[Samba] samba4 : [kerberos part kinit work but no kpasswd

MARTIN boris martin-boris at wanadoo.fr
Fri May 9 05:43:35 MDT 2014


The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.

But as far as I can see in the tcpdump trace, this is not DNS related, because every query from the client gets the right answer from the server.

 

Best regards





> Message du 09/05/14 10:29
> De : "Rowland Penny" 
> A : samba at lists.samba.org
> Copie à : 
> Objet : Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
> 
> On 09/05/14 09:01, MARTIN boris wrote:
> > hi,
> >
> > 
> >
> > I have recently installed a Samba 4 in a DC role.
> >
> > The distribution is Debian jessie/sid; the version of Samba is 4.1.7.
> >
> > The server is globally working, but there is some little trouble.
> >
> > On the server itself, I can do a kinit without problem, but if I try a kpasswd, I obtain the following:
> >
> > 
> >
> > root at station:/var/log/samba# kinit
> > Password for administrator at TOTO.FR:
> >
> > root at station:/var/log/samba# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at TOTO.FR
> >
> > Valid starting Expires Service principal
> > 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
> > renew until 10/05/2014 09:23:38
> >
> > root at station:/var/log/samba# kpasswd
> >
> > [10 sec later ....]
> >
> > kpasswd: Cannot contact any KDC for requested realm getting initial ticket
> >
> > 
> >
> > 
> >
> > The smb.conf file is the following:
> >
> > 
> >
> > [global]
> > workgroup = TOTO
> > realm = TOTO.FR
> > netbios name = station
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> > idmap_ldb:use rfc2307 = yes
> > dns forwarder = 129.20.128.39
> > allow dns updates = nonsecure
> > # winbind rpc only = yes
> > log level = 4
> > ntp signd socket directory = /var/lib/samba/ntp_signd
> > [netlogon]
> > path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [demo]
> > path = /share/demo
> > read only = no
> >
> > 
> >
> > and the krb5.conf is the following:
> >
> > 
> >
> > [logging]
> > default = FILE:/var/log/krb5.log
> > [libdefaults]
> > default_realm = TOTO.FR
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > # The following krb5.conf variables are only for MIT Kerberos.
> > krb4_config = /etc/krb.conf
> > krb4_realms = /etc/krb.realms
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> >
> >
> >
> > default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >
> > permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> > supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >
> > 
> >
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > IETR.UNIV-RENNES1.FR = {
> > kdc = admin.toto.fr:88
> > admin_server = admin.toto.fr
> > }
> > ...
> >
> > 
> >
> > [domain_realm]
> > .mit.edu = ATHENA.MIT.EDU
> > mit.edu = ATHENA.MIT.EDU
> > .media.mit.edu = MEDIA-LAB.MIT.EDU
> > media.mit.edu = MEDIA-LAB.MIT.EDU
> > .csail.mit.edu = CSAIL.MIT.EDU
> > csail.mit.edu = CSAIL.MIT.EDU
> > .whoi.edu = ATHENA.MIT.EDU
> > whoi.edu = ATHENA.MIT.EDU
> > .stanford.edu = stanford.edu
> > .slac.stanford.edu = SLAC.STANFORD.EDU
> > .toronto.edu = UTORONTO.CA
> > .utoronto.ca = UTORONTO.CA
> > .toto.fr= TOTO.FR
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> >
> > 
> >
> > The tcpdump for a failed attempt of kpasswd gives the following:
> >
> > 
> >
> > client -> station Kerberos AS-REQ
> >
> > MSG Type : AS-REQ(10)
> >
> > Server Name(principal): kadmin/changepw
> >
> > Encryption type rc4-hmac
> >
> > 
> >
> > station -> client BER Error: Empty choice was found ...
> >
> > 
> >
> > and the log on the server side gives:
> >
> > 
> >
> > Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> > arcfour-hmac-md5) error Decrypt integrity check failed
> >
> > Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> >
> > 
> >
> > It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
> >
> > 
> >
> > So my questions are:
> >
> > 
> >
> > - Is there any way for me to know what kind of encryption Samba 4 / Kerberos expects on the server side?
> >
> > - What is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of Samba 4?
> >
> > - Does anyone see what I can do to fix this mess?
> >
> > 
> >
> > 
> >
> > Best regards
> This sort of works for me, but all I have in /etc/krb5.conf is this:
> 
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> root at dc1:~# kinit
> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while 
> getting initial credentials
> root at dc1:~# kinit Administrator
> Password for Administrator at EXAMPLE.COM:
> root at dc1:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at EXAMPLE.COM
> 
> Valid starting Expires Service principal
> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> renew until 10/05/14 09:06:33
> root at dc1:~# kpasswd
> Password for Administrator at EXAMPLE.COM:
> Enter new password:
> Enter it again:
> Password change rejected: Try a more complex password, or contact your 
> administrator.
> 
> NOTE: I deliberately used a non complex password.
> 
> What do you have in /etc/resolv.conf ? Is the nameserver line set to 
> either your Samba 4's IP address or 127.0.0.1 ?
> 
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>


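The question of how kpasswd picks a server (and why the realm name on the [realms] stanza has to match default_realm) can be checked offline. The following is an added example written for this page; it is not code from the thread, from Samba or from MIT krb5. It parses a constructed krb5.conf modelled on the one posted (default_realm TOTO.FR, the only [realms] stanza under a different name, a .toto.fr entry in [domain_realm]) and reports where MIT kpasswd would look for the change-password server. The lookup order it encodes is MIT krb5's: kpasswd_server from the realm stanza, else admin_server on port 464, else the DNS SRV names _kpasswd._udp/_tcp and _kerberos-adm._tcp when dns_lookup_kdc is enabled. The realm names, hostnames and the OTHER.EXAMPLE placeholder are assumptions, not taken from any real site.

```python
"""Added example: how MIT kpasswd would locate its server from a krb5.conf.

Not code from the thread or from Samba/MIT krb5; realm and host names are
placeholders. Nesting (`name = { ... }`) is handled to any depth.
"""
import re

# Constructed input modelled on the posted krb5.conf: default_realm is
# TOTO.FR, but the only [realms] stanza carries a different realm name.
SAMPLE_MISMATCHED = """\
[libdefaults]
    default_realm = TOTO.FR
    dns_lookup_realm = false
    dns_lookup_kdc = true
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }

[realms]
    OTHER.EXAMPLE = {
        kdc = admin.toto.fr:88
        admin_server = admin.toto.fr
    }

[domain_realm]
    .toto.fr= TOTO.FR
"""

# The same file with the stanza named after the default realm (constructed).
SAMPLE_FIXED = SAMPLE_MISMATCHED.replace("OTHER.EXAMPLE", "TOTO.FR")


def parse_krb5_conf(text):
    """Return {section: {key: value | nested dict}} for krb5.conf-style text."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:                                   # new [section]
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue                                 # text before any section
        if line == "}":                              # close a nested block
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                             # open a nested block
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def analyze_kpasswd(conf):
    """Describe where kpasswd would look for the default realm's server."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    result = {"realm": realm, "server": None, "port": None, "dns_srv": [], "problems": []}
    if not realm:
        result["problems"].append("[libdefaults] has no default_realm")
        return result
    stanza = conf.get("realms", {}).get(realm)
    if isinstance(stanza, dict):
        if "kpasswd_server" in stanza:               # explicit, default port 464
            host, _, port = stanza["kpasswd_server"].partition(":")
            result["server"], result["port"] = host, int(port or 464)
        elif "admin_server" in stanza:               # MIT forces port 464 here
            result["server"], result["port"] = stanza["admin_server"].partition(":")[0], 464
        else:
            result["problems"].append(f"[realms] {realm} has neither kpasswd_server nor admin_server")
    else:
        present = sorted(conf.get("realms", {}))
        result["problems"].append(f"[realms] has no stanza for default_realm {realm}; present: {present}")
    if result["server"] is None:
        if dns_kdc:                                  # DNS SRV fallback, in MIT's order
            r = realm.lower()
            result["dns_srv"] = [f"_kpasswd._udp.{r}", f"_kpasswd._tcp.{r}", f"_kerberos-adm._tcp.{r}"]
        else:
            result["problems"].append("dns_lookup_kdc is disabled, so there is no DNS fallback")
    mapping = conf.get("domain_realm", {})
    if "." + realm.lower() not in mapping and realm.lower() not in mapping:
        result["problems"].append(f"[domain_realm] does not map .{realm.lower()} to {realm}")
    return result


if __name__ == "__main__":
    for name, text in (("mismatched", SAMPLE_MISMATCHED), ("fixed", SAMPLE_FIXED)):
        print(name, analyze_kpasswd(parse_krb5_conf(text)))
```

With the mismatched sample the report shows no configured server and lists the SRV names the client would have to resolve; with the realm stanza renamed it reports admin.toto.fr on port 464 and no problems. If a client reports that it cannot contact a KDC for kpasswd while kinit works, this is the first thing to compare against the SRV records the DC actually serves (dig SRV _kpasswd._udp.<realm> against the DC's address).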