[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex <samba@abisoft.biz>
Wed Jan 26 12:22:25 UTC 2022


Hello Stefan,

Thanks for your reply!

The permissions are correct and they didn't change during the Samba upgrade:
[root@vm-corp etc]# ls -l /usr/local/etc/padl.keytab
-rw------- 1 root root 60 Jan 26 11:06 /usr/local/etc/padl.keytab

The user does have a password.

How to disable preauth?

> I only know this error message from openldap together with kerberos.
> There it means: either the permission of the keytab file is wrong or the
> user has no password set. Because you have preauth active, the user must
> have a password; without a password, preauth fails. Can you disable
> preauth? Just for testing, or if the user has no password, set a random
> password and try again.

> On 26.01.22 at 11:35, Alex via samba wrote:
>> Hello,
>> 
>> There are two DCs backed by Samba (vm-dc3 and vm-dc4). I have a special AD user - padl - to provide SSO capability to corporate services (like apache, for example). Using this account I generated a keytab file which is used by other services:
>> # ktutil
>> addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
>> Password:
>> wkt /usr/local/etc/padl.keytab
>> 
>> Based on this keytab, k5start daemon generates and updates a kerberos TGT:
>> ExecStart=/usr/bin/k5start -f ${KEYTAB} -b -a -K 120 -L -l 1d -k /tmp/krb5cc_%i -U -o %i -p /var/run/k5start_%i.pid
>> 
>> Hence, for example, nslcd has this config options set:
>> sasl_mech GSSAPI
>> krb5_ccname /tmp/krb5cc_nslcd
>> 
>> Everything worked well until I upgraded Samba from 4.14 to 4.15. The new samba has stopped authenticating the padl user from the keytab file (password authentication still works well).
>> 
>> Here is how it looks when I restart the k5start daemon to re-get the TGT on one of the corporate servers:
>> [root@vm-corp etc]# systemctl restart k5start@nslcd.service
>> 
>> Good:
>> [root@vm-dc4 var]# samba -V
>> Version 4.14.11
>> [root@vm-dc4 var]# tail -f log.samba | grep padl
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49197 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:44742 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: ENC-TS Pre-authentication succeeded -- padl@ABISOFT.BIZ using arcfour-hmac-md5
>>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[padl@ABISOFT.BIZ] at [Wed, 26 Jan 2022 12:27:57.383462 MSK] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.26.200.32:44742] became [ABISOFT]\[padl] [S-1-5-21-3729968760-1240331958-298020672-1205]. local host [NULL]
>>   {"timestamp": "2022-01-26T12:27:57.383593+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "9d14d44263a13476", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.26.200.32:44742", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "padl@ABISOFT.BIZ", "workstation": null, "becameAccount": "padl", "becameDomain": "ABISOFT", "becameSid": "S-1-5-21-3729968760-1240331958-298020672-1205", "mappedAccount": "padl", "mappedDomain": "ABISOFT", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 6872}}
>>   authsam_account_ok: Checking SMB password for user padl@ABISOFT.BIZ
>>   logon_hours_ok: No hours restrictions for user padl@ABISOFT.BIZ
>>   DSDB Change [Modify] at [Wed, 26 Jan 2022 12:27:57.388268 MSK] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=padl,CN=Users,DC=abisoft,DC=biz] attributes [replace: lastLogon [132876628773839510] replace: logonCount [18445]]
>>   {"timestamp": "2022-01-26T12:27:57.388513+0300", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=padl,CN=Users,DC=abisoft,DC=biz", "transactionId": "303b11dc-52d2-411b-8dc1-c2a1079c46f8", "sessionId": "84b8f2a0-4e9c-4696-bbb6-4a5df8d8de8c", "attributes": {"lastLogon": {"actions": [{"action": "replace", "values": [{"value": "132876628773839510"}]}]}, "logonCount": {"actions": [{"action": "replace", "values": [{"value": "18445"}]}]}}}}
>> 
>> Bad:
>> [root@vm-dc4 samba]# samba -V
>> Version 4.15.4
>> [root@vm-dc4 var]# tail -f log.samba | grep padl
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:49563 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:42889 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:41471 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:40522 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>>   Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:51879 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
>>   Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
>>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
>> 
>> Any ideas what's going on and how to get that fixed? I've downgraded back to 4.14 so far, but that's just a temporary workaround.
>> 
>> Please, help!
>> 

-- 
Best regards,
Alex
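The difference between the two log excerpts in the quoted message (one PREAUTH-REQUIRED answered by an ENC-TS success on 4.14, versus a client that is challenged again and again and never sends ENC-TS pa-data on 4.15) can be checked mechanically on the DC. Below is an added example, not from the thread and not Samba's own tooling: it summarises the `Kerberos:` lines per principal, flags a client stuck in the challenge loop, and notes when a success used a deprecated enctype such as arcfour-hmac-md5 (the keytab above was created with RC4-HMAC). The regular expressions are assumptions fitted to the quoted lines, and the sample lines are constructed from those excerpts with `@` restored (the list archive rewrites it as ` at `).

```python
import re
from collections import defaultdict

# Samba KDC log lines as quoted in the thread, with '@' restored (the list
# archive rewrites '@' as ' at '). Patterns are assumptions fitted to those lines.
ASREQ = re.compile(r"Kerberos: AS-REQ (\S+) from (ipv4:[\d.]+):\d+ for ")
PREAUTH_REQ = re.compile(r"No preauth found, returning PREAUTH-REQUIRED -- (\S+)")
SUCCEEDED = re.compile(r"ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)")
# Enctypes deprecated for Kerberos (RFC 6649 for DES, RFC 8429 for RC4-HMAC).
WEAK_ETYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}


def analyse(lines, loop_threshold=3):
    """Summarise AS-REQ/preauth activity per client principal.

    A healthy exchange is one PREAUTH-REQUIRED answered by an ENC-TS success.
    Repeated PREAUTH-REQUIRED with no success means the client never sent
    ENC-TS pa-data at all (e.g. it could not build it from its keytab), which
    is exactly what the 4.15 excerpt in the thread shows.
    """
    stats = defaultdict(lambda: {"asreq": 0, "preauth_required": 0,
                                 "succeeded": 0, "etypes": set(), "clients": set()})
    for line in lines:
        if m := ASREQ.search(line):
            stats[m.group(1)]["asreq"] += 1
            stats[m.group(1)]["clients"].add(m.group(2))
        elif m := PREAUTH_REQ.search(line):
            stats[m.group(1)]["preauth_required"] += 1
        elif m := SUCCEEDED.search(line):
            stats[m.group(1)]["succeeded"] += 1
            stats[m.group(1)]["etypes"].add(m.group(2))
    for s in stats.values():
        s["stuck"] = s["succeeded"] == 0 and s["preauth_required"] >= loop_threshold
        s["weak_etypes"] = sorted(s["etypes"] & WEAK_ETYPES)
    return dict(stats)


# Constructed samples mirroring the "Good" (4.14) and "Bad" (4.15) excerpts.
_ASREQ = ("  Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:%d "
          "for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ")
_REQUIRED = "  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ"
GOOD_LOG = [_ASREQ % 49197, _REQUIRED, _ASREQ % 44742,
            "  Kerberos: ENC-TS Pre-authentication succeeded -- padl@ABISOFT.BIZ using arcfour-hmac-md5"]
BAD_LOG = [l for port in (49563, 42889, 41471) for l in (_ASREQ % port, _REQUIRED)]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, analyse(log)["padl@ABISOFT.BIZ"])
```

On a live DC the same function can be fed `grep 'Kerberos:' log.samba`; a principal reported as stuck points at the client side (keytab contents, kvno or enctype) rather than at the account's password, which is the distinction the thread is trying to draw.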
