[Samba] Problem with keytab: "Client not found in Kerberos database"
Brian Candler
b.candler at pobox.com
Mon Dec 19 18:21:08 UTC 2016
I am trying to use a keytab for a client machine to authenticate to
Samba's own LDAP server.
The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2
compiled from source.
The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been
joined directly to the Samba domain ("net ads join"). I have also
extracted a keytab ("net ads keytab create -P") which created
/etc/krb5.keytab.
Now if I try to authenticate, I can get a TGT, but I can't actually
authenticate to the LDAP server:
root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Client not found in Kerberos database)
root@wrn-radtest:~# cat /tmp/trace.out
[17919] 1482170475.951771: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET for server principal ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET
[17919] 1482170475.951821: Getting credentials host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET using ccache FILE:/tmp/krb5cc_0
[17919] 1482170475.951863: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[17919] 1482170475.951900: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[17919] 1482170475.951907: Starting with TGT for client realm: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
[17919] 1482170475.951912: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.951929: Generated subkey for TGS request: rc4-hmac/5B25
[17919] 1482170475.951946: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.952023: Encoding request body and padata into FAST request
[17919] 1482170475.952068: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.952489: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.952708: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.958164: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.958397: Response was not from master KDC
[17919] 1482170475.958420: TGS request result: -1765328378/Client not found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.958448: Generated subkey for TGS request: rc4-hmac/D306
[17919] 1482170475.958464: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.958500: Encoding request body and padata into FAST request
[17919] 1482170475.958537: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.958782: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.958937: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.963625: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.963784: Response was not from master KDC
[17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database
But if I kinit with a real user, it works fine:
root@wrn-radtest:~# kinit brian
...
root@wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base
SASL/GSSAPI authentication started
SASL username: brian@AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=net> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
... etc
Any ideas what's going on, or where else I can look?
Aside: What I'm actually trying to do is to get freeradius to
authenticate using a keytab in order to do LDAP queries, which I've had
working with FreeIPA before and am now trying to replicate with Samba in
a different environment.
Thanks,
Brian.
P.S. Here are the config files from the client machine:
--- /etc/krb5.conf ---
[libdefaults]
default_realm = AD.EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
# I added this but it didn't make a difference
[domain_realm]
.ad.example.net = AD.EXAMPLE.NET
--- /etc/samba/smb.conf ---
[global]
security = ADS
workgroup = AD
realm = AD.EXAMPLE.NET
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 1
username map = /etc/samba/user.map
winbind enum users = yes
winbind enum groups = yes
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
idmap config AD : backend = rid
idmap config AD : range = 100000-999999
idmap config * : backend = autorid
idmap config * : range = 1000000-9999999
idmap config * : rangesize = 100000
The keytab itself looks OK to me:
root@wrn-radtest:~# net ads keytab list
Vno Type Principal
2 des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
2 des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
2 des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
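A diagnostic helper added as an example here (not code from the post, nor from Samba or MIT krb5): it parses KRB5_TRACE output and `net ads keytab list` output of the shape shown in the post, then cross-checks the client principal that ccselect actually used against the keytab entries and the KDC's TGS verdict, and flags DES/RC4 keys left in the keytab. The sample inputs are constructed from the post; the error code -1765328378 is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN in MIT krb5's error table.

```python
import re
# Constructed sample: KRB5_TRACE lines in the shape the post shows (unwrapped, abbreviated).
TRACE = """\
[17919] 1482170475.951771: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET for server principal ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET
[17919] 1482170475.951912: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.958420: TGS request result: -1765328378/Client not found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database
"""
# Constructed sample: abbreviated `net ads keytab list` output.
KEYTAB = """\
Vno Type Principal
2 des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
"""
C_PRINCIPAL_UNKNOWN = -1765328378  # KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, the code in the trace
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}

def parse_trace(text):
    """Client/server principals chosen by ccselect plus every TGS outcome (referrals, code, msg)."""
    info, referrals = {"client": None, "server": None, "attempts": []}, None
    for line in text.splitlines():
        msg = re.sub(r"^\[\d+\] [\d.]+: ", "", line)  # strip the "[pid] timestamp: " prefix
        if m := re.search(r"client principal (\S+) for server principal (\S+)", msg):
            info["client"], info["server"] = m.groups()
        elif m := re.match(r"Requesting tickets for \S+, referrals (on|off)", msg):
            referrals = m.group(1)
        elif m := re.match(r"TGS request result: (-?\d+)/(.*)", msg):
            info["attempts"].append((referrals, int(m.group(1)), m.group(2)))
    return info

def parse_keytab(text):
    """Map principal -> set of enctypes from `net ads keytab list` (header line skipped)."""
    table = {}
    for line in text.splitlines()[1:]:
        _vno, enctype, principal = line.split()
        table.setdefault(principal, set()).add(enctype)
    return table

def diagnose(trace, keytab):
    """Cross-check the principal the client actually used against the keytab and the KDC's verdict."""
    info, kt, findings = parse_trace(trace), parse_keytab(keytab), []
    if info["client"] not in kt:
        findings.append(f"client principal {info['client']} is not in the keytab")
    elif any(code == C_PRINCIPAL_UNKNOWN for _, code, _ in info["attempts"]):
        findings.append(f"keytab holds {info['client']} but the KDC says it is unknown")
    weak = sorted(WEAK_ENCTYPES & set().union(*kt.values()))
    if weak:  # DES/RC4 keys in a keytab are worth removing even when they are not the cause
        findings.append("keytab contains weak enctypes: " + ", ".join(weak))
    return findings
```

On the post's data this reports that the keytab does hold host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET while the KDC rejects it, which narrows the question to what the DC has for that principal rather than to the client's keytab extraction.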