[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba at abisoft.biz
Thu Jan 27 12:01:34 UTC 2022


Hello Louis,

Samba is already handling the system's keytab (/etc/krb5.keytab), but for some reason this error comes up when I try to acquire a TGT with k5start:
[root@vm-corp samba]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd -vvv
Kerberos initialization for host/vm-corp.abisoft.biz@ABISOFT.BIZ
k5start: authenticating as host/vm-corp.abisoft.biz@ABISOFT.BIZ
k5start: getting tickets for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database

[root@vm-corp samba]# net ads keytab list /etc/krb5.keytab | grep 'host/vm-corp.abisoft.biz@ABISOFT.BIZ'
  2  DES cbc mode with CRC-32                    host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  DES cbc mode with RSA-MD5                   host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC     host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  ArcFour with HMAC/md5                       host/vm-corp.abisoft.biz@ABISOFT.BIZ

Any ideas why?

The reason to use k5start is because some programs can't work with a keytab file directly. For example, nslcd.

> I'm wondering why you don't use winbind for the keytab setup and let Samba handle it.
>
> That's what I suggest.
> Install winbind only.

> Use:
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab

>     # renew the kerberos ticket
>     winbind refresh tickets = yes

> Add the use that keytab or make a separate keytab file as you do now.

> You might have a reason to use k5start, but I haven't seen it so far.

>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
>> Sent: Thursday, 27 January 2022 9:12
>> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
>> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>> 
>> Hello Andrew,
>> 
>> > The big difference with 4.15 is likely to be that we disabled DES
>> > encryption types recently, so if you followed an old guide that said to
>> > force DES that would end badly.
>> 
>> [root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
>> Vno  Type                                        Principal
>>   1  ArcFour with HMAC/md5                       padl@ABISOFT.BIZ
>> [root@vm-corp etc]#
>> 
>> There's no DES encryption as far as I see. Or am I looking in the wrong place?
>> 
>> -- 
>> Best regards,
>> Alex
>> 

-- 
Best regards,
Alex
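
The keytab listings quoted in this thread can be checked for key types mechanically. The script below is an added example, not part of the original message or of Samba: it reads "net ads keytab list" output and reports, per principal, the highest kvno, the strongest key type present, and whether DES keys (the type the quoted reply says was disabled in 4.15) are still in the keytab. The function names are hypothetical, and the sample listing is constructed from the two listings quoted above, with the archive's " at " written back as "@".

```sh
#!/bin/sh
# Added example (not from the thread): summarise key types per principal
# from "net ads keytab list" output read on stdin.
# Output: principal <TAB> highest kvno <TAB> strongest type <TAB> DES flag

audit_keytab_listing() {
    awk '
    # Data rows start with a numeric kvno; the header row does not.
    $1 ~ /^[0-9]+$/ && NF >= 3 {
        princ = $NF
        etype = $2
        for (i = 3; i < NF; i++) etype = etype " " $i
        if (!(princ in seen)) { seen[princ] = 1; order[++n] = princ }
        if ($1 + 0 > kvno[princ] + 0) kvno[princ] = $1 + 0
        if (etype ~ /^DES cbc/)      des[princ] = 1
        else if (etype ~ /^AES-/)    aes[princ] = 1
        else if (etype ~ /^ArcFour/) rc4[princ] = 1
    }
    END {
        for (j = 1; j <= n; j++) {
            p = order[j]
            best = "other"
            if (p in aes)      best = "aes"
            else if (p in rc4) best = "rc4"
            else if (p in des) best = "des"
            flag = (p in des) ? "des-keys-present" : "no-des"
            printf "%s\t%d\t%s\t%s\n", p, kvno[p], best, flag
        }
    }'
}

# Constructed sample: the two listings quoted in the thread, combined.
sample_listing() {
    cat <<'EOF'
Vno  Type                                        Principal
  2  DES cbc mode with CRC-32                    host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  DES cbc mode with RSA-MD5                   host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC     host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/vm-corp.abisoft.biz@ABISOFT.BIZ
  2  ArcFour with HMAC/md5                       host/vm-corp.abisoft.biz@ABISOFT.BIZ
  1  ArcFour with HMAC/md5                       padl@ABISOFT.BIZ
EOF
}

sample_listing | audit_keytab_listing
```

On a live host the same function takes the real listing on stdin, for example the output of the net ads keytab list /etc/krb5.keytab command shown in the message.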



