[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Andrew Bartlett
abartlet at samba.org
Fri Jan 28 07:02:48 UTC 2022
On Fri, 2022-01-28 at 09:51 +0300, Alex via samba wrote:
> Thanks Rowland.
>
>
>
> My issue is that k5start isn't able to get even the 1st ticket. Do
> you use system's keytab or create a user keytab for this test case?
> Can you show what "net ads keytab list ..." outputs?
>
Just one thought before the weekend:
Can you remind me how the keytab was obtained?
RC4 tickets work sometimes in places where AES does not because AES
tickets are salted, and if you use the wrong salt it all goes very
badly.
A keytab extracted using 'samba-tool domain exportkeytab' (there is an
option to extract just one principal) will always have the correct
salt, and all the right keys, as this is a direct copy from the DB.
I'll look over the .pcap when I get a chance.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the samba
mailing list