[Samba] samba4 : [kerberos part kinit work but no kpasswd
steve
steve at steve-ss.com
Sat May 10 10:54:11 MDT 2014
On Sat, 2014-05-10 at 17:09 +0100, Rowland Penny wrote:
> On 10/05/14 16:55, steve wrote:
> > On Sat, 2014-05-10 at 16:47 +0100, Rowland Penny wrote:
> >> On 10/05/14 16:37, steve wrote:
> >>> On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
> >>>> On 10/05/14 15:43, steve wrote:
> >>>>> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
> >>>>>> On 09/05/14 12:43, MARTIN boris wrote:
> >>>>>>> the resolv.conf have the ip of the DC server first , then to other dns from the site.
> >>>>>>>
> >>>>>>> But as far as i can see in the tcpdump trace, this is not dns related cause, every answer the client have get the good response from the server.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> best regards
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> Message du 09/05/14 10:29
> >>>>>>>> De : "Rowland Penny"
> >>>>>>>> A : samba at lists.samba.org
> >>>>>>>> Copie à :
> >>>>>>>> Objet : Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
> >>>>>>>>
> >>>>>>>> On 09/05/14 09:01, MARTIN boris wrote:
> >>>>>>>>> hi,
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> i have recently installed a samba 4 in a DC role.
> >>>>>>>>>
> >>>>>>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
> >>>>>>>>>
> >>>>>>>>> The server is globally working but there is some litle trouble.
> >>>>>>>>>
> >>>>>>>>> on the server itself, i can do a kinit without probleme but if i try a kpasswsd, i obtain the following
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> root at station:/var/log/samba# kinit
> >>>>>>>>> Password for administrator at TOTO.FR:
> >>>>>>>>>
> >>>>>>>>> root at station:/var/log/samba# klist
> >>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>>>>> Default principal: administrator at TOTO.FR
> >>>>>>>>>
> >>>>>>>>> Valid starting Expires Service principal
> >>>>>>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
> >>>>>>>>> renew until 10/05/2014 09:23:38
> >>>>>>>>>
> >>>>>>>>> root at station:/var/log/samba# kpasswd
> >>>>>>>>>
> >>>>>>>>> [10 sec later ....]
> >>>>>>>>>
> >>>>>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> the smb.conf file is the following :
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> [global]
> >>>>>>>>> workgroup = TOTO
> >>>>>>>>> realm = TOTO.FR
> >>>>>>>>> netbios name = station
> >>>>>>>>> server role = active directory domain controller
> >>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >>>>>>>>> idmap_ldb:use rfc2307 = yes
> >>>>>>>>> dns forwarder = 129.20.128.39
> >>>>>>>>> allow dns updates = nonsecure
> >>>>>>>>> # winbind rpc only = yes
> >>>>>>>>> log level = 4
> >>>>>>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
> >>>>>>>>> [netlogon]
> >>>>>>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
> >>>>>>>>> read only = No
> >>>>>>>>>
> >>>>>>>>> [sysvol]
> >>>>>>>>> path = /var/lib/samba/sysvol
> >>>>>>>>> read only = No
> >>>>>>>>>
> >>>>>>>>> [demo]
> >>>>>>>>> path = /share/demo
> >>>>>>>>> read only = no
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> and the krb5.conf is the following :
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> [logging]
> >>>>>>>>> default = FILE:/var/log/krb5.log
> >>>>>>>>> [libdefaults]
> >>>>>>>>> default_realm = TOTO.FR
> >>>>>>>>> dns_lookup_realm = false
> >>>>>>>>> dns_lookup_kdc = true
> >>>>>>>>>
> >>>>>>>>> # The following krb5.conf variables are only for MIT Kerberos.
