Alex
2022-Jan-26 12:22 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hello Stefan,

Thanks for your reply!

The permissions are correct and they didn't change during the Samba upgrade:
[root@vm-corp etc]# ls -l /usr/local/etc/padl.keytab
-rw------- 1 root root 60 Jan 26 11:06 /usr/local/etc/padl.keytab

The user does have a password.

How to disable preauth?

> I only know this error message from openldap together with kerberos.
> There it means: Either the permission of the keytab file is wrong or the
> user has no password set. Because you have preauth active, the user must
> have a password; without a password preauth fails. Can you disable
> preauth? Just for testing, or if the user has no password, set a random
> password and try again.

> On 26.01.22 at 11:35 Alex via samba wrote:
>> Hello,
>>
>> There're two DCs backed by Samba (vm-dc3 and vm-dc4). I have a special AD user - padl - to provide SSO capability to corporate services (like apache, for example). Using this account I generated a keytab file which is used by other services:
>> # ktutil
>> addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
>> Password:
>> wkt /usr/local/etc/padl.keytab
>>
>> Based on this keytab, the k5start daemon generates and updates a Kerberos TGT:
>> ExecStart=/usr/bin/k5start -f ${KEYTAB} -b -a -K 120 -L -l 1d -k /tmp/krb5cc_%i -U -o %i -p /var/run/k5start_%i.pid
>>
>> Hence, for example, nslcd has these config options set:
>> sasl_mech GSSAPI
>> krb5_ccname /tmp/krb5cc_nslcd
>>
>> Everything worked well until I upgraded Samba from 4.14 to 4.15. The new Samba has stopped authenticating the padl user from the keytab file (password authentication still works well).
>>
>> Here is how it looks when I restart the k5start daemon to re-get the TGT on one of the corporate servers:
>> [root@vm-corp etc]# systemctl restart k5start@nslcd.service
>>
>> Good:
>> [root@vm-dc4 var]# samba -V
>> Version 4.14.11
>> [root@vm-dc4 var]# tail -f log.samba | grep padl
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49197 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:44742 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: ENC-TS Pre-authentication succeeded -- padl@ABISOFT.BIZ using arcfour-hmac-md5
>> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[padl@ABISOFT.BIZ] at [Wed, 26 Jan 2022 12:27:57.383462 MSK] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.26.200.32:44742] became [ABISOFT]\[padl] [S-1-5-21-3729968760-1240331958-298020672-1205]. local host [NULL]
>> {"timestamp": "2022-01-26T12:27:57.383593+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "9d14d44263a13476", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.26.200.32:44742", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "padl@ABISOFT.BIZ", "workstation": null, "becameAccount": "padl", "becameDomain": "ABISOFT", "becameSid": "S-1-5-21-3729968760-1240331958-298020672-1205", "mappedAccount": "padl", "mappedDomain": "ABISOFT", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 6872}}
>> authsam_account_ok: Checking SMB password for user padl@ABISOFT.BIZ
>> logon_hours_ok: No hours restrictions for user padl@ABISOFT.BIZ
>> DSDB Change [Modify] at [Wed, 26 Jan 2022 12:27:57.388268 MSK] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=padl,CN=Users,DC=abisoft,DC=biz] attributes [replace: lastLogon [132876628773839510] replace: logonCount [18445]]
>> {"timestamp": "2022-01-26T12:27:57.388513+0300", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=padl,CN=Users,DC=abisoft,DC=biz", "transactionId": "303b11dc-52d2-411b-8dc1-c2a1079c46f8", "sessionId": "84b8f2a0-4e9c-4696-bbb6-4a5df8d8de8c", "attributes": {"lastLogon": {"actions": [{"action": "replace", "values": [{"value": "132876628773839510"}]}]}, "logonCount": {"actions": [{"action": "replace", "values": [{"value": "18445"}]}]}}}}
>>
>> Bad:
>> [root@vm-dc4 samba]# samba -V
>> Version 4.15.4
>> [root@vm-dc4 var]# tail -f log.samba | grep padl
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49563 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:42889 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:41471 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:40522 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>> Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:51879 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>> Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>> Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>>
>> Any ideas what's going on and how to get that fixed? I've downgraded back to 4.14 so far, but that's just a temporary workaround.
>>
>> Please, help!
>>
-- 
Best regards, Alex
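The "good" and "bad" log excerpts above differ only in whether the second AS-REQ ever carries ENC-TS data. As an added example (not part of the thread), this script triages Samba KDC log lines of that shape per principal and flags clients that keep sending AS-REQs without ever completing pre-authentication. The log text is constructed in the thread's format; "svc-web" is a made-up principal.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Samba KDC log lines quoted in the
# thread; "svc-web" is a made-up principal added to show the failing pattern.
SAMPLE_LOG = """\
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49197 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:44742 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: ENC-TS Pre-authentication succeeded -- padl@ABISOFT.BIZ using arcfour-hmac-md5
Kerberos: AS-REQ svc-web@ABISOFT.BIZ from ipv4:172.26.200.40:40522 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- svc-web@ABISOFT.BIZ
Kerberos: AS-REQ svc-web@ABISOFT.BIZ from ipv4:172.26.200.40:40523 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- svc-web@ABISOFT.BIZ
Kerberos: AS-REQ svc-web@ABISOFT.BIZ from ipv4:172.26.200.40:40524 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- svc-web@ABISOFT.BIZ
"""

AS_REQ = re.compile(r"AS-REQ (\S+) from (\S+) for ")
PREAUTH_REQUIRED = re.compile(r"returning PREAUTH-REQUIRED -- (\S+)")
SUCCEEDED = re.compile(r"Pre-authentication succeeded -- (\S+) using (\S+)")

def summarize(log_text):
    """Per-principal counts of AS-REQs, PREAUTH-REQUIRED replies and successes."""
    stats = defaultdict(lambda: {"as_req": 0, "preauth_required": 0,
                                 "succeeded": 0, "enctypes": set(), "sources": set()})
    for line in log_text.splitlines():
        if m := AS_REQ.search(line):
            stats[m.group(1)]["as_req"] += 1
            stats[m.group(1)]["sources"].add(m.group(2).rsplit(":", 1)[0])  # drop port
        elif m := PREAUTH_REQUIRED.search(line):
            stats[m.group(1)]["preauth_required"] += 1
        elif m := SUCCEEDED.search(line):
            stats[m.group(1)]["succeeded"] += 1
            stats[m.group(1)]["enctypes"].add(m.group(2))
    return dict(stats)

def never_preauthenticated(stats, min_requests=3):
    """Principals whose clients keep sending AS-REQs without ever supplying
    usable pre-auth data. One PREAUTH-REQUIRED per success is the normal
    two-step exchange; a run of them with no success is the 4.15 symptom."""
    return sorted(p for p, s in stats.items()
                  if s["as_req"] >= min_requests and s["succeeded"] == 0)
```

Run it over `tail log.samba` output on the DC; the `sources` set also tells you which client host is looping.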
Stefan Kania
2022-Jan-26 20:00 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
On 26.01.22 at 13:22 Alex wrote:
> Hello Stefan,
>
> Thanks for your reply!
>
> The permissions are correct and they didn't change during the Samba upgrade:
> [root@vm-corp etc]# ls -l /usr/local/etc/padl.keytab
> -rw------- 1 root root 60 Jan 26 11:06 /usr/local/etc/padl.keytab

I just set up a new Debian 11 with k5start together with OpenLDAP and I also had the permissions set to "600 root root" and it did not work. With the new version of k5start you must set the owner to the user who should use the keytab, so in your setup it should belong to padl; 600 as permission is required, but you already have it set to 600. As I told you before, I only use it with OpenLDAP together with MIT Kerberos, and there you disable preauth on the Kerberos server in kdc.conf; I never did it on a Samba DC. So that's what I would check next.

>
> The user does have a password.
>
> How to disable preauth?
>
>> I only know this error message from openldap together with kerberos.
>> There it means: Either the permission of the keytab file is wrong or the
>> user has no password set. Because you have preauth active, the user must
>> have a password; without a password preauth fails. Can you disable
>> preauth? Just for testing, or if the user has no password, set a random
>> password and try again.
>

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download the root certificates: https://www.dgn.de/dgncert/downloads.html
Andrew Bartlett
2022-Feb-01 00:00 UTC
[Samba] Advice regarding pre-authentication (was: Re: Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable)
On Wed, 2022-01-26 at 21:00 +0100, Stefan Kania via samba wrote:
> As I told you before, I only use it with OpenLDAP together with
> MIT Kerberos, and there you disable preauth on the Kerberos server in
> kdc.conf; I never did it on a Samba DC.

Just looping back on this.

NEVER disable pre-authentication.

While for a service account with a strong random password it won't make a difference (the value protected by pre-authentication is just the same as the one tickets are encrypted to), this is a bad idea otherwise.

Pre-authentication prevents offline password guessing attacks against a user's account, and should not be disabled.

I make a point of this as Samba lore is strong, and ideas get copied around without full context and understanding of the consequences.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
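Andrew's advice above turned into a check, as an added example that is not from the thread: on AD and Samba AD a per-account pre-authentication waiver is recorded as the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl, so this script parses LDIF-style directory output and reports every account carrying that bit, with the corrected value an admin would write back. The LDIF, account names and values are constructed for the example.

```python
# Added example (not from the thread): audit directory entries for the
# userAccountControl bit that waives Kerberos pre-authentication.
UF_ACCOUNTDISABLE = 0x0002          # account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # DONT_REQ_PREAUTH

# Constructed LDIF in the shape of ldbsearch/samba-tool output; accounts and
# values are made up. 66048 = 0x10200 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD),
# 4260352 = 0x410200 (same plus DONT_REQ_PREAUTH), 4194818 = 0x400202
# (NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH).
SAMPLE_LDIF = """\
dn: CN=padl,CN=Users,DC=example,DC=test
sAMAccountName: padl
userAccountControl: 66048

dn: CN=legacy-app,CN=Users,DC=example,DC=test
sAMAccountName: legacy-app
userAccountControl: 4260352

dn: CN=old-svc,CN=Users,DC=example,DC=test
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def audit_preauth(text):
    """Return (sAMAccountName, enabled, corrected_uac) for each account that
    has DONT_REQ_PREAUTH set; corrected_uac is the value with the bit cleared."""
    findings = []
    for e in parse_ldif(text):
        uac = int(e.get("userAccountControl", "0"))
        if uac & UF_DONT_REQUIRE_PREAUTH:
            enabled = not (uac & UF_ACCOUNTDISABLE)
            findings.append((e["sAMAccountName"], enabled, uac & ~UF_DONT_REQUIRE_PREAUTH))
    return findings
```

Enabled hits are the ones to fix first; a disabled account with the bit set still deserves cleanup before anyone re-enables it.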