[Samba] samba4 : [kerberos part kinit work but no kpasswd

Rowland Penny rowlandpenny at googlemail.com
Sat May 10 10:09:21 MDT 2014


On 10/05/14 16:55, steve wrote:
> On Sat, 2014-05-10 at 16:47 +0100, Rowland Penny wrote:
>> On 10/05/14 16:37, steve wrote:
>>> On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
>>>> On 10/05/14 15:43, steve wrote:
>>>>> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
>>>>>> On 09/05/14 12:43, MARTIN boris wrote:
>>>>>>> the resolv.conf have the ip of the DC server first , then to other dns from the site.
>>>>>>>
>>>>>>> But as far as i can see in the tcpdump trace, this is not dns related cause, every answer the client have get the good response from the server.
>>>>>>>
>>>>>>>      
>>>>>>>
>>>>>>> best regards
>>>>>>>
>>>>>>>> Message of 09/05/14 10:29
>>>>>>>> From : "Rowland Penny"
>>>>>>>> To : samba at lists.samba.org
>>>>>>>> Cc :
>>>>>>>> Subject : Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
>>>>>>>>
>>>>>>>> On 09/05/14 09:01, MARTIN boris wrote:
>>>>>>>>> hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> i have recently installed a samba 4 in a DC role.
>>>>>>>>>
>>>>>>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
>>>>>>>>>
>>>>>>>>> The server is globally working but there is some little trouble.
>>>>>>>>>
>>>>>>>>> on the server itself, I can do a kinit without problem but if I try a kpasswd, I obtain the following
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> root at station:/var/log/samba# kinit
>>>>>>>>> Password for administrator at TOTO.FR:
>>>>>>>>>
>>>>>>>>> root at station:/var/log/samba# klist
>>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>>>> Default principal: administrator at TOTO.FR
>>>>>>>>>
>>>>>>>>> Valid starting Expires Service principal
>>>>>>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
>>>>>>>>> renew until 10/05/2014 09:23:38
>>>>>>>>>
>>>>>>>>> root at station:/var/log/samba# kpasswd
>>>>>>>>>
>>>>>>>>> [10 sec later ....]
>>>>>>>>>
>>>>>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>>>>>>>>>
>>>>>>>>> the smb.conf file is the following :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = TOTO
>>>>>>>>> realm = TOTO.FR
>>>>>>>>> netbios name = station
>>>>>>>>> server role = active directory domain controller
>>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>> dns forwarder = 129.20.128.39
>>>>>>>>> allow dns updates = nonsecure
>>>>>>>>> # winbind rpc only = yes
>>>>>>>>> log level = 4
>>>>>>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
>>>>>>>>> [netlogon]
>>>>>>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> [sysvol]
>>>>>>>>> path = /var/lib/samba/sysvol
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> [demo]
>>>>>>>>> path = /share/demo
>>>>>>>>> read only = no
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and the krb5.conf is the following :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [logging]
>>>>>>>>> default = FILE:/var/log/krb5.log
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = TOTO.FR
>>>>>>>>> dns_lookup_realm = false
>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>>
>>>>>>>>> # The following krb5.conf variables are only for MIT Kerberos.
>>>>>>>>> krb4_config = /etc/krb.conf
>>>>>>>>> krb4_realms = /etc/krb.realms
>>>>>>>>> kdc_timesync = 1
>>>>>>>>> ccache_type = 4
>>>>>>>>> forwardable = true
>>>>>>>>> proxiable = true
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>>
>>>>>>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> v4_instance_resolve = false
>>>>>>>>> v4_name_convert = {
>>>>>>>>> host = {
>>>>>>>>> rcmd = host
>>>>>>>>> ftp = ftp
>>>>>>>>> }
>>>>>>>>> plain = {
>>>>>>>>> something = something-else
>>>>>>>>> }
>>>>>>>>> }
>>>>>>>>> fcc-mit-ticketflags = true
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> IETR.UNIV-RENNES1.FR = {
>>>>>>>>> kdc = admin.toto.fr:88
>>>>>>>>> admin_server = admin.toto.fr
>>>>>>>>> }
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [domain_realm]
>>>>>>>>> .mit.edu = ATHENA.MIT.EDU
>>>>>>>>> mit.edu = ATHENA.MIT.EDU
>>>>>>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>>>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>>>>>> .csail.mit.edu = CSAIL.MIT.EDU
>>>>>>>>> csail.mit.edu = CSAIL.MIT.EDU
>>>>>>>>> .whoi.edu = ATHENA.MIT.EDU
>>>>>>>>> whoi.edu = ATHENA.MIT.EDU
>>>>>>>>> .stanford.edu = stanford.edu
>>>>>>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
>>>>>>>>> .toronto.edu = UTORONTO.CA
>>>>>>>>> .utoronto.ca = UTORONTO.CA
>>>>>>>>> .toto.fr= TOTO.FR
>>>>>>>>>
>>>>>>>>> [login]
>>>>>>>>> krb4_convert = true
>>>>>>>>> krb4_get_tickets = false
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> the tcpdump for a failed attempt of kpasswd gives the following :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> client -> station Kerberos AS-REQ
>>>>>>>>>
>>>>>>>>> MSG Type : AS-REQ(10)
>>>>>>>>>
>>>>>>>>> Server Name(principal): kadmin/changepw
>>>>>>>>>
>>>>>>>>> Encryption type rc4-hmac
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> station-> client BER Error : Empty choice was found ...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and the log on the server side gives
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
>>>>>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
>>>>>>>>>
>>>>>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> it seems to me like an encryption negotiation failure between the client and the server, all the enctypes lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> So my questions are :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> - is there any way for me to know what kind of encoding samba4/kerberos expects on the server side ?
>>>>>>>>>
>>>>>>>>> - what is the location of the credentials for all the users on the server side ? are they stored in the ldap part of samba4 ?
>>>>>>>>>
>>>>>>>>> - does anyone see what I can do to fix this mess ?
>>>>>>>>>
>>>>>>>>> best regards
>>>>>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = EXAMPLE.COM
>>>>>>>> dns_lookup_realm = false
>>>>>>>> dns_lookup_kdc = true
>>>>>>>>
>>>>>>>> root at dc1:~# kinit
>>>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>>>>>> getting initial credentials
>>>>>>>> root at dc1:~# kinit Administrator
>>>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>>>> root at dc1:~# klist
>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>>> Default principal: Administrator at EXAMPLE.COM
>>>>>>>>
>>>>>>>> Valid starting Expires Service principal
>>>>>>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>>>> renew until 10/05/14 09:06:33
>>>>>>>> root at dc1:~# kpasswd
>>>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>>>> Enter new password:
>>>>>>>> Enter it again:
>>>>>>>> Password change rejected: Try a more complex password, or contact your
>>>>>>>> administrator.
>>>>>>>>
>>>>>>>> NOTE: I deliberately used a non complex password.
>>>>>>>>
>>>>>>>> What do you have in /etc/resolv.conf ? is the nameserver line set to
>>>>>>>> either your samba 4's ipaddress or 127.0.0.1 ?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>> -- 
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>> Hi, I am trying to understand how you can kinit as root?
>>>>>>
>>>>>> root at station:/var/log/samba# kinit
>>>>>> Password for administrator at TOTO.FR:
>>>>>>
>>>>>> When I try it, I get this:
>>>>>>
>>>>>> root at dc2:~# kinit
>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>>>> getting initial credentials
>>>>>>
>>>>>> I have to kinit as Administrator:
>>>>>>
>>>>>> root at dc2:~# kinit Administrator
>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>> root at dc2:~# klist
>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>> Default principal: Administrator at EXAMPLE.COM
>>>>>>
>>>>>> Valid starting     Expires            Service principal
>>>>>> 10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>>         renew until 11/05/14 09:58:48
>>>>>>
>>>>>> The other thing that is strange, is that you seem to refer to running
>>>>>> the kinit command on the samba 4 server, but now you are referring to a
>>>>>> client ?
>>>>>>
>>>>>> OK, just what is the problem that started you along the path of wanting
>>>>>> to change the Administrators password ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi
>>>>> Trying to clarify.
>>>>> You can only kinit as root if root is kinit-able. I think what we mean
>>>>> is that the cache is owned by root, not by the object which is
>>>>> asking for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note
>>>>> the '0' bit at the end. The uid for root.
>>>>> Steve
>>>>>
>>>>>
>>>> Hi Steve, yes I know that the cache ends up being owned by account '0',
>>>> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes
>>>> I get the cache in /tmp
>>>>
>>>> ls -la /tmp/krb5cc_0
>>>> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
>>>>
>>>> Rowland
>>>>
>>>>
>>> Hi
>>> OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
>>> account, you will always get a root cache. e.g. you could equally well:
>>> kinit MACHINE$
>>> you will still end up with /tmp/krb5cc_0 except that now, the principal
>>> with the tgt will be that of the machine. As far as we can see, all the
>>> tgt does is allow you to get a ticket for a service, e.g. the file
>>> server. Maybe we should distinguish the terms:
>>> - ticket granting ticket
>>> - ticket
>>> - ticket granting ticket cache
>>> - ticket cache
>>> on a calling-a-spade-a-spade level. My English is not up to that.
>>> Cheers,
>>> Steve
>>>
>>>
>> Steve, I think you are misunderstanding what I am getting at, the OP
>> posted that he can kinit as 'root', whilst I cannot, can you ? He then
>> confused the issue by starting to talk about  a 'client' when before he
>> only talked about the server, is he having problems connecting a client
>> to the server, or is it just a server problem ? I think that more info
>> is needed here.
>>
>> Rowland
> Hi
> Sorry, I'm having to translate all this at the same time. Nightmare.
> No, we can't:
>   kinit root
> either. I could only successfully kinit root if there was indeed an
> object called root in the directory. The current consensus down here is
> that a user or a machine called 'root' would get you there.
> Cheers,
> Steve
>
>
OK, so has the OP added a user or machine called 'root' to AD ?? If so,
why ?? As I said, more info is needed here.

Rowland
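
The posted krb5.conf has two properties worth checking mechanically rather than by eye: its only [realms] stanza is for IETR.UNIV-RENNES1.FR while default_realm is TOTO.FR, so every KDC and password-server lookup for the default realm depends on DNS SRV records, and the default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes lines restrict the client to RC4 and single-DES, excluding AES. The script below is an added example, not code from the thread or from the Samba project: a small krb5.conf parser plus a checker that reports those conditions. POSTED_CONF is a trimmed copy of the OP's file and MINIMAL_CONF mirrors Rowland's working three-line [libdefaults]; the check for a missing admin_server/kpasswd_server when dns_lookup_kdc is off reflects how MIT kpasswd locates the password-change service, and the severity labels are this example's own choice.

```python
"""krb5.conf consistency checker (constructed example, not Samba project code)."""
import re

# Single-DES and RC4 enctypes; AES types are deliberately not in this list.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Trimmed from the krb5.conf posted in the thread.
POSTED_CONF = """
[libdefaults]
default_realm = TOTO.FR
dns_lookup_realm = false
dns_lookup_kdc = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
IETR.UNIV-RENNES1.FR = {
kdc = admin.toto.fr:88
admin_server = admin.toto.fr
}
...
[domain_realm]
.toto.fr= TOTO.FR
"""

# Mirrors the three-line [libdefaults] Rowland reported as working.
MINIMAL_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}.

    Values are strings, or nested dicts for `key = { ... }` blocks.
    '#' starts a comment; lines without '=' (such as '...') are skipped.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue                       # content before any section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()                # leave the innermost { } block
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def check_krb5_conf(conf):
    """Return a list of (severity, message) findings for a parsed config."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    # MIT's default for dns_lookup_kdc is true when the key is absent.
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")

    if not default_realm:
        findings.append(("ERROR", "[libdefaults] has no default_realm"))
    else:
        stanza = realms.get(default_realm)
        if stanza is None:
            if realms:
                findings.append(("WARNING", f"default_realm {default_realm} has no [realms] stanza "
                                 f"(stanzas present: {sorted(realms)}); KDC and kpasswd server "
                                 "must come from DNS SRV records"))
            if not dns_kdc:
                findings.append(("ERROR", f"no [realms] stanza for {default_realm} and "
                                 "dns_lookup_kdc is off: no KDC can be located"))
        elif isinstance(stanza, dict) and not dns_kdc and not (
                "admin_server" in stanza or "kpasswd_server" in stanza):
            findings.append(("ERROR", f"[realms] {default_realm} has no admin_server/kpasswd_server "
                             "and dns_lookup_kdc is off: kpasswd cannot find the password server"))

    for key in ENCTYPE_KEYS:
        value = libdefaults.get(key)
        if value is None:
            continue
        listed = value.split()
        weak = [e for e in listed if e.lower() in WEAK_ENCTYPES]
        if weak and len(weak) == len(listed):
            findings.append(("WARNING", f"{key} allows only weak enctypes {weak}; AES is excluded"))
        elif weak:
            findings.append(("INFO", f"{key} includes weak enctypes {weak}"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("minimal", MINIMAL_CONF)):
        print(f"== {name} ==")
        for severity, message in check_krb5_conf(parse_krb5_conf(text)) or [("OK", "no findings")]:
            print(f"{severity}: {message}")
```

Run against the posted file the checker reports the realm/stanza mismatch and three enctype warnings; the minimal file produces no findings, which matches the thread's observation that the bare [libdefaults] plus working DNS is enough for kinit and kpasswd on a Samba AD DC.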

