Christian Naumer
2025-Feb-18 12:38 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi all,

some additional info. If I supply a CRL file in the smb.conf like this:

#tls verify peer = ca_and_name
tls crlfile = tls/root.crl.pem

and comment out "tls verify peer", which then uses the default "tls verify peer = as_strict_as_possible", the "gensec_gse_client_prepare_ccache" error is not logged during the "normal" password change. However, the behaviour of "net ads changetrustpw" is still the same.

Any thoughts on this?

Regards

Christian

On 18.02.25 at 12:48, Christian Naumer via samba wrote:
> Hi all,
> I have been trying to use the new options "sync machine password to
> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with
> "client ldap sasl wrapping"
>
> When this is set:
>
> client ldap sasl wrapping = ldaps (or starttls)
> tls cafile = tls/ca.pem
> tls verify peer = ca_and_name
> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>
> And I do a:
>
> net ads changetrustpw
>
> I get this:
>
> Changing password for principal: host$@DOMAIN.COM
> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access
> ldap/dc2.domain.com failed: Preauthentication failed:
> NT_STATUS_LOGON_FAILURE
> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
> Invalid credentials
> secrets_finish_password_change: Sync of machine password failed.
> Password change failed: An internal error occurred.
>
> The keytab is still updated with the new KVNO and the machine password
> in AD is updated. However, the new KVNO is appended to the keytab. There
> are two new KVNOs in the keytab, as if the password was updated twice.
>
> When I remove the ldaps/starttls options from the smb.conf I get this
> result:
>
> Changing password for principal: host$@DOMAIN.COM
> Password change for principal host$@DOMAIN.COM succeeded.
>
> The keytab is updated with the new KVNO and the machine password in AD
> is updated. In the keytab there are then always 3 KVNOs: the current and
> the two previous ones.
>
> Additional info. If I wait for the machine password to time out and
> winbind changes the password, this "works", in that the keytab has only
> one additional KVNO and all other KVNOs older than the current and the
> last two are removed. However, the error
>
> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access
> ldap/dc2.domain.com failed: Preauthentication failed:
> NT_STATUS_LOGON_FAILURE
>
> is still logged.
>
> Should I file a bug for this? I can reproduce this also on a Debian 12
> system.
>
> Regards
>
> Christian
>
> Samba version is 4.21.4-SerNet-RedHat-6.el8, just updated with the
> release this morning.
>
> Here is the rest of the global section:
>
> [global]
>         netbios name = HOST
>         server string = Daten
>         security = ADS
>         realm = HQ.DOMAIN.COM
>         workgroup = DOMAIN-02
>         disable netbios = yes
>         smb ports = 445
>         interfaces = eth0
>         bind interfaces only = yes
>         server min protocol = SMB2
>         client min protocol = SMB2
>         log level = 1 auth_audit:5
>         client ldap sasl wrapping = starttls
>         tls cafile = tls/ca.pem
>         tls verify peer = ca_and_name
>         logging = syslog only
>         sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>         writeable = YES
>         map acl inherit = yes
>         store dos attributes = yes
>         inherit acls = Yes
>         vfs objects = acl_xattr full_audit
>         full_audit:success = pwrite write unlinkat renameat
>         full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>         full_audit:priority = NOTICE
>         full_audit:facility = local7
>         full_audit:failure = none
>         apply group policies = yes
>         username map = /etc/samba/smbusers
>
>         interfaces = lo eth0
>         bind interfaces only = Yes
>         ##idmap##
>         # Default idmap config used for BUILTIN and local windows
>         # accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 1000000-2000000
>
>         # idmap config for domain DOMAIN-02
>         idmap config DOMAIN-02:backend = ad
>         idmap config DOMAIN-02:range = 500-65555
>         idmap config DOMAIN-02:unix_nss_info = yes
>         idmap config DOMAIN-02:schema_mode = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = Yes
>         machine password timeout = 604800
>         winbind reconnect delay = 5
>         winbind refresh tickets = yes
>         min domain uid = 500
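The post above counts KVNOs in the keytab by eye to tell "one new KVNO appended" from "two new KVNOs appended" and to confirm that sync_kvno keeps the current key plus the two previous ones. The following is an added example, not code from the thread or from Samba: a small POSIX shell helper that summarises distinct KVNOs per principal from MIT `klist -k -t` output (principal in the fourth column when the timestamp is shown; the `-e` enctype suffix is ignored), and a check that fails when a principal has more KVNOs than a given retention limit. The keytab listing embedded below is constructed for the demo; the principal names and realm HQ.DOMAIN.COM follow the config in the post.

```shell
#!/bin/sh
# Summarise distinct KVNOs per principal from `klist -k -t` output on stdin.
# Output lines: <principal> <number of distinct KVNOs> <KVNOs ascending>
# Assumes MIT klist -k -t (or -kte) layout: "KVNO MM/DD/YYYY HH:MM:SS principal [(enctype)]".
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ { print $4, $1 }' \
    | sort -u -k1,1 -k2,2n \
    | awk '
        $1 != p { if (p != "") print p, n, s; p = $1; n = 0; s = "" }
        { n++; s = (s == "") ? $2 : s " " $2 }
        END { if (p != "") print p, n, s }'
}

# Summary line for one principal only (exact match on the principal name).
kvnos_for() {
    keytab_kvnos | awk -v p="$1" '$1 == p'
}

# Succeed (exit 0) when PRINCIPAL has at most MAX distinct KVNOs in the
# keytab read from stdin; fail when it has more or is absent. With
# sync_kvno the expectation from the thread is current + two previous = 3.
check_kvno_retention() {
    n=$(kvnos_for "$1" | awk '{ print $2 }')
    [ -n "$n" ] && [ "$n" -le "$2" ]
}

# Constructed sample of `klist -k -t -e /etc/krb5.keytab` output (not a real
# listing): the machine account at KVNOs 3, 4 and 5 with two enctypes each,
# and a host/ SPN at KVNOs 4 and 5.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/04/2025 12:30:01 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 02/04/2025 12:30:01 HOST$@HQ.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   4 02/11/2025 12:30:02 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   4 02/11/2025 12:30:02 HOST$@HQ.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   5 02/18/2025 12:38:10 HOST$@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 02/18/2025 12:38:10 HOST$@HQ.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   5 02/18/2025 12:38:10 host/host.hq.domain.com@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   4 02/11/2025 12:30:02 host/host.hq.domain.com@HQ.DOMAIN.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Offline demo on the constructed sample. On a real member server run, e.g.:
#   klist -k -t /etc/krb5.keytab | kvnos_for 'HOST$@HQ.DOMAIN.COM'
# before and after `net ads changetrustpw` and compare the two lines.
sample_klist | keytab_kvnos
if sample_klist | check_kvno_retention 'HOST$@HQ.DOMAIN.COM' 3; then
    echo "retention OK: at most 3 KVNOs for the machine account"
else
    echo "retention exceeded: more than 3 KVNOs for the machine account"
fi
```

Run the listing before the password change, run it again afterwards, and diff the two summary lines: one new KVNO and one dropped old one is the behaviour the post describes for the winbind-driven change, while two new KVNOs in one go is the `net ads changetrustpw` symptom. The check only counts entries; it does not verify that the keys in the keytab actually match the DC, which a `kinit -k 'HOST$@HQ.DOMAIN.COM'` against the new KVNO would.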
Sami Hulkko
2025-Feb-18 14:21 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
My penny on it:

        tls enabled = Yes
        tls cafile = /var/lib/samba/private/tls/ca.crt
        tls certfile = /var/lib/samba/private/tls/dc.crt
        tls crlfile = /var/lib/samba/private/tls/pki.crl
        tls dh params file = /var/lib/samba/private/tls/dh.pem
        tls keyfile = /var/lib/samba/private/tls/secure/dc.key

Works and needs absolute paths.

#       tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

Opting out of old ciphers is possible.

SH

On 18/02/2025 14:38, Christian Naumer via samba wrote:
> Hi all,
> some additional info. If I supply a CRL file in the smb.conf like this:
>
> #tls verify peer = ca_and_name
> tls crlfile = tls/root.crl.pem
>
> And comment "tls verify peer" which then uses the default "tls verify
> peer = as_strict_as_possible"
>
> the "gensec_gse_client_prepare_ccache" error is not logged during
> "normal" password change. However, the behaviour of "net ads
> changetrustpw" is still the same.
>
> Any thoughts on this?
>
> Regards
>
> Christian

--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com