Sami Hulkko
2025-Feb-18 14:21 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
My penny on it: ??????? tls enabled = Yes ??????? tls cafile = /var/lib/samba/private/tls/ca.crt ??????? tls certfile = /var/lib/samba/private/tls/dc.crt ??????? tls crlfile = /var/lib/samba/private/tls/pki.crl ??????? tls dh params file = /var/lib/samba/private/tls/dh.pem ??????? tls keyfile = /var/lib/samba/private/tls/secure/dc.key Works and needs absolute paths. #??????? tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1 opt out old ciphers is possible. SH On 18/02/2025 14:38, Christian Naumer via samba wrote:> Hi all, > some additional info. If I supply a CRL file in the smb.conf like this: > > #tls verify peer = ca_and_name > tls crlfile = tls/root.crl.pem > > And comment "tls verify peer" which then uses the default "tls verify > peer = as_strict_as_possible" > > the "gensec_gse_client_prepare_ccache" error is not logged during > "normal" password change. However, the behaviour of "net ads > changetrustpw" is still the same. > > Any thoughts on this? > > Regards > > Christian > > > Am 18.02.25 um 12:48 schrieb Christian Naumer via samba: >> Hi all, >> I have been trying to use the new options "sync machine password to >> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with >> "client ldap sasl wrapping" >> >> When this is set: >> >> client ldap sasl wrapping = ldaps (or starttls) >> tls cafile = tls/ca.pem >> tls verify peer = ca_and_name >> sync machine password to keytab = /etc/ >> krb5.keytab:sync_spns:sync_kvno:machine_password >> >> >> >> And I do a: >> >> net ads changetrustpw >> >> >> I get this: >> >> >> Changing password for principal: host$@DOMAIN.COM >> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to >> access ldap/dc2.domain.com failed: Preauthentication failed: >> NT_STATUS_LOGON_FAILURE >> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned >> Invalid credentials >> secrets_finish_password_change: Sync of machine password failed. >> Password change failed: An internal error occurred. >> >> >> The keytab is still updated with the new KVNO and the machine >> password in AD is updated. However the new KVNO is appended to the >> keytab. There are two new KVNOs in the keytab as if the password was >> updated twice. >> >> >> When I remove the ldaps/startrls options from the smb.confI get this >> result: >> >> Changing password for principal: host$@DOMAIN.COM >> Password change for principal host$@DOMAIN.COM succeeded. >> >> >> The keytab is updated with the new KVNO and the machine password in >> AD is updated. In the keytab there are then always 3 KVNOs the >> current and the two previous ones. >> >> Additional info. If I wait for the machine password to timeout and >> winbind changes the password. This "works" as far as the keytab has >> only one additional KVNO and all other KVNOs more then the current >> and the last two are removed. However the error >> >> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to >> access ldap/dc2.domain.com failed: Preauthentication failed: >> NT_STATUS_LOGON_FAILURE >> >> is still logged. >> >> Should I file a bug for this? I can reproduce this also on a Debian >> 12 system. >> >> Regards >> >> Christian >> >> >> >> >> >> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the >> release this morning. >> >> Here is the rest of the global section: >> >> [global] >> ???????? netbios name = HOST >> ???????? server string = Daten >> ???????? security = ADS >> ???????? realm = HQ.DOMAIN.COM >> ???????? workgroup = DOMAIN-02 >> ???????? disable netbios = yes >> ???????? smb ports = 445 >> ???????? interfaces = eth0 >> ???????? bind interfaces only = yes >> ???????? server min protocol = SMB2 >> ???????? client min protocol = SMB2 >> ???????? log level = 1 auth_audit:5 >> ???????? client ldap sasl wrapping = starttls >> ???????? tls cafile = tls/ca.pem >> ???????? tls verify peer = ca_and_name >> ???????? logging = syslog only >> ???????? sync machine password to keytab = /etc/ >> krb5.keytab:sync_spns:sync_kvno:machine_password >> ???????? writeable =YES >> ???????? map acl inherit = yes >> ???????? store dos attributes = yes >> ???????? inherit acls = Yes >> ???????? vfs objects = acl_xattr full_audit >> ???????? full_audit:success = pwrite write unlinkat renameat >> ???????? full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S >> ???????? full_audit:priority = NOTICE >> ???????? full_audit:facility = local7 >> ???????? full_audit:failure = none >> ???????? apply group policies = yes >> ???????? username map = /etc/samba/smbusers >> >> ???????? interfaces = lo eth0 >> ???????? bind interfaces only = Yes >> ???????? ##idmap## >> ???????? # Default idmap config used for BUILTIN and local windows >> accounts/groups >> ???????? idmap config *:backend = tdb >> ???????? idmap config *:range = 1000000-2000000 >> >> ???????? # idmap config for domain DOMAIN-02 >> ???????? idmap config DOMAIN-02:backend = ad >> ???????? idmap config DOMAIN-02:range = 500-65555 >> ???????? idmap config DOMAIN-02:unix_nss_info = yes >> ???????? idmap config DOMAIN-02:schema_mode = rfc2307 >> ???????? winbind enum users = yes >> ???????? winbind enum groups = yes >> ???????? winbind use default domain = Yes >> ???????? machine password timeout = 604800 >> ???????? winbind reconnect delay = 5 >> ???????? winbind refresh tickets = yes >> ???????? min domain uid = 500 >> >> >> >> > >-- Sami Hulkko +358 45 8569 319 sahulkko at gmail.com sahulkko at icloud.com
Christian Naumer
2025-Feb-18 14:28 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
This is from the man page of Samba:
"This path is relative to private dir if the path does not start with
a/."
Having said that this is wat We have on our DCs:
tls enabled = yes
tls keyfile = tls/server_de.key
tls certfile = tls/server.pem
tls cafile = tls/ca.pem
tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
The problem is only on the member servers and only when using:
net ads changetrustpw
The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the
file servers.
Have you tried "net ads changetrustpw" on a member with "sync
machine
password to keytab" in the smb.conf?
Regards
Christian
Am 18.02.25 um 15:21 schrieb Sami Hulkko via samba:> My penny on it:
>
> ??????? tls enabled = Yes
> ??????? tls cafile = /var/lib/samba/private/tls/ca.crt
> ??????? tls certfile = /var/lib/samba/private/tls/dc.crt
> ??????? tls crlfile = /var/lib/samba/private/tls/pki.crl
> ??????? tls dh params file = /var/lib/samba/private/tls/dh.pem
> ??????? tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>
> Works and needs absolute paths.
>
> #??????? tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>
> opt out old ciphers is possible.
>
> SH
>
> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>> Hi all,
>> some additional info. If I supply a CRL file in the smb.conf like this:
>>
>> #tls verify peer = ca_and_name
>> tls crlfile = tls/root.crl.pem
>>
>> And comment "tls verify peer" which then uses the default
"tls verify
>> peer = as_strict_as_possible"
>>
>> the "gensec_gse_client_prepare_ccache" error is not logged
during
>> "normal" password change. However, the behaviour of "net
ads
>> changetrustpw" is still the same.
>>
>> Any thoughts on this?
>>
>> Regards
>>
>> Christian
>>
>>
>> Am 18.02.25 um 12:48 schrieb Christian Naumer via samba:
>>> Hi all,
>>> I have been trying to use the new options "sync machine
password to
>>> keytab" and "client ldap sasl wrapping" in Samba
4.21 together with
>>> "client ldap sasl wrapping"
>>>
>>> When this is set:
>>>
>>> client ldap sasl wrapping = ldaps (or starttls)
>>> tls cafile = tls/ca.pem
>>> tls verify peer = ca_and_name
>>> sync machine password to keytab = /etc/
>>> krb5.keytab:sync_spns:sync_kvno:machine_password
>>>
>>>
>>>
>>> And I do a:
>>>
>>> net ads changetrustpw
>>>
>>>
>>> I get this:
>>>
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>> access ldap/dc2.domain.com failed: Preauthentication failed:
>>> NT_STATUS_LOGON_FAILURE
>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
>>> Invalid credentials
>>> secrets_finish_password_change: Sync of machine password failed.
