samba - Feb 2025 - New options "sync machine password to keytab"/ "client ldap sasl wrapping"

This is from the man page of Samba:

"This path is relative to private dir if the path does not start with
a/."

Having said that this is wat We have on our DCs:


         tls enabled  = yes
         tls keyfile  = tls/server_de.key
         tls certfile = tls/server.pem
         tls cafile   = tls/ca.pem
         tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

The problem is only on the member servers and only when using:

net ads changetrustpw


The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the 
file servers.

Have you tried "net ads changetrustpw" on a member with "sync
machine
password to keytab" in the smb.conf?



Regards

Christian




Am 18.02.25 um 15:21 schrieb Sami Hulkko via samba:
> My penny on it:
> 
>  ??????? tls enabled = Yes
>  ??????? tls cafile = /var/lib/samba/private/tls/ca.crt
>  ??????? tls certfile = /var/lib/samba/private/tls/dc.crt
>  ??????? tls crlfile = /var/lib/samba/private/tls/pki.crl
>  ??????? tls dh params file = /var/lib/samba/private/tls/dh.pem
>  ??????? tls keyfile = /var/lib/samba/private/tls/secure/dc.key
> 
> Works and needs absolute paths.
> 
> #??????? tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
> 
> opt out old ciphers is possible.
> 
> SH
> 
> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>> Hi all,
>> some additional info. If I supply a CRL file in the smb.conf like this:
>>
>> #tls verify peer = ca_and_name
>> tls crlfile = tls/root.crl.pem
>>
>> And comment "tls verify peer" which then uses the default
"tls verify
>> peer = as_strict_as_possible"
>>
>> the "gensec_gse_client_prepare_ccache" error is not logged
during
>> "normal" password change. However, the behaviour of "net
ads
>> changetrustpw" is still the same.
>>
>> Any thoughts on this?
>>
>> Regards
>>
>> Christian
>>
>>
>> Am 18.02.25 um 12:48 schrieb Christian Naumer via samba:
>>> Hi all,
>>> I have been trying to use the new options "sync machine
password to
>>> keytab" and "client ldap sasl wrapping" in Samba
4.21 together with
>>> "client ldap sasl wrapping"
>>>
>>> When this is set:
>>>
>>> client ldap sasl wrapping = ldaps (or starttls)
>>> tls cafile = tls/ca.pem
>>> tls verify peer = ca_and_name
>>> sync machine password to keytab = /etc/ 
>>> krb5.keytab:sync_spns:sync_kvno:machine_password
>>>
>>>
>>>
>>> And I do a:
>>>
>>> net ads changetrustpw
>>>
>>>
>>> I get this:
>>>
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to 
>>> access ldap/dc2.domain.com failed: Preauthentication failed: 
>>> NT_STATUS_LOGON_FAILURE
>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
>>> Invalid credentials
>>> secrets_finish_password_change: Sync of machine password failed.
>>> Password change failed: An internal error occurred.
>>>
>>>
>>> The keytab is still updated with the new KVNO and the machine 
>>> password in AD is updated. However the new KVNO is appended to the 
>>> keytab. There are two new KVNOs in the keytab as if the password
was
>>> updated twice.
>>>
>>>
>>> When I remove the ldaps/startrls options from the smb.confI get
this
>>> result:
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>
>>>
>>> The keytab is updated with the new KVNO and the machine password in
>>> AD is updated. In the keytab there are then always 3 KVNOs the 
>>> current and the two previous ones.
>>>
>>> Additional info. If I wait for the machine password to timeout and 
>>> winbind changes the password. This "works" as far as the
keytab has
>>> only one additional KVNO and all other KVNOs more then the current 
>>> and the last two are removed. However the error
>>>
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to 
>>> access ldap/dc2.domain.com failed: Preauthentication failed: 
>>> NT_STATUS_LOGON_FAILURE
>>>
>>> is still logged.
>>>
>>> Should I file a bug for this? I can reproduce this also on a Debian
>>> 12 system.
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>>
>>>
>>>
>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the 
>>> release this morning.
>>>
>>> Here is the rest of the global section:
>>>
>>> [global]
>>> ???????? netbios name = HOST
>>> ???????? server string = Daten
>>> ???????? security = ADS
>>> ???????? realm = HQ.DOMAIN.COM
>>> ???????? workgroup = DOMAIN-02
>>> ???????? disable netbios = yes
>>> ???????? smb ports = 445
>>> ???????? interfaces = eth0
>>> ???????? bind interfaces only = yes
>>> ???????? server min protocol = SMB2
>>> ???????? client min protocol = SMB2
>>> ???????? log level = 1 auth_audit:5
>>> ???????? client ldap sasl wrapping = starttls
>>> ???????? tls cafile = tls/ca.pem
>>> ???????? tls verify peer = ca_and_name
>>> ???????? logging = syslog only
>>> ???????? sync machine password to keytab = /etc/ 
>>> krb5.keytab:sync_spns:sync_kvno:machine_password
>>> ???????? writeable =YES
>>> ???????? map acl inherit = yes
>>> ???????? store dos attributes = yes
>>> ???????? inherit acls = Yes
>>> ???????? vfs objects = acl_xattr full_audit
>>> ???????? full_audit:success = pwrite write unlinkat renameat
>>> ???????? full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>> ???????? full_audit:priority = NOTICE
>>> ???????? full_audit:facility = local7
>>> ???????? full_audit:failure = none
>>> ???????? apply group policies = yes
>>> ???????? username map = /etc/samba/smbusers
>>>
>>> ???????? interfaces = lo eth0
>>> ???????? bind interfaces only = Yes
>>> ???????? ##idmap##
>>> ???????? # Default idmap config used for BUILTIN and local windows 
>>> accounts/groups
>>> ???????? idmap config *:backend = tdb
>>> ???????? idmap config *:range = 1000000-2000000
>>>
>>> ???????? # idmap config for domain DOMAIN-02
>>> ???????? idmap config DOMAIN-02:backend = ad
>>> ???????? idmap config DOMAIN-02:range = 500-65555
>>> ???????? idmap config DOMAIN-02:unix_nss_info = yes
>>> ???????? idmap config DOMAIN-02:schema_mode = rfc2307
>>> ???????? winbind enum users = yes
>>> ???????? winbind enum groups = yes
>>> ???????? winbind use default domain = Yes
>>> ???????? machine password timeout = 604800
>>> ???????? winbind reconnect delay = 5
>>> ???????? winbind refresh tickets = yes
>>> ???????? min domain uid = 500
>>>
>>>
>>>
>>>
>>
>>

