[Samba] Kerberos issues

Rowland Penny rpenny at samba.org
Wed Jun 26 12:41:03 UTC 2024


On Wed, 26 Jun 2024 14:00:03 +0300
Сергій Дегтярь via samba <samba at lists.samba.org> wrote:

> Hello Samba community!
> 
> I have a legacy system with 7 Windows VMs.
> In this system, the domain user is used to run services and interact 
> with individual parts.
> I also have one PC on a domain from which I can run RSAT and can
> check the Zentyal webconfig.
> 
> domain controller objectVersion: 47
> #samba-tool domain level show
> Domain and forest function level for domain
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> 
> 
> MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS) dc1.mydomain.lan already 
> installed.
>   -Samba 4.7.6-Ubuntu
>   -BIND 9.11.3-1ubuntu1.17-Ubuntu

That is very old and hopelessly out of date.
 
> I’m not at all sure that everything is in order with this domain 
> controller, but it somehow coped with its role for 5 years.
> I found the following error when I did # samba-tool ldapcmp
> ldap://DC1 ldap://DC2 -Uadministrator
> > resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> > GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl', 
> > 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL',
> > 'ntlmssp', 'ntlmssp_resume_ccache',  'http_basic', 'http_ntlm'
> > 'krb5', 'fake_gssapi_krb5'  registered
> > Password for [MYDOMAIN\administrator]:
> > Wrong username or password: kinit for administrator at MYDOMAIN.LAN
> > failed (Client not found in Kerberos database)

It could just be that the Administrator password has expired, try
resetting it with samba-tool, see:

samba-tool user setpassword --help

For more info.

> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed 
> > (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> > ...
> > resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
> > Wrong username or password: kinit for administrator at MYDOMAIN.LAN
> > failed (Client not found in Kerberos database)
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed 
> > (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> > ...
> > 
> > * Comparing [DOMAIN] context...
> but ldapcmp on BDC dc2.mydomain.lan doesn't show any errors.
> 
> and now I'm creating a BDC on Debian 12 bookworm dc2.mydomain.lan
>   -Samba 4.17.12-Debian
>   -BIND 9.18.24-1-Debian
> I'm starting with this manual:
> https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html

The Tranquil IT stuff is usually pretty good.

> After kinit administrator failed due to an error, I tried
> editing /etc/krb5kdc/kdc.conf, but this can't help.

Thing is, you shouldn't have /etc/krb5kdc/kdc.conf on a Samba AD DC.
Have you installed the krb5-kdc package? If so, remove it immediately,
if not sooner.

> I used the Kerberos client configuration file (/etc/krb5.conf) from this 
> manual (dns_lookup_kdc = true)
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> added a [realms] section to the Kerberos client configuration file
> and "kinit administrator" worked.
> 
> 
> Today I had errors with identifiers 40970, 40960, 8019, so I think I
> have problems with Kerberos.
> So what needs to be done to remove errors and prevent machines from 
> being disconnected from the domain?
> Since I am planning to demote and remove DC1 due to security issues, 
> what should I do to move the KDC to DC2?
> I found a manual on how to set up a secondary KDC: 
> https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
> Is this manual suitable for use with samba?

Absolutely not. Kerberos is built into a Samba AD DC and you shouldn't
run a separate KDC, unless you have specifically built Samba to use MIT
Kerberos instead of Heimdal, in which case you are running an
experimental DC that you shouldn't use in production.

Rowland
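The two points Rowland raises (no separate MIT KDC on a Samba AD DC, and a /etc/krb5.conf laid out the way the Samba wiki describes) can be checked before the new DC is put into service. The script below is an added example written for this thread; it is not part of the original posts and not Samba's own tooling. It assumes Debian-style paths (/etc/krb5.conf, /etc/krb5kdc/kdc.conf) and dpkg for the package check; the path arguments to each function are hypothetical overrides so the checks can be run against a test file. It goes slightly beyond the thread by also querying dpkg for the krb5-kdc package, and it treats a missing [realms] entry for the default realm as a warning only, since that matches what the original poster found helped rather than anything Samba requires.

```shell
#!/bin/sh
# Kerberos pre-flight checks for a Samba AD DC.  Added example; not from
# the thread or from Samba's own tooling.  Assumptions: Debian-style
# paths and dpkg; the optional path arguments are hypothetical overrides
# used for testing against a constructed krb5.conf.

# A Samba AD DC ships its own KDC (Heimdal unless built for MIT), so a
# stray MIT kdc.conf usually means krb5-kdc was installed by mistake.
# Returns 0 if no such file exists, 1 if it does.
check_no_stray_kdc() {
    kdc_conf="${1:-/etc/krb5kdc/kdc.conf}"
    if [ -e "$kdc_conf" ]; then
        echo "WARN: $kdc_conf exists; a Samba AD DC must not run a separate KDC (remove the krb5-kdc package)" >&2
        return 1
    fi
    return 0
}

# Returns 1 if dpkg reports krb5-kdc as installed, 0 otherwise
# (also 0 on systems without dpkg, where the check does not apply).
check_kdc_package() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    if dpkg-query -W -f='${Status}\n' krb5-kdc 2>/dev/null | grep -q '^install ok installed'; then
        echo "WARN: krb5-kdc package is installed; remove it on a Samba AD DC" >&2
        return 1
    fi
    return 0
}

# Validate a client krb5.conf as the Samba wiki lays it out:
# [libdefaults] must set default_realm and dns_lookup_kdc = true so the
# KDC is located through the AD DNS SRV records.  A missing [realms]
# entry for the default realm is only a warning.  Returns 0 if the
# required settings are present, 1 otherwise.
check_krb5_conf() {
    conf="${1:-/etc/krb5.conf}"
    if [ ! -r "$conf" ]; then
        echo "ERR: cannot read $conf" >&2
        return 1
    fi
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                  # [section] header
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next
        }
        {
            eq = index($0, "="); if (eq == 0) next     # only key = value lines matter
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sect == "libdefaults" && key == "default_realm")  realm = val
            if (sect == "libdefaults" && key == "dns_lookup_kdc") dns = tolower(val)
            if (sect == "realms" && val ~ /^\{/)               realms[key] = 1
        }
        END {
            rc = 0
            if (realm == "") { print "ERR: no default_realm in [libdefaults]" > "/dev/stderr"; rc = 1 }
            if (dns != "true") { print "ERR: dns_lookup_kdc is not true in [libdefaults]" > "/dev/stderr"; rc = 1 }
            if (realm != "" && !(realm in realms))
                print "WARN: no [realms] entry for " realm " (kinit relies on DNS SRV lookups alone)" > "/dev/stderr"
            exit rc
        }
    ' "$conf"
}

# Run every check against the live system; non-zero if any of them failed.
run_checks() {
    rc=0
    check_no_stray_kdc || rc=1
    check_kdc_package  || rc=1
    check_krb5_conf    || rc=1
    return $rc
}

run_checks || echo "Kerberos pre-flight: problems found, see warnings above" >&2
```

Run it as root on the prospective DC before joining; a clean run prints nothing. Each check can also be called on its own with a path argument, which is how a candidate krb5.conf can be validated before it is copied into /etc.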