[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba at abisoft.biz
Mon Jan 31 11:18:05 UTC 2022


Andrew, Rowland,

>> However, if we could triage why the old way of generating keytab is
>> not working anymore, it'd be helpful to better understand what's
>> going on under the hood. See below.

> It will be the salt, it isn't the same on the server as you have
> specified to your tool creating the keytab.

> If the account is a proper computer account in AD (compared to a normal
> user that has an SPN) the salt is different, for example.

> This will trip more people up as we increasingly work to deprecate RC4
> cryptography.

I think I managed to find a source of the issue (thanks for the salt idea!). The padl user was created in 2004 and since then its password has never been updated. Today I updated its password and now creating a keytab via ktutil with AES encryption seems to work:
[root at vm-corp tmp]# ktutil
ktutil:  addent -password -p padl at ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
Password for padl at ABISOFT.BIZ:
ktutil:  wkt ./test.keytab

[root at vm-corp tmp]# klist -k ./test.keytab -e
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 padl at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)

[root at vm-corp tmp]# /usr/bin/k5start -f ./test.keytab -L -l 1d -k /tmp/krb5cc_test2 -U -o nslcd
Kerberos initialization for padl at ABISOFT.BIZ
[root at vm-corp tmp]#

Ta-da! :)

One last thing. I decided to try to use a system keytab (/etc/krb5.keytab) instead of a specially generated user keytab (like above) like Rowland advised recently, and I can't get it to work:
[root at vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
Kerberos initialization for host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ' not found in Kerberos database

Samba's log:
[2022/01/31 14:12:51.776200,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ from ipv4:172.26.200.32:54074 for krbtgt/ABISOFT.BIZ at ABISOFT.BIZ
[2022/01/31 14:12:51.779602,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ: no such entry found in hdb
[2022/01/31 14:12:51.779727,  2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ] at [Mon, 31 Jan 2022 14:12:51.779695 MSK] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:172.26.200.32:54074] mapped to [(null)]\[(null)]. local host [NULL]
  {"timestamp": "2022-01-31T14:12:51.779899+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "a2891bb833e6ef27", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:172.26.200.32:54074", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "host/vm-corp.abisoft.spb.ru at ABISOFT.BIZ", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 3855}}

So, it says there's no such entry in the AD. Let's check:
[root at vm-corp tmp]# KRB5CCNAME=/tmp/krb5cc_nslcd ldapsearch -ZZ -b "cn=vm-corp,cn=Computers,dc=abisoft,dc=biz" | grep host/vm-corp.abisoft.spb.ru
SASL/GSSAPI authentication started
SASL username: padl at ABISOFT.BIZ
SASL SSF: 0
servicePrincipalName: host/vm-corp.abisoft.spb.ru

It's there!

Could you please explain why it's not working? What's wrong?

-- 
Best regards,
Alex
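Added example (editor's illustration, not code from Alex, Andrew, Rowland or the Samba project): the "salt" explanation above is easiest to see by deriving the AES256 Kerberos key from a password with the salt AD and Samba use for a user account versus a computer account (the rules as given in MS-KILE 3.1.1.2), side by side with the default salt that ktutil/kinit use when no salt is supplied (realm plus all principal components, per RFC 4120). Assumptions: the password is constructed, the computer's sAMAccountName is taken to be VM-CORP$ (the post only shows cn=vm-corp), and the AES implementation is a minimal pure-Python one included only so the block runs with the standard library alone.

```python
"""AES256-CTS-HMAC-SHA1-96 string-to-key (RFC 3962) with the salts AD/Samba
use for user vs. computer accounts (MS-KILE 3.1.1.2), next to the default
salt MIT ktutil/kinit use when none is given (RFC 4120).  Stdlib only: AES
is a minimal pure-Python encrypt-only implementation (editor-written)."""
import hashlib

# --- salt rules (assumed from MS-KILE 3.1.1.2 / Samba's salt principal) -----

def user_salt(realm, sam_account_name):
    """User account without a userPrincipalName: uppercase REALM followed by
    sAMAccountName, case preserved.  (Accounts with a UPN set use the UPN's
    user part instead; that variant is not modelled here.)"""
    return realm.upper() + sam_account_name

def computer_salt(realm, sam_account_name):
    """Computer account: REALM + "host" + lowercase(name without '$') + "." +
    lowercase(realm).  The DNS suffix is the realm's DNS name, not the host's
    dNSHostName and not whatever hostname appears in its SPNs."""
    host = sam_account_name.rstrip("$").lower()
    return realm.upper() + "host" + host + "." + realm.lower()

def mit_default_salt(principal):
    """Default salt when none is supplied: realm followed by every name
    component of the principal, concatenated without separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))

# --- minimal AES-256 (encrypt only), just enough for the DK() step ----------

def _make_sbox():
    sbox, p, q = [0] * 256, 1, 1
    while True:                       # walk GF(2^8)* with generator 3 and 1/3
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()

def _xtime(b):
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _expand_key(key):                 # AES-256: 8 key words -> 15 round keys
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = w[i - 1][:]
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def aes256_encrypt_block(key, block):
    """Raw (ECB) AES-256 encryption of one 16-byte block."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 15):
        s = [SBOX[b] for b in s]                                # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]      # ShiftRows
        if r != 14:                                             # MixColumns
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                      a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                      _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[r])]                   # AddRoundKey
    return bytes(s)

# --- RFC 3962 string-to-key -------------------------------------------------

_NFOLD_KERBEROS = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")  # n-fold("kerberos", 128)

def aes256_string_to_key(password, salt, iterations=4096):
    """tkey = PBKDF2-HMAC-SHA1(password, salt, 4096, 32); key = DK(tkey,
    "kerberos") = E(tkey, nfold) || E(tkey, E(tkey, nfold)) for AES256."""
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)
    k1 = aes256_encrypt_block(tkey, _NFOLD_KERBEROS)
    return k1 + aes256_encrypt_block(tkey, k1)

def compare(realm, password, user, computer, spn_host):
    """Return {label: (AD salt, MIT default salt, keys_match)} for one user
    and one computer account, so the computer-account mismatch is visible."""
    out = {}
    for label, ad_salt, principal in (
            ("user", user_salt(realm, user), user + "@" + realm),
            ("computer", computer_salt(realm, computer), "host/" + spn_host + "@" + realm)):
        mit_salt = mit_default_salt(principal)
        same = aes256_string_to_key(password, ad_salt) == aes256_string_to_key(password, mit_salt)
        out[label] = (ad_salt, mit_salt, same)
    return out

if __name__ == "__main__":   # constructed password; names mirror the post
    for k, v in compare("ABISOFT.BIZ", "Constructed-Pa55w0rd", "padl",
                        "VM-CORP$", "vm-corp.abisoft.spb.ru").items():
        print(k, v)
```

For padl both salts come out as ABISOFT.BIZpadl, so ktutil's default salt yields the same key the KDC holds, which is consistent with the AES keytab working once the account actually had an AES key (AD only derives keys when a password is set, so an account last changed in 2004 has nothing but RC4 until it is reset). For the computer account the AD salt is ABISOFT.BIZhostvm-corp.abisoft.biz while the default salt for host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ is ABISOFT.BIZhostvm-corp.abisoft.spb.ru, so a keytab built that way can never match; the "not found in Kerberos database" error in the post, however, is the KDC failing to find the client entry at all, which happens before any key is compared, so this salt rule does not explain that part.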



