[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba at abisoft.biz
Thu Jan 27 12:16:57 UTC 2022


Hello Rowland,

I've added AES encryption and it still fails:
[root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab2
Vno  Type                                        Principal
  1  ArcFour with HMAC/md5                       padl@ABISOFT.BIZ
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC     padl@ABISOFT.BIZ
  3  AES-256 CTS mode with 96-bit SHA-1 HMAC     padl@ABISOFT.BIZ

[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab2 -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
k5start: error getting credentials: Preauthentication failed

[root@vm-dc4 var]# tail -f log.samba|grep padl
  Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:48275 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
  Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
  Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
  Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:39557 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
  Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
  Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
  Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
  Not updating badPwdCount on CN=padl,CN=Users,DC=abisoft,DC=biz after wrong password
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[padl@ABISOFT.BIZ] at [Thu, 27 Jan 2022 15:14:07.270453 MSK] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:172.26.200.32:39557] mapped to [ABISOFT]\[padl]. local host [NULL]

> On Thu, 2022-01-27 at 12:14 +0100, L.P.H. van Belle via samba wrote:
>> I'm wondering why you don't use winbind for the keytab setup and let
>> samba handle it.
>>
>> That's what I suggest.
>> Install winbind only.
>>
>> Use:
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>
>>     # renew the kerberos ticket
>>     winbind refresh tickets = yes
>>
>> Then use that keytab, or make a separate keytab file as you do now.
>>
>> You might have a reason to use k5start, but I haven't seen it so far.
>>
>> Greetz,
>>
>> Louis

> The other question is, why limit the keytab to RC4-HMAC?

> Rowland

-- 
Best regards,
Alex
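The `net ads keytab list` output above is unusual in one respect: the single principal padl@ABISOFT.BIZ appears at three different key version numbers (1, 2 and 3), one per enctype, whereas keys derived from one password change normally share a kvno. The following is an added example, not code from the thread or from Samba: it parses a raw MIT/Heimdal keytab (file format 0x0502, the format `net ads keytab` and `k5start -f` read) offline and reports, per principal, which enctypes are present, which kvnos are seen, whether the kvnos disagree, and whether the keytab is RC4-only (Rowland's question). The sample keytab is constructed in the script to mirror the listing, with dummy key bytes; the enctype numbers (23, 17, 18) are the standard RFC 4757/3962 assignments. The check only reports what the file contains; it does not, by itself, prove why the KDC rejects the ENC-TS pre-authentication.

```python
"""Parse an MIT/Heimdal keytab (file format 0x0502) and sanity-check it."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Standard enctype numbers for the three types shown in the listing.
ENCTYPE_NAMES = {
    23: "arcfour-hmac-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}
RC4_HMAC = 23


@dataclass
class KeytabEntry:
    principal: str   # "name/instance@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """Keytab counted-octet-string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries in keytab v2 layout (used here only to construct sample input)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, 0)          # name type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", e.kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)         # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return the list of KeytabEntry records in a v2 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        pos += 8                   # name type + timestamp, not needed for this check
        vno8 = data[pos]
        pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:         # a non-zero 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
    return entries


def check_keytab(entries):
    """Per principal: enctypes present, kvnos seen, and two warnings worth acting on."""
    report = {}
    by_principal = defaultdict(list)
    for e in entries:
        by_principal[e.principal].append(e)
    for princ, es in by_principal.items():
        kvnos = sorted({e.kvno for e in es})
        etypes = sorted({e.enctype for e in es})
        report[princ] = {
            "kvnos": kvnos,
            "enctypes": [ENCTYPE_NAMES.get(t, str(t)) for t in etypes],
            "kvno_mismatch": len(kvnos) > 1,   # keys from different password versions
            "rc4_only": etypes == [RC4_HMAC],  # no AES keys at all
        }
    return report


# Constructed sample mirroring the listing in the post: one principal, three
# enctypes, each at a different kvno. Key bytes are dummies, not real keys.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("padl@ABISOFT.BIZ", 1, 23, b"\x11" * 16),
    KeytabEntry("padl@ABISOFT.BIZ", 2, 17, b"\x22" * 16),
    KeytabEntry("padl@ABISOFT.BIZ", 3, 18, b"\x33" * 32),
])

if __name__ == "__main__":
    for princ, info in check_keytab(parse_keytab(SAMPLE_KEYTAB)).items():
        print(princ, info)
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open("/usr/local/etc/padl.keytab2", "rb").read()`; the report for the posted keytab comes back with `kvno_mismatch` set, which is the first thing to reconcile against the account's current key version on the DC before chasing the AES decrypt error further.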