[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Alex
samba at abisoft.biz
Thu Jan 27 12:16:57 UTC 2022
Hello Rowland,
I've added AES encryption and it still fails:
[root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab2
Vno  Type                                      Principal
  1  ArcFour with HMAC/md5                     padl@ABISOFT.BIZ
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC   padl@ABISOFT.BIZ
  3  AES-256 CTS mode with 96-bit SHA-1 HMAC   padl@ABISOFT.BIZ

[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab2 -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
k5start: error getting credentials: Preauthentication failed

[root@vm-dc4 var]# tail -f log.samba|grep padl
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:48275 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:39557 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Looking for PKINIT pa-data -- padl@ABISOFT.BIZ
Kerberos: Looking for ENC-TS pa-data -- padl@ABISOFT.BIZ
Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=padl,CN=Users,DC=abisoft,DC=biz after wrong password
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[padl@ABISOFT.BIZ] at [Thu, 27 Jan 2022 15:14:07.270453 MSK] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:172.26.200.32:39557] mapped to [ABISOFT]\[padl]. local host [NULL]
> On Thu, 2022-01-27 at 12:14 +0100, L.P.H. van Belle via samba wrote:
>> I'm wondering why you don't use winbind for the keytab setup and let
>> samba handle it.
>>
>> That's what I suggest.
>> Install winbind only.
>>
>> Use:
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> # renew the kerberos ticket
>> winbind refresh tickets = yes
>>
>> And use that keytab, or make a separate keytab file as you do now.
>>
>> You might have a reason to use k5start but I haven't seen it so far.
>>
>> Greetz,
>>
>> Louis
> The other question is, why limit the keytab to RC4-HMAC ?
> Rowland
--
Best regards,
Alex
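Added illustration, not part of the thread: the "Failed to decrypt PA-DATA" line the KDC logs above is how Samba's KDC reports that the key the client used for ENC-TS timestamp pre-authentication does not match the key it holds for the principal, which is also exactly what password guessing against the KDC looks like in log.samba. The script below turns those lines into a per-principal summary of failures, enctypes and source addresses; the sample log is constructed from the excerpt above plus one extra constructed arcfour failure, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log.samba lines quoted in the thread.
# Order is the normal two-step ENC-TS exchange: the first AS-REQ is answered
# with PREAUTH-REQUIRED, the second carries a timestamp the KDC cannot decrypt.
SAMPLE_LOG = r"""
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:48275 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- padl@ABISOFT.BIZ
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:39557 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[padl@ABISOFT.BIZ] at [Thu, 27 Jan 2022 15:14:07.270453 MSK] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:172.26.200.32:39557] mapped to [ABISOFT]\[padl]. local host [NULL]
Kerberos: AS-REQ padl@ABISOFT.BIZ from ipv4:172.26.200.32:39560 for krbtgt/ABISOFT.BIZ@ABISOFT.BIZ
Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ (enctype arcfour-hmac-md5) error Decrypt integrity check failed for checksum type hmac-md5, key type arcfour-hmac-md5
"""

AS_REQ = re.compile(r"AS-REQ (\S+) from ipv4:([\d.]+):\d+ for ")
PREAUTH_REQ = re.compile(r"returning PREAUTH-REQUIRED -- (\S+)$")
DECRYPT_FAIL = re.compile(r"Failed to decrypt PA-DATA -- (\S+) \(enctype (\S+)\)")


def summarize(log_text):
    """Per-principal view of ENC-TS pre-auth: challenges, failures, enctypes, sources."""
    last_source = {}  # principal -> address of its most recent AS-REQ
    stats = defaultdict(lambda: {"challenges": 0, "failures": 0,
                                 "enctypes": set(), "sources": set()})
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:  # remember where the request came from; the failure line has no address
            last_source[m.group(1)] = m.group(2)
            continue
        m = PREAUTH_REQ.search(line)
        if m:  # first round trip, expected and harmless
            stats[m.group(1)]["challenges"] += 1
            continue
        m = DECRYPT_FAIL.search(line)
        if m:  # wrong key for this principal: stale keytab, kvno mismatch or guessing
            principal, enctype = m.groups()
            s = stats[principal]
            s["failures"] += 1
            s["enctypes"].add(enctype)
            s["sources"].add(last_source.get(principal, "unknown"))
    return dict(stats)


def failing_principals(stats, threshold=1):
    """Principals whose decrypt failures reached the threshold, for alerting."""
    return sorted(p for p, s in stats.items() if s["failures"] >= threshold)


if __name__ == "__main__":
    for principal, s in summarize(SAMPLE_LOG).items():
        print(principal, s)
```

A keytab whose keys are stale for one principal produces a failure per enctype the client tries from one source, while guessing shows up as many failures for one principal or one source over a short window; the same summary serves both diagnoses.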