[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04

Jakub Kulesza jakkul+samba at gmail.com
Sun Apr 23 07:39:53 UTC 2017


Hi!

I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
stayed the same, but then some crazy miracles started to
happen. 4.3.11+dfsg-0ubuntu0.16.04.6

I cannot log in now with my Windows machines, yet I can view the files on
Linux using smbclient.

My smb.conf
[global]
        workgroup = Gsomething
        realm = BIURO.domain
        netbios name = PDC
        security = auto
        server role = active directory domain controller
        dns forwarder = 192.168.0.252
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, winreg, srvsvc
        server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind,
ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
        client use spnego = yes
        map acl inherit = Yes
        hosts allow = ALL
        max open files = 57000

        vfs objects = acl_xattr, full_audit

        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = NOTICE

        log level = 1
tls enabled  = yes
tls keyfile  = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile   = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
server signing = auto
ldap server require strong auth = no
raw NTLMv2 auth = yes
client ipc signing = auto
client ldap sasl wrapping = plain

idmap config GPMV : backend = ad
idmap config GPMV : range = 1000-9999999
map untrusted to domain = Yes
winbind enum groups = yes
winbind enum users = yes

store dos attributes = yes

kerberos method = secrets and keytab
usershare max shares = 0

encrypt passwords = yes
password server = pdc.biuro.domain

[netlogon]
        path = /var/local/samba/var/lib/samba/netlogon
        read only = No

(and then come the shares)

My krb5.conf:

[logging]
        default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = BIURO.domain
dns_lookup_realm = false
dns_lookup_kdc = true
default_keytab_name = /etc/krb5.keytab
allow_weak_crypto = true

[realms]
BIURO.domain = {
kdc = pdc.biuro.domain
admin_server = pdc.biuro.domain
}

this is what kerberos throws in auth.log when I try to log in with a
win2008 client:

Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31
Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3})
192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client
not found in Kerberos database
Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for
krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
krbtgt/BIURO.domain at BIURO.domain, Client not found in Kerberos database
Apr 23 09:17:56 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for
krbtgt/BIURO.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for
krbtgt/BIURO.domain at BIURO.domain Client not found in Kerberos database
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15
Apr 23 09:17:57 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for
LDAP/pdc.biuro.domain/biuro.domain at BIURO.domain, Bad encryption type
Apr 23 09:17:57 pdc krb5kdc[643]: closing down fd 15

samba does not log anything funny, apart from winbind exiting with "1". I
guess this is due to the fact that I have winbind in server services.

wbinfo -u works
getent passwd works

kinit Administrator FAILS
kinit: Client 'Administrator at BIURO.domain' not found in Kerberos database
while getting initial credentials

kinit admin/admin succeeds

any suggestions?

shouldn't I have kdc in server services?
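The krb5kdc lines quoted above can be triaged mechanically; this is an added example, not code from the post. It parses the log shape shown (undoing the list archive's rewriting of "@" as " at "), and separates a client that asked for krbtgt under the NetBIOS name (qubix at GPMV) from a principal genuinely absent from the KDC database and from the "Bad encryption type" rejections; the sample lines are the post's own, re-joined, and etype names are the standard registry values.

```python
import re

# Standard etype numbers (RFC 3961/4120); negative values are vendor-private.
ETYPE_NAMES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp", 3: "des-cbc-md5"}
# krb5kdc line shape as quoted in the post; the list archive prints "@" as " at ".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]: "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<code>\w+): (?:authtime \d+,\s+)?"
    r"(?P<client>.+?) for (?P<service>[^\s,]+(?: at [^\s,]+)?),?\s+(?P<msg>.*)$")

def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    for key in ("client", "service"):  # undo the archive's "@" rewriting
        rec[key] = rec[key].replace(" at ", "@")
    return rec

def triage(lines, configured_realm):
    """Classify KDC failures as (ip, request, kind, principal, etypes offered)."""
    findings = []
    for rec in filter(None, map(parse_kdc_line, lines)):
        offered = [ETYPE_NAMES.get(e, f"private({e})") for e in rec["etypes"]]
        if rec["code"] == "CLIENT_NOT_FOUND":
            realm = rec["client"].rpartition("@")[2]
            # krbtgt asked for under the NetBIOS name is not a missing-principal problem
            kind = ("unknown-principal" if realm.upper() == configured_realm.upper()
                    else "realm-mismatch")
            findings.append((rec["ip"], rec["req"], kind, rec["client"], offered))
        elif "Bad encryption type" in rec["msg"]:
            findings.append((rec["ip"], rec["req"], "etype-mismatch", rec["service"], offered))
    return findings

# Constructed sample: three of the post's lines, unwrapped onto one line each.
SAMPLE_LOG = [
    "Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3}) "
    "192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, "
    "Client not found in Kerberos database",
    "Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135}) "
    "192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for "
    "krbtgt/BIURO.domain at BIURO.domain, Bad encryption type",
    "Apr 23 09:17:56 pdc krb5kdc[643]: AS_REQ (5 etypes {23 -133 -128 24 -135}) "
    "192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain for "
    "krbtgt/BIURO.domain at BIURO.domain, Client not found in Kerberos database",
]
```

Running `triage(SAMPLE_LOG, "BIURO.domain")` yields one realm-mismatch, one etype-mismatch and one unknown-principal finding, all from 192.168.0.139.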

