Christian Naumer
2025-Feb-18 11:48 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi all,
I have been trying to use the new options "sync machine password to
keytab" and "client ldap sasl wrapping" in Samba 4.21 together with
"client ldap sasl wrapping".
When this is set:
client ldap sasl wrapping = ldaps (or starttls)
tls cafile = tls/ca.pem
tls verify peer = ca_and_name
sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
And I do a:
net ads changetrustpw
I get this:
Changing password for principal: host$@DOMAIN.COM
gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access
ldap/dc2.domain.com failed: Preauthentication failed:
NT_STATUS_LOGON_FAILURE
pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
Invalid credentials
secrets_finish_password_change: Sync of machine password failed.
Password change failed: An internal error occurred.
The keytab is still updated with the new KVNO and the machine password
in AD is updated. However the new KVNO is appended to the keytab. There
are two new KVNOs in the keytab as if the password was updated twice.
When I remove the ldaps/starttls options from the smb.conf I get this result:
Changing password for principal: host$@DOMAIN.COM
Password change for principal host$@DOMAIN.COM succeeded.
The keytab is updated with the new KVNO and the machine password in AD
is updated. In the keytab there are then always 3 KVNOs the current and
the two previous ones.
Additional info. If I wait for the machine password to time out and
winbind changes the password, this "works" in that the keytab has only
one additional KVNO and all other KVNOs beyond the current and the
last two are removed. However the error
gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access
ldap/dc2.domain.com failed: Preauthentication failed:
NT_STATUS_LOGON_FAILURE
is still logged.
Should I file a bug for this? I can reproduce this also on a Debian 12
system.
Regards
Christian
Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the
release this morning.
Here is the rest of the global section:
[global]
netbios name = HOST
server string = Daten
security = ADS
realm = HQ.DOMAIN.COM
workgroup = DOMAIN-02
disable netbios = yes
smb ports = 445
interfaces = eth0
bind interfaces only = yes
server min protocol = SMB2
client min protocol = SMB2
log level = 1 auth_audit:5
client ldap sasl wrapping = starttls
tls cafile = tls/ca.pem
tls verify peer = ca_and_name
logging = syslog only
sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
writeable = YES
map acl inherit = yes
store dos attributes = yes
inherit acls = Yes
vfs objects = acl_xattr full_audit
full_audit:success = pwrite write unlinkat renameat
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:priority = NOTICE
full_audit:facility = local7
full_audit:failure = none
apply group policies = yes
username map = /etc/samba/smbusers
interfaces = lo eth0
bind interfaces only = Yes
##idmap##
# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 1000000-2000000
# idmap config for domain DOMAIN-02
idmap config DOMAIN-02:backend = ad
idmap config DOMAIN-02:range = 500-65555
idmap config DOMAIN-02:unix_nss_info = yes
idmap config DOMAIN-02:schema_mode = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
machine password timeout = 604800
winbind reconnect delay = 5
winbind refresh tickets = yes
min domain uid = 500
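To check for the symptom described in this post (extra KVNOs appended to /etc/krb5.keytab after a password change, where only the current KVNO plus the two previous ones are expected), here is an added example script that is not part of the thread or of Samba: it counts distinct KVNOs per principal in `klist -k` output. The klist listing below is constructed sample data in MIT "KVNO Principal" format, standing in for the real command so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: flag principals whose keytab holds
# more KVNOs than Samba is expected to keep (current + two previous = 3).
# Without -e, klist -k prints one line per entry, so the same KVNO shows
# up once per encryption type; the counts below are of distinct KVNOs.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not real data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HOST$@HQ.DOMAIN.COM
   6 HOST$@HQ.DOMAIN.COM
   7 HOST$@HQ.DOMAIN.COM
   8 HOST$@HQ.DOMAIN.COM
   8 HOST$@HQ.DOMAIN.COM
   6 host/host.hq.domain.com@HQ.DOMAIN.COM
   7 host/host.hq.domain.com@HQ.DOMAIN.COM
   8 host/host.hq.domain.com@HQ.DOMAIN.COM'

# kvno_counts: read klist -k output on stdin and print one line per
# principal: "<principal> <distinct KVNO count> <highest KVNO>".
kvno_counts() {
    awk '$1 ~ /^[0-9]+$/ {
            key = $2 SUBSEP $1                 # principal + KVNO pair
            if (!(key in seen)) { seen[key] = 1; n[$2]++ }
            if ($1 + 0 > max[$2] + 0) max[$2] = $1
         }
         END { for (p in n) print p, n[p], max[p] }' | LC_ALL=C sort
}

# excess_principals: print principals holding more than LIMIT (default 3)
# distinct KVNOs, i.e. the "appended twice" state reported above.
excess_principals() {
    limit=${1:-3}
    kvno_counts | awk -v limit="$limit" '$2 > limit { print $1 }'
}

# Run against the constructed sample; for a live check replace the printf
# with: klist -k /etc/krb5.keytab | excess_principals
printf '%s\n' "$SAMPLE_KLIST" | kvno_counts
printf '%s\n' "$SAMPLE_KLIST" | excess_principals
```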
Christian Naumer
2025-Feb-18 12:38 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi all, some additional info. If I supply a CRL file in the smb.conf like this:
#tls verify peer = ca_and_name
tls crlfile = tls/root.crl.pem
and comment out "tls verify peer", which then uses the default "tls verify peer = as_strict_as_possible", the "gensec_gse_client_prepare_ccache" error is not logged during "normal" password change. However, the behaviour of "net ads changetrustpw" is still the same.
Any thoughts on this?
Regards
Christian