[Samba] Kerberos issues

Kees van Vloten keesvanvloten at gmail.com
Wed Jun 26 11:37:14 UTC 2024

On 26-06-2024 13:00, Сергій Дегтярь via samba wrote:
> Hello Samba community!
> I have a legacy system with 7 Windows VMs.
> In this system, the domain user is used to run services and interact 
> with individual parts.
> I also have one PC on a domain from which I can run RSAT and can check 
> the Zentyal webconfig.
> domain controller objectVersion: 47
> #samba-tool domain level show
> Domain and forest function level for domain
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS) dc1.mydomain.lan already 
> installed.
>  -Samba 4.7.6-Ubuntu
>  -BIND 9.11.3-1ubuntu1.17-Ubuntu
> I’m not at all sure that everything is in order with this domain 
> controller, but it somehow coped with its role for 5 years.
> I found the following error when I did # samba-tool ldapcmp ldap://DC1 
> ldap://DC2 -Uadministrator
>> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
>> GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl', 
>> 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL', 
>> 'ntlmssp', 'ntlmssp_resume_ccache', 'http_basic', 'http_ntlm'
>> 'krb5', 'fake_gssapi_krb5'  registered
>> Password for [MYDOMAIN\administrator]:
>> Wrong username or password: kinit for administrator at MYDOMAIN.LAN 
>> failed (Client not found in Kerberos database)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed 
>> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
>> ...
>> resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
>> Wrong username or password: kinit for administrator at MYDOMAIN.LAN 
>> failed (Client not found in Kerberos database)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed 
>> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
>> ...
>> * Comparing [DOMAIN] context...
> but ldapcmp on BDC dc2.mydomain.lan doesn't show any errors.
> and now I'm creating BDC on Debian 12 bookworm dc2.mydomain.lan
>  -Samba 4.17.12-Debian
>  -BIND 9.18.24-1-Debian
> I'm starting with this manual:
> https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html 
> After kinit administrator failed due to an error, I tried 
> editing /etc/krb5kdc/kdc.conf but this can't help.
> I used the Kerberos client configuration file (/etc/krb5.conf) from this 
> manual (dns_lookup_kdc = true)
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
> added a [realms] section to the Kerberos client configuration file and 
> "kinit administrator" worked.
> Today I had errors with identifiers 40970, 40960, 8019 so I think I 
> have problems with Kerberos.
> So what needs to be done to remove errors and prevent machines from 
> being disconnected from the domain?
> Since I am planning to demote and remove DC1 due to security issues, 
> what should I do to move the KDC to DC2?
> I found a manual on how to set up a secondary KDC: 
> https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
> Is this manual suitable for use with samba?

Something called a BDC is terminology from NT-domain, which was replaced 
by Active Directory in Windows 2000.

In AD every DC runs a KDC. In principle every DC is equal except that 
one holds the FSMO roles to provide backward compatibility with NT-domains.

The procedure to follow is more or less: deploy more DCs (follow the 
docs on the Samba-wiki: wiki.samba.org ), then you transfer the FSMO 
roles, demote the old DC and remove it from the domain.

The docs from Tranquil.it are also up-to-date and well written. It is 
hard to give advice on any other docs, there are too many and lots of 
them are out-dated.

- Kees.
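The procedure Kees outlines (add DCs, transfer the FSMO roles, then demote the old DC) has one check worth automating before the demote step: confirm that the DC you are about to remove no longer owns any FSMO role. The script below is an added example, not code from the thread or from the Samba project. It parses the output of `samba-tool fsmo show` (the sample below is constructed in the format that command prints, with the DC and domain names taken from the thread), lists the roles each DC still holds, and prints the next command to run. The function names and the sample DNs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pre-demotion FSMO check.
# Feed it the output of `samba-tool fsmo show`; it reports which roles the
# DC to be demoted still owns and prints the next step.

# Constructed sample in the format `samba-tool fsmo show` prints.
# Two roles are still on DC1 (the DC being retired), five are on DC2.
SAMPLE_FSMO_OUTPUT='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'

# fsmo_roles_held_by DC OUTPUT
#   Print one role name per line for every role whose owner DN names DC.
#   The owner DN always contains ",CN=<dcname>,CN=Servers,", so a match on
#   ",CN=<dcname>," is enough and cannot confuse DC1 with DC10.
fsmo_roles_held_by() {
    printf '%s\n' "$2" | awk -v dc="$1" '
        / owner: / && index($0, ",CN=" dc ",") > 0 { print $1 }'
}

# fsmo_role_count OUTPUT
#   Number of role lines seen; a healthy Samba AD DC prints seven.
fsmo_role_count() {
    printf '%s\n' "$1" | grep -c ' owner: '
}

# ready_to_demote OLD_DC OUTPUT
#   Exit 0 only when OLD_DC holds no FSMO role at all.
ready_to_demote() {
    [ -z "$(fsmo_roles_held_by "$1" "$2")" ]
}

# demotion_plan OLD_DC NEW_DC OUTPUT
#   Print the next step: transfer the roles (run on NEW_DC) or demote (run on OLD_DC).
demotion_plan() {
    old="$1"; new="$2"; out="$3"
    if ready_to_demote "$old" "$out"; then
        echo "# no FSMO role is left on $old; on $old run:"
        echo "samba-tool domain demote -U administrator"
    else
        echo "# roles still on $old: $(fsmo_roles_held_by "$old" "$out" | tr '\n' ' ')"
        echo "# on $new run the transfer, then re-check with 'samba-tool fsmo show':"
        echo "samba-tool fsmo transfer --role=all -U administrator"
    fi
}

# Stand-alone run against the constructed sample (in production pipe in
# the real output: demotion_plan DC1 DC2 "$(samba-tool fsmo show)").
demotion_plan DC1 DC2 "$SAMPLE_FSMO_OUTPUT"
```

With the sample above the script reports SchemaMasterRole and PdcEmulationMasterRole still on DC1 and prints the transfer command; after the transfer has replicated, re-running it against fresh `samba-tool fsmo show` output prints the demote command instead. Checking replication health with `samba-tool drs showrepl` before the demote is still advisable, since a transfer that has not replicated to DC2 leaves the roles effectively orphaned once DC1 is gone.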

