pfilipensky at samba.org
2025-Feb-19 10:22 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi Christian,

On 2/18/25 3:28 PM, Christian Naumer via samba wrote:
> This is from the man page of Samba:
>
> "This path is relative to private dir if the path does not start with
> a /."
>
> Having said that this is what we have on our DCs:
>
>         tls enabled  = yes
>         tls keyfile  = tls/server_de.key
>         tls certfile = tls/server.pem
>         tls cafile   = tls/ca.pem
>         tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>
> The problem is only on the member servers and only when using:
>
> net ads changetrustpw
>
> The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the
> file servers.
>
> Have you tried "net ads changetrustpw" on a member with "sync machine
> password to keytab" in the smb.conf?

Yes, "net ads changetrustpw" is part of upstream tests:

https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601

Does the issue happen also with samba 4.21.3?

Kind regards,

Pavel

> Regards
>
> Christian
>
> On 18.02.25 at 15:21, Sami Hulkko via samba wrote:
>> My penny on it:
>>
>>         tls enabled = Yes
>>         tls cafile = /var/lib/samba/private/tls/ca.crt
>>         tls certfile = /var/lib/samba/private/tls/dc.crt
>>         tls crlfile = /var/lib/samba/private/tls/pki.crl
>>         tls dh params file = /var/lib/samba/private/tls/dh.pem
>>         tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>>
>> Works and needs absolute paths.
>>
>> #        tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>
>> opt out old ciphers is possible.
>>
>> SH
>>
>> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>>> Hi all,
>>> some additional info. If I supply a CRL file in the smb.conf like this:
>>>
>>> #tls verify peer = ca_and_name
>>> tls crlfile = tls/root.crl.pem
>>>
>>> And comment "tls verify peer" which then uses the default "tls
>>> verify peer = as_strict_as_possible"
>>>
>>> the "gensec_gse_client_prepare_ccache" error is not logged during
>>> "normal" password change. However, the behaviour of "net ads
>>> changetrustpw" is still the same.
>>>
>>> Any thoughts on this?
>>>
>>> Regards
>>>
>>> Christian
>>>
>>> On 18.02.25 at 12:48, Christian Naumer via samba wrote:
>>>> Hi all,
>>>> I have been trying to use the new options "sync machine password to
>>>> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with
>>>> "client ldap sasl wrapping"
>>>>
>>>> When this is set:
>>>>
>>>> client ldap sasl wrapping = ldaps (or starttls)
>>>> tls cafile = tls/ca.pem
>>>> tls verify peer = ca_and_name
>>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>
>>>> And I do a:
>>>>
>>>> net ads changetrustpw
>>>>
>>>> I get this:
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
>>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned Invalid credentials
>>>> secrets_finish_password_change: Sync of machine password failed.
>>>> Password change failed: An internal error occurred.
>>>>
>>>> The keytab is still updated with the new KVNO and the machine
>>>> password in AD is updated. However the new KVNO is appended to the
>>>> keytab. There are two new KVNOs in the keytab as if the password
>>>> was updated twice.
>>>>
>>>> When I remove the ldaps/starttls options from the smb.conf I get
>>>> this result:
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>>
>>>> The keytab is updated with the new KVNO and the machine password in
>>>> AD is updated. In the keytab there are then always 3 KVNOs: the
>>>> current and the two previous ones.
>>>>
>>>> Additional info. If I wait for the machine password to timeout and
>>>> winbind changes the password. This "works" as far as the keytab has
>>>> only one additional KVNO and all other KVNOs more than the current
>>>> and the last two are removed. However the error
>>>>
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access ldap/dc2.domain.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> is still logged.
>>>>
>>>> Should I file a bug for this? I can reproduce this also on a Debian
>>>> 12 system.
>>>>
>>>> Regards
>>>>
>>>> Christian
>>>>
>>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the
>>>> release this morning.
>>>>
>>>> Here is the rest of the global section:
>>>>
>>>> [global]
>>>>         netbios name = HOST
>>>>         server string = Daten
>>>>         security = ADS
>>>>         realm = HQ.DOMAIN.COM
>>>>         workgroup = DOMAIN-02
>>>>         disable netbios = yes
>>>>         smb ports = 445
>>>>         interfaces = eth0
>>>>         bind interfaces only = yes
>>>>         server min protocol = SMB2
>>>>         client min protocol = SMB2
>>>>         log level = 1 auth_audit:5
>>>>         client ldap sasl wrapping = starttls
>>>>         tls cafile = tls/ca.pem
>>>>         tls verify peer = ca_and_name
>>>>         logging = syslog only
>>>>         sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>         writeable = YES
>>>>         map acl inherit = yes
>>>>         store dos attributes = yes
>>>>         inherit acls = Yes
>>>>         vfs objects = acl_xattr full_audit
>>>>         full_audit:success = pwrite write unlinkat renameat
>>>>         full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>>>         full_audit:priority = NOTICE
>>>>         full_audit:facility = local7
>>>>         full_audit:failure = none
>>>>         apply group policies = yes
>>>>         username map = /etc/samba/smbusers
>>>>
>>>>         interfaces = lo eth0
>>>>         bind interfaces only = Yes
>>>>         ##idmap##
>>>>         # Default idmap config used for BUILTIN and local windows
>>>> accounts/groups
>>>>         idmap config *:backend = tdb
>>>>         idmap config *:range = 1000000-2000000
>>>>
>>>>         # idmap config for domain DOMAIN-02
>>>>         idmap config DOMAIN-02:backend = ad
>>>>         idmap config DOMAIN-02:range = 500-65555
>>>>         idmap config DOMAIN-02:unix_nss_info = yes
>>>>         idmap config DOMAIN-02:schema_mode = rfc2307
>>>>         winbind enum users = yes
>>>>         winbind enum groups = yes
>>>>         winbind use default domain = Yes
>>>>         machine password timeout = 604800
>>>>         winbind reconnect delay = 5
>>>>         winbind refresh tickets = yes
>>>>         min domain uid = 500
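The original report quoted above describes the keytab symptom in terms of key versions: a healthy rotation leaves three KVNOs (current plus two previous) per principal, while the failed sync appends two new ones. As an added example that is not part of this thread and not Samba's own code, the script below parses a `klist -ke`-style listing (the sample is constructed, modelled on MIT klist's listing format, with placeholder principals) and reports principals holding more key versions than the expected retention, plus a comparison of the newest keytab KVNO against the KVNO recorded in AD for the account. The `ad_kvnos` input is an assumption; in practice it would be filled from the computer object's msDS-KeyVersionNumber attribute, which the thread does not discuss.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the listing format of `klist -ke`
# (placeholder principals and enctypes; not output captured from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 host/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 host/host.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   6 host/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   7 host/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 cifs/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   6 cifs/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   7 cifs/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: KVNO, principal, optional "(enctype)" suffix.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)(?:\s+\((?P<enctype>[^)]+)\))?\s*$"
)


def parse_klist(text):
    """Map each principal to the sorted list of distinct KVNOs it has keys for."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m["principal"]].add(int(m["kvno"]))
    return {p: sorted(v) for p, v in kvnos.items()}


def excess_kvnos(kvnos_by_principal, keep=3):
    """Principals holding more than `keep` key versions, with the versions
    older than the newest `keep`. The thread reports current + two previous
    as the normal steady state, hence keep=3 by default."""
    return {p: v[:-keep] for p, v in kvnos_by_principal.items() if len(v) > keep}


def compare_with_ad(kvnos, ad_kvno):
    """Compare the newest KVNO in the keytab with the KVNO AD reports."""
    newest = max(kvnos)
    if newest == ad_kvno:
        return "ok"
    if newest > ad_kvno:
        return "keytab ahead of AD"
    return "keytab behind AD"


def check_keytab(text, ad_kvnos, keep=3):
    """Full report: per-principal KVNOs, retention violations and AD drift.
    `ad_kvnos` maps principal -> KVNO known to AD (assumed input)."""
    parsed = parse_klist(text)
    return {
        "kvnos": parsed,
        "excess": excess_kvnos(parsed, keep),
        "drift": {p: compare_with_ad(v, ad_kvnos[p])
                  for p, v in parsed.items() if p in ad_kvnos},
    }


if __name__ == "__main__":
    report = check_keytab(SAMPLE_KLIST, {"host/host.domain.com@DOMAIN.COM": 7})
    for principal, versions in report["kvnos"].items():
        print(f"{principal}: KVNOs {versions}")
    for principal, stale in report["excess"].items():
        print(f"WARNING {principal}: stale KVNO(s) beyond retention: {stale}")
    for principal, verdict in report["drift"].items():
        print(f"{principal}: {verdict}")
```

Running the block as-is flags the host principal, which carries four versions, and reports the cifs principal as within retention; feeding it real `klist -ke` output after each `net ads changetrustpw` makes the "appended twice" condition from the report visible without reading the raw listing.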
Christian Naumer
2025-Feb-19 10:50 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Hi Pavel.

On 19.02.25 at 11:22, Pavel Filipenský via samba wrote:
>> Have you tried "net ads changetrustpw" on a member with "sync machine
>> password to keytab" in the smb.conf?
>
> Yes, "net ads changetrustpw" is part of upstream tests:
>
> https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601
>
> Does the issue happen also with samba 4.21.3?

I can not test this as the sernet repo does not allow the downgrade. I also now upgraded the DCs from 4.20 to 4.21 just to make sure that this is not the issue.

I have been digging deeper. If I run "net ads changetrustpw", on the DC side I see mixed entries in the logs:

On dc2 a [Success]:

Feb 19 11:27:22 dc2.domain.com samba[8970]: Password Change [Change] at [Wed, 19 Feb 2025 11:27:22.744358 CET] status [Success] remote host [Unknown] SID [S-1-5-21-xx-xx-xx-xx] DN [CN=HOST,CN=Computers,DC=domain,DC=com]

On dc4 [insufficient access rights]:

Password Change [Reset] at [Wed, 19 Feb 2025 11:27:22.667348 CET] status [insufficient access rights] remote host [Unknown] SID [S-1-5-21-xx-xx-xx-xx] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 11:27:22 dc4.domain.com samba[4078]: [2025/02/19 11:27:22.667406, 5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
Feb 19 11:27:22 dc4.domain.com samba[4078]: DSDB Transaction [rollback] at [Wed, 19 Feb 2025 11:27:22.667402 CET] duration [1558]
Feb 19 11:27:22 dc4.domain.com samba[4078]: [2025/02/19 11:27:22.667485, 0] ../../source4/kdc/kpasswd-service-heimdal.c:234(kpasswd_set_password)
Feb 19 11:27:22 dc4.domain.com samba[4078]: kpasswd_set_password: kpasswd_samdb_set_password failed - NT_STATUS_ACCESS_DENIED

If the password change is done because of "machine password timeout" then it looks like this on the DC:

Feb 19 11:37:22 dc2.domain.com samba[8914]: Password Change [Reset] at [Wed, 19 Feb 2025 11:37:22.503303 CET] status [Success] remote host [ipv4:192.168.0.31:55402] SID [S-1-5-18] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 11:37:22 dc2.domain.com samba[8978]: [2025/02/19 11:37:22.639002, 2] ../../auth/auth_log.c:876(log_authentication_event_human_readable)

No logs in the other DCs. Locally it looks like this:

Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.434123, 0, traceid=1] ../../source3/libads/trusts_util.c:399(trust_pw_change)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 2025/02/19 11:37:22 : trust_pw_change(DOMAIN): Verifying passwords remotely netlogon_creds_cli:CLI[host/host$]/SRV[DC2/DOMAIN].
Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.438574, 0, traceid=1] ../../source3/libads/trusts_util.c:477(trust_pw_change)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 2025/02/19 11:37:22 : trust_pw_change(DOMAIN): Verified old password remotely using netlogon_creds_cli:CLI[host/host$]/SRV[DC2/DOMAIN]
Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.438683, 0, traceid=1] ../../source3/libads/trusts_util.c:516(trust_pw_change)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 2025/02/19 11:37:22 : trust_pw_change(DOMAIN): Changed password locally
Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.510568, 0, traceid=1] ../../source3/libads/trusts_util.c:570(trust_pw_change)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 2025/02/19 11:37:22 : trust_pw_change(DOMAIN): Changed password remotely using netlogon_creds_cli:CLI[host/host$]/SRV[DC2/DOMAIN]
Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.511555, 1, traceid=1] ../../source3/passdb/machine_account_secrets.c:786(secrets_debug_domain_info)
Feb 19 11:37:22 host.domain.com winbindd[31776]: &sdib: struct secrets_domain_infoB
Feb 19 11:37:22 host.domain.com winbindd[31776]: version : SECRETS_DOMAIN_INFO_VERSION_1 (1)
Feb 19 11:37:22 host.domain.com winbindd[31776]: reserved : 0x00000000 (0)
Feb 19 11:37:22 host.domain.com winbindd[31776]: info : union secrets_domain_infoU(case 1)
Feb 19 11:37:22 host.domain.com winbindd[31776]: info1 : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: info1: struct secrets_domain_info1
Feb 19 11:37:22 host.domain.com winbindd[31776]: reserved_flags : 0x0000000000000000 (0)
Feb 19 11:37:22 host.domain.com winbindd[31776]: join_time : Mon Feb 17 16:20:16 2025 CET
Feb 19 11:37:22 host.domain.com winbindd[31776]: computer_name : 'host'
Feb 19 11:37:22 host.domain.com winbindd[31776]: account_name : 'host$'
Feb 19 11:37:22 host.domain.com winbindd[31776]: secure_channel_type : SEC_CHAN_WKSTA (2)
Feb 19 11:37:22 host.domain.com winbindd[31776]: domain_info: struct lsa_DnsDomainInfo
Feb 19 11:37:22 host.domain.com winbindd[31776]: name: struct lsa_StringLarge
Feb 19 11:37:22 host.domain.com winbindd[31776]: length : 0x0010 (16)
Feb 19 11:37:22 host.domain.com winbindd[31776]: size : 0x0012 (18)
Feb 19 11:37:22 host.domain.com winbindd[31776]: string : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: string : 'DOMAIN'
Feb 19 11:37:22 host.domain.com winbindd[31776]: dns_domain: struct lsa_StringLarge
Feb 19 11:37:22 host.domain.com winbindd[31776]: length : 0x0026 (38)
Feb 19 11:37:22 host.domain.com winbindd[31776]: size : 0x0028 (40)
Feb 19 11:37:22 host.domain.com winbindd[31776]: string : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: string : 'domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: dns_forest: struct lsa_StringLarge
Feb 19 11:37:22 host.domain.com winbindd[31776]: length : 0x0026 (38)
Feb 19 11:37:22 host.domain.com winbindd[31776]: size : 0x0028 (40)
Feb 19 11:37:22 host.domain.com winbindd[31776]: string : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: string : 'domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: domain_guid : 733e196a-bcc5-407f-8de5-76e577927c13
Feb 19 11:37:22 host.domain.com winbindd[31776]: sid : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: sid : S-1-5-21-773202902-494389186-2375354597
Feb 19 11:37:22 host.domain.com winbindd[31776]: trust_flags : 0x0000001a (26)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: NETR_TRUST_FLAG_IN_FOREST
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: NETR_TRUST_FLAG_OUTBOUND
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: NETR_TRUST_FLAG_TREEROOT
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: NETR_TRUST_FLAG_PRIMARY
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: NETR_TRUST_FLAG_NATIVE
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: NETR_TRUST_FLAG_INBOUND
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: NETR_TRUST_FLAG_MIT_KRB5
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: NETR_TRUST_FLAG_AES
Feb 19 11:37:22 host.domain.com winbindd[31776]: trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
Feb 19 11:37:22 host.domain.com winbindd[31776]: trust_attributes : 0x00000040 (64)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
Feb 19 11:37:22 host.domain.com winbindd[31776]: reserved_routing : NULL
Feb 19 11:37:22 host.domain.com winbindd[31776]: supported_enc_types : 0x0000001c (28)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_DES_CBC_CRC
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_DES_CBC_MD5
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: KERB_ENCTYPE_RC4_HMAC_MD5
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
Feb 19 11:37:22 host.domain.com winbindd[31776]: 1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_FAST_SUPPORTED
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_CLAIMS_SUPPORTED
Feb 19 11:37:22 host.domain.com winbindd[31776]: 0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_principal : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_principal : 'host/host.domain.com@domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: password_last_change : Wed Feb 19 11:37:22 2025 CET
Feb 19 11:37:22 host.domain.com winbindd[31776]: password_changes : 0x0000000000000028 (40)
Feb 19 11:37:22 host.domain.com winbindd[31776]: next_change : NULL
Feb 19 11:37:22 host.domain.com winbindd[31776]: password : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: password: struct secrets_domain_info1_password
Feb 19 11:37:22 host.domain.com winbindd[31776]: change_time : Wed Feb 19 11:37:22 2025 CET
Feb 19 11:37:22 host.domain.com winbindd[31776]: change_server : 'dc2.domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: cleartext_blob : DATA_BLOB length=240
Feb 19 11:37:22 host.domain.com winbindd[31776]: nt_hash: struct samr_Password
Feb 19 11:37:22 host.domain.com winbindd[31776]: hash: ARRAY(16): <REDACTED SECRET VALUES>
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_data : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_data : 'domain.comhosthost.domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: default_iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: num_keys : 0x0003 (3)
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: ARRAY(3)
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000012 (18)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=32
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000011 (17)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=16
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000017 (23)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=16
Feb 19 11:37:22 host.domain.com winbindd[31776]: old_password : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: old_password: struct secrets_domain_info1_password
Feb 19 11:37:22 host.domain.com winbindd[31776]: change_time : Wed Feb 19 11:27:22 2025 CET
Feb 19 11:37:22 host.domain.com winbindd[31776]: change_server : '192.168.0.91'
Feb 19 11:37:22 host.domain.com winbindd[31776]: cleartext_blob : DATA_BLOB length=240
Feb 19 11:37:22 host.domain.com winbindd[31776]: nt_hash: struct samr_Password
Feb 19 11:37:22 host.domain.com winbindd[31776]: hash: ARRAY(16): <REDACTED SECRET VALUES>
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_data : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_data : 'domain.comhosthost.domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: default_iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: num_keys : 0x0003 (3)
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: ARRAY(3)
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000012 (18)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=32
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000011 (17)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=16
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000017 (23)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=16
Feb 19 11:37:22 host.domain.com winbindd[31776]: older_password : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: older_password: struct secrets_domain_info1_password
Feb 19 11:37:22 host.domain.com winbindd[31776]: change_time : Wed Feb 19 11:26:01 2025 CET
Feb 19 11:37:22 host.domain.com winbindd[31776]: change_server : 'dc1'
Feb 19 11:37:22 host.domain.com winbindd[31776]: cleartext_blob : DATA_BLOB length=240
Feb 19 11:37:22 host.domain.com winbindd[31776]: nt_hash: struct samr_Password
Feb 19 11:37:22 host.domain.com winbindd[31776]: hash: ARRAY(16): <REDACTED SECRET VALUES>
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_data : *
Feb 19 11:37:22 host.domain.com winbindd[31776]: salt_data : 'domain.comhosthost.domain.com'
Feb 19 11:37:22 host.domain.com winbindd[31776]: default_iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: num_keys : 0x0003 (3)
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: ARRAY(3)
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000012 (18)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=32
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000011 (17)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=16
Feb 19 11:37:22 host.domain.com winbindd[31776]: keys: struct secrets_domain_info1_kerberos_key
Feb 19 11:37:22 host.domain.com winbindd[31776]: keytype : 0x00000017 (23)
Feb 19 11:37:22 host.domain.com winbindd[31776]: iteration_count : 0x00001000 (4096)
Feb 19 11:37:22 host.domain.com winbindd[31776]: value : DATA_BLOB length=16
Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.716105, 0, traceid=1] ../../source3/libads/trusts_util.c:594(trust_pw_change)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 2025/02/19 11:37:22 : trust_pw_change(DOMAIN): Finished password change.
Feb 19 11:37:22 host.domain.com winbindd[31776]: [2025/02/19 11:37:22.721540, 0, traceid=1] ../../source3/libads/trusts_util.c:646(trust_pw_change)
Feb 19 11:37:22 host.domain.com winbindd[31776]: 2025/02/19 11:37:22 : trust_pw_change(DOMAIN): Verified new password remotely using netlogon_creds_cli:CLI[host/host$]/SRV[DC2/DOMAIN]

If you have any ideas to debug further let me know.
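Christian's message above contrasts the DC-side audit lines for a manual `net ads changetrustpw` (a refused [Reset] on dc4 and a successful [Change] on dc2 within the same second) with the single successful [Reset] logged for the winbind-driven rotation. As an added example, not part of the thread and not Samba's own code, the script below parses lines in that "Password Change [...] at [...] status [...]" audit format (the sample is constructed, modelled on the quoted lines, with the placeholder SID the post already uses) and flags a change for one account that landed on more than one DC within a short window with disagreeing outcomes. That split pattern is the one to alert on when a member's keytab and AD start to drift; the plain non-Success filter is included for the ordinary alert path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the Samba DSDB password-change audit
# messages quoted in the thread (placeholder host names and SID).
SAMPLE_LOG = """\
Feb 19 11:27:22 dc4.domain.com samba[4078]: Password Change [Reset] at [Wed, 19 Feb 2025 11:27:22.667348 CET] status [insufficient access rights] remote host [Unknown] SID [S-1-5-21-xx-xx-xx-xx] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 11:27:22 dc2.domain.com samba[8970]: Password Change [Change] at [Wed, 19 Feb 2025 11:27:22.744358 CET] status [Success] remote host [Unknown] SID [S-1-5-21-xx-xx-xx-xx] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 11:37:22 dc2.domain.com samba[8914]: Password Change [Reset] at [Wed, 19 Feb 2025 11:37:22.503303 CET] status [Success] remote host [ipv4:192.168.0.31:55402] SID [S-1-5-18] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
"""

# syslog prefix (month day time host program[pid]:), then the bracketed audit fields
AUDIT_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<dc>\S+) samba\[\d+\]: Password Change "
    r"\[(?P<action>[^\]]+)\] at \[(?P<when>[^\]]+)\] status \[(?P<status>[^\]]+)\] "
    r"remote host \[(?P<remote>[^\]]+)\] SID \[(?P<sid>[^\]]+)\] DN \[(?P<dn>[^\]]+)\]$"
)


def parse_events(text):
    """Parse audit lines into dicts. The trailing zone name ("CET") is dropped
    before parsing because all lines from one site carry the same zone."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        stamp = m["when"].rsplit(" ", 1)[0]
        ts = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S.%f")
        events.append({**m.groupdict(), "ts": ts})
    return events


def _evaluate(cluster):
    """A cluster is suspicious when it spans several DCs and outcomes differ."""
    dcs = sorted({e["dc"] for e in cluster})
    statuses = sorted({e["status"] for e in cluster})
    if len(dcs) > 1 and len(statuses) > 1:
        return {"dn": cluster[0]["dn"], "first": cluster[0]["ts"], "dcs": dcs,
                "statuses": statuses,
                "actions": sorted({e["action"] for e in cluster})}
    return None


def find_split_changes(events, window=timedelta(seconds=5)):
    """Group events per account DN into clusters no wider than `window` and
    return the clusters where one DC refused what another DC accepted."""
    by_dn = defaultdict(list)
    for ev in events:
        by_dn[ev["dn"]].append(ev)
    findings = []
    for evs in by_dn.values():
        evs.sort(key=lambda e: e["ts"])
        cluster = []
        for ev in evs:
            if cluster and ev["ts"] - cluster[0]["ts"] > window:
                finding = _evaluate(cluster)
                if finding:
                    findings.append(finding)
                cluster = []
            cluster.append(ev)
        finding = _evaluate(cluster)
        if finding:
            findings.append(finding)
    return findings


def failed_events(events):
    """Every audit line whose status is not Success."""
    return [e for e in events if e["status"] != "Success"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_split_changes(evs):
        print(f"SPLIT CHANGE {f['dn']} at {f['first']}: DCs {f['dcs']} "
              f"actions {f['actions']} statuses {f['statuses']}")
    for e in failed_events(evs):
        print(f"FAILED {e['action']} on {e['dc']} for {e['dn']}: {e['status']}")
```

On the sample the 11:27:22 pair is reported as one split change (Reset refused on dc4, Change accepted on dc2) and the 11:37:22 winbind rotation is not, which matches the distinction the message draws; on real logs the lines from all DCs have to be merged into one stream first, since the split only shows up when the events from different DCs sit side by side.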
Christian Naumer
2025-Feb-19 10:54 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Additional info again.

Also running

wbinfo --change-secret --domain=DOMAIN

causes no errors and updates the keytab as expected. From the logs it is basically the same as waiting for the machine password to time out.

Regards

Christian

On 19.02.25 at 11:22, Pavel Filipenský via samba wrote:
> Hi Christian,
>
> On 2/18/25 3:28 PM, Christian Naumer via samba wrote:
>> Have you tried "net ads changetrustpw" on a member with "sync machine
>> password to keytab" in the smb.conf?
>
> Yes, "net ads changetrustpw" is part of upstream tests:
>
> https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601
>
> Does the issue happen also with samba 4.21.3?
>
> Kind regards,
>
> Pavel
Christian Naumer
2025-Feb-19 11:21 UTC
[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
On 19.02.25 at 11:22, Pavel Filipenský via samba wrote:
> Does the issue happen also with samba 4.21.3?

I just checked. I actually started with 4.21.3 and upgraded yesterday to see if this is fixed.

Regards

Christian