-cbc-crc)
> 1 TESTAD$@ABISOFT.BIZ (des-cbc-md5)
> 1 TESTAD$@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
> 1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)
>
> [root@testad ~]# /usr/bin/k5start -f /etc/krb5.keytab -l 1d -o nslcd
> -U -k ./krb5cc_test

Please stop doing that, I have never run that command and nslcd works
for myself, mind you I do not use the host's ticket.

Let me try and break my test setup by trying to use the host ticket.

Rowland
Alex
2022-Jan-31 14:30 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>> > Try reading this:
>> > https://wiki.samba.org/index.php/Nslcd
>>
>> I did read it.
> Please read it again.

OK..

>> [root@testad etc]# klist -k /etc/krb5.keytab -e
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
> As you can see, 'host/fqdn' is in the standard keytab.

Exactly. It was auto-created when the testad VM joined the AD.

>> [root@testad ~]# /usr/bin/k5start -f /etc/krb5.keytab -l 1d -o nslcd
>> -U -k ./krb5cc_test
> Please stop doing that, I have never run that command and nslcd works
> for myself, mind you I do not use the host's ticket.

Why?? nslcd in Centos does not have an /etc/default/nslcd file with all that keytab stuff set up (which is perfectly outlined in your wiki article). So, I have to somehow generate a kerberos cache file which nslcd will be able to use.

> Let me try and break my test setup by trying to use the host ticket.

Thanks!

-- 
Best regards,
Alex
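Both messages above turn on what `klist -k /etc/krb5.keytab -e` shows: whether the `host/fqdn` principal the join created is present, and under which encryption types. The script below is an added example, not code from the thread or from Samba; it parses a constructed copy of that `klist` output (same principal names as the thread, with the archive's " at " restored to "@"), checks that a wanted principal exists, lists its enctypes, and flags keys that use deprecated enctypes. The `SAMPLE_KLIST` text, the function names and the choice of what counts as a weak enctype (single DES, triple DES, RC4) are all assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab -e` output, modelled on
# the listing in the thread (not a capture from any real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-md5)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
   1 host/TESTAD@ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)'

# keytab_has_principal <klist-output> <principal>
# Exit 0 if the principal has at least one key in the listing, else 1.
# The first three lines of klist output are headers and are skipped.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NR > 3 && $2 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_enctypes <klist-output> <principal>
# Print the distinct enctypes stored for the principal, one per line.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NR > 3 && $2 == p {
            e = $3; gsub(/[()]/, "", e)
            if (!(e in seen)) { seen[e] = 1; print e }
        }'
}

# keytab_weak_enctypes <klist-output>
# Print "principal enctype" for every key whose enctype is deprecated
# (single DES, triple DES or RC4). Their presence in a keytab means a
# client or KDC could still be talked into using them; a hardened
# domain has only the aes*-cts-hmac-sha1-96 entries.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk '
        NR > 3 {
            e = $3; gsub(/[()]/, "", e)
            if (e ~ /^des-cbc-/ || e ~ /^des3-/ || e ~ /^arcfour-hmac/) print $2, e
        }'
}

# Demonstration on the constructed sample. On a real host, replace
# "$SAMPLE_KLIST" with "$(klist -k /etc/krb5.keytab -e)".
WANTED='host/testad.abisoft.biz@ABISOFT.BIZ'
if keytab_has_principal "$SAMPLE_KLIST" "$WANTED"; then
    printf 'found %s with enctypes:\n' "$WANTED"
    keytab_enctypes "$SAMPLE_KLIST" "$WANTED" | sed 's/^/  /'
else
    printf 'missing %s\n' "$WANTED"
fi
printf 'keys using deprecated enctypes:\n'
keytab_weak_enctypes "$SAMPLE_KLIST" | sed 's/^/  /'
```

Run against a real keytab, the first check answers Rowland's point directly (the `host/fqdn` principal is already there after `net ads join`, so nothing needs adding), and the last one shows whether the DES and RC4 keys seen in the thread's listing are still being issued for the machine account.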