[Samba] samba4 : [kerberos part kinit work but no kpasswd
Rowland Penny
rowlandpenny at googlemail.com
Sat May 10 09:47:17 MDT 2014
On 10/05/14 16:37, steve wrote:
> On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
>> On 10/05/14 15:43, steve wrote:
>>> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
>>>> On 09/05/14 12:43, MARTIN boris wrote:
>>>>> the resolv.conf have the ip of the DC server first , then to other dns from the site.
>>>>>
>>>>> But as far as i can see in the tcpdump trace, this is not dns related cause, every answer the client have get the good response from the server.
>>>>>
>>>>>
>>>>>
>>>>> best regards
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Message du 09/05/14 10:29
>>>>>> De : "Rowland Penny"
>>>>>> A : samba at lists.samba.org
>>>>>> Copie à :
>>>>>> Objet : Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
>>>>>>
>>>>>> On 09/05/14 09:01, MARTIN boris wrote:
>>>>>>> hi,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> i have recently installed a samba 4 in a DC role.
>>>>>>>
>>>>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
>>>>>>>
>>>>>>> The server is globally working but there is some litle trouble.
>>>>>>>
>>>>>>> on the server itself, i can do a kinit without probleme but if i try a kpasswsd, i obtain the following
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> root at station:/var/log/samba# kinit
>>>>>>> Password for administrator at TOTO.FR:
>>>>>>>
>>>>>>> root at station:/var/log/samba# klist
>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>> Default principal: administrator at TOTO.FR
>>>>>>>
>>>>>>> Valid starting Expires Service principal
>>>>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
>>>>>>> renew until 10/05/2014 09:23:38
>>>>>>>
>>>>>>> root at station:/var/log/samba# kpasswd
>>>>>>>
>>>>>>> [10 sec later ....]
>>>>>>>
>>>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> the smb.conf file is the following :
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = TOTO
>>>>>>> realm = TOTO.FR
>>>>>>> netbios name = station
>>>>>>> server role = active directory domain controller
>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>> dns forwarder = 129.20.128.39
>>>>>>> allow dns updates = nonsecure
>>>>>>> # winbind rpc only = yes
>>>>>>> log level = 4
>>>>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
>>>>>>> [netlogon]
>>>>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>>>>>>> read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>> path = /var/lib/samba/sysvol
>>>>>>> read only = No
>>>>>>>
>>>>>>> [demo]
>>>>>>> path = /share/demo
>>>>>>> read only = no
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> and the krb5.conf is the following :
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [logging]
>>>>>>> default = FILE:/var/log/krb5.log
>>>>>>> [libdefaults]
>>>>>>> default_realm = TOTO.FR
>>>>>>> dns_lookup_realm = false
>>>>>>> dns_lookup_kdc = true
>>>>>>>
>>>>>>> # The following krb5.conf variables are only for MIT Kerberos.
>>>>>>> krb4_config = /etc/krb.conf
>>>>>>> krb4_realms = /etc/krb.realms
>>>>>>> kdc_timesync = 1
>>>>>>> ccache_type = 4
>>>>>>> forwardable = true
>>>>>>> proxiable = true
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>
>>>>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> v4_instance_resolve = false
>>>>>>> v4_name_convert = {
>>>>>>> host = {
>>>>>>> rcmd = host
>>>>>>> ftp = ftp
>>>>>>> }
>>>>>>> plain = {
>>>>>>> something = something-else
>>>>>>> }
>>>>>>> }
>>>>>>> fcc-mit-ticketflags = true
>>>>>>>
>>>>>>> [realms]
>>>>>>> IETR.UNIV-RENNES1.FR = {
>>>>>>> kdc = admin.toto.fr:88
>>>>>>> admin_server = admin.toto.fr
>>>>>>> }
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .mit.edu = ATHENA.MIT.EDU
>>>>>>> mit.edu = ATHENA.MIT.EDU
>>>>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>>>> .csail.mit.edu = CSAIL.MIT.EDU
>>>>>>> csail.mit.edu = CSAIL.MIT.EDU
>>>>>>> .whoi.edu = ATHENA.MIT.EDU
>>>>>>> whoi.edu = ATHENA.MIT.EDU
>>>>>>> .stanford.edu = stanford.edu
>>>>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
>>>>>>> .toronto.edu = UTORONTO.CA
>>>>>>> .utoronto.ca = UTORONTO.CA
>>>>>>> .toto.fr= TOTO.FR
>>>>>>>
>>>>>>> [login]
>>>>>>> krb4_convert = true
>>>>>>> krb4_get_tickets = false
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> the tcp dump for a failed attempt of kpasswd give the folllowing :
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> client -> station Kerberos AS-REQ
>>>>>>>
>>>>>>> MSG Type : AS-REQ(10)
>>>>>>>
>>>>>>> Server Name(principal): kadmin/changepw
>>>>>>>
>>>>>>> Encryption type rc4-hmac
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> station-> client BER Error : Empty choice was found ...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> and the log on the server side gives
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
>>>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
>>>>>>>
>>>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> it seems to me like a crypting negociation failure between the client and the server, all the enctypes line in the krb5.conf was not there initialy and are a (fail) attempt to fix the trouble.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So my questions are :
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> - is there any way for me to know what kind of encoding samba4/kerberos expect on the server side ?
