[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Alex samba at abisoft.biz
Mon Jan 31 14:05:33 UTC 2022


Rowland,

>> 
>> How did you obtain the ticket in the cache? 

> Try reading this:
> https://wiki.samba.org/index.php/Nslcd

I did read it.

> I have it working in a VM, running Debian 11
> If you are trying to add the 'host/fqdn' principal to a keytab, then
> there isn't much point, it is in the standard /etc/krb5.keytab

I don't quite understand, sorry. Here's an example of joining a fresh Centos 7 VM to the AD domain:
[root@testad ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- ABISOFT
Joined 'TESTAD' to dns domain 'abisoft.biz'

[root@testad etc]# klist -k /etc/krb5.keytab -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-md5)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
   1 host/TESTAD@ABISOFT.BIZ (arcfour-hmac)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (des-cbc-crc)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-md5)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (des-cbc-md5)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
   1 restrictedkrbhost/TESTAD@ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (des-cbc-crc)
   1 TESTAD$@ABISOFT.BIZ (des-cbc-md5)
   1 TESTAD$@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)

[root@testad ~]# /usr/bin/k5start -f /etc/krb5.keytab -l 1d -o nslcd -U -k ./krb5cc_test
Kerberos initialization for host/testad.abisoft.biz@ABISOFT.BIZ
k5start: error getting credentials: Client 'host/testad.abisoft.biz@ABISOFT.BIZ' not found in Kerberos database

Samba log:
[2022/01/31 17:02:43.178888,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- host/testad.abisoft.biz@ABISOFT.BIZ: no such entry found in hdb

[root@vm-corp tmp]# KRB5CCNAME=/tmp/krb5cc_nslcd ldapsearch -ZZ -b "cn=testad,CN=Computers,DC=abisoft,DC=biz"
dn: CN=TESTAD,CN=Computers,DC=abisoft,DC=biz
...
sAMAccountName: TESTAD$
sAMAccountType: 805306369
dNSHostName: testad.abisoft.biz
servicePrincipalName: HOST/TESTAD.abisoft.biz
servicePrincipalName: RestrictedKrbHost/TESTAD.abisoft.biz
servicePrincipalName: HOST/TESTAD
servicePrincipalName: RestrictedKrbHost/TESTAD
...

So, the entry exists in host's keytab as well as in the AD.

What's wrong here?

-- 
Best regards,
Alex
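The klist and ldapsearch output in the post show the keytab principal (host/testad.abisoft.biz) and the stored SPN (HOST/TESTAD.abisoft.biz) differing only in case. The script below is an added diagnostic, not from the thread or from Samba: it parses both outputs as shown (sample data constructed from the post), reports for each keytab principal whether an exactly matching SPN exists or only a case-insensitive one, and lists entries that still carry DES or RC4 keys.

```python
import re

# Constructed from the klist -k -e and ldapsearch output in the post (abridged).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 host/TESTAD@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
"""
LDAP_OUTPUT = """dn: CN=TESTAD,CN=Computers,DC=abisoft,DC=biz
sAMAccountName: TESTAD$
servicePrincipalName: HOST/TESTAD.abisoft.biz
servicePrincipalName: RestrictedKrbHost/TESTAD.abisoft.biz
servicePrincipalName: HOST/TESTAD
servicePrincipalName: RestrictedKrbHost/TESTAD
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
KLIST_RE = re.compile(r"^\s*\d+\s+([^@\s]+)@(\S+)\s+\((\S+)\)\s*$")

def parse_keytab(text):
    """Map each keytab principal (realm stripped) to the set of enctypes it has keys for."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(3))
    return entries

def parse_ldif(text):
    """Return (sAMAccountName, set of servicePrincipalName values) from LDIF output."""
    sam, spns = None, set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "sAMAccountName":
            sam = value.strip()
        elif key == "servicePrincipalName":
            spns.add(value.strip())
    return sam, spns

def compare(keytab, sam, spns):
    """Classify each keytab principal: exact SPN, case-only match, the account itself, or missing."""
    by_lower = {s.lower(): s for s in spns}
    report = {}
    for princ in keytab:
        if princ in spns:
            report[princ] = ("exact", princ)
        elif princ.lower() in by_lower:
            report[princ] = ("case-only", by_lower[princ.lower()])
        elif princ == sam:
            report[princ] = ("account", sam)
        else:
            report[princ] = ("missing", None)
    return report

def weak_entries(keytab):
    """Principals whose keytab entries still include DES or RC4 keys."""
    return {p: sorted(e & WEAK_ENCTYPES) for p, e in keytab.items() if e & WEAK_ENCTYPES}
```

Run against real output, "case-only" tells you the name the KDC stores differs from what the client asks for; "exact" rows are the only ones that match byte for byte.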
