[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Andrew Bartlett abartlet at samba.org
Sun Jan 30 21:25:27 UTC 2022

On Fri, 2022-01-28 at 10:29 +0300, Alex via samba wrote:
> Andrew,
> Right after sending you pcaps and emails, I started to look at the
> wiki links Louis sent me yesterday, and I found that "samba-tool
> domain exportkeytab" command, so I went ahead and created a keytab
> for padl user on the DC. Then I copied that file back to vm-corp and
> tried to get new TGTs via k5start - and that worked!! And it works
> for the old 4.14 Samba! So, that's the solution - thank you all very
> much!
> However, if we could triage why the old way of generating keytab is
> not working anymore, it'd be helpful to better understand what's
> going on under the hood. See below.

It will be the salt, it isn't the same on the server as you have
specified to your tool creating the keytab.

If the account is a proper computer account in AD (compared to a normal
user that has an SPN) the salt is different, for example.

This will trip more people up as we increasingly work to deprecate RC4

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list