[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba at abisoft.biz
Fri Jan 28 07:29:50 UTC 2022


Andrew,

Right after sending you pcaps and emails, I started to look at the wiki links Louis sent me yesterday, and I found that "samba-tool domain exportkeytab" command, so I went ahead and created a keytab for padl user on the DC. Then I copied that file back to vm-corp and tried to get new TGTs via k5start - and that worked!! And it works for the old 4.14 Samba! So, that's the solution - thank you all very much!

However, if we could triage why the old way of generating keytab is not working anymore, it'd be helpful to better understand what's going on under the hood. See below.

>> My issue is that k5start isn't able to get even the 1st ticket. Do
>> you use system's keytab or create a user keytab for this test case?
>> Can you show what "net ads keytab list ..." outputs?
>> 

> Just one thought before the weekend:

> Can you remind me how the keytab was obtained?

I used to use this procedure to generate the keytab file for padl user:
# ktutil
addent -password -p padl at ABISOFT.BIZ -k 1 -e RC4-HMAC
Password: ..... (here I put padl's domain account password)
wkt /usr/local/etc/padl.keytab

My recent attempts were to add AES encryption, so I added two more entries with:
addent -password -p padl at ABISOFT.BIZ -k 1 -e aes128-cts-hmac-sha1-96
addent -password -p padl at ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96

But that didn't help, error was:
Kerberos: Failed to decrypt PA-DATA -- padl at ABISOFT.BIZ (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

> RC4 tickets work sometimes in places where AES does not because AES
> tickets are salted, and if you use the wrong salt it all goes very
> badly.

> A keytab extracted using 'samba-tool domain exportkeytab' (there is an
> option to extract just one principal) will always have the correct
> salt, and all the right keys, as this is a direct copy from the DB.

That makes sense! But why has adding keys via ktutil stopped working?

-- 
Best regards,
Alex
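The ktutil-built keytab and the one from "samba-tool domain exportkeytab" can be compared entry by entry, the way "klist -ke" would list them. What follows is an added example, not code from this thread or from Samba: a small MIT-format (version 0x0502) keytab writer and reader in Python, plus a check that flags entries whose kvno differs from the value the DC holds for the account. The expected kvno, the sample entries and the all-zero dummy keys are constructed assumptions.

```python
import struct
ENCTYPES = {23: "arcfour-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961/3962, RFC 4757

def _cstr(b):  # keytab "counted string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as an MIT v2 (0x0502) keytab."""
    out = b"\x05\x02"
    for principal, realm, kvno, etype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Walk the keytab like `klist -ke`, returning principal, kvno and enctype per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip over it
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):  # realm first, then each name component
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype))})
        pos = end
    return entries

def kvno_mismatches(keytab, expected_kvno):
    """Entries whose kvno differs from the one the DC holds (caller looks that up; assumption)."""
    return [f"{e['principal']} {e['enctype']} kvno {e['kvno']}"
            for e in parse_keytab(keytab) if e["kvno"] != expected_kvno]

# Constructed sample: the three entries the thread's `ktutil addent -k 1` steps add (dummy keys).
SAMPLE = build_keytab([("padl", "ABISOFT.BIZ", 1, 23, bytes(16)),
                       ("padl", "ABISOFT.BIZ", 1, 17, bytes(16)),
                       ("padl", "ABISOFT.BIZ", 1, 18, bytes(32))])
```

Running parse_keytab over both files shows at a glance whether the principal, enctypes and kvno line up; key material is deliberately not printed.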
