[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Andrew Bartlett abartlet at samba.org
Fri Jan 28 02:41:04 UTC 2022

On Thu, 2022-01-27 at 18:30 +0300, Alex via samba wrote:
> > https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2 
> > It's a 10y old post but read it, I think it might help you find the
> > source of your problem. 
> > That link gives back some old memories here, as will for Rowland..
> > ;-) 
> I will definitely check that thread, thank you! But we came to this
> after I put extra encryption algorithms in the keytab. They do not
> work with the old Samba as well, so I'm simply gonna leave a single
> entry in the keytab with ArcFour encryption.
> Once again. This works with Samba 4.14:
> [root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> Vno  Type                                        Principal
>   1  ArcFour with HMAC/md5                       padl@ABISOFT.BIZ
> [root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L
> -l 1d -k /tmp/krb5cc_test -U -o nslcd
> Kerberos initialization for padl@ABISOFT.BIZ
> [root@vm-corp etc]# ^C
> And does not work with Samba 4.15:
> [root@vm-corp etc]# /usr/bin/k5start -f /usr/local/etc/padl.keytab -L
> -l 1d -k /tmp/krb5cc_test -U -o nslcd
> Kerberos initialization for padl@ABISOFT.BIZ
> k5start: error getting credentials: Pre-authentication failed: No key
> table entry found for padl@ABISOFT.BIZ
> It's not a problem with nslcd or anything like that. Something has
> changed in 4.15 and I'd like to find out what and how to get things
> back to work..

You have correctly managed to work past the noise and deduced that if
the client stays the same but the change in the server version gives a
different result, the server change is the issue.

(Yes, sometimes the fix is to change the client, e.g. change to NTLMv2
because NTLM was disabled, but you get my point).

A full .pcap file might be illuminating, as might just looking at the
difference in the server logs, but skilled as I am, I can't parse
Kerberos packets by eye.

We did change some Kerberos encryption ordering in 4.15, and fixed it
in a later version. Are you running the latest release?

My feeling certainly is that the account has an AES key, and so Samba
is expecting an AES encrypted enc-ts challenge, or at least your client
is wanting to provide that but only has an RC4 key.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
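
An added example, not from the post or from Samba: a minimal parser for the keytab file format 0x0502 that lists each entry's enctype and intersects it with the enctypes a KDC asks for. The sample keytab is constructed to mirror the `net ads keytab list` output quoted above, and the KDC enctype lists passed to the hypothetical `usable_etypes` helper are assumptions illustrating the AES-versus-RC4 mismatch the reply suspects.

```python
import struct

# Kerberos enctype numbers for the types discussed in this thread.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def _counted(data, p):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from a keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)  # pos now points at the next entry
        if size <= 0:                              # negative size marks a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = _counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        p += 8                                     # skip name type (4) and timestamp (4)
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = _counted(data, p + 3)            # key bytes are skipped, never returned
        if pos - p >= 4:                           # optional 32-bit kvno overrides if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, etype))
    return entries

def usable_etypes(entries, principal, kdc_etypes):
    """Names of the KDC-offered enctypes for which the keytab holds a key."""
    have = {etype for name, _kvno, etype in entries if name == principal}
    return [ETYPES.get(e, str(e)) for e in kdc_etypes if e in have]

def build_entry(realm, comps, kvno, etype, key):
    """Build one keytab entry; used only to construct the sample below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the listing in the post: kvno 1, RC4 only, dummy key.
SAMPLE = b"\x05\x02" + build_entry(b"ABISOFT.BIZ", [b"padl"], 1, 23, bytes(16))
```

Calling `usable_etypes(parse_keytab(SAMPLE), "padl@ABISOFT.BIZ", [18, 17])` returns an empty list: under the assumption that the KDC wants AES pre-authentication, an RC4-only keytab has no key to offer.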
