[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
L.P.H. van Belle
belle at bazuin.nl
Tue Jun 20 09:13:25 UTC 2017
Hai Baptiste,
What you can try:
Type:
ktutil (enter)
rkt /etc/krb5.keytab
rkt /var/lib/samba/private/krb5.keytab
list
Now check if you see:
host/server.internal.domain.tld@REALM
host/server@REALM
(the same (both) for nfs/..@REALM)
And
NETBIOSNAME$@REALM
If you see all, you can write this back to a new file.
wkt /etc/krb5.keytab.new1
And if needed you can also cleanup the keytab file before writing.
Now choose one of:
dedicated keytab file = /etc/krb5.keytab
Or use the samba default in /var/lib/samba/private/krb5.keytab
In case of the samba default:
rm /etc/krb5.keytab
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Some extra info on the keytab things.
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction
Greetz,
Louis
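As an added example (not code from the Samba project or from anyone in this thread), the script below automates the two checks this exchange turns on: Louis's checklist of principals a DC keytab should carry (host/fqdn, host/short, NETBIOSNAME$, plus nfs/ where NFS is served) and Baptiste's observation, in the listings quoted below, that /etc/krb5.keytab holds KVNO 1 and 2 for FICHDC$ while secrets.keytab only holds KVNO 1. It parses the text printed by MIT `klist -e -k FILE`; the sample input is trimmed from the two listings quoted in the thread, and the hostname, realm and the hypothetical file names given on the command line are assumptions.

```python
"""Audit two `klist -e -k` listings for the keytab problem seen in this thread.

Added example, not code from the Samba project or from anyone in the thread.
It parses the text that MIT `klist -e -k FILE` prints (a KVNO column, the
principal, the enctype in parentheses), then reports which principals from
Louis's checklist are missing and which principals lag behind the KVNO that
another keytab already holds (the "kvno 2" not found error Baptiste pasted).
Usage: python3 audit_keytabs.py secrets.txt etc.txt   (saved klist output)
       python3 audit_keytabs.py                       (runs on the sample below)
"""
import re
import sys
from collections import defaultdict

# One klist entry: "   1 FICHDC$@REALM (arcfour-hmac)". Header lines
# ("Keytab name:", "KVNO Principal", the dashes) do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# Sample input, trimmed from the two listings quoted in the thread.
SECRETS_KEYTAB = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
"""

ETC_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from klist -e -k output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            keys[m.group(2)][int(m.group(1))].add(m.group(3))
    return keys


def missing_principals(keys, hostname, fqdn, netbios, realm, services=("host",)):
    """Principals from Louis's checklist (NETBIOS$, service/fqdn, service/short)
    that are absent. Compared case-insensitively, because the Samba keytab in
    the thread spells HOST/ in upper case while the checklist uses host/."""
    wanted = [f"{netbios}$@{realm}"]
    for svc in services:
        wanted += [f"{svc}/{fqdn}@{realm}", f"{svc}/{hostname}@{realm}"]
    have = {p.lower() for p in keys}
    return [p for p in wanted if p.lower() not in have]


def stale_principals(keys, reference):
    """[(principal, highest_kvno_here, highest_kvno_in_reference)] for every
    principal whose keys here are older than what the reference keytab holds.
    This is the symptom behind 'Preauthentication failed' and the
    'Failed to find ...(kvno 2) in keytab' log line quoted in the thread."""
    ref = {p.lower(): by_kvno for p, by_kvno in reference.items()}
    stale = []
    for principal, by_kvno in keys.items():
        other = ref.get(principal.lower())
        if other is not None and max(by_kvno) < max(other):
            stale.append((principal, max(by_kvno), max(other)))
    return stale


def audit(secrets_text, etc_text, hostname, fqdn, netbios, realm):
    secrets, etc = parse_klist(secrets_text), parse_klist(etc_text)
    return {
        # The DC keytab in the thread carries host/ entries and the machine account.
        "missing_in_secrets": missing_principals(secrets, hostname, fqdn, netbios, realm),
        # The system keytab in the thread is also used for NFS (nfs/...).
        "missing_in_etc": missing_principals(etc, hostname, fqdn, netbios, realm, ("host", "nfs")),
        "stale_in_secrets": stale_principals(secrets, etc),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # hypothetical files holding saved klist output
        secrets_text, etc_text = (open(p).read() for p in sys.argv[1:3])
    else:
        secrets_text, etc_text = SECRETS_KEYTAB, ETC_KEYTAB
    report = audit(secrets_text, etc_text, "fichdc",
                   "fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr",
                   "FICHDC", "NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR")
    for key, value in report.items():
        print(f"{key}: {value if value else 'OK'}")
```

On the thread's data the script reports that secrets.keytab has every principal from the checklist but is stale for FICHDC$ (KVNO 1 where /etc/krb5.keytab already has KVNO 2), and that /etc/krb5.keytab lacks the host/ principals. That matches the error in the Samba log; it does not say why the two keytabs diverged, which is the root cause Andrew asks Baptiste to find before resetting the machine account password.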
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Prunk Dump via samba
> Sent: Tuesday 20 June 2017 10:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from
> debian Jessie to Stretch
>
> Thanks for the help!!!
>
> 2017-06-19 23:58 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
> >> Hello Samba team!
> >>
> >> I am in a very delicate situation. After an upgrade to
> >> debian Stretch my DRS stopped working.
> >
> > Have you ever had MIT krb5 installed, or is krb5kdc now running?
> >
> > Samba doesn't use /etc/krb5.keytab, so this may be related to some
> > previous install (or may be related to how you are trying to use NFS).
> >
> >
>
> I have checked, MIT kerberos is not installed, just the "krb5-user"
> kerberos client package.
>
> >>
> >> This seems to be a computer account problem. But I can't find any
> >> problem in Kerberos:
> >>
> >>
> >> --------------------------------
> >> # kinit -k FICHDC$
> >> # klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> >
> > Can you do this against the secrets.keytab in Samba's private/ dir?
> >
> > You can reset the Samba machine account pw with
> > ./source4/scripting/devel/chgtdcpass, but:
> > - it won't be packaged so you will have to build Samba and
> >   tell it to operate against the right paths
> > - it shouldn't be needed, upgrades shouldn't break this, and
> >   understanding the root cause would be better
> >
> > Does 'samba-tool time -P' work? Is it any different with
> > 'samba-tool time -P -k no'? (It seems your issue is related
> > primarily to kerberos and a keytab out of sync somehow).
> >
>
> Yes, you're right! I need to understand the root of the
> problem as I have some other DCs to upgrade in the same manner.
> And you're right, authentication with the private keytab does
> not work. But strangely it works with /etc/krb5.keytab.
>
> --------------------------------
> --------------------------------
> ~# klist -e -k /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>    1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>
>
> ~# kinit -V -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> Using default cache: /tmp/krb5cc_0
> Using principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> Using keytab: /var/lib/samba/private/secrets.keytab
> kinit: Preauthentication failed while getting initial credentials
>
> ~# samba-tool time -P
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
>
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
>     self.outf.write(net.time(server_name)+"\n")
>
> ~# samba-tool time -P -k no
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
>     self.outf.write(net.time(server_name)+"\n")
>
> ~# klist -e -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>
> ~# kinit -k -t /etc/krb5.keytab FICHDC$
>
> --------------------------------
> --------------------------------
>
> I don't know what "KVNO" is. But in "/etc/krb5.keytab"
> there are "1" and "2" FICHDC$ principal entries. But in
> "/var/lib/samba/private/secrets.keytab" there is only "1".
>
> And in the samba log file I have:
>
> --------------------------------
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> --------------------------------
>
> How is "/var/lib/samba/private/secrets.keytab" updated by samba?
>
> Thank you very much for the help!
>
> Baptiste.
>