[Samba] Password change error when using msktutil to setup service keytab

Robert Marcano robert at marcanoonline.com
Thu Jan 18 15:28:18 UTC 2018


When using msktutil in order to set up a keytab for Squid Kerberos
authentication, it stops with an error: Error: Unable to set machine
password for FIREWALL-K$: (2) Server error

This is the output of the msktutil command:

##########################################################
# msktutil -f -b "CN=COMPUTERS" -s HTTP/firewall.example.com -k
/etc/squid/squid.keytab --computer-name FIREWALL-K --upn HTTP/
firewall.example.com --server dc.example.com --verbose

 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 87
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-gjU224
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: FIREWALL-K$
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: dc.example.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server: dc.example.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: admin at example.com
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=COM
 -- ldap_check_account: Checking that a computer account for FIREWALL-K$
exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x11000

 -- ldap_check_account: Found supportedEncryptionTypes = 28

 -- ldap_check_account: Found dNSHostName = firewall.example.com

 -- ldap_check_account:   Found User Principal: HTTP/firewall.example.com
 -- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
userPrincipalName to HTTP/firewall.example.com at EXAMPLE.COM
 -- ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28

 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed
0x11000

 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x10000 to 0x1
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed
0x11000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 131607622799660050
Error: Unable to set machine password for FIREWALL-K$: (2) Server error
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context
##########################################################

And this is written in log.samba:

##########################################################
[2018/01/18 15:18:51.613525,  0]
../source4/kdc/kpasswd-service.c:244(kpasswd_process)
  kpasswd_process: gensec_unwrap failed - NT_STATUS_ACCESS_DENIED
##########################################################

Everything is run within "kinit administrator". For some reason, changing
the machine account password is failing with NT_STATUS_ACCESS_DENIED. Any
help is appreciated.

Running Samba Version 4.7.4.

-- 
Robert Marcano
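To check what the account state shown in the verbose output actually means, here is an added example (not from the original post and not part of msktutil) that decodes the userAccountControl, msDS-supportedEncryptionTypes and pwdLastSet values msktutil prints; the flag names are the documented Microsoft bit values, and the sample input is the three relevant lines from the output above.

```python
import re
from datetime import datetime, timedelta, timezone

# userAccountControl bits (MS-SAMR), the subset that matters for machine accounts
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
# msDS-SupportedEncryptionTypes bits (MS-KILE)
ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Sample input: the verbose msktutil lines quoted in the post above
SAMPLE_LOG = """\
 -- ldap_check_account: Found userAccountControl = 0x11000
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_get_pwdLastSet: pwdLastSet is 131607622799660050
"""

def decode_flags(value, table):
    """Names of the bits set in value; bits not in table are reported as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names

def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def parse_msktutil_log(text):
    """Pull the three account attributes out of msktutil --verbose output."""
    def grab(pattern, base):
        match = re.search(pattern, text)
        return int(match.group(1), base) if match else None
    uac = grab(r"Found userAccountControl = 0x([0-9A-Fa-f]+)", 16)
    etypes = grab(r"Found supportedEncryptionTypes = (\d+)", 10)
    pwd_last_set = grab(r"pwdLastSet is (\d+)", 10)
    return {
        "userAccountControl": decode_flags(uac, UAC_FLAGS) if uac is not None else None,
        "supportedEncryptionTypes": decode_flags(etypes, ENCTYPE_FLAGS) if etypes is not None else None,
        "pwdLastSet": filetime_to_datetime(pwd_last_set) if pwd_last_set is not None else None,
    }

if __name__ == "__main__":
    for key, val in parse_msktutil_log(SAMPLE_LOG).items():
        print(key, val)
```

For the posted values this reports a WORKSTATION_TRUST_ACCOUNT with DONT_EXPIRE_PASSWORD set, RC4 plus AES128/AES256 key types, and a pwdLastSet of 2018-01-18 15:17:59 UTC, about a minute before the kpasswd failure logged by Samba.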

