[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Rowland Penny rpenny at samba.org
Mon Jan 31 11:43:08 UTC 2022


On Mon, 2022-01-31 at 14:18 +0300, Alex wrote:
> Andrew, Rowland,
> 
> I think I managed to find a source of the issue (thanks for the salt
> idea!). The padl user was created in 2004 and since then its password
> has never been updated. Today I updated its password and now creating
> a keytab via ktutil with AES encryption seems to work:
> [root at vm-corp tmp]# ktutil
> ktutil:  addent -password -p padl at ABISOFT.BIZ -k 1 -e aes256-cts-hmac-sha1-96
> Password for padl at ABISOFT.BIZ:
> ktutil:  wkt ./test.keytab
> 
> [root at vm-corp tmp]# klist -k ./test.keytab -e
> Keytab name: FILE:./test.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 padl at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
> 
> [root at vm-corp tmp]# /usr/bin/k5start -f ./test.keytab -L -l 1d -k /tmp/krb5cc_test2 -U -o nslcd
> Kerberos initialization for padl at ABISOFT.BIZ
> [root at vm-corp tmp]#
> 
> Ta-da! :)
> 
> One last thing. I decided to try to use a system keytab
> (/etc/krb5.keytab) instead of a specially generated user keytab (like
> above) like Rowland advised recently, and I can't get it to work:
> [root at vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru

You could use /etc/krb5.keytab, but you would have to add the required
principal to it. I have also never run the above command; it just works
for me:

adminuser at deb11:~$ sudo klist -c /tmp/nslcd.tkt 
Ticket cache: FILE:/tmp/nslcd.tkt
Default principal: nslcd-ad at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
31/01/22 09:20:04  31/01/22 19:20:04  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
31/01/22 10:17:01  31/01/22 19:20:04  ldap/rpidc1.samdom.example.com at SAMDOM.EXAMPLE.COM

adminuser at deb11:~$ getent passwd rowland
rowland:*:10000:513:Rowland Penny::/bin/bash

Rowland
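
The thread turns on which encryption types a keytab actually holds, which is what `klist -k -e` prints. The following is an added example, not part of either message: a small parser that lists each entry's enctype and reports principals with no AES key. It assumes the MIT keytab file format version 0x0502; the `legacy-svc` principal and the all-zero keys are constructed sample data.

```python
import struct

# Kerberos enctype numbers for the AES types, as printed by klist -e.
AES_ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def read_counted(buf, off):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype number)] from a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        rec, off = data[off + 4:off + 4 + abs(size)], off + 4 + abs(size)
        if size <= 0:                  # negative size marks a deleted slot: skip it
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = read_counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(rec, p)
            comps.append(comp)
        kvno, etype, klen = struct.unpack_from(">BHH", rec, p + 8)  # after name type + timestamp
        p += 13 + klen
        if len(rec) - p >= 4:          # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries

def principals_without_aes(entries):
    """Principals whose keytab entries include no aes128/aes256 key."""
    with_aes = {name for name, _, etype in entries if etype in AES_ENCTYPES}
    return sorted({name for name, _, _ in entries} - with_aes)

def make_entry(principal, kvno, etype, key):
    """Build one constructed keytab record (sample data with a dummy key)."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + s(realm) + b"".join(map(s, name.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: one AES256 entry and one RC4-only (enctype 23) entry.
SAMPLE = (b"\x05\x02" + make_entry("nslcd-ad@SAMDOM.EXAMPLE.COM", 1, 18, bytes(32))
          + make_entry("legacy-svc@SAMDOM.EXAMPLE.COM", 3, 23, bytes(16)))
```

To check a real file, pass its bytes to `parse_keytab`, for example the contents of `/etc/krb5.keytab` read as root.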




