[Samba] samba4 : [kerberos part kinit work but no kpasswd

Rowland Penny rowlandpenny at googlemail.com
Fri May 9 02:28:37 MDT 2014


On 09/05/14 09:01, MARTIN boris wrote:
> Hi,
>
> I have recently installed a Samba 4 in a DC role.
>
> The distribution is Debian jessie/sid; the version of Samba is 4.1.7.
>
> The server is globally working but there is some little trouble.
>
> On the server itself, I can do a kinit without problem, but if I try a kpasswd, I obtain the following:
>
> root@station:/var/log/samba# kinit
> Password for administrator@TOTO.FR:
>
> root@station:/var/log/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@TOTO.FR
>
> Valid starting       Expires              Service principal
> 09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
>      renew until 10/05/2014 09:23:38
>
> root@station:/var/log/samba# kpasswd
>
> [10 sec later ....]
>
> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>
> The smb.conf file is the following:
>
> [global]
>          workgroup = TOTO
>          realm = TOTO.FR
>          netbios name = station
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>          idmap_ldb:use rfc2307 = yes
>          dns forwarder = 129.20.128.39
>          allow dns updates = nonsecure
> #       winbind rpc only = yes
>          log level = 4
>          ntp signd socket directory = /var/lib/samba/ntp_signd
> [netlogon]
>          path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [demo]
>          path = /share/demo
>          read only = no
>
> and the krb5.conf is the following:
>
> [logging]
>      default = FILE:/var/log/krb5.log
> [libdefaults]
>          default_realm = TOTO.FR
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>
> # The following krb5.conf variables are only for MIT Kerberos.
>          krb4_config = /etc/krb.conf
>          krb4_realms = /etc/krb.realms
>          kdc_timesync = 1
>          ccache_type = 4
>          forwardable = true
>          proxiable = true
>
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
>        v4_instance_resolve = false
>          v4_name_convert = {
>                  host = {
>                          rcmd = host
>                          ftp = ftp
>                  }
>                  plain = {
>                          something = something-else
>                  }
>          }
>          fcc-mit-ticketflags = true
>
> [realms]
>          IETR.UNIV-RENNES1.FR = {
>                  kdc = admin.toto.fr:88
>                  admin_server = admin.toto.fr
>          }
> ...
>
> [domain_realm]
>          .mit.edu = ATHENA.MIT.EDU
>          mit.edu = ATHENA.MIT.EDU
>          .media.mit.edu = MEDIA-LAB.MIT.EDU
>          media.mit.edu = MEDIA-LAB.MIT.EDU
>          .csail.mit.edu = CSAIL.MIT.EDU
>          csail.mit.edu = CSAIL.MIT.EDU
>          .whoi.edu = ATHENA.MIT.EDU
>          whoi.edu = ATHENA.MIT.EDU
>          .stanford.edu = stanford.edu
>          .slac.stanford.edu = SLAC.STANFORD.EDU
>          .toronto.edu = UTORONTO.CA
>          .utoronto.ca = UTORONTO.CA
>          .toto.fr= TOTO.FR
>
> [login]
>          krb4_convert = true
>          krb4_get_tickets = false
>
> The tcpdump for a failed attempt of kpasswd gives the following:
>
> client -> station Kerberos AS-REQ
>
> MSG Type : AS-REQ(10)
>
> Server Name(principal): kadmin/changepw
>
> Encryption type rc4-hmac
>
> station-> client BER Error : Empty choice was found ...
>
> and the log on the server side gives
>
>   Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
>   arcfour-hmac-md5) error Decrypt integrity check failed
>
>   Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>
> It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
>
> So my questions are:
>
> - Is there any way for me to know what kind of encoding Samba4/Kerberos expects on the server side?
>
> - What is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of Samba4?
>
> - Does anyone see what I can do to fix this mess?
>
> Best regards

This sort of works for me, but all I have in /etc/krb5.conf is this:

[libdefaults]
         default_realm = EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

root@dc1:~# kinit
kinit: Client 'root@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
root@dc1:~# kinit Administrator
Password for Administrator@EXAMPLE.COM:
root@dc1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
09/05/14 09:06:40  09/05/14 19:06:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
     renew until 10/05/14 09:06:33
root@dc1:~# kpasswd
Password for Administrator@EXAMPLE.COM:
Enter new password:
Enter it again:
Password change rejected: Try a more complex password, or contact your administrator.

NOTE: I deliberately used a non-complex password.

What do you have in /etc/resolv.conf? Is the nameserver line set to either your Samba 4's IP address or 127.0.0.1?

Rowland
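
As an added diagnostic that is not part of the thread: a small checker that parses a krb5.conf like the one quoted above and reports where kpasswd will look for the change-password service of default_realm. It assumes the MIT client's lookup order (kpasswd_server, then admin_server in the realm's [realms] stanza, else the `_kpasswd._udp.<REALM>` SRV record when dns_lookup_kdc is on); the function names are mine and the sample config is constructed from the poster's krb5.conf.

```python
# Constructed sample, condensed from the krb5.conf posted in the thread:
# the only [realms] stanza names a realm other than default_realm.
SAMPLE_KRB5_CONF = """[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_kdc = true
[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
"""

def parse_krb5_conf(text):
    """Parse into {section: {key: value}}; 'tag = { ... }' becomes a nested dict."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]   # new section
        elif line == "}":
            stack.pop()                          # close a nested block
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def kpasswd_locator_report(conf):
    """Where kpasswd will look for default_realm's service; assumes MIT client lookup order."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return None, ["no default_realm in [libdefaults]"]
    stanza = conf.get("realms", {}).get(realm, {})
    for key in ("kpasswd_server", "admin_server"):   # explicit config wins
        if key in stanza:
            return f"{key} = {stanza[key]}", []
    findings = [f"[realms] has no stanza for {realm}, only: {r}"
                for r in conf.get("realms", {})]
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        # No stanza: the client falls back to this SRV record, which the
        # nameserver in /etc/resolv.conf must answer for.
        return f"DNS SRV _kpasswd._udp.{realm}", findings
    return None, findings + ["dns_lookup_kdc is off and no stanza applies"]
```

For the sample this reports that kpasswd will rely on the `_kpasswd._udp.TOTO.FR` SRV record and that the only [realms] stanza belongs to a different realm, which is why the nameserver in /etc/resolv.conf matters.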
