[Samba] Kerberos issues

Сергій Дегтярь degtyar.s at mkip.gov.ua
Wed Jun 26 11:00:03 UTC 2024


Hello Samba community!

I have a legacy system with 7 Windows VMs.
In this system, the domain user is used to run services and interact 
with individual parts.
I also have one PC on a domain from which I can run RSAT and can check 
the Zentyal webconfig.

domain controller objectVersion: 47
#samba-tool domain level show
Domain and forest function level for domain
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2


MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS), dc1.mydomain.lan, is already 
installed.
  -Samba 4.7.6-Ubuntu
  -BIND 9.11.3-1ubuntu1.17-Ubuntu
I’m not at all sure that everything is in order with this domain 
controller, but it somehow coped with its role for 5 years.
I found the following error when I did # samba-tool ldapcmp ldap://DC1 
ldap://DC2 -Uadministrator
> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl', 
> 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL', 'ntlmssp', 
> 'ntlmssp_resume_ccache',  'http_basic', 'http_ntlm'
> 'krb5', 'fake_gssapi_krb5'  registered
> Password for [MYDOMAIN\administrator]:
> Wrong username or password: kinit for administrator at MYDOMAIN.LAN failed 
> (Client not found in Kerberos database)
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed 
> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> ...
> resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
> Wrong username or password: kinit for administrator at MYDOMAIN.LAN failed 
> (Client not found in Kerberos database)
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed 
> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> ...
> 
> * Comparing [DOMAIN] context...
but ldapcmp on the BDC dc2.mydomain.lan doesn't show any errors.

And now I'm creating a BDC on Debian 12 bookworm, dc2.mydomain.lan:
  -Samba 4.17.12-Debian
  -BIND 9.18.24-1-Debian
I'm starting with this manual:
https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html
After kinit administrator failed due to an error, I tried editing 
/etc/krb5kdc/kdc.conf, but this didn't help.
I used the Kerberos client configuration file (/etc/krb5.conf) from this 
manual (dns_lookup_kdc = true):
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
I added a [realms] section to the Kerberos client configuration file and 
"kinit administrator" worked.


Today I had errors with identifiers 40970, 40960 and 8019, so I think I have 
problems with Kerberos.
So what needs to be done to remove errors and prevent machines from 
being disconnected from the domain?
Since I am planning to demote and remove DC1 due to security issues, 
what should I do to move the KDC to DC2?
I found a manual on how to set up a secondary KDC: 
https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
Is this manual suitable for use with samba?
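As an added illustration (not part of the original post, nor the Samba project's own documentation), this is what /etc/krb5.conf on a Samba AD host typically looks like when a [realms] section is spelled out next to DNS-based KDC discovery (dns_lookup_kdc = true), as the poster describes doing. The realm MYDOMAIN.LAN and the hosts dc1/dc2.mydomain.lan come from the post; the section contents themselves are an assumption, since the post does not show the actual edit.

```ini
# Added example, not the poster's real file. Realm and hostnames are taken
# from the post; the rest is a typical krb5.conf layout for a Samba AD domain.
[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_realm = false
    # With dns_lookup_kdc = true the client locates KDCs through the
    # _kerberos._tcp.mydomain.lan SRV records served by the DC's DNS.
    # The [realms] block below names the KDCs explicitly as well, so
    # kinit still finds a KDC if that SRV lookup does not resolve.
    dns_lookup_kdc = true

[realms]
    MYDOMAIN.LAN = {
        # Both DCs are listed so clients keep working while DC1 is demoted.
        kdc = dc1.mydomain.lan
        kdc = dc2.mydomain.lan
        admin_server = dc2.mydomain.lan
        default_domain = mydomain.lan
    }

[domain_realm]
    # Map hostnames in the DNS domain to the Kerberos realm.
    .mydomain.lan = MYDOMAIN.LAN
    mydomain.lan = MYDOMAIN.LAN
```

Running `dig _kerberos._tcp.mydomain.lan SRV` against the DC's DNS shows whether the record that dns_lookup_kdc depends on actually resolves.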
