[Samba] samba4 : [kerberos part kinit work but no kpasswd

steve steve at steve-ss.com
Sat May 10 08:43:30 MDT 2014


On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
> On 09/05/14 12:43, MARTIN boris wrote:
> > The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.
> >
> > best regards
> >
> >> Message of 09/05/14 10:29
> >> From: "Rowland Penny"
> >> To: samba at lists.samba.org
> >> Cc:
> >> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
> >>
> >> On 09/05/14 09:01, MARTIN boris wrote:
> >>> hi,
> >>>
> >>> I have recently installed Samba 4 in a DC role.
> >>>
> >>> The distribution is Debian jessie/sid; the version of Samba is 4.1.7.
> >>>
> >>> The server is working overall, but there is a little trouble.
> >>>
> >>> On the server itself, I can do a kinit without problem, but if I try a kpasswd, I obtain the following:
> >>>
> >>> root at station:/var/log/samba# kinit
> >>> Password for administrator at TOTO.FR:
> >>>
> >>> root at station:/var/log/samba# klist
> >>> Ticket cache: FILE:/tmp/krb5cc_0
> >>> Default principal: administrator at TOTO.FR
> >>>
> >>> Valid starting Expires Service principal
> >>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
> >>> renew until 10/05/2014 09:23:38
> >>>
> >>> root at station:/var/log/samba# kpasswd
> >>>
> >>> [10 sec later ....]
> >>>
> >>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
> >>>
> >>> The smb.conf file is the following:
> >>>
> >>> [global]
> >>> workgroup = TOTO
> >>> realm = TOTO.FR
> >>> netbios name = station
> >>> server role = active directory domain controller
> >>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >>> idmap_ldb:use rfc2307 = yes
> >>> dns forwarder = 129.20.128.39
> >>> allow dns updates = nonsecure
> >>> # winbind rpc only = yes
> >>> log level = 4
> >>> ntp signd socket directory = /var/lib/samba/ntp_signd
> >>> [netlogon]
> >>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
> >>> read only = No
> >>>
> >>> [sysvol]
> >>> path = /var/lib/samba/sysvol
> >>> read only = No
> >>>
> >>> [demo]
> >>> path = /share/demo
> >>> read only = no
> >>>
> >>> and the krb5.conf is the following:
> >>>
> >>> [logging]
> >>> default = FILE:/var/log/krb5.log
> >>> [libdefaults]
> >>> default_realm = TOTO.FR
> >>> dns_lookup_realm = false
> >>> dns_lookup_kdc = true
> >>>
> >>> # The following krb5.conf variables are only for MIT Kerberos.
> >>> krb4_config = /etc/krb.conf
> >>> krb4_realms = /etc/krb.realms
> >>> kdc_timesync = 1
> >>> ccache_type = 4
> >>> forwardable = true
> >>> proxiable = true
> >>>
> >>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>
> >>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>
> >>> v4_instance_resolve = false
> >>> v4_name_convert = {
> >>> host = {
> >>> rcmd = host
> >>> ftp = ftp
> >>> }
> >>> plain = {
> >>> something = something-else
> >>> }
> >>> }
> >>> fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>> IETR.UNIV-RENNES1.FR = {
> >>> kdc = admin.toto.fr:88
> >>> admin_server = admin.toto.fr
> >>> }
> >>> ...
> >>>
> >>> [domain_realm]
> >>> .mit.edu = ATHENA.MIT.EDU
> >>> mit.edu = ATHENA.MIT.EDU
> >>> .media.mit.edu = MEDIA-LAB.MIT.EDU
> >>> media.mit.edu = MEDIA-LAB.MIT.EDU
> >>> .csail.mit.edu = CSAIL.MIT.EDU
> >>> csail.mit.edu = CSAIL.MIT.EDU
> >>> .whoi.edu = ATHENA.MIT.EDU
> >>> whoi.edu = ATHENA.MIT.EDU
> >>> .stanford.edu = stanford.edu
> >>> .slac.stanford.edu = SLAC.STANFORD.EDU
> >>> .toronto.edu = UTORONTO.CA
> >>> .utoronto.ca = UTORONTO.CA
> >>> .toto.fr= TOTO.FR
> >>>
> >>> [login]
> >>> krb4_convert = true
> >>> krb4_get_tickets = false
> >>>
> >>> The tcpdump for a failed attempt of kpasswd gives the following:
> >>>
> >>> client -> station Kerberos AS-REQ
> >>>
> >>> MSG Type : AS-REQ(10)
> >>>
> >>> Server Name(principal): kadmin/changepw
> >>>
> >>> Encryption type rc4-hmac
> >>>
> >>> station-> client BER Error : Empty choice was found ...
> >>>
> >>> and the log on the server side gives:
> >>>
> >>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> >>> arcfour-hmac-md5) error Decrypt integrity check failed
> >>>
> >>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> >>>
> >>> It seems to me like an encryption negotiation failure between the client and the server; all the enctypes lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
> >>>
> >>> So my questions are:
> >>>
> >>> - Is there any way for me to know what kind of encoding samba4/kerberos expects on the server side?
> >>>
> >>> - What is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of samba4?
> >>>
> >>> - Does anyone see what I can do to fix this mess?
> >>>
> >>> best regards
> >> This sort of works for me, but all I have in /etc/krb5.conf is this:
> >>
> >> [libdefaults]
> >> default_realm = EXAMPLE.COM
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >>
> >> root at dc1:~# kinit
> >> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >> getting initial credentials
> >> root at dc1:~# kinit Administrator
> >> Password for Administrator at EXAMPLE.COM:
> >> root at dc1:~# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: Administrator at EXAMPLE.COM
> >>
> >> Valid starting Expires Service principal
> >> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >> renew until 10/05/14 09:06:33
> >> root at dc1:~# kpasswd
> >> Password for Administrator at EXAMPLE.COM:
> >> Enter new password:
> >> Enter it again:
> >> Password change rejected: Try a more complex password, or contact your
> >> administrator.
> >>
> >> NOTE: I deliberately used a non complex password.
> >>
> >> What do you have in /etc/resolv.conf? Is the nameserver line set to
> >> either your Samba 4's IP address or 127.0.0.1?
> >>
> >> Rowland
> >>
> Hi, I am trying to understand how you can kinit as root?
> 
> root at station:/var/log/samba# kinit
> Password for administrator at TOTO.FR:
> 
> When I try it, I get this:
> 
> root at dc2:~# kinit
> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while 
> getting initial credentials
> 
> I have to kinit as Administrator:
> 
> root at dc2:~# kinit Administrator
> Password for Administrator at EXAMPLE.COM:
> root at dc2:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>      renew until 11/05/14 09:58:48
> 
> The other thing that is strange is that you seem to refer to running 
> the kinit command on the Samba 4 server, but now you are referring to a 
> client?
> 
> OK, just what is the problem that started you along the path of wanting 
> to change the Administrator's password?
> 
> Rowland
> 
Hi
Trying to clarify.
You can only kinit as root if root is kinit-able. I think what we mean
is that the cache is owned by root, not by the object which is
asking for the TGT. IOW, /tmp/krb5cc_0 is the root ticket cache; note
the '0' bit at the end, the UID for root.
Steve
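As an added example (not code from any poster in this thread), a small Python checker for the krb5.conf mismatch quoted above: the only [realms] block is for IETR.UNIV-RENNES1.FR while default_realm is TOTO.FR, so kpasswd has no static admin_server for TOTO.FR and, with dns_lookup_kdc = true, must discover one from the realm's _kpasswd._udp SRV record; it also flags enctype overrides pinned to RC4/DES. SAMPLE_KRB5_CONF is a constructed sample and the function names are mine.

```python
import re
# Constructed sample modelled on the krb5.conf quoted in the thread: the only
# [realms] block is for IETR.UNIV-RENNES1.FR while default_realm is TOTO.FR.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = TOTO.FR
dns_lookup_kdc = true
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
IETR.UNIV-RENNES1.FR = {
kdc = admin.toto.fr:88
admin_server = admin.toto.fr
}
"""
def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts; '{ ... }' blocks may nest."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        sect = re.match(r"\[(\w+)\]$", line)
        if sect:                                  # new [section]
            stack = [conf.setdefault(sect.group(1), {})]
        elif line.endswith("{") and stack:        # 'name = {' opens a block
            stack.append(stack[-1].setdefault(line[:-1].rstrip(" ="), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, val = (p.strip() for p in line.split("=", 1))
            stack[-1][key] = val
    return conf

def kpasswd_findings(conf):
    """Explain why kpasswd may not find a password server for default_realm."""
    libd = conf.get("libdefaults", {})
    realm = libd.get("default_realm", "")
    entry = conf.get("realms", {}).get(realm, {})
    out = []
    if not entry:
        # No static entry: MIT/Heimdal clients then rely on the realm's SRV record.
        out.append(f"no [realms] entry for default_realm {realm}; "
                   f"kpasswd must resolve SRV _kpasswd._udp.{realm}")
    elif not (entry.get("admin_server") or entry.get("kpasswd_server")):
        out.append(f"[realms] {realm} has no admin_server/kpasswd_server")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key in libd and re.search(r"\bdes-|arcfour|rc4", libd[key]):
            out.append(f"{key} includes weak enctypes: {libd[key]}")
    return out
```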
