Mateo Duffour
2022-Apr-07 15:39 UTC
[Samba] Samba AD DC on a trust relationship with IdM - kpasswd not working porperly
Hi, We've updated our Samba server version to 4.16.0 and we're getting this error now (when trying to login with any user): Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/ADTEST.xxx.xxx.xx at IDMPRU.xxx.xxx.xx not found in Kerberos database Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/ADTEST.xxx.xxx.xx at IDMPRU.xxx.xxx.xx not found in Kerberos database Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=usu7 at adtest.xxx.xxx.xx Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): received for user usu7 at adtest.xxx.xxx.xx: 4 (System error) Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: Authentication failure for usu7 at adtest.xxx.xxx.xx from 10.9.9.4 Any help is appreciated, regards. Lic. Mateo Duffour Unidad Inform?tica 2901.40.91 [ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay | 18 de julio 985 - Piso 3, Montevideo, Uruguay ] [ http://www.fnr.gub.uy/ | ] No me imprimas si no es necesario. Protejamos el medio ambiente. Este mensaje y la informaci?n adjunta al mismo est? dirigido exclusivamente a su destinatario. Puede contener informaci?n confidencial, privilegiada o de uso restringido, protegida por las normas. Si Ud. recibi? este e-mail por error, por favor, s?rvase notificarle a quien se lo envi? y borrar el original. Cualquier otro uso del e-mail por Ud. est? prohibido. From: "Denis CARDON" <dcardon at tranquil.it> To: "Mateo Duffour" <mduffour at fnr.gub.uy>, "samba" <samba at lists.samba.org> Cc: "Juan Andr?s Ghigliazza" <aghigliazza at fnr.gub.uy> Sent: Wednesday, 30 March, 2022 13:05:10 Subject: Re: [Samba] Samba AD DC on a trust relationship with IdM - kpasswd not working porperly Hi Mateo, Le 30/03/2022 ? 16:51, Mateo Duffour via samba a ?crit : From: "Mateo Duffour" <mduffour at fnr.gub.uy> To: "samba" <samba at lists.samba.org> Cc: "Juan Andr?s Ghigliazza" <aghigliazza at fnr.gub.uy> Sent: Wednesday, 30 March, 2022 10:53:38 Subject: Samba AD DC on a trust relationship with IdM - kpasswd not working porperly Hi, We are experiencing a problem on our installation of Samba AD DC that it's on a trust relationship with an IdM server. We are having issues when executing kpasswd on a user account of Samba AD DC from the IdM Server as described here https://bugzilla.samba.org/show_bug.cgi?id=15021 I just answer on the bugzilla entry. Your kpasswd is expecting FAST support which has been added in samba 4.16. So you either have to disable FAST or upgrade first. Cheers, Denis BQ_BEGIN Any help is appreciated, regards Lic. Mateo Duffour Unidad Inform?tica 2901.40.91 [ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay | 18 de julio 985 - Piso 3, Montevideo, Uruguay ] [ http://www.fnr.gub.uy/ | ] No me imprimas si no es necesario. Protejamos el medio ambiente. Este mensaje y la informaci?n adjunta al mismo est? dirigido exclusivamente a su destinatario. Puede contener informaci?n confidencial, privilegiada o de uso restringido, protegida por las normas. Si Ud. recibi? este e-mail por error, por favor, s?rvase notificarle a quien se lo envi? y borrar el original. Cualquier otro uso del e-mail por Ud. est? prohibido. BQ_END
Rowland Penny
2022-Apr-07 15:54 UTC
[Samba] Samba AD DC on a trust relationship with IdM - kpasswd not working porperly
On Thu, 2022-04-07 at 12:39 -0300, Mateo Duffour via samba wrote:> Hi, > > We've updated our Samba server version to 4.16.0 and we're getting > this error now (when trying to login with any user): > > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error > constructing AP-REQ armor: Server > krbtgt/ADTEST.xxx.xxx.xx at IDMPRU.xxx.xxx.xx not found in Kerberos > database > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error > constructing AP-REQ armor: Server > krbtgt/ADTEST.xxx.xxx.xx at IDMPRU.xxx.xxx.xx not found in Kerberos > database > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 > tty=ssh ruser= rhost=10.9.9.4 user=usu7 at adtest.xxx.xxx.xx > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: > pam_sss(sshd:auth): received for user usu7 at adtest.xxx.xxx.xx: 4 > (System error) > Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: > Authentication failure for usu7 at adtest.xxx.xxx.xx from 10.9.9.4 > > Any help is appreciated, regards.None of that appears to be coming from Samba, could it be coming from sssd ? If so, I suggest you ask on the sssd-users mailing list. Rowland