[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba at abisoft.biz
Thu Jan 27 15:30:37 UTC 2022


> https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2 
> It's a 10-year-old post, but read it; I think it might help you find the source of your problem. 

> That link brings back some old memories here, as it will for Rowland.. ;-) 

I will definitely check that thread, thank you! But we came to this after I put extra encryption algorithms in the keytab. They do not work with the old Samba either, so I am simply going to leave a single entry in the keytab with ArcFour encryption.

Once again. This works with Samba 4.14:
[root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
Vno  Type                                        Principal
  1  ArcFour with HMAC/md5                       padl@ABISOFT.BIZ
[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
[root@vm-corp etc]# ^C

And does not work with Samba 4.15:
[root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L -l 1d -k /tmp/krb5cc_test -U -o nslcd
Kerberos initialization for padl@ABISOFT.BIZ
k5start: error getting credentials: Pre-authentication failed: No key table entry found for padl@ABISOFT.BIZ

It's not a problem with nslcd or anything like that. Something has changed in 4.15 and I'd like to find out what, and how to get things working again.

Obviously the new Samba sends back something to the k5start tool which it can't match with the keytab entry. Here are tcpdump outputs for both cases:
v4.14:
18:22:03.617311 IP 172.26.200.32.43659 > 172.26.1.84.88:  v5
E..... at .@...... ...T...X..".j..0...........
..0.0
.............0....... at .....0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ....20220128152203Z....20220203152203Z......$...0.........................
18:22:03.622709 IP 172.26.1.84.88 > 172.26.200.32.43659:
E..... at .@..w...T... .X.....Y~..0................20220127152203Z....     ~..........ABISOFT.BIZ..0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ.+.)Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ.M.K0I0        .........0      .........0      .........0.........     0.0......0.........
<here goes further communication>

v4.15:
18:22:40.781201 IP 172.26.200.32.57417 > 172.26.1.84.88:  v5
E....;@. at .O/... ...T.I.X..".j..0...........
..0.0
.............0....... at .....0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ....20220128152240Z....20220203152240Z....P.....0.........................
18:22:40.832462 IP 172.26.1.84.88 > 172.26.200.32.57417:
E..8.. at .@.A&...T... .X.I.$u.~...0.................20220127152240Z................ABISOFT.BIZ..0........0...padl....ABISOFT.BIZ. 0........0...krbtgt..ABISOFT.BIZ.+.)Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ.i.g0e0  .........0      .........0      .........0B......;.90705......&.$ABISOFT.BIZnslcdmy
<no further communication happened>

>> -----Original Message-----
>> From: Alex [mailto:samba at abisoft.biz] 
>> Sent: Thursday, 27 January 2022 15:03
>> To: L.P.H. van Belle via samba; L.P.H. van Belle
>> Subject: Re: [Samba] Kerberos authentication issue after 
>> upgrading from 4-14-stable to 4-15-stable
>> 
>> >> Any ideas why?
>> > No, sorry, that's one I don't know, except that k5start might 
>> look in a different place which does not exist. 
>> 
>> I checked that - it does read the file I specified.
>> 
>> >> The reason to use k5start is b/c some progs can't work with 
>> >> keytab file directly. For example, nslcd.
>> 
>> > Aha.. But wait, if Samba is already handling it, 
>> > why not this way.. 
>> 
>> > (example for kerberos auth in squid ) 
>> > kinit Administrator
>> 
>> > export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
>> 
>> > net ads_update keytab ADD HTTP/$(hostname -f)
>> 
>> > chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
>> 
>> > chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab
>> 
>> > Adjust it to your needs for nslcd, but it shows how to do it. 
>> > I think that will work also. 
>> 
>> Because (as I said) nslcd is not able to work through a keytab file. 
>> It only supports a ready-to-use TGT:
>> sasl_mech       GSSAPI
>> krb5_ccname /tmp/krb5cc_nslcd
>> 
>> 
>> -- 
>> Best regards,
>> Alex
>> 
>> 

-- 
Best regards,
Alex
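The 4.15 trace above ends with the KDC's KRB-ERROR carrying the pre-authentication hints (the string ABISOFT.BIZnslcdmy in that reply appears to be an ETYPE-INFO2 salt) and then nothing, which is where a client that cannot find a key matching what the KDC asks for gives up. One thing a practitioner checks in that situation is whether the keytab holds a key, for the right principal, in one of the enctypes the KDC advertises. As an added example (not code from the post, from k5start or from Samba), here is a small Python parser for the 0x0502 keytab format that lists entries the way `net ads keytab list` does and reports which advertised enctypes have a matching key. The keytab bytes, key material and the two enctype lists are constructed for the example; it does not claim to be the poster's root cause.

```python
"""Parse an MIT/Heimdal 0x0502 keytab and compare its enctypes with the
enctypes a KDC offers in ETYPE-INFO2.  Added example; the keytab below is
constructed here with dummy keys, it is not the poster's real keytab."""
import struct
from typing import List, NamedTuple

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

class KeytabEntry(NamedTuple):
    principal: str   # name@REALM, components joined with '/'
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key: bytes

def _counted(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed: <0 is a hole
        off += 4
        if size < 0:
            off += -size          # deleted entry, skip its bytes
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        etype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off: off + klen]; off += klen
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno, overrides vno8 if non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
    return entries

def build_entry(principal: str, etype: int, key: bytes, kvno: int = 1,
                name_type: int = 1, ts: int = 1643300000) -> bytes:
    """Serialise one 0x0502 entry (used only to construct the sample keytab)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def format_listing(entries: List[KeytabEntry]) -> List[str]:
    """Rows in the spirit of `net ads keytab list`: kvno, enctype name, principal."""
    rows = ["Vno  Type                          Principal"]
    for e in entries:
        rows.append(f"{e.kvno:>3}  {ETYPE_NAMES.get(e.etype, str(e.etype)):<29} {e.principal}")
    return rows

def usable_etypes(entries: List[KeytabEntry], principal: str, kdc_etypes: List[int]) -> List[int]:
    """Enctypes the client could encrypt a PA-ENC-TIMESTAMP with: those the KDC
    listed in ETYPE-INFO2 for which the keytab has a key of *that* principal.
    An empty result is the situation in which a keytab-based kinit cannot
    proceed past pre-authentication."""
    have = {e.etype for e in entries if e.principal == principal}
    return [et for et in kdc_etypes if et in have]

# Constructed sample keytab: an arcfour key for padl (as in the post) plus an
# AES-256 key for a different, made-up principal, to show matching is per name.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("padl@ABISOFT.BIZ", 23, bytes(range(16)))
                 + build_entry("svc-example@ABISOFT.BIZ", 18, bytes(range(32))))

# Hypothetical ETYPE-INFO2 offers, most preferred first; not taken from the dumps.
KDC_OFFERS_RC4_TOO = [18, 17, 23]
KDC_OFFERS_AES_ONLY = [18, 17]

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(format_listing(ents)))
    for offers in (KDC_OFFERS_RC4_TOO, KDC_OFFERS_AES_ONLY):
        print(offers, "->", usable_etypes(ents, "padl@ABISOFT.BIZ", offers))
```

Run against a real file with `parse_keytab(open("/usr/local/etc/padl.keytab", "rb").read())`; the enctypes the KDC actually offered have to be read out of the KRB-ERROR's ETYPE-INFO2 (Wireshark decodes it), which this example takes as a plain list.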