Hi Christian,



On 2/18/25 3:28 PM, Christian Naumer via samba wrote:
> This is from the man page of Samba:
>
> "This path is relative to private dir if the path does not start with 
> a/."
>
> Having said that this is wat We have on our DCs:
>
>
> ??????? tls enabled? = yes
> ??????? tls keyfile? = tls/server_de.key
> ??????? tls certfile = tls/server.pem
> ??????? tls cafile?? = tls/ca.pem
> ??????? tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>
> The problem is only on the member servers and only when using:
>
> net ads changetrustpw
>
>
> The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the 
> file servers.
>
> Have you tried "net ads changetrustpw" on a member with
"sync machine
> password to keytab" in the smb.conf?
Yes, "net ads changetrustpw" is part of upstream tests:

https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601


Does the issue happens also with samba 4.21.3?

Kind regards,

Pavel
>
>
>
> Regards
>
> Christian
>
>
>
>
> Am 18.02.25 um 15:21 schrieb Sami Hulkko via samba:
>> My penny on it:
>>
>> ???????? tls enabled = Yes
>> ???????? tls cafile = /var/lib/samba/private/tls/ca.crt
>> ???????? tls certfile = /var/lib/samba/private/tls/dc.crt
>> ???????? tls crlfile = /var/lib/samba/private/tls/pki.crl
>> ???????? tls dh params file = /var/lib/samba/private/tls/dh.pem
>> ???????? tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>>
>> Works and needs absolute paths.
>>
>> #??????? tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>
>> opt out old ciphers is possible.
>>
>> SH
>>
>> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>>> Hi all,
>>> some additional info. If I supply a CRL file in the smb.conf like
this:
>>>
>>> #tls verify peer = ca_and_name
>>> tls crlfile = tls/root.crl.pem
>>>
>>> And comment "tls verify peer" which then uses the default
"tls
>>> verify peer = as_strict_as_possible"
>>>
>>> the "gensec_gse_client_prepare_ccache" error is not
logged during
>>> "normal" password change. However, the behaviour of
"net ads
>>> changetrustpw" is still the same.
>>>
>>> Any thoughts on this?
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>> Am 18.02.25 um 12:48 schrieb Christian Naumer via samba:
>>>> Hi all,
>>>> I have been trying to use the new options "sync machine
password to
>>>> keytab" and "client ldap sasl wrapping" in Samba
4.21 together with
>>>> "client ldap sasl wrapping"
>>>>
>>>> When this is set:
>>>>
>>>> client ldap sasl wrapping = ldaps (or starttls)
>>>> tls cafile = tls/ca.pem
>>>> tls verify peer = ca_and_name
>>>> sync machine password to keytab = /etc/ 
>>>> krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>
>>>>
>>>>
>>>> And I do a:
>>>>
>>>> net ads changetrustpw
>>>>
>>>>
>>>> I get this:
>>>>
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>>> access ldap/dc2.domain.com failed: Preauthentication failed: 
>>>> NT_STATUS_LOGON_FAILURE
>>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect()
returned
>>>> Invalid credentials
>>>> secrets_finish_password_change: Sync of machine password
failed.
>>>> Password change failed: An internal error occurred.
>>>>
>>>>
>>>> The keytab is still updated with the new KVNO and the machine 
>>>> password in AD is updated. However the new KVNO is appended to
the
>>>> keytab. There are two new KVNOs in the keytab as if the
