Christian Naumer
2025-Feb-18 14:28 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
This is from the man page of Samba: "This path is relative to private dir if the path does not start with a /."

Having said that, this is what we have on our DCs:

        tls enabled  = yes
        tls keyfile  = tls/server_de.key
        tls certfile = tls/server.pem
        tls cafile   = tls/ca.pem
        tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

The problem is only on the member servers and only when using:

net ads changetrustpw

The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest, as the file servers are.

Have you tried "net ads changetrustpw" on a member with "sync machine password to keytab" in the smb.conf?

Regards

Christian

On 18.02.25 at 15:21, Sami Hulkko via samba wrote:
> My penny on it:
>
>         tls enabled = Yes
>         tls cafile = /var/lib/samba/private/tls/ca.crt
>         tls certfile = /var/lib/samba/private/tls/dc.crt
>         tls crlfile = /var/lib/samba/private/tls/pki.crl
>         tls dh params file = /var/lib/samba/private/tls/dh.pem
>         tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>
> Works and needs absolute paths.
>
> #        tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>
> Opting out of old ciphers is possible.
>
> SH
>
> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>> Hi all,
>> some additional info. If I supply a CRL file in the smb.conf like this:
>>
>> #tls verify peer = ca_and_name
>> tls crlfile = tls/root.crl.pem
>>
>> and comment out "tls verify peer", which then uses the default "tls verify peer = as_strict_as_possible",
>>
>> the "gensec_gse_client_prepare_ccache" error is not logged during a "normal" password change. However, the behaviour of "net ads changetrustpw" is still the same.
>>
>> Any thoughts on this?
>>
>> Regards
>>
>> Christian
>>
>>
>> On 18.02.25 at 12:48, Christian Naumer via samba wrote:
>>> Hi all,
>>> I have been trying to use the new options "sync machine password to keytab" and "client ldap sasl wrapping" in Samba 4.21 together with "client ldap sasl wrapping".
>>>
>>> When this is set:
>>>
>>> client ldap sasl wrapping = ldaps (or starttls)
>>> tls cafile = tls/ca.pem
>>> tls verify peer = ca_and_name
>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>
>>> and I do a:
>>>
>>> net ads changetrustpw
>>>
>>> I get this:
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned Invalid credentials
>>> secrets_finish_password_change: Sync of machine password failed.
>>> Password change failed: An internal error occurred.
>>>
>>> The keytab is still updated with the new KVNO and the machine password in AD is updated. However, the new KVNO is appended to the keytab. There are two new KVNOs in the keytab, as if the password was updated twice.
>>>
>>> When I remove the ldaps/starttls options from the smb.conf I get this result:
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>
>>> The keytab is updated with the new KVNO and the machine password in AD is updated. In the keytab there are then always 3 KVNOs: the current one and the two previous ones.
>>>
>>> Additional info. If I wait for the machine password to time out and winbind changes the password, this "works" in so far as the keytab has only one additional KVNO, and all other KVNOs beyond the current and the last two are removed. However, the error
>>>
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
>>>
>>> is still logged.
>>>
>>> Should I file a bug for this? I can reproduce this also on a Debian 12 system.
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>> Samba version is 4.21.4-SerNet-RedHat-6.el8, just updated with the release this morning.
>>>
>>> Here is the rest of the global section:
>>>
>>> [global]
>>>         netbios name = HOST
>>>         server string = Daten
>>>         security = ADS
>>>         realm = HQ.DOMAIN.COM
>>>         workgroup = DOMAIN-02
>>>         disable netbios = yes
>>>         smb ports = 445
>>>         interfaces = eth0
>>>         bind interfaces only = yes
>>>         server min protocol = SMB2
>>>         client min protocol = SMB2
>>>         log level = 1 auth_audit:5
>>>         client ldap sasl wrapping = starttls
>>>         tls cafile = tls/ca.pem
>>>         tls verify peer = ca_and_name
>>>         logging = syslog only
>>>         sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>         writeable = YES
>>>         map acl inherit = yes
>>>         store dos attributes = yes
>>>         inherit acls = Yes
>>>         vfs objects = acl_xattr full_audit
>>>         full_audit:success = pwrite write unlinkat renameat
>>>         full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>>         full_audit:priority = NOTICE
>>>         full_audit:facility = local7
>>>         full_audit:failure = none
>>>         apply group policies = yes
>>>         username map = /etc/samba/smbusers
>>>
>>>         interfaces = lo eth0
>>>         bind interfaces only = Yes
>>>         ##idmap##
>>>         # Default idmap config used for BUILTIN and local windows accounts/groups
>>>         idmap config *:backend = tdb
>>>         idmap config *:range = 1000000-2000000
>>>
>>>         # idmap config for domain DOMAIN-02
>>>         idmap config DOMAIN-02:backend = ad
>>>         idmap config DOMAIN-02:range = 500-65555
>>>         idmap config DOMAIN-02:unix_nss_info = yes
>>>         idmap config DOMAIN-02:schema_mode = rfc2307
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>>         winbind use default domain = Yes
>>>         machine password timeout = 604800
>>>         winbind reconnect delay = 5
>>>         winbind refresh tickets = yes
>>>         min domain uid = 500
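The symptom in the thread is visible in the keytab itself: after a working change the keytab should hold the current KVNO plus the two previous ones, while the failing `net ads changetrustpw` path appends extra KVNOs. The following shell check is an added example, not code from the thread or from the Samba project. It parses the output of MIT `klist -k` (header lines, then one "KVNO Principal" pair per line) and reports principals holding more than three KVNOs. The keytab listing embedded below is constructed to mimic the "two new KVNOs appended" case; the principal and realm names are placeholders taken from the thread.

```shell
#!/bin/sh
# Added example: count distinct KVNOs per principal in a keytab listing and
# flag principals that hold more than current + two previous KVNOs.
#
# Input format is that of `klist -k /etc/krb5.keytab` (MIT Kerberos, no -t):
#   Keytab name: FILE:/etc/krb5.keytab
#   KVNO Principal
#   ---- ----------------------------------------------------------
#      5 HOST$@HQ.DOMAIN.COM
#
# Constructed sample (not a real keytab): HOST$ carries five KVNOs, the
# host/ SPN carries the expected three.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HOST$@HQ.DOMAIN.COM
   6 HOST$@HQ.DOMAIN.COM
   7 HOST$@HQ.DOMAIN.COM
   8 HOST$@HQ.DOMAIN.COM
   9 HOST$@HQ.DOMAIN.COM
   7 host/host.hq.domain.com@HQ.DOMAIN.COM
   8 host/host.hq.domain.com@HQ.DOMAIN.COM
   9 host/host.hq.domain.com@HQ.DOMAIN.COM'

# kvno_summary: read klist -k output on stdin; print one line per principal:
#   <principal> <distinct KVNO count> <lowest KVNO> <highest KVNO>
# Principals are printed in first-seen order. Duplicate (principal, KVNO)
# pairs, as produced by several enctypes per KVNO, are counted once.
kvno_summary() {
    awk '
        $1 ~ /^[0-9]+$/ {                 # data lines start with the KVNO
            p = $2; k = $1 + 0
            if (!(p in cnt)) { order[++n] = p; cnt[p] = 0 }
            key = p SUBSEP k
            if (!(key in seen)) {
                seen[key] = 1; cnt[p]++
                if (!(p in mn) || k < mn[p]) mn[p] = k
                if (!(p in mx) || k > mx[p]) mx[p] = k
            }
        }
        END { for (i = 1; i <= n; i++) { p = order[i]; print p, cnt[p], mn[p], mx[p] } }'
}

# kvno_excess: print principals that hold more than 3 KVNOs (the steady state
# the thread describes for sync_kvno). Exit status 1 if any were found.
kvno_excess() {
    kvno_summary | awk '
        $2 > 3 { print $1, "holds", $2, "KVNOs (" $3 "-" $4 ")"; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Demo on the constructed listing. On a real member server (as root):
#   klist -k /etc/krb5.keytab | kvno_excess
printf '%s\n' "$SAMPLE_KLIST" | kvno_excess || echo "keytab holds excess KVNOs"
```

Run it before and after `net ads changetrustpw` to see whether the keytab grew by one KVNO or by two; `net ads keytab list` gives a similar listing if MIT `klist` is not installed, but its column layout differs, so feed `kvno_summary` only the `klist -k` form.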
pfilipensky at samba.org
2025-Feb-19 10:22 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi Christian,

On 2/18/25 3:28 PM, Christian Naumer via samba wrote:
> This is from the man page of Samba:
>
> "This path is relative to private dir if the path does not start with a /."
>
> Having said that, this is what we have on our DCs:
>
>         tls enabled  = yes
>         tls keyfile  = tls/server_de.key
>         tls certfile = tls/server.pem
>         tls cafile   = tls/ca.pem
>         tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>
> The problem is only on the member servers and only when using:
>
> net ads changetrustpw
>
> The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest, as the file servers are.
>
> Have you tried "net ads changetrustpw" on a member with "sync machine password to keytab" in the smb.conf?

Yes, "net ads changetrustpw" is part of upstream tests:
https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601

Does the issue happen also with samba 4.21.3?

Kind regards,
Pavel

> Regards
>
> Christian
>
>
> On 18.02.25 at 15:21, Sami Hulkko via samba wrote:
>> My penny on it:
>>
>>         tls enabled = Yes
>>         tls cafile = /var/lib/samba/private/tls/ca.crt
>>         tls certfile = /var/lib/samba/private/tls/dc.crt
>>         tls crlfile = /var/lib/samba/private/tls/pki.crl
>>         tls dh params file = /var/lib/samba/private/tls/dh.pem
>>         tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>>
>> Works and needs absolute paths.
>>
>> #        tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>
>> Opting out of old ciphers is possible.
>>
>> SH
>>
>> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>>> Hi all,
>>> some additional info. If I supply a CRL file in the smb.conf like this:
>>>
>>> #tls verify peer = ca_and_name
>>> tls crlfile = tls/root.crl.pem
>>>
>>> and comment out "tls verify peer", which then uses the default "tls verify peer = as_strict_as_possible",
>>>
>>> the "gensec_gse_client_prepare_ccache" error is not logged during a "normal" password change. However, the behaviour of "net ads changetrustpw" is still the same.
>>>
>>> Any thoughts on this?
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>> On 18.02.25 at 12:48, Christian Naumer via samba wrote:
>>>> Hi all,
>>>> I have been trying to use the new options "sync machine password to keytab" and "client ldap sasl wrapping" in Samba 4.21 together with "client ldap sasl wrapping".
>>>>
>>>> When this is set:
>>>>
>>>> client ldap sasl wrapping = ldaps (or starttls)
>>>> tls cafile = tls/ca.pem
>>>> tls verify peer = ca_and_name
>>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>
>>>> and I do a:
>>>>
>>>> net ads changetrustpw
>>>>
>>>> I get this:
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
>>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned Invalid credentials
>>>> secrets_finish_password_change: Sync of machine password failed.
>>>> Password change failed: An internal error occurred.
>>>>
>>>> The keytab is still updated with the new KVNO and the machine password in AD is updated. However, the new KVNO is appended to the keytab. There are two new KVNOs in the keytab, as if the password was updated twice.
>>>>
>>>> When I remove the ldaps/starttls options from the smb.conf I get this result:
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>>
>>>> The keytab is updated with the new KVNO and the machine password in AD is updated. In the keytab there are then always 3 KVNOs: the current one and the two previous ones.
>>>>
>>>> Additional info. If I wait for the machine password to time out and winbind changes the password, this "works" in so far as the keytab has only one additional KVNO, and all other KVNOs beyond the current and the last two are removed. However, the error
>>>>
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> is still logged.
>>>>
>>>> Should I file a bug for this? I can reproduce this also on a Debian 12 system.
>>>>
>>>> Regards
>>>>
>>>> Christian
>>>>
>>>>
>>>> Samba version is 4.21.4-SerNet-RedHat-6.el8, just updated with the release this morning.
>>>>
>>>> Here is the rest of the global section:
>>>>
>>>> [global]
>>>>         netbios name = HOST
>>>>         server string = Daten
>>>>         security = ADS
>>>>         realm = HQ.DOMAIN.COM
>>>>         workgroup = DOMAIN-02
>>>>         disable netbios = yes
>>>>         smb ports = 445
>>>>         interfaces = eth0
>>>>         bind interfaces only = yes
>>>>         server min protocol = SMB2
>>>>         client min protocol = SMB2
>>>>         log level = 1 auth_audit:5
>>>>         client ldap sasl wrapping = starttls
>>>>         tls cafile = tls/ca.pem
>>>>         tls verify peer = ca_and_name
>>>>         logging = syslog only
>>>>         sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>         writeable = YES
>>>>         map acl inherit = yes
>>>>         store dos attributes = yes
>>>>         inherit acls = Yes
>>>>         vfs objects = acl_xattr full_audit
>>>>         full_audit:success = pwrite write unlinkat renameat
>>>>         full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>>>         full_audit:priority = NOTICE
>>>>         full_audit:facility = local7
>>>>         full_audit:failure = none
>>>>         apply group policies = yes
>>>>         username map = /etc/samba/smbusers
>>>>
>>>>         interfaces = lo eth0
>>>>         bind interfaces only = Yes
>>>>         ##idmap##
>>>>         # Default idmap config used for BUILTIN and local windows accounts/groups
>>>>         idmap config *:backend = tdb
>>>>         idmap config *:range = 1000000-2000000
>>>>
>>>>         # idmap config for domain DOMAIN-02
>>>>         idmap config DOMAIN-02:backend = ad
>>>>         idmap config DOMAIN-02:range = 500-65555
>>>>         idmap config DOMAIN-02:unix_nss_info = yes
>>>>         idmap config DOMAIN-02:schema_mode = rfc2307
>>>>         winbind enum users = yes
>>>>         winbind enum groups = yes
>>>>         winbind use default domain = Yes
>>>>         machine password timeout = 604800
>>>>         winbind reconnect delay = 5
>>>>         winbind refresh tickets = yes
>>>>         min domain uid = 500
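The thread turns on the man-page rule quoted above: a `tls cafile`, `tls certfile`, `tls keyfile`, `tls crlfile` or `tls dh params file` value that does not start with `/` is taken relative to `private dir`, so `tls/ca.pem` on a member server and the same string on a DC can point at different files, and a missing file is an easy way to get `tls verify peer = ca_and_name` connections rejected. The following shell helper is an added example, not code from the thread or from the Samba project. It applies that rule to the `tls` file options of an smb.conf read from stdin and reports whether each resolved file is readable. The smb.conf fragment and the private dir value below are constructed; the real compiled-in default is shown by `smbd -b | grep PRIVATE_DIR` and can be overridden by the `private dir` parameter.

```shell
#!/bin/sh
# Added example: resolve "tls * file" options of an smb.conf the way the
# samba man page describes (relative values are relative to "private dir")
# and report whether each resolved file is readable.

# Assumed private dir (constructed). On a real host take it from
#   smbd -b | grep PRIVATE_DIR        (compiled-in default)
#   testparm -sv 2>/dev/null | grep 'private dir'   (effective value)
PRIVATE_DIR=/var/lib/samba/private

# Constructed smb.conf fragment mixing relative and absolute values.
SAMPLE_SMBCONF='[global]
        tls enabled  = yes
        tls keyfile  = tls/server_de.key
        tls certfile = tls/server.pem
        tls cafile   = tls/ca.pem
        tls crlfile  = /etc/pki/samba/root.crl.pem
        tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3'

# resolve_tls_path PRIVATE_DIR VALUE -> absolute path per the man-page rule
resolve_tls_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# tls_file_paths [PRIVATE_DIR]: read smb.conf on stdin, print
#   <option>: <resolved absolute path>
# for every tls option that names a file. Non-file tls options are ignored.
tls_file_paths() {
    awk -v priv="${1:-$PRIVATE_DIR}" '
        /^[ \t]*tls (cafile|certfile|keyfile|crlfile|dh params file)[ \t]*=/ {
            eq  = index($0, "=")
            opt = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", opt)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/\/+$/, "", priv)
            if (val !~ /^\//) val = priv "/" val   # relative -> under private dir
            print opt ": " val
        }'
}

# check_tls_files [PRIVATE_DIR]: like tls_file_paths, but also say whether the
# resolved file is readable by the current user (run as root to match smbd).
check_tls_files() {
    tls_file_paths "$@" | while IFS= read -r line; do
        path=${line#*: }
        if [ -r "$path" ]; then
            printf '%s (present)\n' "$line"
        else
            printf '%s (MISSING or unreadable)\n' "$line"
        fi
    done
}

# Demo on the constructed fragment. On a real member server:
#   check_tls_files "$(testparm -sv 2>/dev/null | sed -n 's/^[ \t]*private dir = //p')" < /etc/samba/smb.conf
printf '%s\n' "$SAMPLE_SMBCONF" | check_tls_files
```

On the member server the files must also be readable by the winbindd and smbd processes, not only present; a CA file under the private dir normally is, but a CRL or key copied in with restrictive ownership will fail the peer verification just as a wrong path does.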