> >>>>>>>>> krb4_config = /etc/krb.conf
> >>>>>>>>> krb4_realms = /etc/krb.realms
> >>>>>>>>> kdc_timesync = 1
> >>>>>>>>> ccache_type = 4
> >>>>>>>>> forwardable = true
> >>>>>>>>> proxiable = true
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>>
> >>>>>>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> v4_instance_resolve = false
> >>>>>>>>> v4_name_convert = {
> >>>>>>>>> host = {
> >>>>>>>>> rcmd = host
> >>>>>>>>> ftp = ftp
> >>>>>>>>> }
> >>>>>>>>> plain = {
> >>>>>>>>> something = something-else
> >>>>>>>>> }
> >>>>>>>>> }
> >>>>>>>>> fcc-mit-ticketflags = true
> >>>>>>>>>
> >>>>>>>>> [realms]
> >>>>>>>>> IETR.UNIV-RENNES1.FR = {
> >>>>>>>>> kdc = admin.toto.fr:88
> >>>>>>>>> admin_server = admin.toto.fr
> >>>>>>>>> }
> >>>>>>>>> ...
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> [domain_realm]
> >>>>>>>>> .mit.edu = ATHENA.MIT.EDU
> >>>>>>>>> mit.edu = ATHENA.MIT.EDU
> >>>>>>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>>>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>>>>>> .csail.mit.edu = CSAIL.MIT.EDU
> >>>>>>>>> csail.mit.edu = CSAIL.MIT.EDU
> >>>>>>>>> .whoi.edu = ATHENA.MIT.EDU
> >>>>>>>>> whoi.edu = ATHENA.MIT.EDU
> >>>>>>>>> .stanford.edu = stanford.edu
> >>>>>>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
> >>>>>>>>> .toronto.edu = UTORONTO.CA
> >>>>>>>>> .utoronto.ca = UTORONTO.CA
> >>>>>>>>> .toto.fr= TOTO.FR
> >>>>>>>>>
> >>>>>>>>> [login]
> >>>>>>>>> krb4_convert = true
> >>>>>>>>> krb4_get_tickets = false
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> the tcp dump for a failed attempt of kpasswd give the folllowing :
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> client -> station Kerberos AS-REQ
> >>>>>>>>>
> >>>>>>>>> MSG Type : AS-REQ(10)
> >>>>>>>>>
> >>>>>>>>> Server Name(principal): kadmin/changepw
> >>>>>>>>>
> >>>>>>>>> Encryption type rc4-hmac
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> station-> client BER Error : Empty choice was found ...
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> and the log on the server side gives
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> >>>>>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
> >>>>>>>>>
> >>>>>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> it seems to me like a crypting negociation failure between the client and the server, all the enctypes line in the krb5.conf was not there initialy and are a (fail) attempt to fix the trouble.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> So my questions are :
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> - is there any way for me to know what kind of encoding samba4/kerberos expect on the server side ?
> >>>>>>>>>
> >>>>>>>>> - what is the location of the credential for all the user on the server side ? are they stored in the ldap part of samba4 ?
> >>>>>>>>>
> >>>>>>>>> - does any one see what i can do to fix this mess ?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> best regards
> >>>>>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
> >>>>>>>>
> >>>>>>>> [libdefaults]
> >>>>>>>> default_realm = EXAMPLE.COM
> >>>>>>>> dns_lookup_realm = false
> >>>>>>>> dns_lookup_kdc = true
> >>>>>>>>
> >>>>>>>> root at dc1:~# kinit
> >>>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>>>>>> getting initial credentials
> >>>>>>>> root at dc1:~# kinit Administrator
> >>>>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>>>> root at dc1:~# klist
> >>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>>>> Default principal: Administrator at EXAMPLE.COM
> >>>>>>>>
> >>>>>>>> Valid starting Expires Service principal
> >>>>>>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>>>>>> renew until 10/05/14 09:06:33
> >>>>>>>> root at dc1:~# kpasswd
> >>>>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>>>> Enter new password:
> >>>>>>>> Enter it again:
> >>>>>>>> Password change rejected: Try a more complex password, or contact your
> >>>>>>>> administrator.
