[Samba] samba creating keytabs... ( possible bug, can someone confirm this )
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 1 13:44:07 UTC 2017
Hai,
I noticed something strange in the keytab file on my member server.
This is a follow-up of: [Samba] winbind question. (challenge/response password authentication)
Samba 4.5.3 on Debian Jessie.
Leave the domain.
net ads leave -k
Deleted account for 'PROXY2' in realm 'REALM'
I checked in Windows, and the computer is gone from the "Computer" OU.
Removed the keytab file.
rm krb5.keytab
net ads join -k
Using short domain name -- NTDOM
Joined 'PROXY2' to dns domain 'internal.domain.tld'
Check the new keytab (created at join):
klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (des-cbc-crc)
2 02/01/2017 14:01:34 host/PROXY2 at REALM (des-cbc-crc)
2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 02/01/2017 14:01:34 host/PROXY2 at REALM (des-cbc-md5)
2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:01:34 host/PROXY2 at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:01:34 host/PROXY2 at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 02/01/2017 14:01:34 host/PROXY2 at REALM (arcfour-hmac)
2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-crc)
2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-md5)
2 02/01/2017 14:01:34 PROXY2$@REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:01:34 PROXY2$@REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:01:34 PROXY2$@REALM (arcfour-hmac)
So far so good.
I logged in on the DC with the FSMO roles.
Created the needed nfs entries:
samba-tool spn add nfs/proxy2 proxy2$
samba-tool spn add nfs/proxy2.internal.domain.tld proxy2$
Back to the member.
Backed up the original keytab file.
mv krb5.keytab krb5.keytab-1
Create a new keytab file:
net ads keytab create -k
klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld at REALM (des-cbc-crc)
2 02/01/2017 14:06:56 host/PROXY2 at REALM (des-cbc-crc)
2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 02/01/2017 14:06:56 host/PROXY2 at REALM (des-cbc-md5)
2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 host/PROXY2 at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 host/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 host/PROXY2 at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 host/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 02/01/2017 14:06:57 host/PROXY2 at REALM (arcfour-hmac)
2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld at REALM (des-cbc-crc)
2 02/01/2017 14:06:57 nfs/PROXY2 at REALM (des-cbc-crc)
2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 02/01/2017 14:06:57 nfs/PROXY2 at REALM (des-cbc-md5)
2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 nfs/PROXY2 at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 nfs/PROXY2 at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 02/01/2017 14:06:57 nfs/PROXY2 at REALM (arcfour-hmac)
2 02/01/2017 14:06:57 PROXY2$@REALM (des-cbc-crc)
2 02/01/2017 14:06:57 PROXY2$@REALM (des-cbc-md5)
2 02/01/2017 14:06:57 PROXY2$@REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 PROXY2$@REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:06:57 PROXY2$@REALM (arcfour-hmac)
All looks ok...
Now the (not) funny part.
(On the DC)
samba-tool spn add HTTP/proxy2 proxy2$
samba-tool spn add HTTP/proxy2.internal.domain.tld proxy2$
Backed up the keytab file again
(on the member)
mv krb5.keytab krb5.keytab-2
net ads keytab create -k
klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld at REALM (des-cbc-crc)
2 02/01/2017 14:09:27 host/PROXY2 at REALM (des-cbc-crc)
2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 02/01/2017 14:09:27 host/PROXY2 at REALM (des-cbc-md5)
2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 host/PROXY2 at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 host/PROXY2 at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 02/01/2017 14:09:27 host/PROXY2 at REALM (arcfour-hmac)
2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld at REALM (des-cbc-crc)
2 02/01/2017 14:09:27 nfs/PROXY2 at REALM (des-cbc-crc)
2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 02/01/2017 14:09:27 nfs/PROXY2 at REALM (des-cbc-md5)
2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 nfs/PROXY2 at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 nfs/PROXY2 at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 02/01/2017 14:09:27 nfs/PROXY2 at REALM (arcfour-hmac)
2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld at REALM (des-cbc-crc)
2 02/01/2017 14:09:28 http/PROXY2 at REALM (des-cbc-crc)
2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 02/01/2017 14:09:28 http/PROXY2 at REALM (des-cbc-md5)
2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:28 http/PROXY2 at REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:28 http/PROXY2 at REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 02/01/2017 14:09:28 http/PROXY2 at REALM (arcfour-hmac)
2 02/01/2017 14:09:28 PROXY2$@REALM (des-cbc-crc)
2 02/01/2017 14:09:28 PROXY2$@REALM (des-cbc-md5)
2 02/01/2017 14:09:28 PROXY2$@REALM (aes128-cts-hmac-sha1-96)
2 02/01/2017 14:09:28 PROXY2$@REALM (aes256-cts-hmac-sha1-96)
2 02/01/2017 14:09:28 PROXY2$@REALM (arcfour-hmac)
Now why is the HTTP now http? Some SPNs need caps, some not.
Squid needs HTTP/, not http.. :-(
When I now check in Windows, in the user manager, go to the computer
(OU=Computers), on the Attribute Editor tab, in the Attributes list,
select servicePrincipalName, and then click Edit,
I see here:
HOST/PROXY2
HOST/proxy2.internal.domain.tld
http/proxy2
HTTP/PROXY2
http/proxy2.internal.domain.tld
HTTP/proxy2.internal.domain.tld
nfs/proxy2
nfs/proxy2.internal.domain.tld
Now why is there an http and an HTTP, while this didn't happen with the nfs SPN?
And why is HOST in caps in the servicePrincipalName in Windows, but not in the keytab?
Can someone confirm this? This makes it all very unpredictable.
I'm running Samba 4.5.3.
Now I remove the faulty keytab again.
Removed the faulty entries http/.., so only HTTP/ is in Windows under servicePrincipalName.
Created the keytab file,
and same result, only lower-cased http/ :-(
Exporting on the DC:
samba-tool domain exportkeytab --principal=HTTP/proxy2.internal.domain.tld /root/keytabs/proxy2.keytab-new
klist -ke /root/keytabs/proxy2.keytab-new
Keytab name: FILE:/root/keytabs/proxy2.keytab-new
KVNO Principal
---- --------------------------------------------------------------------------
2 HTTP/proxy2.internal.domain.tld at REALM (arcfour-hmac)
2 HTTP/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)
2 HTTP/proxy2.internal.domain.tld at REALM (aes128-cts-hmac-sha1-96)
2 HTTP/proxy2.internal.domain.tld at REALM (des-cbc-md5)
2 HTTP/proxy2.internal.domain.tld at REALM (des-cbc-crc)
which looks correct to me.
Did we find a real bug here?
Greetz,
Louis
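An added check script (not from the post or the Samba project) for the situation Louis describes: MIT Kerberos compares principal names case-sensitively, so a service that asks for HTTP/... will not find an http/... key. The script parses `klist -ket` output, flags keytab principals that differ from the AD servicePrincipalName values only by case, reports required principals that are absent, and lists keys in weak enctypes (DES, RC4). The sample output and SPN list are constructed after the post, with "@" in place of the archive's "at".

```python
import re

# Constructed sample of `klist -ket` output, modelled on the post (not verbatim).
KLIST_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 02/01/2017 14:09:28 PROXY2$@REALM (arcfour-hmac)
"""

# Constructed servicePrincipalName values, as the post shows them in the
# AD Attribute Editor after the lower-cased http/ entries were removed.
AD_SPNS = ["HOST/PROXY2", "HOST/proxy2.internal.domain.tld",
           "HTTP/proxy2.internal.domain.tld", "nfs/proxy2.internal.domain.tld"]

# Enctypes a defender would not want to keep in a keytab.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One `klist -ket` row: KVNO, date, time, principal@REALM, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples from `klist -ket` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4), m.group(5)))
    return entries


def check_keytab(entries, ad_spns, required):
    """Compare keytab service principals (those with a '/') against the AD SPNs.

    Returns (case_mismatches, missing, weak): principals that match an AD SPN
    only case-insensitively, required principals absent from the keytab, and
    (principal, enctype) pairs using a weak enctype.
    """
    keytab_names = {p for _, p, _, _ in entries if "/" in p}
    lowered_spns = {s.lower() for s in ad_spns}
    case_mismatches = sorted(p for p in keytab_names
                             if p not in ad_spns and p.lower() in lowered_spns)
    missing = sorted(r for r in required if r not in keytab_names)
    weak = sorted({(p, e) for _, p, _, e in entries if e in WEAK_ENCTYPES})
    return case_mismatches, missing, weak
```

Feed it real `klist -ket` output and the SPN list from the computer object; a non-empty `missing` list for HTTP/... is exactly the condition under which Squid's GSSAPI lookup fails.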