Sami Hulkko
2025-Feb-18 14:21 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
My penny on it: ??????? tls enabled = Yes ??????? tls cafile = /var/lib/samba/private/tls/ca.crt ??????? tls certfile = /var/lib/samba/private/tls/dc.crt ??????? tls crlfile = /var/lib/samba/private/tls/pki.crl ??????? tls dh params file = /var/lib/samba/private/tls/dh.pem ??????? tls keyfile = /var/lib/samba/private/tls/secure/dc.key Works and needs absolute paths. #??????? tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1 opt out old ciphers is possible. SH On 18/02/2025 14:38, Christian Naumer via samba wrote:> Hi all, > some additional info. If I supply a CRL file in the smb.conf like this: > > #tls verify peer = ca_and_name > tls crlfile = tls/root.crl.pem > > And comment "tls verify peer" which then uses the default "tls verify > peer = as_strict_as_possible" > > the "gensec_gse_client_prepare_ccache" error is not logged during > "normal" password change. However, the behaviour of "net ads > changetrustpw" is still the same. > > Any thoughts on this? > > Regards > > Christian > > > Am 18.02.25 um 12:48 schrieb Christian Naumer via samba: >> Hi all, >> I have been trying to use the new options "sync machine password to >> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with >> "client ldap sasl wrapping" >> >> When this is set: >> >> client ldap sasl wrapping = ldaps (or starttls) >> tls cafile = tls/ca.pem >> tls verify peer = ca_and_name >> sync machine password to keytab = /etc/ >> krb5.keytab:sync_spns:sync_kvno:machine_password >> >> >> >> And I do a: >> >> net ads changetrustpw >> >> >> I get this: >> >> >> Changing password for principal: host$@DOMAIN.COM >> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to >> access ldap/dc2.domain.com failed: Preauthentication failed: >> NT_STATUS_LOGON_FAILURE >> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned >> Invalid credentials >> secrets_finish_password_change: Sync of machine password failed. >> Password change failed: An internal error occurred. >> >> >> The keytab is still updated with the new KVNO and the machine >> password in AD is updated. However the new KVNO is appended to the >> keytab. There are two new KVNOs in the keytab as if the password was >> updated twice. >> >> >> When I remove the ldaps/startrls options from the smb.confI get this >> result: >> >> Changing password for principal: host$@DOMAIN.COM >> Password change for principal host$@DOMAIN.COM succeeded. >> >> >> The keytab is updated with the new KVNO and the machine password in >> AD is updated. In the keytab there are then always 3 KVNOs the >> current and the two previous ones. >> >> Additional info. If I wait for the machine password to timeout and >> winbind changes the password. This "works" as far as the keytab has >> only one additional KVNO and all other KVNOs more then the current >> and the last two are removed. However the error >> >> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to >> access ldap/dc2.domain.com failed: Preauthentication failed: >> NT_STATUS_LOGON_FAILURE >> >> is still logged. >> >> Should I file a bug for this? I can reproduce this also on a Debian >> 12 system. >> >> Regards >> >> Christian >> >> >> >> >> >> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the >> release this morning. >> >> Here is the rest of the global section: >> >> [global] >> ???????? netbios name = HOST >> ???????? server string = Daten >> ???????? security = ADS >> ???????? realm = HQ.DOMAIN.COM >> ???????? workgroup = DOMAIN-02 >> ???????? disable netbios = yes >> ???????? smb ports = 445 >> ???????? interfaces = eth0 >> ???????? bind interfaces only = yes >> ???????? server min protocol = SMB2 >> ???????? client min protocol = SMB2 >> ???????? log level = 1 auth_audit:5 >> ???????? client ldap sasl wrapping = starttls >> ???????? tls cafile = tls/ca.pem >> ???????? tls verify peer = ca_and_name >> ???????? logging = syslog only >> ???????? sync machine password to keytab = /etc/ >> krb5.keytab:sync_spns:sync_kvno:machine_password >> ???????? writeable =YES >> ???????? map acl inherit = yes >> ???????? store dos attributes = yes >> ???????? inherit acls = Yes >> ???????? vfs objects = acl_xattr full_audit >> ???????? full_audit:success = pwrite write unlinkat renameat >> ???????? full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S >> ???????? full_audit:priority = NOTICE >> ???????? full_audit:facility = local7 >> ???????? full_audit:failure = none >> ???????? apply group policies = yes >> ???????? username map = /etc/samba/smbusers >> >> ???????? interfaces = lo eth0 >> ???????? bind interfaces only = Yes >> ???????? ##idmap## >> ???????? # Default idmap config used for BUILTIN and local windows >> accounts/groups >> ???????? idmap config *:backend = tdb >> ???????? idmap config *:range = 1000000-2000000 >> >> ???????? # idmap config for domain DOMAIN-02 >> ???????? idmap config DOMAIN-02:backend = ad >> ???????? idmap config DOMAIN-02:range = 500-65555 >> ???????? idmap config DOMAIN-02:unix_nss_info = yes >> ???????? idmap config DOMAIN-02:schema_mode = rfc2307 >> ???????? winbind enum users = yes >> ???????? winbind enum groups = yes >> ???????? winbind use default domain = Yes >> ???????? machine password timeout = 604800 >> ???????? winbind reconnect delay = 5 >> ???????? winbind refresh tickets = yes >> ???????? min domain uid = 500 >> >> >> >> > >-- Sami Hulkko +358 45 8569 319 sahulkko at gmail.com sahulkko at icloud.com
Christian Naumer
2025-Feb-18 14:28 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
This is from the man page of Samba: "This path is relative to private dir if the path does not start with a/." Having said that this is wat We have on our DCs: tls enabled = yes tls keyfile = tls/server_de.key tls certfile = tls/server.pem tls cafile = tls/ca.pem tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3 The problem is only on the member servers and only when using: net ads changetrustpw The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the file servers. Have you tried "net ads changetrustpw" on a member with "sync machine password to keytab" in the smb.conf? Regards Christian Am 18.02.25 um 15:21 schrieb Sami Hulkko via samba:> My penny on it: > > ??????? tls enabled = Yes > ??????? tls cafile = /var/lib/samba/private/tls/ca.crt > ??????? tls certfile = /var/lib/samba/private/tls/dc.crt > ??????? tls crlfile = /var/lib/samba/private/tls/pki.crl > ??????? tls dh params file = /var/lib/samba/private/tls/dh.pem > ??????? tls keyfile = /var/lib/samba/private/tls/secure/dc.key > > Works and needs absolute paths. > > #??????? tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1 > > opt out old ciphers is possible. > > SH > > On 18/02/2025 14:38, Christian Naumer via samba wrote: >> Hi all, >> some additional info. If I supply a CRL file in the smb.conf like this: >> >> #tls verify peer = ca_and_name >> tls crlfile = tls/root.crl.pem >> >> And comment "tls verify peer" which then uses the default "tls verify >> peer = as_strict_as_possible" >> >> the "gensec_gse_client_prepare_ccache" error is not logged during >> "normal" password change. However, the behaviour of "net ads >> changetrustpw" is still the same. >> >> Any thoughts on this? >> >> Regards >> >> Christian >> >> >> Am 18.02.25 um 12:48 schrieb Christian Naumer via samba: >>> Hi all, >>> I have been trying to use the new options "sync machine password to >>> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with >>> "client ldap sasl wrapping" >>> >>> When this is set: >>> >>> client ldap sasl wrapping = ldaps (or starttls) >>> tls cafile = tls/ca.pem >>> tls verify peer = ca_and_name >>> sync machine password to keytab = /etc/ >>> krb5.keytab:sync_spns:sync_kvno:machine_password >>> >>> >>> >>> And I do a: >>> >>> net ads changetrustpw >>> >>> >>> I get this: >>> >>> >>> Changing password for principal: host$@DOMAIN.COM >>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to >>> access ldap/dc2.domain.com failed: Preauthentication failed: >>> NT_STATUS_LOGON_FAILURE >>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned >>> Invalid credentials >>> secrets_finish_password_change: Sync of machine password failed. >>> Password change failed: An internal error occurred. >>> >>> >>> The keytab is still updated with the new KVNO and the machine >>> password in AD is updated. However the new KVNO is appended to the >>> keytab. There are two new KVNOs in the keytab as if the password was >>> updated twice. >>> >>> >>> When I remove the ldaps/startrls options from the smb.confI get this >>> result: >>> >>> Changing password for principal: host$@DOMAIN.COM >>> Password change for principal host$@DOMAIN.COM succeeded. >>> >>> >>> The keytab is updated with the new KVNO and the machine password in >>> AD is updated. In the keytab there are then always 3 KVNOs the >>> current and the two previous ones. >>> >>> Additional info. If I wait for the machine password to timeout and >>> winbind changes the password. This "works" as far as the keytab has >>> only one additional KVNO and all other KVNOs more then the current >>> and the last two are removed. However the error >>> >>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to >>> access ldap/dc2.domain.com failed: Preauthentication failed: >>> NT_STATUS_LOGON_FAILURE >>> >>> is still logged. >>> >>> Should I file a bug for this? I can reproduce this also on a Debian >>> 12 system. >>> >>> Regards >>> >>> Christian >>> >>> >>> >>> >>> >>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the >>> release this morning. >>> >>> Here is the rest of the global section: >>> >>> [global] >>> ???????? netbios name = HOST >>> ???????? server string = Daten >>> ???????? security = ADS >>> ???????? realm = HQ.DOMAIN.COM >>> ???????? workgroup = DOMAIN-02 >>> ???????? disable netbios = yes >>> ???????? smb ports = 445 >>> ???????? interfaces = eth0 >>> ???????? bind interfaces only = yes >>> ???????? server min protocol = SMB2 >>> ???????? client min protocol = SMB2 >>> ???????? log level = 1 auth_audit:5 >>> ???????? client ldap sasl wrapping = starttls >>> ???????? tls cafile = tls/ca.pem >>> ???????? tls verify peer = ca_and_name >>> ???????? logging = syslog only >>> ???????? sync machine password to keytab = /etc/ >>> krb5.keytab:sync_spns:sync_kvno:machine_password >>> ???????? writeable =YES >>> ???????? map acl inherit = yes >>> ???????? store dos attributes = yes >>> ???????? inherit acls = Yes >>> ???????? vfs objects = acl_xattr full_audit >>> ???????? full_audit:success = pwrite write unlinkat renameat >>> ???????? full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S >>> ???????? full_audit:priority = NOTICE >>> ???????? full_audit:facility = local7 >>> ???????? full_audit:failure = none >>> ???????? apply group policies = yes >>> ???????? username map = /etc/samba/smbusers >>> >>> ???????? interfaces = lo eth0 >>> ???????? bind interfaces only = Yes >>> ???????? ##idmap## >>> ???????? # Default idmap config used for BUILTIN and local windows >>> accounts/groups >>> ???????? idmap config *:backend = tdb >>> ???????? idmap config *:range = 1000000-2000000 >>> >>> ???????? # idmap config for domain DOMAIN-02 >>> ???????? idmap config DOMAIN-02:backend = ad >>> ???????? idmap config DOMAIN-02:range = 500-65555 >>> ???????? idmap config DOMAIN-02:unix_nss_info = yes >>> ???????? idmap config DOMAIN-02:schema_mode = rfc2307 >>> ???????? winbind enum users = yes >>> ???????? winbind enum groups = yes >>> ???????? winbind use default domain = Yes >>> ???????? machine password timeout = 604800 >>> ???????? winbind reconnect delay = 5 >>> ???????? winbind refresh tickets = yes >>> ???????? min domain uid = 500 >>> >>> >>> >>> >> >>