>>> Password change failed: An internal error occurred.
>>>
>>>
>>> The keytab is still updated with the new KVNO and the machine
>>> password in AD is updated. However the new KVNO is appended to the
>>> keytab. There are two new KVNOs in the keytab as if the password
was
>>> updated twice.
>>>
>>>
>>> When I remove the ldaps/startrls options from the smb.confI get
this
>>> result:
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>
>>>
>>> The keytab is updated with the new KVNO and the machine password in
>>> AD is updated. In the keytab there are then always 3 KVNOs the
>>> current and the two previous ones.
>>>
>>> Additional info. If I wait for the machine password to timeout and
>>> winbind changes the password. This "works" as far as the
keytab has
>>> only one additional KVNO and all other KVNOs more then the current
>>> and the last two are removed. However the error
>>>
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>> access ldap/dc2.domain.com failed: Preauthentication failed:
>>> NT_STATUS_LOGON_FAILURE
>>>
>>> is still logged.
>>>
>>> Should I file a bug for this? I can reproduce this also on a Debian
>>> 12 system.
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>>
>>>
>>>
>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the
>>> release this morning.
>>>
>>> Here is the rest of the global section:
>>>
>>> [global]
>>> ???????? netbios name = HOST
>>> ???????? server string = Daten
>>> ???????? security = ADS
>>> ???????? realm = HQ.DOMAIN.COM
>>> ???????? workgroup = DOMAIN-02
>>> ???????? disable netbios = yes
>>> ???????? smb ports = 445
>>> ???????? interfaces = eth0
>>> ???????? bind interfaces only = yes
>>> ???????? server min protocol = SMB2
>>> ???????? client min protocol = SMB2
>>> ???????? log level = 1 auth_audit:5
>>> ???????? client ldap sasl wrapping = starttls
>>> ???????? tls cafile = tls/ca.pem
>>> ???????? tls verify peer = ca_and_name
>>> ???????? logging = syslog only
>>> ???????? sync machine password to keytab = /etc/
>>> krb5.keytab:sync_spns:sync_kvno:machine_password
>>> ???????? writeable =YES
>>> ???????? map acl inherit = yes
>>> ???????? store dos attributes = yes
>>> ???????? inherit acls = Yes
>>> ???????? vfs objects = acl_xattr full_audit
>>> ???????? full_audit:success = pwrite write unlinkat renameat
>>> ???????? full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>> ???????? full_audit:priority = NOTICE
>>> ???????? full_audit:facility = local7
>>> ???????? full_audit:failure = none
>>> ???????? apply group policies = yes
>>> ???????? username map = /etc/samba/smbusers
>>>
>>> ???????? interfaces = lo eth0
>>> ???????? bind interfaces only = Yes
>>> ???????? ##idmap##
>>> ???????? # Default idmap config used for BUILTIN and local windows
>>> accounts/groups
>>> ???????? idmap config *:backend = tdb
>>> ???????? idmap config *:range = 1000000-2000000
>>>
>>> ???????? # idmap config for domain DOMAIN-02
>>> ???????? idmap config DOMAIN-02:backend = ad
>>> ???????? idmap config DOMAIN-02:range = 500-65555
>>> ???????? idmap config DOMAIN-02:unix_nss_info = yes
>>> ???????? idmap config DOMAIN-02:schema_mode = rfc2307
>>> ???????? winbind enum users = yes
>>> ???????? winbind enum groups = yes
>>> ???????? winbind use default domain = Yes
>>> ???????? machine password timeout = 604800
>>> ???????? winbind reconnect delay = 5
>>> ???????? winbind refresh tickets = yes
>>> ???????? min domain uid = 500
>>>
>>>
>>>
>>>
>>
>>