[Samba] samba4 : [kerberos part kinit work but no kpasswd

MARTIN boris martin-boris at wanadoo.fr
Tue May 13 01:42:54 MDT 2014


hi,

I want to clarify the situation here.

I have no user root; when I do my kinit, I do it on the administrator account, a high-privilege samba 4 account.

I do it being the local root user on the client machine, but the fact that I am root has no relevance here: I could use a standard local account on the client and do my kinit administrator, and the behavior would be the same.

The misunderstanding comes from a bad copy/cut; when I do a kinit, I always do a kinit administrator... ;)

And for me the computer I use to authenticate against samba 4 is always a "client", no matter whether it is the server itself or another linux client; as long as I do a kinit, the machine is a samba4/AD/kerberos client?

Does this clarify the situation? Does anyone have any idea why my kpasswd attempts are failing?

best regards





> Message of 10/05/14 18:58
> From: "Rowland Penny"
> To: samba at lists.samba.org
> Cc:
> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
>
> On 10/05/14 17:54, steve wrote:
> > On Sat, 2014-05-10 at 17:09 +0100, Rowland Penny wrote:
> >> On 10/05/14 16:55, steve wrote:
> >>> On Sat, 2014-05-10 at 16:47 +0100, Rowland Penny wrote:
> >>>> On 10/05/14 16:37, steve wrote:
> >>>>> On Sat, 2014-05-10 at 16:10 +0100, Rowland Penny wrote:
> >>>>>> On 10/05/14 15:43, steve wrote:
> >>>>>>> On Sat, 2014-05-10 at 10:24 +0100, Rowland Penny wrote:
> >>>>>>>> On 09/05/14 12:43, MARTIN boris wrote:
> >>>>>>>>> the resolv.conf has the ip of the DC server first, then to other dns from the site.
> >>>>>>>>>
> >>>>>>>>> But as far as I can see in the tcpdump trace, this is not dns related cause, every answer the client have get the good response from the server.
> >>>>>>>>>
> >>>>>>>>> best regards
> >>>>>>>>>
> >>>>>>>>>> Message of 09/05/14 10:29
> >>>>>>>>>> From: "Rowland Penny"
> >>>>>>>>>> To: samba at lists.samba.org
> >>>>>>>>>> Cc:
> >>>>>>>>>> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd
> >>>>>>>>>>
> >>>>>>>>>> On 09/05/14 09:01, MARTIN boris wrote:
> >>>>>>>>>>> hi,
> >>>>>>>>>>>
> >>>>>>>>>>> I have recently installed a samba 4 in a DC role.
> >>>>>>>>>>>
> >>>>>>>>>>> The distribution is a debian jessie/sid, the version of samba is 4.1.7.
> >>>>>>>>>>>
> >>>>>>>>>>> The server is globally working but there is some little trouble.
> >>>>>>>>>>>
> >>>>>>>>>>> on the server itself, I can do a kinit without problem but if I try a kpasswd, I obtain the following
> >>>>>>>>>>>
> >>>>>>>>>>> root at station:/var/log/samba# kinit
> >>>>>>>>>>> Password for administrator at TOTO.FR:
> >>>>>>>>>>>
> >>>>>>>>>>> root at station:/var/log/samba# klist
> >>>>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>>>>>>> Default principal: administrator at TOTO.FR
> >>>>>>>>>>>
> >>>>>>>>>>> Valid starting       Expires              Service principal
> >>>>>>>>>>> 09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR at TOTO.FR
> >>>>>>>>>>>         renew until 10/05/2014 09:23:38
> >>>>>>>>>>>
> >>>>>>>>>>> root at station:/var/log/samba# kpasswd
> >>>>>>>>>>>
> >>>>>>>>>>> [10 sec later ....]
> >>>>>>>>>>>
> >>>>>>>>>>> kpasswd: Cannot contact any KDC for requested realm getting initial ticket
> >>>>>>>>>>>
> >>>>>>>>>>> the smb.conf file is the following :
> >>>>>>>>>>>
> >>>>>>>>>>> [global]
> >>>>>>>>>>>     workgroup = TOTO
> >>>>>>>>>>>     realm = TOTO.FR
> >>>>>>>>>>>     netbios name = station
> >>>>>>>>>>>     server role = active directory domain controller
> >>>>>>>>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >>>>>>>>>>>     idmap_ldb:use rfc2307 = yes
> >>>>>>>>>>>     dns forwarder = 129.20.128.39
> >>>>>>>>>>>     allow dns updates = nonsecure
> >>>>>>>>>>>     # winbind rpc only = yes
> >>>>>>>>>>>     log level = 4
> >>>>>>>>>>>     ntp signd socket directory = /var/lib/samba/ntp_signd
> >>>>>>>>>>> [netlogon]
> >>>>>>>>>>>     path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
> >>>>>>>>>>>     read only = No
> >>>>>>>>>>>
> >>>>>>>>>>> [sysvol]
> >>>>>>>>>>>     path = /var/lib/samba/sysvol
> >>>>>>>>>>>     read only = No
> >>>>>>>>>>>
> >>>>>>>>>>> [demo]
> >>>>>>>>>>>     path = /share/demo
> >>>>>>>>>>>     read only = no
> >>>>>>>>>>>
> >>>>>>>>>>> and the krb5.conf is the following :
> >>>>>>>>>>>
> >>>>>>>>>>> [logging]
> >>>>>>>>>>>     default = FILE:/var/log/krb5.log
> >>>>>>>>>>> [libdefaults]
> >>>>>>>>>>>     default_realm = TOTO.FR
> >>>>>>>>>>>     dns_lookup_realm = false
> >>>>>>>>>>>     dns_lookup_kdc = true
> >>>>>>>>>>>
> >>>>>>>>>>>     # The following krb5.conf variables are only for MIT Kerberos.
> >>>>>>>>>>>     krb4_config = /etc/krb.conf
> >>>>>>>>>>>     krb4_realms = /etc/krb.realms
> >>>>>>>>>>>     kdc_timesync = 1
> >>>>>>>>>>>     ccache_type = 4
> >>>>>>>>>>>     forwardable = true
> >>>>>>>>>>>     proxiable = true
> >>>>>>>>>>>
> >>>>>>>>>>>     default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>>>>     default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>>>>
> >>>>>>>>>>>     permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>>>>     supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>>>>>>>>>
> >>>>>>>>>>>     v4_instance_resolve = false
> >>>>>>>>>>>     v4_name_convert = {
> >>>>>>>>>>>         host = {
> >>>>>>>>>>>             rcmd = host
> >>>>>>>>>>>             ftp = ftp
> >>>>>>>>>>>         }
> >>>>>>>>>>>         plain = {
> >>>>>>>>>>>             something = something-else
> >>>>>>>>>>>         }
> >>>>>>>>>>>     }
> >>>>>>>>>>>     fcc-mit-ticketflags = true
> >>>>>>>>>>>
> >>>>>>>>>>> [realms]
> >>>>>>>>>>>     IETR.UNIV-RENNES1.FR = {
> >>>>>>>>>>>         kdc = admin.toto.fr:88
> >>>>>>>>>>>         admin_server = admin.toto.fr
> >>>>>>>>>>>     }
> >>>>>>>>>>>     ...
> >>>>>>>>>>>
> >>>>>>>>>>> [domain_realm]
> >>>>>>>>>>>     .mit.edu = ATHENA.MIT.EDU
> >>>>>>>>>>>     mit.edu = ATHENA.MIT.EDU
> >>>>>>>>>>>     .media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>>>>>>>>     media.mit.edu = MEDIA-LAB.MIT.EDU
> >>>>>>>>>>>     .csail.mit.edu = CSAIL.MIT.EDU
> >>>>>>>>>>>     csail.mit.edu = CSAIL.MIT.EDU
> >>>>>>>>>>>     .whoi.edu = ATHENA.MIT.EDU
> >>>>>>>>>>>     whoi.edu = ATHENA.MIT.EDU
> >>>>>>>>>>>     .stanford.edu = stanford.edu
> >>>>>>>>>>>     .slac.stanford.edu = SLAC.STANFORD.EDU
> >>>>>>>>>>>     .toronto.edu = UTORONTO.CA
> >>>>>>>>>>>     .utoronto.ca = UTORONTO.CA
> >>>>>>>>>>>     .toto.fr= TOTO.FR
> >>>>>>>>>>>
> >>>>>>>>>>> [login]
> >>>>>>>>>>>     krb4_convert = true
> >>>>>>>>>>>     krb4_get_tickets = false
> >>>>>>>>>>>
> >>>>>>>>>>> the tcp dump for a failed attempt of kpasswd gives the following :
> >>>>>>>>>>>
> >>>>>>>>>>> client -> station Kerberos AS-REQ
> >>>>>>>>>>>
> >>>>>>>>>>> MSG Type : AS-REQ(10)
> >>>>>>>>>>>
> >>>>>>>>>>> Server Name(principal): kadmin/changepw
> >>>>>>>>>>>
> >>>>>>>>>>> Encryption type rc4-hmac
> >>>>>>>>>>>
> >>>>>>>>>>> station-> client BER Error : Empty choice was found ...
> >>>>>>>>>>>
> >>>>>>>>>>> and the log on the server side gives
> >>>>>>>>>>>
> >>>>>>>>>>> Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
> >>>>>>>>>>> arcfour-hmac-md5) error Decrypt integrity check failed
> >>>>>>>>>>>
> >>>>>>>>>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> >>>>>>>>>>>
> >>>>>>>>>>> it seems to me like a crypting negotiation failure between the client and the server, all the enctypes lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
> >>>>>>>>>>>
> >>>>>>>>>>> So my questions are :
> >>>>>>>>>>>
> >>>>>>>>>>> - is there any way for me to know what kind of encoding samba4/kerberos expect on the server side ?
> >>>>>>>>>>>
> >>>>>>>>>>> - what is the location of the credential for all the user on the server side ? are they stored in the ldap part of samba4 ?
> >>>>>>>>>>>
> >>>>>>>>>>> - does anyone see what I can do to fix this mess ?
> >>>>>>>>>>>
> >>>>>>>>>>> best regards
> >>>>>>>>>> This sort of works for me, but all I have in /etc/krb5.conf is this:
> >>>>>>>>>>
> >>>>>>>>>> [libdefaults]
> >>>>>>>>>>     default_realm = EXAMPLE.COM
> >>>>>>>>>>     dns_lookup_realm = false
> >>>>>>>>>>     dns_lookup_kdc = true
> >>>>>>>>>>
> >>>>>>>>>> root at dc1:~# kinit
> >>>>>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>>>>>>>> getting initial credentials
> >>>>>>>>>> root at dc1:~# kinit Administrator
> >>>>>>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>>>>>> root at dc1:~# klist
> >>>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>>>>>> Default principal: Administrator at EXAMPLE.COM
> >>>>>>>>>>
> >>>>>>>>>> Valid starting     Expires            Service principal
> >>>>>>>>>> 09/05/14 09:06:40  09/05/14 19:06:40  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>>>>>>>>         renew until 10/05/14 09:06:33
> >>>>>>>>>> root at dc1:~# kpasswd
> >>>>>>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>>>>>> Enter new password:
> >>>>>>>>>> Enter it again:
> >>>>>>>>>> Password change rejected: Try a more complex password, or contact your
> >>>>>>>>>> administrator.
> >>>>>>>>>>
> >>>>>>>>>> NOTE: I deliberately used a non complex password.
> >>>>>>>>>>
> >>>>>>>>>> What do you have in /etc/resolv.conf ? is the nameserver line set to
> >>>>>>>>>> either your samba 4's ipaddress or 127.0.0.1 ?
> >>>>>>>>>>
> >>>>>>>>>> Rowland
> >>>>>>>>>> --
> >>>>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>>>>>
> >>>>>>>> Hi, I am trying to understand how you can kinit as root?
> >>>>>>>>
> >>>>>>>> root at station:/var/log/samba# kinit
> >>>>>>>> Password for administrator at TOTO.FR:
> >>>>>>>>
> >>>>>>>> When I try it, I get this:
> >>>>>>>>
> >>>>>>>> root at dc2:~# kinit
> >>>>>>>> kinit: Client 'root at EXAMPLE.COM' not found in Kerberos database while
> >>>>>>>> getting initial credentials
> >>>>>>>>
> >>>>>>>> I have to kinit as Administrator:
> >>>>>>>>
> >>>>>>>> root at dc2:~# kinit Administrator
> >>>>>>>> Password for Administrator at EXAMPLE.COM:
> >>>>>>>> root at dc2:~# klist
> >>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>>>>>> Default principal: Administrator at EXAMPLE.COM
> >>>>>>>>
> >>>>>>>> Valid starting     Expires            Service principal
> >>>>>>>> 10/05/14 09:58:56  10/05/14 19:58:56  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>>>>>>>         renew until 11/05/14 09:58:48
> >>>>>>>>
> >>>>>>>> The other thing that is strange, is that you seem to refer to running
> >>>>>>>> the kinit command on the samba 4 server, but now you are referring to a
> >>>>>>>> client ?
> >>>>>>>>
> >>>>>>>> OK, just what is the problem that started you along the path of wanting
> >>>>>>>> to change the Administrator's password ?
> >>>>>>>>
> >>>>>>>> Rowland
> >>>>>>>>
> >>>>>>> Hi
> >>>>>>> Trying to clarify.
> >>>>>>> You can only kinit as root if root is kinit-able. I think what we mean
> >>>>>>> is that the cache is owned by root, not by the object which is
> >>>>>>> asking for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note
> >>>>>>> the '0' bit at the end. The uid for root.
> >>>>>>> Steve
> >>>>>>>
> >>>>>> Hi Steve, yes I know that the cache ends up being owned by account '0',
> >>>>>> but I cannot kinit as 'root', I have to do it as 'Administrator' and yes
> >>>>>> I get the cache in /tmp
> >>>>>>
> >>>>>> ls -la /tmp/krb5cc_0
> >>>>>> -rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>> Hi
> >>>>> OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
> >>>>> account, you will always get a root cache. e.g. you could equally well:
> >>>>> kinit MACHINE$
> >>>>> you will still end up with /tmp/krb5cc_0 except that now, the principal
> >>>>> with the tgt will be that of the machine. As far as we can see, all the
> >>>>> tgt does is allows you to get a ticket for a service, e.g. the file
> >>>>> server. Maybe we should distinguish the terms:
> >>>>> - ticket granting ticket
> >>>>> - ticket
> >>>>> - ticket granting ticket cache
> >>>>> - ticket cache
> >>>>> on a calling-a-spade-a-spade level. My English is not up to that.
> >>>>> Cheers,
> >>>>> Steve
> >>>>>
> >>>> Steve, I think you are misunderstanding what I am getting at, the OP
> >>>> posted that he can kinit as 'root', whilst I cannot, can you ? He then
> >>>> confused the issue by starting to talk about a 'client' when before he
> >>>> only talked about the server, is he having problems connecting a client
> >>>> to the server, or is it just a server problem ? I think that more info
> >>>> is needed here.
> >>>>
> >>>> Rowland
> >>> Hi
> >>> Sorry, I'm having to translate all this at the same time. Nightmare.
> >>> No, we can't:
> >>> kinit root
> >>> either. I could only successfully kinit root if there was indeed an
> >>> object called root in the directory. The current consensus down here is
> >>> that a user or a machine called 'root' would get you there.
> >>> Cheers,
> >>> Steve
> >>>
> >> OK, so has the OP added a user or machine called 'root' to AD ?? if so
> >> why ?? As I said, more info needed here.
> >>
> >> Rowland
> > Guess. He has allocated:
> > uidNumber: 0
> > gidNumber: 0
> > to mimic local root on all clients?
> >
> That is what I am thinking, but I hope not, I think that would be a really bad idea.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
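
The krb5.conf quoted in this thread pins the client enctype lists to RC4 and single DES. As an added example (not code from the thread or from the Samba project), this Python checker reads the `[libdefaults]` section, skips nested `{ ... }` subsections such as `v4_name_convert`, and sorts each listed enctype into single DES (deprecated by RFC 6649), RC4 (deprecated by RFC 8429) or other. The function names and the sample text are constructed here, and the check says nothing about why kpasswd fails.

```python
import re

DES = re.compile(r"^des-")  # single DES (RFC 6649); des3-* is not matched
RC4 = re.compile(r"^(arcfour|rc4)-")  # RC4 (RFC 8429)
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def libdefaults(text):
    """Return the top-level key -> value pairs of the [libdefaults] section."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        opens, closes = line.count("{"), line.count("}")
        # Only flat relations count; bodies of { ... } subsections are skipped.
        if section == "libdefaults" and depth == 0 and "=" in line and not opens:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
        depth = max(0, depth + opens - closes)
    return out

def audit(text):
    """Sort every enctype named in the client lists into des / rc4 / other."""
    conf, report = libdefaults(text), {}
    for key in ENCTYPE_KEYS:
        if key in conf:
            buckets = {"des": [], "rc4": [], "other": []}
            for name in filter(None, re.split(r"[\s,]+", conf[key].lower())):
                kind = "des" if DES.match(name) else "rc4" if RC4.match(name) else "other"
                buckets[kind].append(name)
            report[key] = buckets
    return report

# Constructed sample: a cut-down copy of the [libdefaults] lines quoted above.
SAMPLE = """\
[libdefaults]
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
    fcc-mit-ticketflags = true
"""
```

Calling `audit(SAMPLE)` reports that all three lists contain only DES and RC4 entries, with nothing in the `other` bucket.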

