[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba@abisoft.biz
Mon Jan 31 11:55:41 UTC 2022


>> One last thing. I decided to try to use a system keytab
>> (/etc/krb5.keytab) instead of a specially generated user keytab (like
>> above) like Rowland advised recently, and I can't get it to work:
>> [root@vm-corp tmp]# /usr/bin/k5start -f /etc/krb5.keytab -L -l 1d -k
>> /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru

> You could use /etc/krb5.keytab, but you would have to add the required
> principal to it. I also have never run the above command, it just works
> for myself:

I forgot to list keys from the system keytab, sorry. Here they are:
[root@vm-corp tmp]# klist -k /etc/krb5.keytab -e | grep host/vm-corp.abisoft.spb.ru
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (arcfour-hmac)

So, the principal is there.

> adminuser@deb11:~$ sudo klist -c /tmp/nslcd.tkt
> Ticket cache: FILE:/tmp/nslcd.tkt
> Default principal: nslcd-ad@SAMDOM.EXAMPLE.COM

How did you obtain the ticket in the cache? I've tried to create the keytab via exportkeytab on the DC and that also doesn't work:
[root@vm-dc4 var]# samba-tool domain exportkeytab vm-corp.keytab --principal=host/vm-corp.abisoft.spb.ru
...
Export one principal to vm-corp.keytab
Unsupported keytype ignored - type 3
Unsupported keytype ignored - type 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ) with encryption type (18) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0011
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [18] for principal: host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ) with encryption type (17) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [18] for principal: host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1718: Saving entry with kvno [2] enctype [17] for principal: host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ.
../../lib/krb5_wrap/krb5_samba.c:1880: adding keytab entry for (host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ) with encryption type (23) and version (2)
[root@vm-dc4 var]# klist -k vm-corp.keytab -e
Keytab name: FILE:vm-corp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (DEPRECATED:arcfour-hmac)

[root@vm-dc4 var]# scp vm-corp.keytab vm-corp:/tmp
Password:
vm-corp.keytab                                                                                              100%  276    11.7KB/s   00:00

[root@vm-corp tmp]# /usr/bin/k5start -f ./vm-corp.keytab -L -l 1d -k /tmp/krb5cc_test -o nslcd -u host/vm-corp.abisoft.spb.ru
Kerberos initialization for host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ' not found in Kerberos database

The Samba log entry is the same:
[2022/01/31 14:54:31.830366,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ: no such entry found in hdb

Any ideas?

-- 
Best regards,
Alex
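As an added illustration (not code from this thread or from Samba), a small Python audit that parses `klist -k -e` output, reports which keys a principal has in a keytab and flags the single-DES and RC4 ones, and maps the numeric enctypes shown by exportkeytab ("type 3", "enctype=0x0012") to the names klist prints. The two sample listings are constructed copies of the keytab listings above; the number-to-name table is the standard Kerberos enctype registry.

```python
import re
# Enctype numbers from the Kerberos registry (RFC 3961/3962/4757), as they
# appear in the exportkeytab output ("type 3", "enctype=0x0012") and klist -e.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
# One `klist -k -e` entry: "   2 host/x@REALM (DEPRECATED:arcfour-hmac)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)\s*$")

def enctype_name(num):
    """Map a numeric enctype such as 0x0012 to the name klist prints."""
    return ENCTYPES.get(num, "unknown(%d)" % num)

def parse_klist(text):
    """Return (kvno, principal, enctype) for every key entry in klist output."""
    out = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def audit_keytab(text, principal):
    """Report whether a principal is present and which of its keys are weak."""
    keys = [k for k in parse_klist(text) if k[1] == principal]
    return {
        "present": bool(keys),
        "kvnos": sorted({k[0] for k in keys}),
        "weak": sorted(k[2] for k in keys if k[2] in WEAK),
        "strong": sorted(k[2] for k in keys if k[2] not in WEAK),
    }

# Constructed samples copied from the two listings in the thread:
# /etc/krb5.keytab on vm-corp, and vm-corp.keytab exported on the DC.
PRINC = "host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ"
SYSTEM_KEYTAB = """\
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-crc)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (des-cbc-md5)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (arcfour-hmac)
"""
EXPORTED_KEYTAB = """\
Keytab name: FILE:vm-corp.keytab
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   2 host/vm-corp.abisoft.spb.ru@ABISOFT.BIZ (DEPRECATED:arcfour-hmac)
"""
```

Running `audit_keytab(SYSTEM_KEYTAB, PRINC)` shows the two DES keys that exportkeytab skipped as "type 1" and "type 3"; both keytabs carry the same principal and kvno, so a missing key is not what the k5start error points at.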
