[Samba] Problems runing kinit on a (wannabe) secondary DC

Lorenzo Milesi lorenzo.milesi at yetopen.com
Thu Jul 14 19:16:37 UTC 2022 

 
>> Hostname:   dc-contabo
>> DNS Domain: wdc.domain.it
>> Realm:      WDC.DOMAIN.IT
>> FQDN:       dc-contabo.wdc.domain.it
>> ipaddress:  75.119.x.y 192.168.8.1 10.8.0.1
> 
> It would be better if your DC only used one IP address.

Unfortunately it's not possible, that's why we added:
	interfaces = eth1
	bind interfaces only = yes

>> Checking file: /etc/resolv.conf
>> 
>> search wdc.domain.it
>> nameserver 127.0.0.1
> 
> Do not use 127.0.0.1, use the DC's ipaddress

fixed



>> dlz "domain.it" {
>> # For BIND 9.9.0
>> database "dlopen /usr/lib/x86_64-linux-
>> gnu/samba/bind9/dlz_bind9_10.so";
> 
> I feel sure that last line isn't correct, check your bind9 version.

You are right, Ubuntu 20 runs Bind 9.16. Fixed and ran again
samba_dnsupdate --verbose --use-samba-tool


>> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
>> 192.168.1.206 dc-lan.wdc.domain.it dclan
> 
> You should only have this DC's data in /etc/hosts , dns should supply
> everything else.

Fixed


>> # operation for /etc/resolv.conf.
>> 
>> nameserver 127.0.0.53
>> options edns0 trust-ad
>> search wdc.domain.it domain
> 
> I normally remove systemd-resolved but if it is set up correctly, it
> will work.

Removed, now it's:
nameserver 192.168.8.1
search wdc.domain.it

>> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
>> sample output:
>> Server:		127.0.0.53
>> Address:	127.0.0.53#53
> 
> It should be using the ipaddress of the first DC, until it has joined,
> then it should use its own ipaddress.

root at dc-lan:~# nslookup -type=SRV _kerberos._tcp.wdc.domain.it
Server:         192.168.8.1
Address:        192.168.8.1#53

_kerberos._tcp.wdc.domain.it  service = 0 100 88 dc-contabo.wdc.domain.it.

Is this better?


Despite of the changes, kinit still fails.
On the first DC, the kerberos auth seems to be successful:

[2022/07/14 21:11:21.070280,  3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ administrator at WDC.DOMAIN.IT from ipv4:192.168.1.206:54947 for krbtgt/WDC.DOMAIN.IT at WDC.DOMAIN.IT
[2022/07/14 21:11:21.143807,  3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 150, 149
[2022/07/14 21:11:21.144053,  3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.144143,  3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.144239,  3, pid=111396, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.457699,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ administrator at WDC.DOMAIN.IT from ipv4:192.168.1.206:46237 for krbtgt/WDC.DOMAIN.IT at WDC.DOMAIN.IT
[2022/07/14 21:11:21.464820,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2022/07/14 21:11:21.464880,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.464889,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.464970,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- administrator at WDC.DOMAIN.IT using aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.465052,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[administrator at WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 21:11:21.465035 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.206:46237] became [WORKGROUPNAME]\[Administrator] [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
  {"timestamp": "2022-07-14T21:11:21.465191+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "25e4c2f5e696d0a9", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:46237", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "administrator at WDC.DOMAIN.IT", "workstation": null, "becameAccount": "Administrator", "becameDomain": "WORKGROUPNAME", "becameSid": "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount": "Administrator", "mappedDomain": "WORKGROUPNAME", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 8034}}
[2022/07/14 21:11:21.478771,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-07-14T21:11:21 starttime: unset endtime: 2022-07-15T07:11:21 renew till: 2022-07-15T21:11:21
[2022/07/14 21:11:21.478896,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, 20, 19, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.478927,  3, pid=111405, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2022/07/14 21:11:21.544275,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ administrator at WDC.DOMAIN.IT from ipv4:192.168.1.206:34060 for krbtgt/WDC.DOMAIN.IT at WDC.DOMAIN.IT
[2022/07/14 21:11:21.556692,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2022/07/14 21:11:21.556794,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.556972,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- administrator at WDC.DOMAIN.IT
[2022/07/14 21:11:21.557093,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- administrator at WDC.DOMAIN.IT using aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.557150,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[administrator at WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 21:11:21.557135 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.206:34060] became [WORKGROUPNAME]\[Administrator] [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
  {"timestamp": "2022-07-14T21:11:21.557303+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "905d4d6e8a570428", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:34060", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "administrator at WDC.DOMAIN.IT", "workstation": null, "becameAccount": "Administrator", "becameDomain": "WORKGROUPNAME", "becameSid": "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount": "Administrator", "mappedDomain": "WORKGROUPNAME", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13429}}
[2022/07/14 21:11:21.571677,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-07-14T21:11:21 starttime: unset endtime: 2022-07-15T07:11:21 renew till: 2022-07-15T21:11:21
[2022/07/14 21:11:21.571873,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, 20, 19, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/07/14 21:11:21.571936,  3, pid=111409, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.com 
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/

Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com  | Phone +1 919-817-8106 - info.us at yetopen.com

Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary

-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.
Grazie.

Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.

More information about the samba mailing list