> >>>>>>>>
> >>>>>>>> NOTE: I deliberately used a non complex password.
> >>>>>>>>
> >>>>>>>> What do you have in /etc/resolv.conf ? is the nameserver line set to
> >>>>>>>> either your samba 4's ipaddress or 127.0.0.1 ?
> >>>>>>>>
> >>>>>>>> Rowland
> >>>>>>>> --
> >>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>>>
> >>>>>> Hi, I am trying to understand how you can kinit as root?
> >>>>>>
> >>>>>> root at station:/var/log/samba# kinit
> >>>>>> Password for administrator at TOTO.FR:
> >>>>>>
> >>>>>> When I try it, I get this:
> >>>>>>
> >>>>>> root at dc2:~# kinit
> >>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>>>> getting initial credentials
> >>>>>>
> >>>>>> I have to kinit as Administrator:
> >>>>>>
> >>>>>> root at dc2:~# kinit Administrator
> >>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>> root at dc2:~# klist
> >>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>> Default principal: Administrator at EXAMPLE.COM
> >>>>>>
> >>>>>> Valid starting Expires Service principal
> >>>>>> 10/05/14 09:58:56 10/05/14 19:58:56 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>>>> renew until 11/05/14 09:58:48
> >>>>>>
> >>>>>> The other thing that is strange, is that you seem to refer to running
> >>>>>> the kinit command on the samba 4 server, but now you are referring to a
> >>>>>> client ?
> >>>>>>
> >>>>>> OK, just what is the problem that started you along the path of wanting
> >>>>>> to change the Administrators password ?
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>> Hi
> >>>>> Trying to clarify.
> >>>>> You can only kinit as root if root is kinit-able. I think what we mean
> >>>>> is that is that the cache is owned by root, not by the object which is
> >>>>> asking for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note
> >>>>> the '0' bit at the end. The uid for root.
> >>>>> Steve
> >>>>>
> >>>>>
> >>>> Hi Steve, yes I know that the cache ends up being owned by account '0',
> >>>> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes
> >>>> I get the cache in /tmp
> >>>>
> >>>> ls -la /tmp/krb5cc_0
> >>>> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>> Hi
> >>> OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
> >>> account, you will always get a root cache. e.g. you could equally well:
> >>> kinit MACHINE$
> >>> you will still end up with /tmp/krb5cc_0 except that now, the principal
> >>> with the tgt will be that of the machine. As far as we can see, all the
> >>> tgt does is allows you to get a ticket for a service, e.g. the file
> >>> server. Maybe we should distinguish the terms:
> >>> - ticket granting ticket
> >>> - ticket
> >>> - ticket granting ticket cache
> >>> - ticket cache
> >>> on a calling-a-spade-a-spade level. My English is not up to that.
> >>> Cheers,
> >>> Steve
> >>>
> >>>
> >> Steve, I think you are misunderstanding what I am getting at, the OP
> >> posted that he can kinit as 'root', whilst I cannot, can you ? He then
> >> confused the issue by starting to talk about a 'client' when before he
> >> only talked about the server, is he having problems connecting a client
> >> to the server, or is it just a server problem ? I think that more info
> >> is needed here.
> >>
> >> Rowland
> > Hi
> > Sorry, I'm having to translate all this at the same time. Nightmare.
> > No, we can't:
> > kinit root
> > either. I could only successfully kinit root if there was indeed an
> > object called root in the directory. The current consensus down here is
> > that a user or a machine called 'root' would get you there.
> > Cheers,
> > Steve
> >
> >
> OK, so has the OP added a user or machine called 'root' to AD ?? if so
> why ?? As I said, more info needed here.
>
> Rowland
Guess. He has allocated:
uidNumber: 0
gidNumber: 0
to mimic local root on al clients?
More information about the samba
mailing list