[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04

Jakub Kulesza jakkul+samba at gmail.com
Sun Apr 23 09:40:45 UTC 2017


OK, I've deleted everything that Rowland suggested. THANKS

Now smb.conf looks like this

[global]
workgroup = GPMV
realm = BIURO.domain
netbios name = PDC
server role = active directory domain controller
dns forwarder = 192.168.0.252
max open files = 57000

full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

log level = 1
tls enabled  = yes
tls keyfile  = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile   = /var/lib/samba/private/tls/ca.pem
tls verify peer = no_check
ldap server require strong auth = no
winbind enum groups = yes
winbind enum users = yes

[netlogon]
  path = /var/local/samba/var/lib/samba/netlogon
#path = /var/lib/samba/sysvol/biuro.domain/scripts
read only = No
guest ok = yes

The result is the same. Logging on to a win2008 with user jkadmin gives the
following:

Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3})
192.168.0.139: CLIENT_NOT_FOUND: jkadmin at biuro.domain.pl for krbtgt/
biuro.domain.pl at biuro.domain.pl, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?)
request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?)
request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135})
192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/
BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?)
request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135})
192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for LDAP/
pdc.biuro.domain.pl/biuro.domain.pl at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15

Funny thing, with ads testjoin:

# net ads testjoin -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=192.168.0.251 bcast=192.168.0.255
netmask=255.255.255.0
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
Connected to LDAP server pdc.biuro.gpm-vindexus.pl
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
kerberos_kinit_password GPMV at BIURO.GPM-VINDEXUS.PL failed: Decrypt
integrity check failed
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
resolve_hosts: Attempting host lookup for name pdc.biuro.gpm-vindexus.pl
<0x20>
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
Successfully contacted LDAP server 192.168.0.251
Connected to LDAP server pdc.biuro.gpm-vindexus.pl
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password GPMV at BIURO.GPM-VINDEXUS.PL failed: Decrypt
integrity check failed
Join to domain is not valid: Logon failure
return code = -1

2017-04-23 10:32 GMT+02:00 Rowland Penny <rpenny at samba.org>:

> On Sun, 23 Apr 2017 09:39:53 +0200
> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>
> > Hi!
> >
> > I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
> > stayed the same, but then some crazy miracles started to
> > happen. 4.3.11+dfsg-0ubuntu0.16.04.6
> >
>
> You haven't got a PDC, you have an AD DC
>
> Can I suggest you remove these lines:
>
>         security = auto
>         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, winreg, srvsvc
>         client use spnego = yes
>         map acl inherit = Yes
>         hosts allow = ALL
>         server signing = auto
>         raw NTLMv2 auth = yes
>         client ipc signing = auto
>         client ldap sasl wrapping = plain
>         idmap config GPMV : backend = ad
>         idmap config GPMV : range = 1000-9999999
>         map untrusted to domain = Yes
>         store dos attributes = yes
>         kerberos method = secrets and keytab
>         usershare max shares = 0
>         encrypt passwords = yes
>         password server = pdc.biuro.domain
>
> Change this :
>
> vfs objects = acl_xattr, full_audit
>
> To:
>
> vfs objects = full_audit
>
> But put it into a share!
>
> Also finally, there is this:
> server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind,
> ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
>
> I suggest you remove this as well because you have all the default
> settings and 'winbind' & 'winbindd'
>
> Rowland
>
>
>

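As an added diagnostic example (not part of the thread and not Samba code), the following Python parses krb5kdc lines of the shape quoted above and summarises what the KDC rejected, which realms appear versus the realm configured in smb.conf, and which requests offered no AES enctype. The sample lines are constructed from the quoted format, with `@` where the list archive prints ` at `; the expected realm passed in is an assumption.

```python
import re
from collections import Counter

# Shape of the failure lines krb5kdc writes to syslog (as quoted in the thread; real logs
# use "@" in principals where the list archive shows " at ").
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): "
    r"(?P<code>[A-Z_]+): (?P<client>.*?) for (?P<server>.*?), (?P<msg>[^,]*)$"
)
AES_ETYPES = {17, 18}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

def parse_kdc_line(line):
    """Return the fields of one KDC failure line, or None for other lines (e.g. 'closing down fd')."""
    m = KDC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "(6 etypes {18 17 23 24 -135 3})" -> [18, 17, 23, 24, -135, 3]; negatives are private etypes
    rec["etypes"] = [int(e) for e in re.findall(r"-?\d+", rec["etypes"].split("{", 1)[-1])]
    # TGS lines carry "authtime N, <client>"; keep only the principal part
    rec["client"] = re.sub(r"^authtime \d+,\s*", "", rec["client"])
    rec["client_realm"] = rec["client"].rsplit("@", 1)[1] if "@" in rec["client"] else None
    rec["server_realm"] = rec["server"].rsplit("@", 1)[1] if "@" in rec["server"] else None
    return rec

def summarize_kdc_log(lines, expected_realm):
    """Count failures per (code, message), list realms that differ from the configured one
    (Kerberos realms are case-sensitive, so the comparison is exact) and note requests
    whose offered enctypes contain no AES type."""
    failures, mismatched, no_aes, clients = Counter(), set(), set(), set()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        clients.add(rec["ip"])
        failures[(rec["code"], rec["msg"])] += 1
        for realm in (rec["client_realm"], rec["server_realm"]):
            if realm is not None and realm != expected_realm:
                mismatched.add(realm)
        if not AES_ETYPES & set(rec["etypes"]):
            no_aes.add(rec["client"])
    return {"failures": dict(failures), "clients": sorted(clients),
            "realm_mismatch": sorted(mismatched), "no_aes_clients": sorted(no_aes)}

# Constructed sample, following the lines quoted in the thread (joined, "@" restored).
SAMPLE_LOG = """\
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: jkadmin@biuro.domain.pl for krbtgt/biuro.domain.pl@biuro.domain.pl, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for krbtgt/BIURO.domain.PL@BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/BIURO.domain.PL@BIURO.domain.PL, Client not found in Kerberos database
""".splitlines()

if __name__ == "__main__":
    print(summarize_kdc_log(SAMPLE_LOG, "BIURO.domain.PL"))  # assumed configured realm
```

Run it against `journalctl -u samba-ad-dc` or `/var/log/syslog` output to see at a glance whether clients, realm spelling, or offered enctypes are behind the rejections.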
