[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Rowland Penny rpenny at samba.org
Mon Jan 31 14:18:34 UTC 2022


On Mon, 2022-01-31 at 17:05 +0300, Alex wrote:
> Rowland,
> 
> > > How did you obtain the ticket in the cache? 
> > Try reading this:
> > https://wiki.samba.org/index.php/Nslcd
> 
> I did read it.

Please read it again.

> 
> > I have it working in a VM, running Debian 11
> > If you are trying to add the 'host/fqdn' principal to a keytab,
> > then
> > there isn't much point, it is in the standard /etc/krb5.keytab
> 
> I don't quite understand, sorry. Here's an example of joining a fresh
> CentOS 7 VM to the AD domain:
> [root at testad ~]# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- ABISOFT
> Joined 'TESTAD' to dns domain 'abisoft.biz'
> 
> [root at testad etc]# klist -k /etc/krb5.keytab -e
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-crc)

As you can see, 'host/fqdn' is in the standard keytab.

>    1 host/TESTAD at ABISOFT.BIZ (des-cbc-crc)
>    1 host/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-md5)
>    1 host/TESTAD at ABISOFT.BIZ (des-cbc-md5)
>    1 host/testad.abisoft.biz at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    1 host/TESTAD at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    1 host/testad.abisoft.biz at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    1 host/TESTAD at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    1 host/testad.abisoft.biz at ABISOFT.BIZ (arcfour-hmac)
>    1 host/TESTAD at ABISOFT.BIZ (arcfour-hmac)
>    1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-crc)
>    1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (des-cbc-crc)
>    1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (des-cbc-md5)
>    1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (des-cbc-md5)
>    1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    1 restrictedkrbhost/testad.abisoft.biz at ABISOFT.BIZ (arcfour-hmac)
>    1 restrictedkrbhost/TESTAD at ABISOFT.BIZ (arcfour-hmac)
>    1 TESTAD$@ABISOFT.BIZ (des-cbc-crc)
>    1 TESTAD$@ABISOFT.BIZ (des-cbc-md5)
>    1 TESTAD$@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
>    1 TESTAD$@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
>    1 TESTAD$@ABISOFT.BIZ (arcfour-hmac)
> 
> [root at testad ~]# /usr/bin/k5start -f /etc/krb5.keytab -l 1d -o nslcd -U -k ./krb5cc_test

Please stop doing that. I have never run that command and nslcd works
for me; mind you, I do not use the host's ticket.

Let me try and break my test setup by trying to use the host ticket.

Rowland
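Rowland's point above is that the host/<fqdn> principal is already in the standard keytab, which can be checked from `klist -k -e` output. The script below is an added example, not code from this thread or from Samba: it parses that output, confirms the host principal is present, and flags the single-DES and RC4 keys that are also visible in Alex's listing. The sample listing is constructed, abridged from the quoted output.

```python
"""Check a `klist -k -e` listing: host/<fqdn> present? weak enctypes?"""
import re
from collections import defaultdict

# Constructed sample, abridged from the klist output quoted in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/testad.abisoft.biz@ABISOFT.BIZ (des-cbc-crc)
   1 host/TESTAD@ABISOFT.BIZ (des-cbc-crc)
   1 host/testad.abisoft.biz@ABISOFT.BIZ (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/testad.abisoft.biz@ABISOFT.BIZ (arcfour-hmac)
   1 TESTAD$@ABISOFT.BIZ (aes128-cts-hmac-sha1-96)
"""

# Single DES and RC4 are deprecated Kerberos enctypes; worth flagging.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return {principal: {(kvno, enctype), ...}} from klist -k -e output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the "Keytab name", header and separator lines do not match
            kvno, principal, enctype = m.groups()
            entries[principal].add((int(kvno), enctype))
    return dict(entries)

def has_host_principal(entries, fqdn, realm):
    """True if host/<fqdn>@<REALM> has at least one key in the keytab."""
    return f"host/{fqdn}@{realm}" in entries

def weak_keys(entries):
    """Sorted (principal, enctype) pairs that use a deprecated enctype."""
    return sorted((p, e) for p, keys in entries.items()
                  for _, e in keys if e in WEAK_ENCTYPES)

if __name__ == "__main__":
    kt = parse_klist(SAMPLE_KLIST)
    print("host principal present:",
          has_host_principal(kt, "testad.abisoft.biz", "ABISOFT.BIZ"))
    for principal, enctype in weak_keys(kt):
        print(f"weak key: {principal} ({enctype})")
```

On a real host, feed it the output of `klist -k /etc/krb5.keytab -e` instead of the constructed sample.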