[Samba] Problem with keytab: "Client not found in Kerberos database"

Brian Candler b.candler at pobox.com
Mon Dec 19 18:21:08 UTC 2016


I am trying to use a keytab for a client machine to authenticate to 
Samba's own LDAP server.

The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2 
compiled from source.

The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been 
joined directly to the Samba domain ("net ads join"). I have also 
extracted a keytab ("net ads keytab create -P") which created 
/etc/krb5.keytab.

Now if I try to authenticate, I can get a TGT, but I can't actually 
authenticate to the LDAP server:

root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
     additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Client not found in Kerberos database)

root@wrn-radtest:~# cat /tmp/trace.out
[17919] 1482170475.951771: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET for server principal ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET
[17919] 1482170475.951821: Getting credentials host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET using ccache FILE:/tmp/krb5cc_0
[17919] 1482170475.951863: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[17919] 1482170475.951900: Retrieving host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[17919] 1482170475.951907: Starting with TGT for client realm: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
[17919] 1482170475.951912: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.951929: Generated subkey for TGS request: rc4-hmac/5B25
[17919] 1482170475.951946: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.952023: Encoding request body and padata into FAST request
[17919] 1482170475.952068: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.952489: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.952708: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.958164: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.958397: Response was not from master KDC
[17919] 1482170475.958420: TGS request result: -1765328378/Client not found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.958448: Generated subkey for TGS request: rc4-hmac/D306
[17919] 1482170475.958464: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.958500: Encoding request body and padata into FAST request
[17919] 1482170475.958537: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.958782: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.958937: Sending initial UDP request to dgram 192.168.5.86:88
[17919] 1482170475.963625: Received answer (107 bytes) from dgram 192.168.5.86:88
[17919] 1482170475.963784: Response was not from master KDC
[17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database

But if I kinit with a real user, it works fine:

root@wrn-radtest:~# kinit brian

...

root@wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base
SASL/GSSAPI authentication started
SASL username: brian@AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=net> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
... etc

Any ideas what's going on, or where else I can look?

Aside: What I'm actually trying to do is to get freeradius to 
authenticate using a keytab in order to do LDAP queries, which I've had 
working with FreeIPA before and am now trying to replicate with Samba in 
a different environment.

Thanks,

Brian.

P.S. Here are the config files from the client machine:

--- /etc/krb5.conf ---

[libdefaults]
     default_realm = AD.EXAMPLE.NET
     dns_lookup_realm = false
     dns_lookup_kdc = true

# I added this but it didn't make a difference
[domain_realm]
     .ad.example.net = AD.EXAMPLE.NET

--- /etc/samba/smb.conf ---

[global]
        security = ADS
        workgroup = AD
        realm = AD.EXAMPLE.NET
        kerberos method = secrets and keytab

        log file = /var/log/samba/%m.log
        log level = 1

        username map = /etc/samba/user.map

        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

        idmap config AD : backend = rid
        idmap config AD : range = 100000-999999

        idmap config * : backend = autorid
        idmap config * : range = 1000000-9999999
        idmap config * : rangesize = 100000


The keytab itself looks OK to me:

root@wrn-radtest:~# net ads keytab list
Vno  Type                                        Principal
   2  des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
   2  des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
   2  des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
   2  des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET
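Added example, not code from Brian's post nor from Samba or MIT krb5: a small Python script that reads a KRB5_TRACE log like the one above together with `net ads keytab list` output, and reports which client principal libkrb5 actually used, whether that principal is present in the keytab, how many TGS attempts were made (referrals on, then off), and what the numeric KDC result decodes to. The embedded trace records and keytab rows are constructed from the post (records unwrapped onto one line each, listing abridged); ERROR_TABLE_BASE_krb5 and the KDC error number 6 are MIT krb5 / RFC 4120 constants. All function and variable names are the example's own.

```python
"""Offline triage of a KRB5_TRACE log against a `net ads keytab list` listing.

Added example for this thread (not code from the post, Samba or MIT krb5).
Inputs are constructed from the output quoted above: trace records unwrapped
onto single lines and the keytab listing abridged.
"""
import re
from collections import defaultdict

# MIT krb5 prints com_err codes: a KDC protocol error e appears as BASE + e.
# ERROR_TABLE_BASE_krb5 = -1765328384; RFC 4120 KDC_ERR_C_PRINCIPAL_UNKNOWN = 6,
# so -1765328378 in the trace is exactly "client principal unknown".
KRB5_ERROR_BASE = -1765328384
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6

TRACE_LINE = re.compile(r"^\[\d+\]\s+[\d.]+:\s+(?P<msg>.*)$")
GETCREDS = re.compile(r"^Getting credentials (?P<client>\S+) -> (?P<server>\S+) using ")
REQUEST = re.compile(r"^Requesting tickets for \S+, referrals (?P<ref>on|off)$")
TGS_RESULT = re.compile(r"^TGS request result: (?P<code>-?\d+)/(?P<text>.+)$")
KEYTAB_ROW = re.compile(r"^\s*\d+\s+(?P<etype>\S+)\s+(?P<principal>\S+)\s*$")


def parse_trace(lines):
    """Principals libkrb5 chose plus every TGS result, each tagged with the
    referral mode ("on"/"off") of the request that produced it."""
    info = {"client": None, "server": None, "tgs_results": []}
    pending_ref = None
    for raw in lines:
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # shell prompt, blank line or other non-record text
        msg = m.group("msg")
        g = GETCREDS.match(msg)
        if g:
            info["client"], info["server"] = g.group("client"), g.group("server")
            continue
        r = REQUEST.match(msg)
        if r:
            pending_ref = r.group("ref")
            continue
        t = TGS_RESULT.match(msg)
        if t:
            info["tgs_results"].append(
                {"referrals": pending_ref, "code": int(t.group("code")), "text": t.group("text")})
    return info


def parse_keytab_listing(text):
    """Group keytab rows as principal -> set of enctypes (the header row is skipped)."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            keys[m.group("principal")].add(m.group("etype"))
    return dict(keys)


def triage(trace_lines, keytab_text):
    """Combine both views into one finding dict."""
    trace = parse_trace(trace_lines)
    keytab = parse_keytab_listing(keytab_text)
    client = trace["client"]
    last = trace["tgs_results"][-1] if trace["tgs_results"] else None
    code = last["code"] if last else None
    protocol = code - KRB5_ERROR_BASE if code is not None else None
    return {
        "client": client,
        "server": trace["server"],
        "client_in_keytab": client in keytab,
        "client_enctypes": sorted(keytab.get(client, ())),
        "attempts": len(trace["tgs_results"]),
        "last_code": code,
        "last_text": last["text"] if last else None,
        "protocol_code": protocol,
        "kdc_rejects_client": protocol == KDC_ERR_C_PRINCIPAL_UNKNOWN,
    }


# Constructed sample (abridged from the post; each trace record on one line).
SAMPLE_TRACE = """\
[17919] 1482170475.951821: Getting credentials host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET -> ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET using ccache FILE:/tmp/krb5cc_0
[17919] 1482170475.951912: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.958420: TGS request result: -1765328378/Client not found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for ldap/wrn-dc1.ad.example.net@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database
""".splitlines()

SAMPLE_KEYTAB = """\
Vno  Type                                        Principal
   2  des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
"""

if __name__ == "__main__":
    f = triage(SAMPLE_TRACE, SAMPLE_KEYTAB)
    print("client principal used:", f["client"])
    print("service requested    :", f["server"])
    print("client in keytab     :", f["client_in_keytab"], f["client_enctypes"])
    print("TGS attempts         :", f["attempts"], "(referrals on, then off)")
    print("last KDC result      :", f["last_code"], "-> protocol error",
          f["protocol_code"], "(" + str(f["last_text"]) + ")")
    if f["kdc_rejects_client"] and f["client_in_keytab"]:
        print("=> key exists locally but the KDC does not recognise this client name;"
              " compare it with the names registered on the machine account")
```

For a live case, pass the lines of a real /tmp/trace.out to parse_trace and the captured `net ads keytab list` output to parse_keytab_listing; the script makes no network calls, so it can be run on a copy of the trace taken off the affected host. The point it makes explicit is that the keytab having a key for the principal says nothing about whether the KDC knows that name: the local lookups succeed (the TGT is found and used), and it is the KDC's own reply that carries the "client unknown" error.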
