[Samba] samba4 : [kerberos part kinit work but no kpasswd

Rowland Penny rowlandpenny at googlemail.com
Sat May 10 03:24:08 MDT 2014


On 09/05/14 12:43, MARTIN boris wrote:
> The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.
>
> But as far as I can see in the tcpdump trace, this is not DNS related, because for every query the client has got the right response from the server.
>
> best regards
>
>> Message of 09/05/14 10:29
>> From: "Rowland Penny"
>> To: samba at lists.samba.org
>> Cc:
>> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
>>
>> On 09/05/14 09:01, MARTIN boris wrote:
>>> Hi,
>>>
>>> I have recently installed a Samba 4 in the DC role.
>>>
>>> The distribution is Debian jessie/sid, the version of Samba is 4.1.7.
>>>
>>> The server is generally working but there is some little trouble.
>>>
>>> On the server itself, I can do a kinit without problem, but if I try a kpasswd, I get the following:
>>>
>>> root@station:/var/log/samba# kinit
>>> Password for administrator@TOTO.FR:
>>>
>>> root@station:/var/log/samba# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: administrator@TOTO.FR
>>>
>>> Valid starting       Expires              Service principal
>>> 09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
>>>     renew until 10/05/2014 09:23:38
>>>
>>> root@station:/var/log/samba# kpasswd
>>>
>>> [10 sec later ....]
>>>
>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>>>
>>> The smb.conf file is the following:
>>>
>>> [global]
>>> workgroup = TOTO
>>> realm = TOTO.FR
>>> netbios name = station
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>> idmap_ldb:use rfc2307 = yes
>>> dns forwarder = 129.20.128.39
>>> allow dns updates = nonsecure
>>> # winbind rpc only = yes
>>> log level = 4
>>> ntp signd socket directory = /var/lib/samba/ntp_signd
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [demo]
>>> path = /share/demo
>>> read only = no
>>>
>>> And the krb5.conf is the following:
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5.log
>>> [libdefaults]
>>> default_realm = TOTO.FR
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> # The following krb5.conf variables are only for MIT Kerberos.
>>> krb4_config = /etc/krb.conf
>>> krb4_realms = /etc/krb.realms
>>> kdc_timesync = 1
>>> ccache_type = 4
>>> forwardable = true
>>> proxiable = true
>>>
>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>
>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>
>>> v4_instance_resolve = false
>>> v4_name_convert = {
>>> host = {
>>> rcmd = host
>>> ftp = ftp
>>> }
>>> plain = {
>>> something = something-else
>>> }
>>> }
>>> fcc-mit-ticketflags = true
>>>
>>> [realms]
>>> IETR.UNIV-RENNES1.FR = {
>>> kdc = admin.toto.fr:88
>>> admin_server = admin.toto.fr
>>> }
>>> ...
>>>
>>> [domain_realm]
>>> .mit.edu = ATHENA.MIT.EDU
>>> mit.edu = ATHENA.MIT.EDU
>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
>>> media.mit.edu = MEDIA-LAB.MIT.EDU
>>> .csail.mit.edu = CSAIL.MIT.EDU
>>> csail.mit.edu = CSAIL.MIT.EDU
>>> .whoi.edu = ATHENA.MIT.EDU
>>> whoi.edu = ATHENA.MIT.EDU
>>> .stanford.edu = stanford.edu
>>> .slac.stanford.edu = SLAC.STANFORD.EDU
>>> .toronto.edu = UTORONTO.CA
>>> .utoronto.ca = UTORONTO.CA
>>> .toto.fr= TOTO.FR
>>>
>>> [login]
>>> krb4_convert = true
>>> krb4_get_tickets = false
>>>
>>> The tcpdump for a failed attempt of kpasswd gives the following:
>>>
>>> client -> station Kerberos AS-REQ
>>> MSG Type : AS-REQ(10)
>>> Server Name(principal): kadmin/changepw
>>> Encryption type rc4-hmac
>>>
>>> station -> client BER Error: Empty choice was found ...
>>>
>>> And the log on the server side gives:
>>>
>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
>>> arcfour-hmac-md5) error Decrypt integrity check failed
>>>
>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>>>
>>> It seems to me like an encryption negotiation failure between the client and the server; all the enctypes lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
>>>
>>> So my questions are:
>>>
>>> - Is there any way for me to know what kind of encoding Samba 4/Kerberos expects on the server side?
>>>
>>> - What is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of Samba 4?
>>>
>>> - Does anyone see what I can do to fix this mess?
>>>
>>> best regards
>> This sort of works for me, but all I have in /etc/krb5.conf is this:
>>
>> [libdefaults]
>> default_realm = EXAMPLE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> root@dc1:~# kinit
>> kinit: Client 'root@EXAMPLE.COM' not found in Kerberos database while
>> getting initial credentials
>> root@dc1:~# kinit Administrator
>> Password for Administrator@EXAMPLE.COM:
>> root@dc1:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator@EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 09/05/14 09:06:40  09/05/14 19:06:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>     renew until 10/05/14 09:06:33
>> root@dc1:~# kpasswd
>> Password for Administrator@EXAMPLE.COM:
>> Enter new password:
>> Enter it again:
>> Password change rejected: Try a more complex password, or contact your
>> administrator.
>>
>> NOTE: I deliberately used a non complex password.
>>
>> What do you have in /etc/resolv.conf? Is the nameserver line set to
>> either your Samba 4's IP address or 127.0.0.1?
>>
>> Rowland
>>
Hi, I am trying to understand how you can kinit as root?

root@station:/var/log/samba# kinit
Password for administrator@TOTO.FR:

When I try it, I get this:

root@dc2:~# kinit
kinit: Client 'root@EXAMPLE.COM' not found in Kerberos database while
getting initial credentials

I have to kinit as Administrator:

root@dc2:~# kinit Administrator
Password for Administrator@EXAMPLE.COM:
root@dc2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
     renew until 11/05/14 09:58:48

The other thing that is strange is that you seem to refer to running
the kinit command on the Samba 4 server, but now you are referring to a
client?

OK, just what is the problem that started you along the path of wanting
to change the Administrator's password?

Rowland
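The thread turns on two things in the posted krb5.conf: the only [realms] stanza is for a realm other than default_realm, so kpasswd has nowhere configured to send the change-password request and depends entirely on DNS SRV records, and the enctype lists only name RC4 and single-DES. The following is an added example, not code from the Samba project or from either poster: a small krb5.conf parser plus a lint pass that reports exactly those problems. SAMPLE_KRB5_CONF is constructed from the posted file; FIXED_KRB5_CONF is an assumed corrected counterpart in which the KDC and kpasswd_server host name station.toto.fr is assumed from "netbios name = station" and realm TOTO.FR.

```python
"""Lint the realm/KDC/enctype settings a kinit or kpasswd run depends on.
Added example for this thread; not Samba project code.  SAMPLE_KRB5_CONF is
constructed from the posted config; FIXED_KRB5_CONF and the host name
station.toto.fr in it are assumptions."""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = TOTO.FR
dns_lookup_realm = false
dns_lookup_kdc = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
IETR.UNIV-RENNES1.FR = {
kdc = admin.toto.fr:88
admin_server = admin.toto.fr
}

[domain_realm]
.toto.fr = TOTO.FR
"""

FIXED_KRB5_CONF = """\
[libdefaults]
default_realm = TOTO.FR
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
TOTO.FR = {
kdc = station.toto.fr
kpasswd_server = station.toto.fr
}

[domain_realm]
.toto.fr = TOTO.FR
toto.fr = TOTO.FR
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.  'key = {' opens a nested
    dict, a bare '}' closes it, and a repeated key (several kdc lines) becomes a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                      # text before the first section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line:
            continue                      # e.g. a literal '...' left in the file
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = child = {}
            stack.append(child)
        elif key in stack[-1] and not isinstance(stack[-1][key], dict):
            prev = stack[-1][key]
            stack[-1][key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            stack[-1][key] = value
    return conf


def _is_true(value, default=True):
    return default if value is None else str(value).lower() in ("true", "yes", "1", "on")


def lint(conf):
    """Return (severity, message) pairs for settings that stop kinit/kpasswd
    from locating a KDC, or that request enctypes a current client refuses."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    mapped_realms = set(conf.get("domain_realm", {}).values())
    realm = libdefaults.get("default_realm")
    if not realm:
        return [("ERROR", "[libdefaults] has no default_realm")]
    stanza = realms.get(realm)
    if stanza is None:
        if _is_true(libdefaults.get("dns_lookup_kdc")):   # MIT default: true
            findings.append(("WARN", f"no [realms] stanza for {realm}: kinit and kpasswd "
                             "depend entirely on the _kerberos and _kpasswd SRV records "
                             f"for {realm.lower()} from the resolver in resolv.conf"))
        else:
            findings.append(("ERROR", f"no [realms] stanza for {realm} and dns_lookup_kdc "
                             "is off: no KDC can be located at all"))
    else:
        if "kdc" not in stanza:
            findings.append(("ERROR", f"[realms] {realm} has no kdc entry"))
        if "kpasswd_server" not in stanza and "admin_server" not in stanza:
            findings.append(("WARN", f"[realms] {realm} has neither kpasswd_server nor "
                             "admin_server: kpasswd must find port 464 via DNS SRV records"))
    for name in realms:
        if name != realm and name not in mapped_realms:
            findings.append(("WARN", f"[realms] stanza {name} is neither the default realm "
                             "nor mapped in [domain_realm]: probably a stale copy"))
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        types = str(libdefaults.get(key, "")).split()
        if not types:
            continue
        des = [t for t in types if t.startswith("des-")]
        if des:
            findings.append(("WARN", f"{key} lists single-DES types {des}: MIT krb5 1.8+ "
                             "refuses them unless allow_weak_crypto = true"))
        if not any(t.startswith("aes") for t in types):
            findings.append(("WARN", f"{key} lists no AES type, so only RC4/DES can be negotiated"))
    return findings


def lint_text(text):
    return lint(parse_krb5_conf(text))


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(f"== {label} krb5.conf ==")
        for severity, message in lint_text(text) or [("OK", "no findings")]:
            print(f"{severity}: {message}")
```

Run against the posted config it reports eight warnings (the missing TOTO.FR stanza, the stale IETR.UNIV-RENNES1.FR stanza, and a DES and a no-AES warning for each of the three enctype lists); the assumed fixed config is clean. The lint deliberately treats a missing stanza with dns_lookup_kdc = true as a warning rather than an error, because that is exactly Rowland's working setup: it only works when the _kerberos and _kpasswd SRV records resolve through the nameserver in resolv.conf, which is why he asks about that file.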