password
>>>> was updated twice.
>>>>
>>>>
>>>> When I remove the ldaps/startrls options from the smb.confI get
>>>> this result:
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>>
>>>>
>>>> The keytab is updated with the new KVNO and the machine
password in
>>>> AD is updated. In the keytab there are then always 3 KVNOs the 
>>>> current and the two previous ones.
>>>>
>>>> Additional info. If I wait for the machine password to timeout
and
>>>> winbind changes the password. This "works" as far as
the keytab has
>>>> only one additional KVNO and all other KVNOs more then the
current
>>>> and the last two are removed. However the error
>>>>
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>>> access ldap/dc2.domain.com failed: Preauthentication failed: 
>>>> NT_STATUS_LOGON_FAILURE
>>>>
>>>> is still logged.
>>>>
>>>> Should I file a bug for this? I can reproduce this also on a
Debian
>>>> 12 system.
>>>>
>>>> Regards
>>>>
>>>> Christian
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with
the
>>>> release this morning.
>>>>
>>>> Here is the rest of the global section:
>>>>
>>>> [global]
>>>> ???????? netbios name = HOST
>>>> ???????? server string = Daten
>>>> ???????? security = ADS
>>>> ???????? realm = HQ.DOMAIN.COM
>>>> ???????? workgroup = DOMAIN-02
>>>> ???????? disable netbios = yes
>>>> ???????? smb ports = 445
>>>> ???????? interfaces = eth0
>>>> ???????? bind interfaces only = yes
>>>> ???????? server min protocol = SMB2
>>>> ???????? client min protocol = SMB2
>>>> ???????? log level = 1 auth_audit:5
>>>> ???????? client ldap sasl wrapping = starttls
>>>> ???????? tls cafile = tls/ca.pem
>>>> ???????? tls verify peer = ca_and_name
>>>> ???????? logging = syslog only
>>>> ???????? sync machine password to keytab = /etc/ 
>>>> krb5.keytab:sync_spns:sync_kvno:machine_password
>>>> ???????? writeable =YES
>>>> ???????? map acl inherit = yes
>>>> ???????? store dos attributes = yes
>>>> ???????? inherit acls = Yes
>>>> ???????? vfs objects = acl_xattr full_audit
>>>> ???????? full_audit:success = pwrite write unlinkat renameat
>>>> ???????? full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>>> ???????? full_audit:priority = NOTICE
>>>> ???????? full_audit:facility = local7
>>>> ???????? full_audit:failure = none
>>>> ???????? apply group policies = yes
>>>> ???????? username map = /etc/samba/smbusers
>>>>
>>>> ???????? interfaces = lo eth0
>>>> ???????? bind interfaces only = Yes
>>>> ???????? ##idmap##
>>>> ???????? # Default idmap config used for BUILTIN and local
windows
>>>> accounts/groups
>>>> ???????? idmap config *:backend = tdb
>>>> ???????? idmap config *:range = 1000000-2000000
>>>>
>>>> ???????? # idmap config for domain DOMAIN-02
>>>> ???????? idmap config DOMAIN-02:backend = ad
>>>> ???????? idmap config DOMAIN-02:range = 500-65555
>>>> ???????? idmap config DOMAIN-02:unix_nss_info = yes
>>>> ???????? idmap config DOMAIN-02:schema_mode = rfc2307
>>>> ???????? winbind enum users = yes
>>>> ???????? winbind enum groups = yes
>>>> ???????? winbind use default domain = Yes
>>>> ???????? machine password timeout = 604800
>>>> ???????? winbind reconnect delay = 5
>>>> ???????? winbind refresh tickets = yes
>>>> ???????? min domain uid = 500
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>
>