[Samba] samba4 : [kerberos part kinit work but no kpasswd

Rowland Penny rowlandpenny at googlemail.com
Sat May 10 09:10:10 MDT 2014


On 10/05/14 15:43, steve wrote:
> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
>> On 09/05/14 12:43, MARTIN boris wrote:
>>> The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.
>>>
>>> But as far as I can see in the tcpdump trace, this is not DNS related, because every request from the client got the correct response from the server.
>>>
>>> best regards
>>>
>>>> Message of 09/05/14 10:29
>>>> From: "Rowland Penny"
>>>> To: samba at lists.samba.org
>>>> Cc:
>>>> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
>>>>
>>>> On 09/05/14 09:01, MARTIN boris wrote:
>>>>> hi,
>>>>>
>>>>> I have recently installed a samba 4 in a DC role.
>>>>>
>>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
>>>>>
>>>>> The server is globally working but there is some little trouble.
>>>>>
>>>>> On the server itself, I can do a kinit without problem, but if I try a kpasswd, I obtain the following:
>>>>>
>>>>> root at station:/var/log/samba# kinit
>>>>> Password for administrator at TOTO.FR:
>>>>>
>>>>> root at station:/var/log/samba# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: administrator at TOTO.FR
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
>>>>> renew until 10/05/2014 09:23:38
>>>>>
>>>>> root at station:/var/log/samba# kpasswd
>>>>>
>>>>> [10 sec later ....]
>>>>>
>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>>>>>
>>>>> The smb.conf file is the following:
>>>>>
>>>>> [global]
>>>>> workgroup = TOTO
>>>>> realm = TOTO.FR
>>>>> netbios name = station
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> dns forwarder = 129.20.128.39
>>>>> allow dns updates = nonsecure
>>>>> # winbind rpc only = yes
>>>>> log level = 4
>>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>> [demo]
>>>>> path = /share/demo
>>>>> read only = no
>>>>>
>>>>> And the krb5.conf is the following:
>>>>>
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5.log
>>>>> [libdefaults]
>>>>> default_realm = TOTO.FR
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>>
>>>>> # The following krb5.conf variables are only for MIT Kerberos.
>>>>> krb4_config = /etc/krb.conf
>>>>> krb4_realms = /etc/krb.realms
>>>>> kdc_timesync = 1
>>>>> ccache_type = 4
>>>>> forwardable = true
>>>>> proxiable = true
>>>>>
>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>
>>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>
>>>>> v4_instance_resolve = false
>>>>> v4_name_convert = {
>>>>> host = {
>>>>> rcmd = host
>>>>> ftp = ftp
>>>>> }
>>>>> plain = {
>>>>> something = something-else
>>>>> }
>>>>> }
>>>>> fcc-mit-ticketflags = true
>>>>>
>>>>> [realms]
>>>>> IETR.UNIV-RENNES1.FR = {
>>>>> kdc = admin.toto.fr:88
>>>>> admin_server = admin.toto.fr
>>>>> }
>>>>> ...
>>>>>
>>>>> [domain_realm]
>>>>> .mit.edu = ATHENA.MIT.EDU
>>>>> mit.edu = ATHENA.MIT.EDU
>>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>> .csail.mit.edu = CSAIL.MIT.EDU
>>>>> csail.mit.edu = CSAIL.MIT.EDU
>>>>> .whoi.edu = ATHENA.MIT.EDU
>>>>> whoi.edu = ATHENA.MIT.EDU
>>>>> .stanford.edu = stanford.edu
>>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
>>>>> .toronto.edu = UTORONTO.CA
>>>>> .utoronto.ca = UTORONTO.CA
>>>>> .toto.fr= TOTO.FR
>>>>>
>>>>> [login]
>>>>> krb4_convert = true
>>>>> krb4_get_tickets = false
>>>>>
>>>>> The tcpdump of a failed kpasswd attempt gives the following:
>>>>>
>>>>> client -> station Kerberos AS-REQ
>>>>>
>>>>> MSG Type : AS-REQ(10)
>>>>>
>>>>> Server Name(principal): kadmin/changepw
>>>>>
>>>>> Encryption type rc4-hmac
>>>>>
>>>>> station-> client BER Error : Empty choice was found ...
>>>>>
>>>>> And the log on the server side gives:
>>>>>
>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
>>>>>
>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>>>>>
>>>>> It seems to me like an encryption negotiation failure between the client and the server; all the enctypes lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
>>>>>
>>>>> So my questions are:
>>>>>
>>>>> - Is there any way for me to know what kind of encoding samba4/kerberos expects on the server side?
>>>>>
>>>>> - What is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of samba4?
>>>>>
>>>>> - Does anyone see what I can do to fix this mess?
>>>>>
>>>>> best regards
>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
>>>>
>>>> [libdefaults]
>>>> default_realm = EXAMPLE.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> root at dc1:~# kinit
>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>> getting initial credentials
>>>> root at dc1:~# kinit Administrator
>>>> Password for Administrator at EXAMPLE.COM:
>>>> root at dc1:~# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: Administrator at EXAMPLE.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>> renew until 10/05/14 09:06:33
>>>> root at dc1:~# kpasswd
>>>> Password for Administrator at EXAMPLE.COM:
>>>> Enter new password:
>>>> Enter it again:
>>>> Password change rejected: Try a more complex password, or contact your
>>>> administrator.
>>>>
>>>> NOTE: I deliberately used a non-complex password.
>>>>
>>>> What do you have in /etc/resolv.conf? Is the nameserver line set to
>>>> either your samba 4's IP address or 127.0.0.1?
>>>>
>>>> Rowland
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>> Hi, I am trying to understand how you can kinit as root?
>>
>> root at station:/var/log/samba# kinit
>> Password for administrator at TOTO.FR:
>>
>> When I try it, I get this:
>>
>> root at dc2:~# kinit
>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>> getting initial credentials
>>
>> I have to kinit as Administrator:
>>
>> root at dc2:~# kinit Administrator
>> Password for Administrator at EXAMPLE.COM:
>> root at dc2:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator at EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>       renew until 11/05/14 09:58:48
>>
>> The other thing that is strange is that you seem to refer to running
>> the kinit command on the samba 4 server, but now you are referring to a
>> client?
>>
>> OK, just what is the problem that started you along the path of wanting
>> to change the Administrator's password?
>>
>> Rowland
>>
> Hi
> Trying to clarify.
> You can only kinit as root if root is kinit-able. I think what we mean
> is that the cache is owned by root, not by the object which is
> asking for the TGT. IOW, /tmp/krb5cc_0 is the root ticket cache; note
> the '0' bit at the end: the uid for root.
> Steve
>
Hi Steve, yes I know that the cache ends up being owned by account '0', 
but I cannot kinit as 'root'; I have to do it as 'Administrator', and yes, 
I get the cache in /tmp:

ls -la /tmp/krb5cc_0
-rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0

Rowland
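The krb5.conf posted earlier in this thread declares default_realm = TOTO.FR, but its only [realms] stanza is for a different realm, and its enctype lists contain nothing but DES and RC4. The checker below is an added example, not code from the thread or from Samba: it parses a krb5.conf and reports exactly those conditions, so the reason kpasswd has to fall back on DNS SRV lookups (and what ciphers the client is willing to use) is visible before reaching for tcpdump. The sample input is constructed from the posted file.

```python
from collections import defaultdict
# Constructed sample, reduced from the krb5.conf posted in the thread: default_realm is TOTO.FR, but the only [realms] stanza is for another realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = TOTO.FR
dns_lookup_kdc = true
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
IETR.UNIV-RENNES1.FR = {
kdc = admin.toto.fr:88
admin_server = admin.toto.fr
}
"""
# DES, 3DES and RC4 enctypes are deprecated for Kerberos (RFC 6649, RFC 8429).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-hmac-sha1", "arcfour-hmac-md5", "arcfour-hmac"}
def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; 'NAME = { ... }' stanzas become nested dicts."""
    conf, section, stack = defaultdict(dict), None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1], []          # new section resets stanza nesting
        elif not line or section is None:
            continue
        elif line == "}" and stack:
            stack.pop()                              # close the innermost stanza
        else:
            target = stack[-1] if stack else conf[section]
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                target[key] = {}                     # open a stanza such as REALM = {
                stack.append(target[key])
            else:
                target[key] = value
    return conf
def check_kpasswd_config(conf):
    """Findings that explain why kpasswd cannot locate a KDC/kpasswd server, or negotiates weakly."""
    lib, findings = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm", "")
    if realm not in conf.get("realms", {}):
        # Without a stanza, MIT/Heimdal clients can only find kdc/admin_server through DNS SRV.
        dns_on = lib.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
        via = "DNS SRV records" if dns_on else "nothing (dns_lookup_kdc is off)"
        findings.append(f"no [realms] stanza for default_realm {realm}; servers come from {via}")
        findings += [f"[realms] stanza {r} does not match default_realm {realm}" for r in conf.get("realms", {})]
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        types = set(lib.get(key, "").split())
        if types and types <= DEPRECATED:            # every listed enctype is deprecated
            findings.append(f"{key} allows only deprecated enctypes; AES is excluded")
    return findings
```

Run against the constructed sample it reports the realm mismatch and the DES/RC4-only permitted_enctypes; a stanza named after the default realm with an AES-capable (or absent) enctype list yields no findings.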



