[Samba] Password change error when using msktutil to set up service keytab
Robert Marcano
robert at marcanoonline.com
Thu Jan 18 15:28:18 UTC 2018
When using msktutil to set up a keytab for Squid Kerberos
authentication, it stops with the error: Error: Unable to set machine
password for FIREWALL-K$: (2) Server error
This is the output of the msktutil command:
##########################################################
# msktutil -f -b "CN=COMPUTERS" -s HTTP/firewall.example.com -k
/etc/squid/squid.keytab --computer-name FIREWALL-K --upn HTTP/
firewall.example.com --server dc.example.com --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the
computer account
-- generate_new_password: Characters read from /dev/udandom = 87
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-gjU224
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: FIREWALL-K$
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: dc.example.com try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc.example.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: admin at example.com
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=COM
-- ldap_check_account: Checking that a computer account for FIREWALL-K$
exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x11000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = firewall.example.com
-- ldap_check_account: Found User Principal: HTTP/firewall.example.com
-- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
userPrincipalName to HTTP/firewall.example.com at EXAMPLE.COM
-- ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed
0x11000
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x10000 to 0x1
-- ldap_set_userAccountControl_flag: userAccountControl not changed
0x11000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 131607622799660050
Error: Unable to set machine password for FIREWALL-K$: (2) Server error
Error: set_password failed
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
##########################################################
And this is written to log.samba:
##########################################################
[2018/01/18 15:18:51.613525, 0]
../source4/kdc/kpasswd-service.c:244(kpasswd_process)
kpasswd_process: gensec_unwrap failed - NT_STATUS_ACCESS_DENIED
##########################################################
Everything is run within "kinit administrator". For some reason, changing
the machine account password is failing with NT_STATUS_ACCESS_DENIED. Any
help is appreciated.
Running Samba Version 4.7.4.
--
Robert Marcano
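Added example (not part of the post, of msktutil or of Samba): the verbose output above reports the computer account's userAccountControl, msDS-supportedEncryptionTypes and pwdLastSet as raw numbers. The script below parses those lines out of the msktutil output and decodes them (flag names per MS-ADTS / MS-KILE, FILETIME converted to UTC), so the account state can be checked before the password reset is retried. The sample input is the post's own output; the parser's line patterns and the flag subset it knows are assumptions.

```python
"""Decode the AD computer-account attributes that msktutil --verbose prints.

Example added to illustrate the post above; not code from the post or from
msktutil/Samba. Flag names follow MS-ADTS 2.2.16 (userAccountControl) and
MS-KILE 2.2.7 (msDS-SupportedEncryptionTypes); only a common subset is listed.
"""
import re
from datetime import datetime, timedelta, timezone

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Windows FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Line patterns assumed from the msktutil output quoted in the post.
_RE_UAC = re.compile(r"Found userAccountControl = (0x[0-9a-fA-F]+|\d+)")
_RE_ENC = re.compile(r"Found supportedEncryptionTypes = (\d+)")
_RE_PLS = re.compile(r"pwdLastSet is (\d+)")

# Constructed sample: the relevant lines from the post's msktutil output.
SAMPLE_OUTPUT = """\
-- ldap_check_account: Found userAccountControl = 0x11000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = firewall.example.com
-- ldap_get_pwdLastSet: pwdLastSet is 131607622799660050
Error: Unable to set machine password for FIREWALL-K$: (2) Server error
"""


def decode_flags(value, table):
    """Names of the set bits, lowest bit first; unknown bits are reported, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_msktutil_output(text):
    """Extract and decode the account attributes from msktutil --verbose output."""
    uac = _RE_UAC.search(text)
    enc = _RE_ENC.search(text)
    pls = _RE_PLS.search(text)
    if not (uac and enc and pls):
        raise ValueError("expected attribute lines not found in output")
    pwd_last_set = int(pls.group(1))
    return {
        "userAccountControl": decode_flags(int(uac.group(1), 0), UAC_FLAGS),
        "supportedEncryptionTypes": decode_flags(int(enc.group(1)), ENCTYPE_FLAGS),
        # pwdLastSet of 0 would mean the password was never set / must change.
        "pwdLastSet": filetime_to_datetime(pwd_last_set) if pwd_last_set else None,
    }


if __name__ == "__main__":
    for key, val in parse_msktutil_output(SAMPLE_OUTPUT).items():
        print("%-26s %s" % (key, val))
```

For the values in the post this reports a workstation trust account with a non-expiring password, RC4 plus AES128/AES256 enabled, and a pwdLastSet of 2018-01-18 15:17:59 UTC, less than a minute before the kpasswd failure logged by Samba; comparing those two timestamps is a quick way to tell whether an earlier run had already reset the password.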