[Samba] samba4 : [kerberos part kinit work but no kpasswd
steve
steve at steve-ss.com
Sat May 10 09:55:45 MDT 2014
On Sat, 2014-05-10 at 16:47 +0100, Rowland Penny wrote:
> On 10/05/14 16:37, steve wrote:
> > On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
> >> On 10/05/14 15:43, steve wrote:
> >>> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
> >>>> On 09/05/14 12:43, MARTIN boris wrote:
> >>>>> The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.
> >>>>>
> >>>>> But as far as I can see in the tcpdump trace, this is not DNS related, because every query from the client gets the correct answer from the server.
> >>>>>
> >>>>> best regards
> >>>>>
> >>>>>> Message of 09/05/14 10:29
> >>>>>> From: "Rowland Penny"
> >>>>>> To: samba at lists.samba.org
> >>>>>> Cc:
> >>>>>> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
> >>>>>>
> >>>>>> On 09/05/14 09:01, MARTIN boris wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I have recently installed Samba 4 in the DC role.
> >>>>>>>
> >>>>>>> The distribution is Debian jessie/sid; the Samba version is 4.1.7.
> >>>>>>>
> >>>>>>> The server is generally working, but there is some little trouble.
> >>>>>>>
> >>>>>>> On the server itself I can do a kinit without problem, but if I try kpasswd, I obtain the following:
> >>>>>>>
> >>>>>>> root at station:/var/log/samba# kinit
> >>>>>>> Password for administrator at TOTO.FR:
> >>>>>>>
> >>>>>>> root at station:/var/log/samba# klist
> >>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>>> Default principal: administrator at TOTO.FR
> >>>>>>>
> >>>>>>> Valid starting Expires Service principal
> >>>>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
> >>>>>>> renew until 10/05/2014 09:23:38
> >>>>>>>
> >>>>>>> root at station:/var/log/samba# kpasswd
> >>>>>>>
> >>>>>>> [10 sec later ....]
> >>>>>>>
> >>>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
> >>>>>>>
> >>>>>>> The smb.conf file is the following:
> >>>>>>>
> >>>>>>> [global]
> >>>>>>> workgroup = TOTO
> >>>>>>> realm = TOTO.FR
> >>>>>>> netbios name = station
> >>>>>>> server role = active directory domain controller
> >>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >>>>>>> idmap_ldb:use rfc2307 = yes
> >>>>>>> dns forwarder = 129.20.128.39
> >>>>>>> allow dns updates = nonsecure
> >>>>>>> # winbind rpc only = yes
> >>>>>>> log level = 4
> >>>>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
> >>>>>>> [netlogon]
> >>>>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
> >>>>>>> read only = No
> >>>>>>>
> >>>>>>> [sysvol]
> >>>>>>> path = /var/lib/samba/sysvol
> >>>>>>> read only = No
> >>>>>>>
> >>>>>>> [demo]
> >>>>>>> path = /share/demo
> >>>>>>> read only = no
> >>>>>>>
> >>>>>>>
> >>>>>>> and the krb5.conf is the following:
> >>>>>>>
> >>>>>>> [logging]
> >>>>>>> default = FILE:/var/log/krb5.log
> >>>>>>> [libdefaults]
> >>>>>>> default_realm = TOTO.FR
> >>>>>>> dns_lookup_realm = false
> >>>>>>> dns_lookup_kdc = true
> >>>>>>>
> >>>>>>> # The following krb5.conf variables are only for MIT Kerberos.
> >>>>>>> krb4_config = /etc/krb.conf
> >>>>>>> krb4_realms = /etc/krb.realms
> >>>>>>> kdc_timesync = 1
> >>>>>>> ccache_type = 4
> >>>>>>> forwardable = true
> >>>>>>> proxiable = true
> >>>>>>>
> >>>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>
> >>>>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>
> >>>>>>> v4_instance_resolve = false
> >>>>>>> v4_name_convert = {
> >>>>>>> host = {
> >>>>>>> rcmd = host
> >>>>>>> ftp = ftp
> >>>>>>> }
> >>>>>>> plain = {
> >>>>>>> something = something-else
> >>>>>>> }
> >>>>>>> }
> >>>>>>> fcc-mit-ticketflags = true
> >>>>>>>
> >>>>>>> [realms]
> >>>>>>> IETR.UNIV-RENNES1.FR = {
> >>>>>>> kdc = admin.toto.fr:88
> >>>>>>> admin_server = admin.toto.fr
> >>>>>>> }
> >>>>>>> ...
> >>>>>>>
> >>>>>>> [domain_realm]
> >>>>>>> .mit.edu = ATHENA.MIT.EDU
> >>>>>>> mit.edu = ATHENA.MIT.EDU
> >>>>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>>>> .csail.mit.edu = CSAIL.MIT.EDU
> >>>>>>> csail.mit.edu = CSAIL.MIT.EDU
> >>>>>>> .whoi.edu = ATHENA.MIT.EDU
> >>>>>>> whoi.edu = ATHENA.MIT.EDU
> >>>>>>> .stanford.edu = stanford.edu
> >>>>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
> >>>>>>> .toronto.edu = UTORONTO.CA
> >>>>>>> .utoronto.ca = UTORONTO.CA
> >>>>>>> .toto.fr= TOTO.FR
> >>>>>>>
> >>>>>>> [login]
> >>>>>>> krb4_convert = true
> >>>>>>> krb4_get_tickets = false
> >>>>>>>
> >>>>>>> The tcpdump of a failed kpasswd attempt gives the following:
> >>>>>>>
> >>>>>>> client -> station Kerberos AS-REQ
> >>>>>>>
> >>>>>>> MSG Type : AS-REQ(10)
> >>>>>>>
> >>>>>>> Server Name(principal): kadmin/changepw
> >>>>>>>
> >>>>>>> Encryption type rc4-hmac
> >>>>>>>
> >>>>>>> station-> client BER Error : Empty choice was found ...
> >>>>>>>
> >>>>>>> and the log on the server side gives:
> >>>>>>>
> >>>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> >>>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
> >>>>>>>
> >>>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> >>>>>>>
> >>>>>>> It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
> >>>>>>>
> >>>>>>> So my questions are:
> >>>>>>>
> >>>>>>> - Is there any way for me to know what kind of encoding Samba 4/Kerberos expects on the server side?
> >>>>>>>
> >>>>>>> - Where are the credentials for all the users stored on the server side? Are they stored in the LDAP part of Samba 4?
> >>>>>>>
> >>>>>>> - Does anyone see what I can do to fix this mess?
> >>>>>>>
> >>>>>>> best regards
> >>>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
> >>>>>>
> >>>>>> [libdefaults]
> >>>>>> default_realm = EXAMPLE.COM
> >>>>>> dns_lookup_realm = false
> >>>>>> dns_lookup_kdc = true
> >>>>>>
> >>>>>> root at dc1:~# kinit
> >>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>>>> getting initial credentials
> >>>>>> root at dc1:~# kinit Administrator
> >>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>> root at dc1:~# klist
> >>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>> Default principal: Administrator at EXAMPLE.COM
> >>>>>>
> >>>>>> Valid starting Expires Service principal
> >>>>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>>>> renew until 10/05/14 09:06:33
> >>>>>> root at dc1:~# kpasswd
> >>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>> Enter new password:
> >>>>>> Enter it again:
> >>>>>> Password change rejected: Try a more complex password, or contact your
> >>>>>> administrator.
> >>>>>>
> >>>>>> NOTE: I deliberately used a non complex password.
> >>>>>>
> >>>>>> What do you have in /etc/resolv.conf? Is the nameserver line set to
> >>>>>> either your Samba 4's IP address or 127.0.0.1?
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>> Hi, I am trying to understand how you can kinit as root?
> >>>>
> >>>> root at station:/var/log/samba# kinit
> >>>> Password for administrator at TOTO.FR:
> >>>>
> >>>> When I try it, I get this:
> >>>>
> >>>> root at dc2:~# kinit
> >>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>> getting initial credentials
> >>>>
> >>>> I have to kinit as Administrator:
> >>>>
> >>>> root at dc2:~# kinit Administrator
> >>>> Password for Administrator at EXAMPLE.COM:
> >>>> root at dc2:~# klist
> >>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>> Default principal: Administrator at EXAMPLE.COM
> >>>>
> >>>> Valid starting Expires Service principal
> >>>> 10/05/14 09:58:56 10/05/14 19:58:56 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>> renew until 11/05/14 09:58:48
> >>>>
> >>>> The other thing that is strange, is that you seem to refer to running
> >>>> the kinit command on the samba 4 server, but now you are referring to a
> >>>> client ?
> >>>>
> >>>> OK, just what is the problem that started you along the path of wanting
> >>>> to change the Administrators password ?
> >>>>
> >>>> Rowland
> >>>>
> >>> Hi
> >>> Trying to clarify.
> >>> You can only kinit as root if root is kinit-able. I think what we mean
> >>> is that the cache is owned by root, not by the object which is
> >>> asking for the TGT. IOW, /tmp/krb5cc_0 is the root ticket cache; note
> >>> the '0' bit at the end: the uid for root.
> >>> Steve
> >>>
> >> Hi Steve, yes I know that the cache ends up being owned by account '0',
> >> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes
> >> I get the cache in /tmp
> >>
> >> ls -la /tmp/krb5cc_0
> >> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
> >>
> >> Rowland
> >>
> >>
> > Hi
> > OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
> > account, you will always get a root cache. e.g. you could equally well:
> > kinit MACHINE$
> > you will still end up with /tmp/krb5cc_0 except that now, the principal
> > with the tgt will be that of the machine. As far as we can see, all the
> > tgt does is allows you to get a ticket for a service, e.g. the file
> > server. Maybe we should distinguish the terms:
> > - ticket granting ticket
> > - ticket
> > - ticket granting ticket cache
> > - ticket cache
> > on a calling-a-spade-a-spade level. My English is not up to that.
> > Cheers,
> > Steve
> >
> >
> Steve, I think you are misunderstanding what I am getting at, the OP
> posted that he can kinit as 'root', whilst I cannot, can you ? He then
> confused the issue by starting to talk about a 'client' when before he
> only talked about the server, is he having problems connecting a client
> to the server, or is it just a server problem ? I think that more info
> is needed here.
>
> Rowland
Hi
Sorry, I'm having to translate all this at the same time. Nightmare.
No, we can't:
kinit root
either. I could only successfully kinit root if there was indeed an
object called root in the directory. The current consensus down here is
that a user or a machine called 'root' would get you there.
Cheers,
Steve
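A checker for the parts of krb5.conf that kpasswd actually consults, added here as an example and not code from the thread or from Samba. It parses a constructed, trimmed copy of the krb5.conf posted above and reports three things a practitioner looks at first: [realms] stanzas keyed on a realm other than default_realm (the posted file keys its stanza on IETR.UNIV-RENNES1.FR while default_realm is TOTO.FR, so that stanza contributes nothing for TOTO.FR), where MIT kpasswd will therefore go looking for a change-password server (a static kpasswd_server/admin_server if the default realm has a stanza, otherwise _kpasswd SRV records when dns_lookup_kdc is on), and the [libdefaults] enctype lists that have been cut down to RC4/DES only. The ASSUMED_FIX fragment and the hostname station.toto.fr are assumptions for contrast; the thread does not confirm either as the fix.

```python
"""Added example (not code from the thread): check a krb5.conf for the
things kpasswd depends on.  Constructed inputs, runs offline."""
import re

# Constructed, trimmed copy of the krb5.conf from the original post.
POSTED = """
[libdefaults]
default_realm = TOTO.FR
dns_lookup_realm = false
dns_lookup_kdc = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
IETR.UNIV-RENNES1.FR = {
    kdc = admin.toto.fr:88
    admin_server = admin.toto.fr
}

[domain_realm]
.toto.fr= TOTO.FR
"""

# Assumed alternative (not confirmed by the thread): the stanza keyed on
# default_realm; station.toto.fr is an assumed hostname for the DC.
ASSUMED_FIX = """
[libdefaults]
default_realm = TOTO.FR

[realms]
TOTO.FR = {
    admin_server = station.toto.fr
}
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a value is a str or, for the
    brace-delimited blocks used in [realms], a nested dict."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue                      # text before any [section]
        if line == "}":
            stack.pop()                   # close a brace block
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                  # open a brace block
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return sections


def foreign_realm_stanzas(conf):
    """[realms] stanzas keyed on something other than default_realm; the
    library never consults them when asked about the default realm."""
    realm = conf.get("libdefaults", {}).get("default_realm")
    return sorted(r for r in conf.get("realms", {}) if r != realm)


def kpasswd_target(conf):
    """Where MIT kpasswd looks for a change-password server: a static
    kpasswd_server/admin_server from the realm's own stanza, otherwise a
    DNS SRV lookup when dns_lookup_kdc is on (the MIT default)."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    stanza = conf.get("realms", {}).get(realm, {})
    if isinstance(stanza, dict):
        for key in ("kpasswd_server", "admin_server"):
            if key in stanza:
                return ("static", stanza[key])
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        return ("dns-srv", "_kpasswd._udp." + realm)
    return ("none", None)


def enctype_lists_without_aes(conf):
    """[libdefaults] enctype lists from which every AES type has been
    removed, leaving only RC4/DES for the client to offer."""
    libdefaults = conf.get("libdefaults", {})
    weak = []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes"):
        types = libdefaults.get(key, "").split()
        if types and not any(t.startswith("aes") for t in types):
            weak.append(key)
    return weak


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("assumed fix", ASSUMED_FIX)):
        conf = parse_krb5_conf(text)
        print(name, foreign_realm_stanzas(conf), kpasswd_target(conf),
              enctype_lists_without_aes(conf))
```

Run as a script it prints the findings for both inputs. Treat the output as a checklist rather than a verdict: the thread itself never settles which of these caused the failure, and the "Failed to decrypt PA-DATA" lines in the server log concern the key used for pre-authentication, which this file-level check cannot see.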