[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Alex
samba at abisoft.biz
Thu Jan 27 12:01:34 UTC 2022
Hello Louis,
Samba is already handling the system's keytab (/etc/krb5.keytab), but for some reason this error comes up when I try to acquire a TGT with k5start:
[root@vm-corp samba]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd -vvv
Kerberos initialization for host/vm-corp.abisoft.biz@ABISOFT.BIZ
k5start: authenticating as host/vm-corp.abisoft.biz@ABISOFT.BIZ
k5start: getting tickets for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database
[root@vm-corp samba]# net ads keytab list /etc/krb5.keytab | grep 'host/vm-corp.abisoft.biz@ABISOFT.BIZ'
2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
Any ideas why?
The reason to use k5start is b/c some progs can't work with keytab file directly. For example, nslcd.
> I'm wondering why you don't use winbind for the keytab setup and let Samba handle it.
>
> That's what I suggest.
> Install winbind only.
> Use :
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> # renew the kerberos ticket
> winbind refresh tickets = yes
> Add the use that keytab or make a separate keytab file as you do now.
> You might have a reason to use k5start but I haven't seen it so far.
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex
>> via samba
>> Sent: Thursday, 27 January 2022 9:12
>> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
>> Subject: Re: [Samba] Kerberos authentication issue after
>> upgrading from 4-14-stable to 4-15-stable
>>
>> Hello Andrew,
>>
>> > The big difference with 4.15 is likely to be that we disabled DES
>> > encryption types recently, so if you followed an old guide that said to
>> > force DES that would end badly.
>>
>> [root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
>> Vno Type Principal
>> 1 ArcFour with HMAC/md5 padl@ABISOFT.BIZ
>> [root@vm-corp etc]#
>>
>> There's no DES encryption as far as I see. Or am I looking in the
>> wrong place?
>>
>> --
>> Best regards,
>> Alex
--
Best regards,
Alex
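
Added example, not part of the original message and not Samba code: a small parser for the `net ads keytab list` output shown in this thread. It groups keys by principal and picks out the DES entries, the enctypes the quoted reply says 4.15 disabled. The function names are hypothetical, and the sample rows are the two listings from the messages combined.

```python
import re
from collections import defaultdict

# Rows taken from the two keytab listings in this thread (combined for the example).
SAMPLE = """\
Vno Type Principal
2 DES cbc mode with CRC-32 host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 DES cbc mode with RSA-MD5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 AES-128 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 AES-256 CTS mode with 96-bit SHA-1 HMAC host/vm-corp.abisoft.biz@ABISOFT.BIZ
2 ArcFour with HMAC/md5 host/vm-corp.abisoft.biz@ABISOFT.BIZ
1 ArcFour with HMAC/md5 padl@ABISOFT.BIZ
"""

# kvno, free-text enctype description, then the principal as the last token.
ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+@\S+)\s*$")

def family(enctype):
    """Map the enctype description printed in the listing to a short family name."""
    name = enctype.lower()
    for prefix, fam in (("des", "des"), ("aes", "aes"), ("arcfour", "rc4")):
        if name.startswith(prefix):
            return fam
    return "other"

def parse_keytab_list(text):
    """Return (kvno, enctype, principal) tuples; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        # List archives mask "@" as " at "; undo that so pasted output still parses.
        m = ROW.match(line.replace(" at ", "@"))
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def summarize(text):
    """Map each principal to the set of enctype families it has keys for."""
    families = defaultdict(set)
    for _kvno, enctype, principal in parse_keytab_list(text):
        families[principal].add(family(enctype))
    return dict(families)

def des_entries(text):
    """Return only the rows whose enctype is single DES."""
    return [row for row in parse_keytab_list(text) if family(row[1]) == "des"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(des_entries(SAMPLE))
```

On the sample, the host principal carries DES, RC4 and AES keys, while the padl principal has an RC4 key only and no DES entry.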