[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"

Christian Naumer christian.naumer at greyfish.net
Tue Feb 18 12:38:29 UTC 2025


Hi all,
some additional info. If I supply a CRL file in the smb.conf like this:

#tls verify peer = ca_and_name
tls crlfile = tls/root.crl.pem

And comment "tls verify peer" which then uses the default "tls verify 
peer = as_strict_as_possible"

the "gensec_gse_client_prepare_ccache" error is not logged during 
"normal" password change. However, the behaviour of "net ads 
changetrustpw" is still the same.

Any thoughts on this?

Regards

Christian


On 18.02.25 at 12:48, Christian Naumer via samba wrote:
> Hi all,
> I have been trying to use the new options "sync machine password to 
> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with 
> "client ldap sasl wrapping"
> 
> When this is set:
> 
> client ldap sasl wrapping = ldaps (or starttls)
> tls cafile = tls/ca.pem
> tls verify peer = ca_and_name
> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
> 
> 
> 
> And I do a:
> 
> net ads changetrustpw
> 
> 
> I get this:
> 
> 
> Changing password for principal: host$@DOMAIN.COM
> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access 
> ldap/dc2.domain.com failed: Preauthentication failed: 
> NT_STATUS_LOGON_FAILURE
> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned 
> Invalid credentials
> secrets_finish_password_change: Sync of machine password failed.
> Password change failed: An internal error occurred.
> 
> 
> The keytab is still updated with the new KVNO and the machine password 
> in AD is updated. However the new KVNO is appended to the keytab. There 
> are two new KVNOs in the keytab as if the password was updated twice.
> 
> 
> When I remove the ldaps/starttls options from the smb.conf I get this 
> result:
> 
> Changing password for principal: host$@DOMAIN.COM
> Password change for principal host$@DOMAIN.COM succeeded.
> 
> 
> The keytab is updated with the new KVNO and the machine password in AD 
> is updated. In the keytab there are then always 3 KVNOs the current and 
> the two previous ones.
> 
> Additional info. If I wait for the machine password to time out and 
> winbind changes the password, this "works" as far as the keytab has only 
> one additional KVNO and all other KVNOs more than the current and the 
> last two are removed. However the error
> 
> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to access 
> ldap/dc2.domain.com failed: Preauthentication failed: 
> NT_STATUS_LOGON_FAILURE
> 
> is still logged.
> 
> Should I file a bug for this? I can reproduce this also on a Debian 12 
> system.
> 
> Regards
> 
> Christian
> 
> 
> 
> 
> 
> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the 
> release this morning.
> 
> Here is the rest of the global section:
> 
> [global]
>          netbios name = HOST
>          server string = Daten
>          security = ADS
>          realm = HQ.DOMAIN.COM
>          workgroup = DOMAIN-02
>          disable netbios = yes
>          smb ports = 445
>          interfaces = eth0
>          bind interfaces only = yes
>          server min protocol = SMB2
>          client min protocol = SMB2
>          log level = 1 auth_audit:5
>          client ldap sasl wrapping = starttls
>          tls cafile = tls/ca.pem
>          tls verify peer = ca_and_name
>          logging = syslog only
>          sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>          writeable =YES
>          map acl inherit = yes
>          store dos attributes = yes
>          inherit acls = Yes
>          vfs objects = acl_xattr full_audit
>          full_audit:success = pwrite write unlinkat renameat
>          full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>          full_audit:priority = NOTICE
>          full_audit:facility = local7
>          full_audit:failure = none
>          apply group policies = yes
>          username map = /etc/samba/smbusers
> 
>          interfaces = lo eth0
>          bind interfaces only = Yes
>          ##idmap##
>          # Default idmap config used for BUILTIN and local windows 
> accounts/groups
>          idmap config *:backend = tdb
>          idmap config *:range = 1000000-2000000
> 
>          # idmap config for domain DOMAIN-02
>          idmap config DOMAIN-02:backend = ad
>          idmap config DOMAIN-02:range = 500-65555
>          idmap config DOMAIN-02:unix_nss_info = yes
>          idmap config DOMAIN-02:schema_mode = rfc2307
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = Yes
>          machine password timeout = 604800
>          winbind reconnect delay = 5
>          winbind refresh tickets = yes
>          min domain uid = 500
> 
> 
> 
> 
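As an added illustration that is not part of this thread or of Samba's own code: a small Python parser for the MIT keytab v2 on-disk format that lists, per principal, which KVNOs are present and flags duplicated (KVNO, enctype) entries and more distinct KVNOs than expected. This is the kind of check one would run against /etc/krb5.keytab after `net ads changetrustpw` or a winbind-driven password change to confirm the keytab holds the current plus the previous KVNOs and nothing appended twice. The keytab bytes, principal names, realm and KVNO values below are constructed for the example; the `build_entry` helper exists only to produce them, and the `keep=3` default (current plus two previous KVNOs) is an assumption taken from the behaviour described in the thread, not a Samba constant.

```python
"""Inspect a Kerberos keytab for duplicated or stale KVNO entries.

Added example, not Samba code. Parses the MIT keytab v2 format
(0x0502 header). To use on a real file:
    report = kvno_report(open("/etc/krb5.keytab", "rb").read())
"""
import struct
from collections import Counter, defaultdict


def _cstr(s: str) -> bytes:
    """Counted octet string: uint16 big-endian length followed by bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_entry(realm, components, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one keytab v2 entry; used only to construct the sample below."""
    body = struct.pack(">H", len(components)) + _cstr(realm)
    for c in components:
        body += _cstr(c)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                           # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                            # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                     # non-zero 32-bit vno overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, enctype


def kvno_report(data: bytes, keep: int = 3):
    """Per principal: sorted KVNOs, duplicated (kvno, enctype) pairs, and
    whether more than `keep` distinct KVNOs are present (assumed: current + 2)."""
    seen = defaultdict(Counter)
    for princ, kvno, enctype in parse_keytab(data):
        seen[princ][(kvno, enctype)] += 1
    report = {}
    for princ, counter in seen.items():
        kvnos = sorted({k for k, _ in counter})
        dups = sorted(k for k, n in counter.items() if n > 1)
        report[princ] = {"kvnos": kvnos, "duplicates": dups, "stale": len(kvnos) > keep}
    return report


# Constructed sample keytab: machine account with KVNOs 5, 6, 7 where the
# kvno 7 entry was written twice, a deleted slot for kvno 4, and one SPN.
_REALM = "HQ.DOMAIN.COM"
_AES256, _AES128 = 18, 17
_old = build_entry(_REALM, ["HOST$"], 4, _AES256, b"\x00" * 32)
_deleted = struct.pack(">i", -(len(_old) - 4)) + _old[4:]
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry(_REALM, ["HOST$"], 5, _AES256, b"\x11" * 32)
    + build_entry(_REALM, ["HOST$"], 6, _AES256, b"\x22" * 32)
    + _deleted
    + build_entry(_REALM, ["HOST$"], 7, _AES256, b"\x33" * 32)
    + build_entry(_REALM, ["HOST$"], 7, _AES256, b"\x33" * 32)
    + build_entry(_REALM, ["host", "host.hq.domain.com"], 7, _AES128, b"\x44" * 16)
)

if __name__ == "__main__":
    for princ, info in kvno_report(SAMPLE_KEYTAB).items():
        print(princ, info)
```

Run against the sample, the machine account shows KVNOs [5, 6, 7] with (7, 18) reported as duplicated, which is the signature to look for when a password change appears to have written the same version twice; the deleted slot for kvno 4 is skipped as a real keytab reader would.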