[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
Jakub Kulesza
jakkul+samba at gmail.com
Sun Apr 23 07:39:53 UTC 2017
Hi!
I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
stayed the same (4.3.11+dfsg-0ubuntu0.16.04.6), but then some crazy miracles
started to happen.
I cannot log in now with my Windows machines, yet I can view the files on
Linux using smbclient.
My smb.conf
[global]
workgroup = Gsomething
realm = BIURO.domain
netbios name = PDC
security = auto
server role = active directory domain controller
dns forwarder = 192.168.0.252
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
client use spnego = yes
map acl inherit = Yes
hosts allow = ALL
max open files = 57000
vfs objects = acl_xattr, full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
log level = 1
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
server signing = auto
ldap server require strong auth = no
raw NTLMv2 auth = yes
client ipc signing = auto
client ldap sasl wrapping = plain
idmap config GPMV : backend = ad
idmap config GPMV : range = 1000-9999999
map untrusted to domain = Yes
winbind enum groups = yes
winbind enum users = yes
store dos attributes = yes
kerberos method = secrets and keytab
usershare max shares = 0
encrypt passwords = yes
password server = pdc.biuro.domain
[netlogon]
path = /var/local/samba/var/lib/samba/netlogon
read only = No
(and then come the shares)
My krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = BIURO.domain
dns_lookup_realm = false
dns_lookup_kdc = true
default_keytab_name = /etc/krb5.keytab
allow_weak_crypto = true
[realms]
BIURO.domain = {
kdc = pdc.biuro.domain
admin_server = pdc.biuro.domain
}
this is what kerberos throws in auth.log when I try to log in with a
win2008 client:
Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3})
192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client
not found in Kerberos database
Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
krbtgt/BIURO.domain at BIURO.domain, Client not found in Kerberos database
Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
krbtgt/BIURO.domain at BIURO.domain Client not found in Kerberos database
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for
LDAP/pdc.biuro.domain/biuro.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
samba does not log anything funny, apart from winbind exiting with "1". I
guess this is due to the fact that I have winbind in server services.
wbinfo -u works
getent passwd works
kinit Administrator FAILS
kinit: Client 'Administrator at BIURO.domain' not found in Kerberos database
while getting initial credentials
kinit admin/admin succeeds
any suggestions?
shouldn't I have kdc in server services?
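Added example, not part of the post above and not Samba's own tooling: a small Python parser for MIT-style krb5kdc request lines like the ones quoted in the message. The sample records are constructed to mirror that excerpt, rejoined onto one line each with the archive's " at " obfuscation restored to "@". It groups the failures by status and reason, notes which encryption types each request offered (the first AS_REQ offers etype 3, single DES, and the krb5.conf quoted above sets allow_weak_crypto = true), and records which daemon wrote the lines: "krb5kdc" and "kadmind" are the MIT Kerberos daemon names, whereas a Samba AD DC serves Kerberos from its own built-in KDC, so a defender reviewing such a log would want that fact surfaced.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records mirroring the auth.log excerpt in the post,
# each rejoined onto one line (the archive wrapped them and rewrote "@"
# as " at "). Host names and addresses are the post's own.
SAMPLE_LOG = """\
Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: qubix@GPMV for krbtgt/GPMV@GPMV, Client not found in Kerberos database
Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain@BIURO.domain, Bad encryption type
Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for krbtgt/BIURO.domain@BIURO.domain, Client not found in Kerberos database
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for LDAP/pdc.biuro.domain/biuro.domain@BIURO.domain, Bad encryption type
"""

# Process names used by MIT Kerberos; a Samba AD DC logs its KDC activity
# under samba's own process instead.
EXTERNAL_KDC_PROCS = {"krb5kdc", "kadmind"}

# Standard etype numbers that are considered weak (RFC 4757 RC4, DES).
# Negative numbers are Microsoft private etypes and are left unnamed here.
DES_ETYPES = {1, 3}
RC4_ETYPES = {23, 24}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z0-9_-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KDC_RE = re.compile(
    r"^(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# "<client> for <server>, <reason>"; TGS lines carry an "authtime N, " prefix.
DETAIL_RE = re.compile(
    r"^(?:authtime \d+, )?(?P<client>.+?) for (?P<server>\S+?)(?:,? (?P<reason>.*))?$"
)


@dataclass
class KdcEvent:
    timestamp: str
    process: str
    request: str            # AS_REQ or TGS_REQ
    etypes: List[int]       # encryption types offered by the client
    client_ip: str
    status: str             # e.g. CLIENT_NOT_FOUND, PROCESS_TGS, ISSUE
    client: str
    server: str
    reason: Optional[str]   # trailing error text, None on success


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Return one KdcEvent per AS_REQ/TGS_REQ line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        sys_m = SYSLOG_RE.match(line)
        if not sys_m:
            continue
        kdc_m = KDC_RE.match(sys_m["msg"])
        if not kdc_m:
            continue
        det_m = DETAIL_RE.match(kdc_m["detail"])
        client, server, reason = ("?", "?", kdc_m["detail"])
        if det_m:
            client, server, reason = det_m["client"], det_m["server"], det_m["reason"]
        events.append(KdcEvent(
            timestamp=sys_m["ts"], process=sys_m["proc"], request=kdc_m["req"],
            etypes=[int(x) for x in kdc_m["etypes"].split()],
            client_ip=kdc_m["ip"], status=kdc_m["status"],
            client=client, server=server, reason=reason,
        ))
    return events


def summarize(events: List[KdcEvent]) -> dict:
    """Aggregate failures, client addresses, weak etype offers and KDC daemons."""
    failures = Counter()
    clients, des, rc4 = set(), 0, 0
    for ev in events:
        clients.add(ev.client_ip)
        if ev.reason:
            failures[(ev.status, ev.reason)] += 1
        offered = set(ev.etypes)
        des += bool(offered & DES_ETYPES)
        rc4 += bool(offered & RC4_ETYPES)
    return {
        "requests": len(events),
        "client_ips": sorted(clients),
        "failures": dict(failures),
        "requests_offering_des": des,
        "requests_offering_rc4": rc4,
        "external_kdc_processes": sorted(
            {ev.process for ev in events if ev.process in EXTERNAL_KDC_PROCS}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_kdc_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The parser keeps the principal names and the reason text separate so that the two distinct symptoms in the excerpt (CLIENT_NOT_FOUND for both a user and a machine account, and "Bad encryption type" on every TGS_REQ) show up as separate counters, and the "external_kdc_processes" entry makes the writing daemon explicit for anyone comparing the log against the server role configured in smb.conf.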