Christian Naumer
2025-Feb-18 11:48 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi all,

I have been trying to use the new options "sync machine password to keytab" and "client ldap sasl wrapping" in Samba 4.21 together.

When this is set:

    client ldap sasl wrapping = ldaps (or starttls)
    tls cafile = tls/ca.pem
    tls verify peer = ca_and_name
    sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password

and I do a:

    net ads changetrustpw

I get this:

    Changing password for principal: host$@DOMAIN.COM
    gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
    pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned Invalid credentials
    secrets_finish_password_change: Sync of machine password failed.
    Password change failed: An internal error occurred.

The keytab is still updated with the new KVNO and the machine password in AD is updated. However, the new KVNO is appended to the keytab. There are two new KVNOs in the keytab, as if the password was updated twice.

When I remove the ldaps/starttls options from the smb.conf I get this result:

    Changing password for principal: host$@DOMAIN.COM
    Password change for principal host$@DOMAIN.COM succeeded.

The keytab is updated with the new KVNO and the machine password in AD is updated. In the keytab there are then always 3 KVNOs: the current one and the two previous ones.

Additional info: if I wait for the machine password to time out and winbind changes the password, this "works" as far as the keytab has only one additional KVNO, and all other KVNOs beyond the current and the last two are removed. However, the error

    gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE

is still logged.

Should I file a bug for this? I can reproduce this also on a Debian 12 system.

Regards
Christian

Samba version is 4.21.4-SerNet-RedHat-6.el8, just updated with the release this morning.
Here is the rest of the global section:

    [global]
        netbios name = HOST
        server string = Daten
        security = ADS
        realm = HQ.DOMAIN.COM
        workgroup = DOMAIN-02
        disable netbios = yes
        smb ports = 445
        interfaces = eth0
        bind interfaces only = yes
        server min protocol = SMB2
        client min protocol = SMB2
        log level = 1 auth_audit:5
        client ldap sasl wrapping = starttls
        tls cafile = tls/ca.pem
        tls verify peer = ca_and_name
        logging = syslog only
        sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
        writeable = YES
        map acl inherit = yes
        store dos attributes = yes
        inherit acls = Yes
        vfs objects = acl_xattr full_audit
        full_audit:success = pwrite write unlinkat renameat
        full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:priority = NOTICE
        full_audit:facility = local7
        full_audit:failure = none
        apply group policies = yes
        username map = /etc/samba/smbusers

        interfaces = lo eth0
        bind interfaces only = Yes
        ##idmap##
        # Default idmap config used for BUILTIN and local windows accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 1000000-2000000

        # idmap config for domain DOMAIN-02
        idmap config DOMAIN-02:backend = ad
        idmap config DOMAIN-02:range = 500-65555
        idmap config DOMAIN-02:unix_nss_info = yes
        idmap config DOMAIN-02:schema_mode = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = Yes
        machine password timeout = 604800
        winbind reconnect delay = 5
        winbind refresh tickets = yes
        min domain uid = 500
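Added here as a check for the keytab state the message describes (not code from the thread or from Samba): it parses `klist -k -t -e` output and reports principals that hold more KVNOs than the current plus the two previous ones, and SPN entries whose newest KVNO has drifted from the machine account's, which sync_spns is meant to keep in step. The sample klist output, principal names and the column layout are constructed assumptions in the style of the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -t -e /etc/krb5.keytab` output. Principal
# and realm names are placeholders in the style of the thread, not a real domain.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 02/11/2025 10:02:11 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   6 02/18/2025 11:47:59 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   7 02/18/2025 11:48:02 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   8 02/18/2025 11:48:02 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   7 02/18/2025 11:48:02 host/host.hq.domain.com@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   8 02/18/2025 11:48:02 host/host.hq.domain.com@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: KVNO, timestamp, principal, optional "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)(?:\s+\((\S+)\))?\s*$"
)

def parse_klist(text):
    """Map each principal to the sorted list of distinct KVNOs found for it."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group(3)].add(int(m.group(1)))
    return {p: sorted(k) for p, k in kvnos.items()}

def check_keytab(text, keep=3):
    """Return (stale, out_of_step): principals holding more than `keep` KVNOs
    (expected: current plus two previous) mapped to their surplus KVNOs, and
    principals whose newest KVNO differs from the machine account's."""
    kvnos = parse_klist(text)
    stale = {p: k[:-keep] for p, k in kvnos.items() if len(k) > keep}
    current = {p: k[-1] for p, k in kvnos.items()}
    # The machine account principal is the one whose name part ends in "$".
    machine = [p for p in current if p.split("@", 1)[0].endswith("$")]
    out_of_step = {}
    if machine:
        ref = current[machine[0]]
        out_of_step = {p: v for p, v in current.items() if v != ref}
    return stale, out_of_step

if __name__ == "__main__":
    stale, out_of_step = check_keytab(SAMPLE_KLIST)
    for p, extra in stale.items():
        print(f"{p}: surplus KVNOs {extra} beyond current plus two previous")
    for p, v in out_of_step.items():
        print(f"{p}: newest KVNO {v} differs from the machine account's")
```

On a live host, feed it the real output with `klist -k -t -e /etc/krb5.keytab | python3 check_keytab.py` after replacing the constructed sample with `sys.stdin.read()`.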
Christian Naumer
2025-Feb-18 12:38 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi all,

some additional info. If I supply a CRL file in the smb.conf like this:

    #tls verify peer = ca_and_name
    tls crlfile = tls/root.crl.pem

and comment out "tls verify peer", which then uses the default "tls verify peer = as_strict_as_possible", the "gensec_gse_client_prepare_ccache" error is not logged during a "normal" password change. However, the behaviour of "net ads changetrustpw" is still the same.

Any thoughts on this?

Regards
Christian

On 18.02.25 at 12:48, Christian Naumer via samba wrote: