[Samba] samba4 : [kerberos part kinit work but no kpasswd

Rowland Penny rowlandpenny at googlemail.com
Sat May 10 10:58:16 MDT 2014


On 10/05/14 17:54, steve wrote:
> On Sat, 2014-05-10 at 17:09 +0100, Rowland Penny wrote:
>> On 10/05/14 16:55, steve wrote:
>>> On Sat, 2014-05-10 at 16:47 +0100, Rowland Penny wrote:
>>>> On 10/05/14 16:37, steve wrote:
>>>>> On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
>>>>>> On 10/05/14 15:43, steve wrote:
>>>>>>> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
>>>>>>>> On 09/05/14 12:43, MARTIN boris wrote:
>>>>>>>>> The resolv.conf has the IP of the DC server first, then the other DNS servers from the site.
>>>>>>>>>
>>>>>>>>> But as far as I can see in the tcpdump trace, this is not DNS related, because for every query the client has got the correct response from the server.
>>>>>>>>>
>>>>>>>>>       
>>>>>>>>>
>>>>>>>>> best regards
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Message du 09/05/14 10:29
>>>>>>>>>> De : "Rowland Penny"
>>>>>>>>>> A : samba at lists.samba.org
>>>>>>>>>> Copie à :
>>>>>>>>>> Objet : Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
>>>>>>>>>>
>>>>>>>>>> On 09/05/14 09:01, MARTIN boris wrote:
>>>>>>>>>>> hi,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have recently installed Samba 4 in a DC role.
>>>>>>>>>>>
>>>>>>>>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
>>>>>>>>>>>
>>>>>>>>>>> The server is working overall, but there is some little trouble.
>>>>>>>>>>>
>>>>>>>>>>> On the server itself, I can do a kinit without problem, but if I try a kpasswd, I obtain the following:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> root at station:/var/log/samba# kinit
>>>>>>>>>>> Password for administrator at TOTO.FR:
>>>>>>>>>>>
>>>>>>>>>>> root at station:/var/log/samba# klist
>>>>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>>>>>> Default principal: administrator at TOTO.FR
>>>>>>>>>>>
>>>>>>>>>>> Valid starting Expires Service principal
>>>>>>>>>>> 09/05/2014 09:23:42 09/05/2014 19:23:42 krbtgt/TOTO.FR at TOTO.FR
>>>>>>>>>>> renew until 10/05/2014 09:23:38
>>>>>>>>>>>
>>>>>>>>>>> root at station:/var/log/samba# kpasswd
>>>>>>>>>>>
>>>>>>>>>>> [10 sec later ....]
>>>>>>>>>>>
>>>>>>>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The smb.conf file is the following:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [global]
>>>>>>>>>>> workgroup = TOTO
>>>>>>>>>>> realm = TOTO.FR
>>>>>>>>>>> netbios name = station
>>>>>>>>>>> server role = active directory domain controller
>>>>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>>>> dns forwarder = 129.20.128.39
>>>>>>>>>>> allow dns updates = nonsecure
>>>>>>>>>>> # winbind rpc only = yes
>>>>>>>>>>> log level = 4
>>>>>>>>>>> ntp signd socket directory = /var/lib/samba/ntp_signd
>>>>>>>>>>> [netlogon]
>>>>>>>>>>> path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>> [sysvol]
>>>>>>>>>>> path = /var/lib/samba/sysvol
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>> [demo]
>>>>>>>>>>> path = /share/demo
>>>>>>>>>>> read only = no
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> And the krb5.conf is the following:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [logging]
>>>>>>>>>>> default = FILE:/var/log/krb5.log
>>>>>>>>>>> [libdefaults]
>>>>>>>>>>> default_realm = TOTO.FR
>>>>>>>>>>> dns_lookup_realm = false
>>>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>>>>
>>>>>>>>>>> # The following krb5.conf variables are only for MIT Kerberos.
>>>>>>>>>>> krb4_config = /etc/krb.conf
>>>>>>>>>>> krb4_realms = /etc/krb.realms
>>>>>>>>>>> kdc_timesync = 1
>>>>>>>>>>> ccache_type = 4
>>>>>>>>>>> forwardable = true
>>>>>>>>>>> proxiable = true
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>>>>
>>>>>>>>>>> permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>>>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> v4_instance_resolve = false
>>>>>>>>>>> v4_name_convert = {
>>>>>>>>>>> host = {
>>>>>>>>>>> rcmd = host
>>>>>>>>>>> ftp = ftp
>>>>>>>>>>> }
>>>>>>>>>>> plain = {
>>>>>>>>>>> something = something-else
>>>>>>>>>>> }
>>>>>>>>>>> }
>>>>>>>>>>> fcc-mit-ticketflags = true
>>>>>>>>>>>
>>>>>>>>>>> [realms]
>>>>>>>>>>> IETR.UNIV-RENNES1.FR = {
>>>>>>>>>>> kdc = admin.toto.fr:88
>>>>>>>>>>> admin_server = admin.toto.fr
>>>>>>>>>>> }
>>>>>>>>>>> ...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [domain_realm]
>>>>>>>>>>> .mit.edu = ATHENA.MIT.EDU
>>>>>>>>>>> mit.edu = ATHENA.MIT.EDU
>>>>>>>>>>> .media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>>>>>>>> media.mit.edu = MEDIA-LAB.MIT.EDU
>>>>>>>>>>> .csail.mit.edu = CSAIL.MIT.EDU
>>>>>>>>>>> csail.mit.edu = CSAIL.MIT.EDU
>>>>>>>>>>> .whoi.edu = ATHENA.MIT.EDU
>>>>>>>>>>> whoi.edu = ATHENA.MIT.EDU
>>>>>>>>>>> .stanford.edu = stanford.edu
>>>>>>>>>>> .slac.stanford.edu = SLAC.STANFORD.EDU
>>>>>>>>>>> .toronto.edu = UTORONTO.CA
>>>>>>>>>>> .utoronto.ca = UTORONTO.CA
>>>>>>>>>>> .toto.fr= TOTO.FR
>>>>>>>>>>>
>>>>>>>>>>> [login]
>>>>>>>>>>> krb4_convert = true
>>>>>>>>>>> krb4_get_tickets = false
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The tcpdump for a failed attempt of kpasswd gives the following:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> client -> station Kerberos AS-REQ
>>>>>>>>>>>
>>>>>>>>>>> MSG Type : AS-REQ(10)
>>>>>>>>>>>
>>>>>>>>>>> Server Name(principal): kadmin/changepw
>>>>>>>>>>>
>>>>>>>>>>> Encryption type rc4-hmac
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> station-> client BER Error : Empty choice was found ...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> And the log on the server side gives:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
>>>>>>>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
>>>>>>>>>>>
>>>>>>>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> So my questions are:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> - is there any way for me to know what kind of encoding samba4/kerberos expects on the server side?
>>>>>>>>>>>
>>>>>>>>>>> - what is the location of the credentials for all the users on the server side? Are they stored in the LDAP part of samba4?
>>>>>>>>>>>
>>>>>>>>>>> - does anyone see what I can do to fix this mess?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> best regards
>>>>>>>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
>>>>>>>>>>
>>>>>>>>>> [libdefaults]
>>>>>>>>>> default_realm = EXAMPLE.COM
>>>>>>>>>> dns_lookup_realm = false
>>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>>>
>>>>>>>>>> root at dc1:~# kinit
>>>>>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>>>>>>>> getting initial credentials
>>>>>>>>>> root at dc1:~# kinit Administrator
>>>>>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>>>>>> root at dc1:~# klist
>>>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>>>>> Default principal: Administrator at EXAMPLE.COM
>>>>>>>>>>
>>>>>>>>>> Valid starting Expires Service principal
>>>>>>>>>> 09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>>>>>> renew until 10/05/14 09:06:33
>>>>>>>>>> root at dc1:~# kpasswd
>>>>>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>>>>>> Enter new password:
>>>>>>>>>> Enter it again:
>>>>>>>>>> Password change rejected: Try a more complex password, or contact your
>>>>>>>>>> administrator.
>>>>>>>>>>
>>>>>>>>>> NOTE: I deliberately used a non complex password.
>>>>>>>>>>
>>>>>>>>>> What do you have in /etc/resolv.conf ? is the nameserver line set to
>>>>>>>>>> either your samba 4's ipaddress or 127.0.0.1 ?
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>> Hi, I am trying to understand how you can kinit as root?
>>>>>>>>
>>>>>>>> root at station:/var/log/samba# kinit
>>>>>>>> Password for administrator at TOTO.FR:
>>>>>>>>
>>>>>>>> When I try it, I get this:
>>>>>>>>
>>>>>>>> root at dc2:~# kinit
>>>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
>>>>>>>> getting initial credentials
>>>>>>>>
>>>>>>>> I have to kinit as Administrator:
>>>>>>>>
>>>>>>>> root at dc2:~# kinit Administrator
>>>>>>>> Password for Administrator at EXAMPLE.COM:
>>>>>>>> root at dc2:~# klist
>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>>> Default principal: Administrator at EXAMPLE.COM
>>>>>>>>
>>>>>>>> Valid starting     Expires            Service principal
>>>>>>>> 10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>>>>          renew until 11/05/14 09:58:48
>>>>>>>>
>>>>>>>> The other thing that is strange, is that you seem to refer to running
>>>>>>>> the kinit command on the samba 4 server, but now you are referring to a
>>>>>>>> client ?
>>>>>>>>
>>>>>>>> OK, just what is the problem that started you along the path of wanting
>>>>>>>> to change the Administrators password ?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Hi
>>>>>>> Trying to clarify.
>>>>>>> You can only kinit as root if root is kinit-able. I think what we mean
>>>>>>> is that the cache is owned by root, not by the object which is
>>>>>>> asking for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note
>>>>>>> the '0' bit at the end. The uid for root.
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>> Hi Steve, yes I know that the cache ends up being owned by account '0',
>>>>>> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes
>>>>>> I get the cache in /tmp
>>>>>>
>>>>>> ls -la /tmp/krb5cc_0
>>>>>> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Hi
>>>>> OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
>>>>> account, you will always get a root cache. e.g. you could equally well:
>>>>> kinit MACHINE$
>>>>> you will still end up with /tmp/krb5cc_0 except that now, the principal
>>>>> with the tgt will be that of the machine. As far as we can see, all the
>>>>> tgt does is allow you to get a ticket for a service, e.g. the file
>>>>> server. Maybe we should distinguish the terms:
>>>>> - ticket granting ticket
>>>>> - ticket
>>>>> - ticket granting ticket cache
>>>>> - ticket cache
>>>>> on a calling-a-spade-a-spade level. My English is not up to that.
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>>>
>>>> Steve, I think you are misunderstanding what I am getting at, the OP
>>>> posted that he can kinit as 'root', whilst I cannot, can you ? He then
>>>> confused the issue by starting to talk about a 'client' when before he
>>>> only talked about the server, is he having problems connecting a client
>>>> to the server, or is it just a server problem ? I think that more info
>>>> is needed here.
>>>>
>>>> Rowland
>>> Hi
>>> Sorry, I'm having to translate all this at the same time. Nightmare.
>>> No, we can't:
>>>    kinit root
>>> either. I could only successfully kinit root if there was indeed an
>>> object called root in the directory. The current consensus down here is
>>> that a user or a machine called 'root' would get you there.
>>> Cheers,
>>> Steve
>>>
>>>
>> OK, so has the OP added a user or machine called 'root' to AD ?? if so
>> why ?? As I said, more info needed here.
>>
>> Rowland
> Guess. He has allocated:
>   uidNumber: 0
>   gidNumber: 0
> to mimic local root on all clients?
>
That is what I am thinking, but I hope not, I think that would be a 
really bad idea.

Rowland
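For anyone hitting the same symptom, here is a small checker added as an example at the end of this thread; it is not code from the posts, from Samba or from MIT Kerberos. It parses a krb5.conf the way the thread reads the OP's file: default_realm is TOTO.FR, but the only [realms] stanza is for IETR.UNIV-RENNES1.FR, so with dns_lookup_kdc = true both kinit and kpasswd have to locate their server through DNS SRV records, and kpasswd's _kpasswd._udp lookup is the first thing to verify when kinit works but kpasswd reports "Cannot contact any KDC". It also flags the DES and RC4 enctype lines the OP added. The two embedded configs are abridged copies of what was posted; the corrected one uses station.toto.fr as an assumed DC name.

```python
"""Hypothetical checker for the "kinit works but kpasswd fails" case in this
thread; configs are abridged from the posts, station.toto.fr is assumed."""
import re

# Enctypes deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-exp",
}

# Abridged from the original poster's krb5.conf: default_realm is TOTO.FR but
# the only [realms] stanza describes a different realm.
OP_KRB5_CONF = """\
[libdefaults]
    default_realm = TOTO.FR
    dns_lookup_kdc = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
[realms]
    IETR.UNIV-RENNES1.FR = {
        kdc = admin.toto.fr:88
        admin_server = admin.toto.fr
    }
"""

# Corrected form (station.toto.fr is an assumed DC name): the stanza matches
# default_realm and names both the KDC and the password-change server.
FIXED_KRB5_CONF = """\
[libdefaults]
    default_realm = TOTO.FR
    dns_lookup_kdc = true
[realms]
    TOTO.FR = {
        kdc = station.toto.fr
        admin_server = station.toto.fr
    }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.  'key = {' opens a nested
    dict, repeated keys become lists, '#' comments and blank lines are skipped."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([\w-]+)\]$", line)
        if header and not stack:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        target = stack[-1] if stack else current
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        elif key in target:
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return sections


def check_krb5_conf(text):
    """Return (level, message) findings: how kinit can succeed while kpasswd has
    no server to contact, plus deprecated-enctype warnings."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return [("warn", "no default_realm in [libdefaults]")]
    realms = conf.get("realms", {})
    stanza = realms.get(realm, {})
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    level = "info" if dns_kdc else "warn"      # with DNS on, SRV records can still locate servers
    tail = "" if dns_kdc else ", but dns_lookup_kdc is off"
    host = realm.lower()
    findings = []
    if realms and realm not in realms:
        findings.append(("warn", f"[realms] has no stanza for default_realm {realm} "
                                 f"(found: {', '.join(realms)})"))
    if "kdc" not in stanza:
        findings.append((level, f"no kdc for {realm} in [realms]; kinit relies on the "
                                f"_kerberos._udp.{host} SRV record{tail}"))
    if not {"admin_server", "kpasswd_server"} & set(stanza):
        findings.append((level, f"no admin_server/kpasswd_server for {realm}; kpasswd "
                                f"relies on the _kpasswd._udp.{host} SRV record{tail}"))
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key)
        if not value:
            continue
        etypes = (value if isinstance(value, str) else " ".join(value)).split()
        weak = [e for e in etypes if e in DEPRECATED_ENCTYPES]
        if weak:
            findings.append(("warn", f"{key} includes deprecated enctypes: {', '.join(weak)}"))
        if not any(e.startswith("aes") for e in etypes):
            findings.append(("warn", f"{key} allows no AES enctype"))
    return findings


if __name__ == "__main__":
    for name, conf in (("OP", OP_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, check_krb5_conf(conf) or "no findings")
```

The checker never touches the network; whether the SRV records it points at actually exist is a separate step (for example `host -t SRV _kpasswd._udp.toto.fr` against the DC's own DNS). Once the [realms] stanza names the DC as admin_server, kpasswd no longer depends on that lookup at all, and dropping the DES/RC4-only enctype lines lets the AES keys that a Samba 4 DC stores for the account be used.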


