[Samba] Kerberos issues
Kees van Vloten
keesvanvloten at gmail.com
Wed Jun 26 11:37:14 UTC 2024
On 26-06-2024 13:00, Сергій Дегтярь via samba wrote:
> Hello Samba community!
>
> I have an legacy system with 7 Windows VM.
> In this system, the domain user is used to run services and interact
> with individual parts.
> I also have one PC on a domain from which I can run RSAT and can check
> the Zentyal webconfig.
>
> domain controller objectVersion: 47
> #samba-tool domain level show
> Domain and forest function level for domain
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
>
> MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS) dc1.mydomain.lan already
> installed.
> -Samba 4.7.6-Ubuntu
> -BIND 9.11.3-1ubuntu1.17-Ubuntu
> I’m not at all sure that everything is in order with this domain
> controller, but it somehow coped with its role for 5 years.
> I found the following error when I did # samba-tool ldapcmp ldap://DC1
> ldap://DC2 -Uadministrator
>> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
>> GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl',
>> 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL',
>> 'ntlmssp', 'ntlmssp_resume_ccache', 'http_basic', 'http_ntlm'
>> 'krb5', 'fake_gssapi_krb5' registered
>> Password for [MYDOMAIN\administrator]:
>> Wrong username or password: kinit for administrator at MYDOMAIN.LAN
>> failed (Client not found in Kerberos database)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed
>> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
>> ...
>> resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
>> Wrong username or password: kinit for administrator at MYDOMAIN.LAN
>> failed (Client not found in Kerberos database)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed
>> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
>> ...
>>
>> * Comparing [DOMAIN] context...
> but ldapcmp on BDC dc2.mydomain.lan don't show any errors.
>
> and now i'm creating BDC on Debian 12 bookworm dc2.mydomain.lan
> -Samba 4.17.12-Debian
> -BIND 9.18.24-1-Debian
> I'm starting with this manual:
> https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html
>
> After kinit administrator failed failed due to an error, I tried
> editing /etc/krb5kdc/kdc.conf but this cant help.
> I used Kerberos client configuration file (/etc/krb5.conf) from this
> manual(dns_lookup_kdc = true)
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> added a [realms] section to the Kerberos client configuration file and
> "kinit administrator" worked.
>
>
> Today I had errors with identifiers 40970, 40960, 8019 so i think i
> have problems with kerberos.
> So what needs to be done to remove errors and prevent machines from
> being disconnected from the domain?
> Since I am planning to demote and remove DC1 due to security issues,
> what should I do to move the KDC to DC2?
> I found manual how set up a secondary KDC:
> https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
> Is this manual suitable for use with samba?
Something called a BDC is terminolgy from NT-domain, which was replaced
by Active Directory in Windows 2000.
In AD every DC runs a KDC. In principal every DC is equal except that
one holds the FSMO roles to provide backward compatibility with NT-domains.
The procedure to follow is more or less: deploy more DCs (follow the
docs on the Samba-wiki: wiki.samba.org ), then you transfer the FSMO
roles, demote the old DC and remove it from the domain.
The docs from Tranquil.it are also up-to-date and well written. It is
hard to give advice on any other docs, there are too many and lots of
them are out-dated.
- Kees.
>
>
More information about the samba
mailing list