[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 28 08:23:17 UTC 2022
Hai Alex,
Great to hear it now all works.
If I may ask, can/did you document your steps for this setup with kstart?
This might be one that's very handy to have in the wiki.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex
> via samba
> Sent: Friday 28 January 2022 8:30
> To: Andrew Bartlett; Rowland Penny via samba; Rowland Penny
> Subject: Re: [Samba] Kerberos authentication issue after
> upgrading from 4-14-stable to 4-15-stable
>
> Andrew,
>
> Right after sending you pcaps and emails, I started to look
> at the wiki links Louis sent me yesterday, and I found that
> "samba-tool domain exportkeytab" command, so I went ahead and
> created a keytab for padl user on the DC. Then I copied that
> file back to vm-corp and tried to get new TGTs via k5start -
> and that worked!! And it works for the old 4.14 Samba! So,
> that's the solution - thank you all very much!
>
> However, if we could triage why the old way of generating
> keytab is not working anymore, it'd be helpful to better
> understand what's going on under the hood. See below.
>
> >> My issue is that k5start isn't able to get even the 1st ticket. Do
> >> you use system's keytab or create a user keytab for this test case?
> >> Can you show what "net ads keytab list ..." outputs?
> >>
>
> > Just one thought before the weekend:
>
> > Can you remind me how the keytab was obtained?
>
> I used to use this procedure to generate the keytab file for
> padl user:
> # ktutil
> addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
> Password: ..... (here I put padl's domain account password)
> wkt /usr/local/etc/padl.keytab
>
> My recent attempts were to add AES encryption, so I added two
> more entries with:
> addent -password -p padl@ABISOFT.BIZ -k 1 -e aes128-cts-hmac-sha1-96
> addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
>
> But that didn't help, error was:
> Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ
> (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity
> check failed for checksum type hmac-sha1-96-aes256, key type
> aes256-cts-hmac-sha1-96
>
> > RC4 tickets work sometimes in places where AES does not because AES
> > tickets are salted, and if you use the wrong salt it all goes very
> > badly.
>
> > A keytab extracted using 'samba-tool domain exportkeytab' (there is an
> > option to extract just one principal) will always have the correct
> > salt, and all the right keys, as this is a direct copy from the DB.
>
> That makes sense! But why has adding keys via ktutil stopped working?
>
> --
> Best regards,
> Alex
>
>