[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Prunk Dump
prunkdump at gmail.com
Tue Jun 20 08:58:04 UTC 2017
Thanks for the help!!!
2017-06-19 23:58 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
>> Hello Samba team !
>>
>> I am in a very delicate situation. After an upgrade to debian Stretch
>> my DRS stopped working.
>
> Have you ever had MIT krb5 installed, or is krb5kdc now running?
>
> Samba doesn't use /etc/krb5.keytab, so this may be related to some
> previous install (or may be related to how you are trying to use NFS).
>
>
I have checked, MIT kerberos is not installed, just the "krb5-user"
kerberos client package.
>>
>> This seems to be a computer account problem. But I can't find any
>> problem in Kerberos:
>>
>>
>> --------------------------------
>> # kinit -k FICHDC$
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
>
> Can you do this against the secrets.keytab in Samba's private/ dir?
>
> You can reset the Samba machine account pw with
> ./source4/scripting/devel/chgtdcpass, but:
> - it won't be packaged so you will have to build Samba and tell it to
> operate against the right paths
> - it shouldn't be needed, upgrades shouldn't break this, and
> understanding the root cause would be better
>
> Does 'samba-tool time -P' work? Is it any different with 'samba-tool
> time -P -k no'? (It seems your issue is related primarily to kerberos
> and a keytab out of sync somehow).
>
Yes, you're right! I need to understand the root of the problem, as I
have some other DCs to upgrade in the same manner. And you're right:
authentication with the private keytab does not work. But strangely, it
works with /etc/krb5.keytab.
--------------------------------
--------------------------------
~# klist -e -k /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
~# kinit -V -k -t /var/lib/samba/private/secrets.keytab FICHDC$
Using default cache: /tmp/krb5cc_0
Using principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Using keytab: /var/lib/samba/private/secrets.keytab
kinit: Preauthentication failed while getting initial credentials
~# samba-tool time -P
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to
SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr'
failed: NT_STATUS_LOGON_FAILURE")
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py",
line 59, in run
self.outf.write(net.time(server_name)+"\n")
~# samba-tool time -P -k no
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
ERROR(runtime): uncaught exception - (-1073741715, "Connection to
SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr'
failed: NT_STATUS_LOGON_FAILURE")
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py",
line 59, in run
self.outf.write(net.time(server_name)+"\n")
~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
~# kinit -k -t /etc/krb5.keytab FICHDC$
--------------------------------
--------------------------------
I don't know what "KVNO" is. But in "/etc/krb5.keytab" there are
FICHDC$ principal entries with "1" and "2", while in
"/var/lib/samba/private/secrets.keytab" there is only "1".
And in the samba log file I have:
--------------------------------
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
--------------------------------
How is "/var/lib/samba/private/secrets.keytab" updated by samba?
Thank you very much for the help !
Baptiste.
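Added example, not from the thread or from the Samba project: a small Python check that reads the "Failed to find ...(kvno N) in keytab" line from the Samba log together with a `klist -e -k` listing and reports whether the keytab lags behind the key version the KDC expects, which is the mismatch visible above. The realm, the keytab listing and the log line are constructed samples shaped like the ones in the thread.

```python
import re

# Constructed sample of `klist -e -k` output (placeholder realm, not the poster's data).
KLIST_SAMPLE = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@EXAMPLE.REALM (arcfour-hmac)
   1 FICHDC$@EXAMPLE.REALM (arcfour-hmac)
   1 FICHDC$@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
"""

# Constructed sample log line with the same shape as the Samba log quoted in the thread.
LOG_SAMPLE = ("GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
              "Failed to find FICHDC$@EXAMPLE.REALM(kvno 2) in keytab "
              "FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)")

# One keytab entry: right-aligned KVNO, principal, enctype in parentheses.
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The kvno-mismatch error as Samba's krb5 GSS backend logs it.
LOG_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")

def parse_klist(text):
    """Map principal -> set of (kvno, enctype) from `klist -e -k` output."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return entries

def diagnose(log_line, klist_text):
    """Explain a kvno-mismatch log line against the keytab listing.
    Returns None when the line is not that error, else a dict describing the gap."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    principal, wanted, keytab, enctype = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    kvnos = sorted({k for k, _ in parse_klist(klist_text).get(principal, set())})
    return {
        "principal": principal,
        "keytab": keytab,
        "wanted_enctype": enctype,
        "wanted_kvno": wanted,
        "present_kvnos": kvnos,
        # True when the KDC holds a newer key version than any entry in the keytab,
        # i.e. the machine password changed but the keytab was never regenerated.
        "keytab_stale": wanted not in kvnos,
    }
```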