>>>>>>>
>>>>>>> - what is the location of the credential for all the user on the server side ? are they stored in the ldap part of samba4 ?
>>>>>>>
>>>>>>> - does any one see what i can do to fix this mess ?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> best regards
>>>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = EXAMPLE.COM
>>>>>> dns_lookup_realm = false
>>>>>> dns_lookup_kdc = true
>>>>>>
>>>>>> root at dc1:~# kinit
>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>>>> getting initial credentials
>>>>>> root at dc1:~# kinit Administrator
>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>> root at dc1:~# klist
>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>> Default principal: Administrator at EXAMPLE.COM
>>>>>>
>>>>>> Valid starting Expires Service principal
>>>>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>> renew until 10/05/14 09:06:33
>>>>>> root at dc1:~# kpasswd
>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>> Enter new password:
>>>>>> Enter it again:
>>>>>> Password change rejected: Try a more complex password, or contact your
>>>>>> administrator.
>>>>>>
>>>>>> NOTE: I deliberately used a non complex password.
>>>>>>
>>>>>> What do you have in /etc/resolv.conf ? is the nameserver line set to
>>>>>> either your samba 4's ipaddress or 127.0.0.1 ?
>>>>>>
>>>>>> Rowland
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>> Hi, I am trying to understand how you can kinit as root?
>>>>
>>>> root at station:/var/log/samba# kinit
>>>> Password for administrator at TOTO.FR:
>>>>
>>>> When I try it, I get this:
>>>>
>>>> root at dc2:~# kinit
>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>> getting initial credentials
>>>>
>>>> I have to kinit as Administrator:
>>>>
>>>> root at dc2:~# kinit Administrator
>>>> Password for Administrator at EXAMPLE.COM:
>>>> root at dc2:~# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: Administrator at EXAMPLE.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 10/05/14 09:58:56 10/05/14 19:58:56 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>> renew until 11/05/14 09:58:48
>>>>
>>>> The other thing that is strange, is that you seem to refer to running
>>>> the kinit command on the samba 4 server, but now you are referring to a
>>>> client ?
>>>>
>>>> OK, just what is the problem that started you along the path of wanting
>>>> to change the Administrators password ?
>>>>
>>>> Rowland
>>>>
>>> Hi
>>> Trying to clarify.
>>> You can only kinit as root if root is kinit-able. I think what we mean
>>> is that is that the cache is owned by root, not by the object which is
>>> asking for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note
>>> the '0' bit at the end. The uid for root.
>>> Steve
>>>
>>>
>> Hi Steve, yes I know that the cache ends up being owned by account '0',
>> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes
>> I get the cache in /tmp
>>
>> ls -la /tmp/krb5cc_0
>> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
>>
>> Rowland
>>
>>
> Hi
> OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
> account, you will always get a root cache. e.g. you could equally well:
> kinit MACHINE$
> you will still end up with /tmp/krb5cc_0 except that now, the principal
> with the tgt will be that of the machine. As far as we can see, all the
> tgt does is allows you to get a ticket for a service, e.g. the file
> server. Maybe we should distinguish the terms:
> - ticket granting ticket
> - ticket
> - ticket granting ticket cache
> - ticket cache
> on a calling-a-spade-a-spade level. My English is not up to that.
> Cheers,
> Steve
>
>
Steve, I think you are misunderstanding what I am getting at, the OP
posted that he can kinit as 'root', whilst I cannot, can you ? He then
confused the issue by starting to talk about a 'client' when before he
only talked about the server, is he having problems connecting a client
to the server, or is it just a server problem ? I think that more info
is needed here.
Rowland
More information about the samba
mailing list