[Samba] samba4 : [kerberos part kinit work but no kpasswd

steve steve at steve-ss.com
Tue May 13 02:18:29 MDT 2014


On Tue, 2014-05-13 at 09:42 +0200, MARTIN boris wrote:
> hi,
> 
>  
> 
> I want to clarify the situation here.
> 
> I have no user root; when I do my kinit, I do it on the administrator account, a high privilege samba 4 account.
> 
> I do it being the local root user on the client machine, but the fact that I am root has no relevance here; I could use a standard local account on the client and do my kinit administrator, the behavior would be the same.
> 
> The misunderstanding comes from a bad copy/cut; when I do a kinit, I always do a kinit administrator... ;)
> 
> And for me the computer I use to authenticate against samba 4 is always a "client", no matter whether it is the server itself or another linux client; as long as I do a kinit, the machine is a samba4/AD/kerberos client?
> 
> Does this clarify the situation? Does anyone have any idea why my kpasswd are failing?
> 
>  
> 
> best regards 

OK
Can you send us the output from the DC? If not, here is a successful
kpasswd for a domain user 'julie'. Administrator has the tgt and I'm
sitting at the DC logged in as my local user:

steve at hh16:~> kinit Administrator
Password for Administrator at HH3.SITE: 
steve at hh16:~> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator at HH3.SITE

Valid starting     Expires            Service principal
13/05/14 10:11:07  13/05/14 20:11:07  krbtgt/HH3.SITE at HH3.SITE
        renew until 14/05/14 10:11:02
steve at hh16:~> kpasswd julie
Password for julie at HH3.SITE: 
Enter new password: 
Enter it again: 
Password changed.

And here is the log:
Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.16:49497 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
Administrator at HH3.SITE
Calling samba_kcc script
Completed samba_kcc OK
Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.16:48605 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at HH3.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-05-13T10:11:07 starttime: unset endtime:
2014-05-13T20:11:07 renew till: 2014-05-14T10:11:02
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: AS-REQ julie at HH3.SITE from ipv4:192.168.1.16:57108 for
kadmin/changepw at HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- julie at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- julie at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- julie at HH3.SITE
Kerberos: AS-REQ julie at HH3.SITE from ipv4:192.168.1.16:50261 for
kadmin/changepw at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- julie at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- julie at HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- julie at HH3.SITE using
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-05-13T10:11:34 starttime: unset endtime:
2014-05-13T10:16:27 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Found account name from PAC: julie []
Changing password of HH3\julie
(S-1-5-21-451355595-2219208293-2714859210-1175)

Anything different?
HTH
Steve
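
To make the "Anything different?" comparison mechanical, here is an added example (not part of the original post and not Samba code) that reports how far a kpasswd exchange got in a DC log. The function and stage names are hypothetical, and the patterns assume the line formats shown in the log above.

```python
import re

SEP = r"(?:@| at )"  # list archives rewrite "@" as " at "
STAGES = ("as_req_changepw", "preauth_ok", "pac_account", "password_change")

def kpasswd_stages(log_text, user):
    """Return, in order, the kpasswd stages the log shows for `user`."""
    flat = re.sub(r"\s+", " ", log_text)  # undo mail/terminal line wraps
    u = re.escape(user)
    patterns = (
        rf"AS-REQ {u}{SEP}\S+ from \S+ for kadmin/changepw{SEP}",
        rf"ENC-TS Pre-authentication succeeded -- {u}{SEP}",
        rf"Found account name from PAC: {u}\b",
        rf"Changing password of [^\\ ]+\\{u}\b",
    )
    reached, pos = [], 0
    for name, pattern in zip(STAGES, patterns):
        match = re.compile(pattern).search(flat, pos)
        if match is None:
            break  # later stages cannot count without this one
        reached.append(name)
        pos = match.end()
    return reached

def first_missing(log_text, user):
    """Name the first stage the log does not show, or None if all are there."""
    reached = kpasswd_stages(log_text, user)
    return STAGES[len(reached)] if len(reached) < len(STAGES) else None

# Sample: the kpasswd lines from the log in this post, wraps left in place.
SAMPLE_LOG = """\
Kerberos: AS-REQ julie at HH3.SITE from ipv4:192.168.1.16:57108 for
kadmin/changepw at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- julie at HH3.SITE
Kerberos: AS-REQ julie at HH3.SITE from ipv4:192.168.1.16:50261 for
kadmin/changepw at HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- julie at HH3.SITE using
arcfour-hmac-md5
Found account name from PAC: julie []
Changing password of HH3\\julie
(S-1-5-21-451355595-2219208293-2714859210-1175)
"""

if __name__ == "__main__":
    print(kpasswd_stages(SAMPLE_LOG, "julie"))
    # Constructed failing case: the same log cut off before the PAC line.
    print(first_missing(SAMPLE_LOG.split("Found account")[0], "julie"))
```

Run against a failing DC log, the first missing stage shows whether the request never reached kadmin/changepw, stopped at pre-authentication, or failed at the password change itself.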


