[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

L.P.H. van Belle belle at bazuin.nl
Fri Jan 28 08:23:17 UTC 2022

Hai Alex, 

Great to hear it now all works. 

If I may ask, can/did you document your steps for this setup with kstart? 
This might be one that's very handy to have in the wiki. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex 
> via samba
> Sent: Friday 28 January 2022 8:30
> To: Andrew Bartlett; Rowland Penny via samba; Rowland Penny
> Subject: Re: [Samba] Kerberos authentication issue after 
> upgrading from 4-14-stable to 4-15-stable
> Andrew,
> Right after sending you pcaps and emails, I started to look 
> at the wiki links Louis sent me yesterday, and I found that 
> "samba-tool domain exportkeytab" command, so I went ahead and 
> created a keytab for padl user on the DC. Then I copied that 
> file back to vm-corp and tried to get new TGTs via k5start - 
> and that worked!! And it works for the old 4.14 Samba! So, 
> that's the solution - thank you all very much!
> However, if we could triage why the old way of generating 
> keytab is not working anymore, it'd be helpful to better 
> understand what's going on under the hood. See below.
> >> My issue is that k5start isn't able to get even the 1st ticket. Do
> >> you use system's keytab or create a user keytab for this test case?
> >> Can you show what "net ads keytab list ..." outputs?
> >> 
> > Just one thought before the weekend:
> > Can you remind me how the keytab was obtained?
> I used to use this procedure to generate the keytab file for 
> padl user:
> # ktutil
> addent -password -p padl@ABISOFT.BIZ -k 1 -e RC4-HMAC
> Password: ..... (here I put padl's domain account password)
> wkt /usr/local/etc/padl.keytab
> My recent attempts were to add AES encryption, so I added two 
> more entries with:
> addent -password -p padl@ABISOFT.BIZ -k 1 -e aes128-cts-hmac-sha1-96
> addent -password -p padl@ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
> But that didn't help, error was:
> Kerberos: Failed to decrypt PA-DATA -- padl@ABISOFT.BIZ 
> (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity 
> check failed for checksum type hmac-sha1-96-aes256, key type 
> aes256-cts-hmac-sha1-96
> > RC4 tickets work sometimes in places where AES does not because AES
> > tickets are salted, and if you use the wrong salt it all goes very
> > badly.
> > A keytab extracted using 'samba-tool domain exportkeytab' 
> (there is an
> > option to extract just one principal) will always have the correct
> > salt, and all the right keys, as this is a direct copy from the DB.
> That makes sense! But why adding keys via ktutil has stopped working?
> -- 
> Best regards,
> Alex
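Added illustration, not part of the thread, of why a keytab entry derived from a typed password can fail where one exported from the DC works: the AES enctypes derive the key through RFC 3962 string-to-key, whose PBKDF2 stage (the only stage computed here, with the standard library) takes the salt as input, so a salt that differs from the one stored in the KDC's database yields an unrelated key. The password and the alternative salt are made up for the example.

```python
import hashlib

# Constructed sample values for this example only (the password is made up).
REALM = "ABISOFT.BIZ"
ACCOUNT = "padl"
PASSWORD = "example-password-not-real"

ITERATIONS = 4096  # RFC 3962 default iteration count, also used by AD
KEY_LEN = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def default_user_salt(account: str, realm: str) -> str:
    """Default AES salt for a user principal: uppercase realm + account name.

    This is what ktutil assumes when you 'addent -password' without -s;
    the KDC may hold a different salt for the account, e.g. after a rename.
    """
    return realm.upper() + account


def aes_string_to_key_pbkdf2(password: str, salt: str, enctype: str) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key ('tkey').

    The final key is DK(tkey, "kerberos"), an AES-based step omitted here;
    a different tkey gives a different final key, so salt sensitivity is
    already fully visible at this stage.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS,
                               KEY_LEN[enctype])


def same_key(password: str, salt_a: str, salt_b: str, enctype: str) -> bool:
    """True only if both salts lead to the same key for this password."""
    return (aes_string_to_key_pbkdf2(password, salt_a, enctype)
            == aes_string_to_key_pbkdf2(password, salt_b, enctype))


if __name__ == "__main__":
    good = default_user_salt(ACCOUNT, REALM)          # "ABISOFT.BIZpadl"
    wrong = default_user_salt(ACCOUNT.capitalize(), REALM)  # assumed mismatch
    for enctype in KEY_LEN:
        print(enctype, good, aes_string_to_key_pbkdf2(PASSWORD, good, enctype).hex())
        print(enctype, wrong, aes_string_to_key_pbkdf2(PASSWORD, wrong, enctype).hex())
        # A keytab entry built with the wrong salt cannot decrypt the KDC's
        # PA-DATA: that is the "Decrypt integrity check failed" symptom.
        # 'samba-tool domain exportkeytab' copies the stored keys instead of
        # deriving them, so no salt has to be guessed.
        print("keys equal:", same_key(PASSWORD, good, wrong, enctype))
```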
