[Samba] samba4 : [kerberos part kinit work but no kpasswd

steve steve at steve-ss.com
Sat May 10 09:37:22 MDT 2014


On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
> On 10/05/14 15:43, steve wrote:
> > On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
> >> On 09/05/14 12:43, MARTIN boris wrote:
> >>> The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.
> >>>
> >>> But as far as I can see in the tcpdump trace, this is not DNS related, because every answer the client gets is the right response from the server.
> >>>
> >>> best regards
> >>>
> >>>> Message of 09/05/14 10:29
> >>>> From: "Rowland Penny"
> >>>> To: samba at lists.samba.org
> >>>> Cc:
> >>>> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
> >>>>
> >>>> On 09/05/14 09:01, MARTIN boris wrote:
> >>>>> hi,
> >>>>>
> >>>>> I have recently installed a samba 4 in a DC role.
> >>>>>
> >>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
> >>>>>
> >>>>> The server is globally working but there is some little trouble.
> >>>>>
> >>>>> On the server itself, I can do a kinit without problem but if I try a kpasswd, I obtain the following:
> >>>>>
> >>>>> root at station:/var/log/samba# kinit
> >>>>> Password for administrator at TOTO.FR:
> >>>>>
> >>>>> root at station:/var/log/samba# klist
> >>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>> Default principal: administrator at TOTO.FR
> >>>>>
> >>>>> Valid starting Expires Service principal
> >>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
> >>>>> renew until 10/05/2014 09:23:38
> >>>>>
> >>>>> root at station:/var/log/samba# kpasswd
> >>>>>
> >>>>> [10 sec later ....]
> >>>>>
> >>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
> >>>>>
> >>>>> The smb.conf file is the following:
> >>>>>
> >>>>> [global]
> >>>>> workgroup = TOTO
> >>>>> realm = TOTO.FR
> >>>>> netbios name = station
> >>>>> server role = active directory domain controller
> >>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >>>>> idmap_ldb:use rfc2307 = yes
> >>>>> dns forwarder = 129.20.128.39
> >>>>> allow dns updates = nonsecure
> >>>>> # winbind rpc only = yes
> >>>>> log level = 4
> >>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
> >>>>> [netlogon]
> >>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
> >>>>> read only = No
> >>>>>
> >>>>> [sysvol]
> >>>>> path = /var/lib/samba/sysvol
> >>>>> read only = No
> >>>>>
> >>>>> [demo]
> >>>>> path = /share/demo
> >>>>> read only = no
> >>>>>
> >>>>> and the krb5.conf is the following:
> >>>>>
> >>>>> [logging]
> >>>>> default = FILE:/var/log/krb5.log
> >>>>> [libdefaults]
> >>>>> default_realm = TOTO.FR
> >>>>> dns_lookup_realm = false
> >>>>> dns_lookup_kdc = true
> >>>>>
> >>>>> # The following krb5.conf variables are only for MIT Kerberos.
> >>>>> krb4_config = /etc/krb.conf
> >>>>> krb4_realms = /etc/krb.realms
> >>>>> kdc_timesync = 1
> >>>>> ccache_type = 4
> >>>>> forwardable = true
> >>>>> proxiable = true
> >>>>>
> >>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>
> >>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>
> >>>>> v4_instance_resolve = false
> >>>>> v4_name_convert = {
> >>>>> host = {
> >>>>> rcmd = host
> >>>>> ftp = ftp
> >>>>> }
> >>>>> plain = {
> >>>>> something = something-else
> >>>>> }
> >>>>> }
> >>>>> fcc-mit-ticketflags = true
> >>>>>
> >>>>> [realms]
> >>>>> IETR.UNIV-RENNES1.FR = {
> >>>>> kdc = admin.toto.fr:88
> >>>>> admin_server = admin.toto.fr
> >>>>> }
> >>>>> ...
> >>>>>
> >>>>> [domain_realm]
> >>>>> .mit.edu = ATHENA.MIT.EDU
> >>>>> mit.edu = ATHENA.MIT.EDU
> >>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>> .csail.mit.edu = CSAIL.MIT.EDU
> >>>>> csail.mit.edu = CSAIL.MIT.EDU
> >>>>> .whoi.edu = ATHENA.MIT.EDU
> >>>>> whoi.edu = ATHENA.MIT.EDU
> >>>>> .stanford.edu = stanford.edu
> >>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
> >>>>> .toronto.edu = UTORONTO.CA
> >>>>> .utoronto.ca = UTORONTO.CA
> >>>>> .toto.fr= TOTO.FR
> >>>>>
> >>>>> [login]
> >>>>> krb4_convert = true
> >>>>> krb4_get_tickets = false
> >>>>>
> >>>>> The tcpdump for a failed attempt of kpasswd gives the following:
> >>>>>
> >>>>> client -> station Kerberos AS-REQ
> >>>>>
> >>>>> MSG Type : AS-REQ(10)
> >>>>>
> >>>>> Server Name(principal): kadmin/changepw
> >>>>>
> >>>>> Encryption type rc4-hmac
> >>>>>
> >>>>> station-> client BER Error : Empty choice was found ...
> >>>>>
> >>>>> and the log on the server side gives:
> >>>>>
> >>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> >>>>> arcfour-hmac-md5) error Decrypt integrity check failed
> >>>>>
> >>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> >>>>>
> >>>>> It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
> >>>>>
> >>>>> So my questions are:
> >>>>>
> >>>>> - Is there any way for me to know what kind of encoding samba4/kerberos expects on the server side?
> >>>>>
> >>>>> - What is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of samba4?
> >>>>>
> >>>>> - Does anyone see what I can do to fix this mess?
> >>>>>
> >>>>> best regards
> >>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
> >>>>
> >>>> [libdefaults]
> >>>> default_realm = EXAMPLE.COM
> >>>> dns_lookup_realm = false
> >>>> dns_lookup_kdc = true
> >>>>
> >>>> root at dc1:~# kinit
> >>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>> getting initial credentials
> >>>> root at dc1:~# kinit Administrator
> >>>> Password for Administrator at EXAMPLE.COM:
> >>>> root at dc1:~# klist
> >>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>> Default principal: Administrator at EXAMPLE.COM
> >>>>
> >>>> Valid starting Expires Service principal
> >>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>> renew until 10/05/14 09:06:33
> >>>> root at dc1:~# kpasswd
> >>>> Password for Administrator at EXAMPLE.COM:
> >>>> Enter new password:
> >>>> Enter it again:
> >>>> Password change rejected: Try a more complex password, or contact your
> >>>> administrator.
> >>>>
> >>>> NOTE: I deliberately used a non complex password.
> >>>>
> >>>> What do you have in /etc/resolv.conf ? is the nameserver line set to
> >>>> either your samba 4's ipaddress or 127.0.0.1 ?
> >>>>
> >>>> Rowland
> >>>>
> >> Hi, I am trying to understand how you can kinit as root?
> >>
> >> root at station:/var/log/samba# kinit
> >> Password for administrator at TOTO.FR:
> >>
> >> When I try it, I get this:
> >>
> >> root at dc2:~# kinit
> >> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >> getting initial credentials
> >>
> >> I have to kinit as Administrator:
> >>
> >> root at dc2:~# kinit Administrator
> >> Password for Administrator at EXAMPLE.COM:
> >> root at dc2:~# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: Administrator at EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>       renew until 11/05/14 09:58:48
> >>
> >> The other thing that is strange, is that you seem to refer to running
> >> the kinit command on the samba 4 server, but now you are referring to a
> >> client ?
> >>
> >> OK, just what is the problem that started you along the path of wanting
> >> to change the Administrators password ?
> >>
> >> Rowland
> >>
> > Hi
> > Trying to clarify.
> > You can only kinit as root if root is kinit-able. I think what we mean
> > is that the cache is owned by root, not by the object which is
> > asking for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note
> > the '0' bit at the end. The uid for root.
> > Steve
> >
> >
> Hi Steve, yes I know that the cache ends up being owned by account '0', 
> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes 
> I get the cache in /tmp
> 
> ls -la /tmp/krb5cc_0
> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
> 
> Rowland
> 
> 
Hi
OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
account, you will always get a root cache, e.g. you could equally well:
kinit MACHINE$
You will still end up with /tmp/krb5cc_0 except that now, the principal
with the tgt will be that of the machine. As far as we can see, all the
tgt does is allow you to get a ticket for a service, e.g. the file
server. Maybe we should distinguish the terms:
- ticket granting ticket
- ticket
- ticket granting ticket cache
- ticket cache
on a calling-a-spade-a-spade level. My English is not up to that.
Cheers,
Steve
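As an added example (not code from the thread's posters or from the Samba project), the following Python lints a krb5.conf of the shape exchanged above. It parses the profile format (bracketed sections, key = value, nested brace blocks) and flags the points the thread turns on: a [realms] block for a realm other than default_realm, so that KDC and kpasswd discovery fall back to DNS SRV records alone; enctype lists that pin the client to RC4 and single DES with no AES; single-DES types that MIT libkrb5 1.8+ ignores unless allow_weak_crypto is true; and a [domain_realm] that maps only the dotted form of the domain. Both sample configurations are constructed: the first mirrors the posted krb5.conf and reuses its placeholder names (TOTO.FR, admin.toto.fr), the second is a hardened counterpart modelled on Rowland's minimal working config plus a realm block, with station.toto.fr an assumed FQDN for the DC.

```python
"""Lint a krb5.conf for the problems discussed in the thread above.
Added example, not code from the Samba project or from the posters."""
# Constructed sample shaped like the posted krb5.conf: default_realm is TOTO.FR but the only
# [realms] block is another realm, enctypes pin RC4/single DES, [domain_realm] maps only .toto.fr.
POSTED_STYLE_CONF = """\
[libdefaults]
default_realm = TOTO.FR
dns_lookup_kdc = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
IETR.UNIV-RENNES1.FR = {
    kdc = admin.toto.fr:88
    admin_server = admin.toto.fr
}

[domain_realm]
.toto.fr = TOTO.FR
"""

# Constructed hardened counterpart (station.toto.fr is an assumed FQDN for the DC); nothing pins enctypes.
HARDENED_CONF = """\
[libdefaults]
default_realm = TOTO.FR
dns_lookup_kdc = true

[realms]
TOTO.FR = {
    kdc = station.toto.fr
    admin_server = station.toto.fr
    kpasswd_server = station.toto.fr
}

[domain_realm]
.toto.fr = TOTO.FR
toto.fr = TOTO.FR
"""


def parse_krb5_conf(text):
    """Parse [section] / key = value / nested key = { ... } into {section: {key: value | dict}}."""
    root, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":                  # blank or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]") and not stack:
            section = root.setdefault(line[1:-1], {})
            continue
        if line == "}":
            stack.pop()                                  # IndexError here means a stray brace
            continue
        key, sep, value = line.partition("=")
        if section is None or not sep:
            raise ValueError("cannot parse line: %r" % raw)
        target = stack[-1] if stack else section         # a repeated key overwrites the earlier one
        if value.strip() == "{":
            stack.append(target.setdefault(key.strip(), {}))   # open a nested block
        else:
            target[key.strip()] = value.strip()
    if stack:
        raise ValueError("unclosed { block")
    return root


def lint_krb5_conf(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return [("no-default-realm", "[libdefaults] sets no default_realm")]
    findings, realms = [], conf.get("realms", {})
    if not isinstance(realms.get(realm), dict):
        # MIT defaults dns_lookup_kdc to true; with no realm block, SRV lookups are the only path.
        via = "DNS SRV records alone" if lib.get("dns_lookup_kdc", "true") == "true" else "nothing"
        findings.append(("no-realm-block", f"[realms] has no block for {realm} (present: {', '.join(realms) or 'none'}); KDC and kpasswd discovery rely on {via}"))
    elif not {"admin_server", "kpasswd_server"} & set(realms[realm]):
        findings.append(("no-kpasswd-target", f"[realms] {realm} names no admin_server/kpasswd_server"))
    lists_des = False
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        types = lib.get(key, "").split()
        weak = [t for t in types if t.startswith(("des", "arcfour", "rc4"))]
        if weak:
            aes = "AES also listed" if any(t.startswith("aes") for t in types) else "no AES at all"
            findings.append(("weak-enctypes", f"{key} lists {' '.join(weak)} ({aes})"))
        lists_des |= any(t.startswith("des-") for t in types)
    if lists_des and lib.get("allow_weak_crypto", "false") != "true":
        findings.append(("des-ignored", "single-DES types listed but allow_weak_crypto is not true, so MIT libkrb5 1.8+ silently drops them"))
    dr, bare = conf.get("domain_realm", {}), realm.lower()
    if "." + bare in dr and bare not in dr:
        findings.append(("domain-realm-bare", f"[domain_realm] maps .{bare} but not {bare} itself"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted-style", POSTED_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_krb5_conf(text) or "no findings")
```

Run against the posted-style sample the lint reports the missing TOTO.FR realm block, three enctype lists with no AES, the ignored DES entries and the one-sided domain_realm mapping; the hardened counterpart produces no findings. kpasswd consults kpasswd_server, then admin_server, then DNS when locating the change-password service, which is why the realm block matters for kpasswd even when kinit already works through SRV records.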