[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Sami Hulkko
sahulkko at gmail.com
Tue Feb 18 14:21:58 UTC 2025
My penny on it:
tls enabled = Yes
tls cafile = /var/lib/samba/private/tls/ca.crt
tls certfile = /var/lib/samba/private/tls/dc.crt
tls crlfile = /var/lib/samba/private/tls/pki.crl
tls dh params file = /var/lib/samba/private/tls/dh.pem
tls keyfile = /var/lib/samba/private/tls/secure/dc.key
Works and needs absolute paths.
# tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
Opting out of old ciphers is possible.
SH
On 18/02/2025 14:38, Christian Naumer via samba wrote:
> Hi all,
> some additional info. If I supply a CRL file in the smb.conf like this:
>
> #tls verify peer = ca_and_name
> tls crlfile = tls/root.crl.pem
>
> And comment "tls verify peer" which then uses the default "tls verify
> peer = as_strict_as_possible"
>
> the "gensec_gse_client_prepare_ccache" error is not logged during
> "normal" password change. However, the behaviour of "net ads
> changetrustpw" is still the same.
>
> Any thoughts on this?
>
> Regards
>
> Christian
>
>
> On 18.02.25 at 12:48, Christian Naumer via samba wrote:
>> Hi all,
>> I have been trying to use the new options "sync machine password to
>> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with
>> "client ldap sasl wrapping"
>>
>> When this is set:
>>
>> client ldap sasl wrapping = ldaps (or starttls)
>> tls cafile = tls/ca.pem
>> tls verify peer = ca_and_name
>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>
>>
>>
>> And I do a:
>>
>> net ads changetrustpw
>>
>>
>> I get this:
>>
>>
>> Changing password for principal: host$@DOMAIN.COM
>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>> access ldap/dc2.domain.com failed: Preauthentication failed:
>> NT_STATUS_LOGON_FAILURE
>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
>> Invalid credentials
>> secrets_finish_password_change: Sync of machine password failed.
>> Password change failed: An internal error occurred.
>>
>>
>> The keytab is still updated with the new KVNO and the machine
>> password in AD is updated. However the new KVNO is appended to the
>> keytab. There are two new KVNOs in the keytab as if the password was
>> updated twice.
>>
>>
>> When I remove the ldaps/starttls options from the smb.conf I get this
>> result:
>>
>> Changing password for principal: host$@DOMAIN.COM
>> Password change for principal host$@DOMAIN.COM succeeded.
>>
>>
>> The keytab is updated with the new KVNO and the machine password in
>> AD is updated. In the keytab there are then always 3 KVNOs the
>> current and the two previous ones.
>>
>> Additional info. If I wait for the machine password to time out and
>> winbind changes the password, this "works" as far as the keytab has
>> only one additional KVNO and all other KVNOs more than the current
>> and the last two are removed. However, the error
>>
>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>> access ldap/dc2.domain.com failed: Preauthentication failed:
>> NT_STATUS_LOGON_FAILURE
>>
>> is still logged.
>>
>> Should I file a bug for this? I can reproduce this also on a Debian
>> 12 system.
>>
>> Regards
>>
>> Christian
>>
>>
>>
>>
>>
>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the
>> release this morning.
>>
>> Here is the rest of the global section:
>>
>> [global]
>> netbios name = HOST
>> server string = Daten
>> security = ADS
>> realm = HQ.DOMAIN.COM
>> workgroup = DOMAIN-02
>> disable netbios = yes
>> smb ports = 445
>> interfaces = eth0
>> bind interfaces only = yes
>> server min protocol = SMB2
>> client min protocol = SMB2
>> log level = 1 auth_audit:5
>> client ldap sasl wrapping = starttls
>> tls cafile = tls/ca.pem
>> tls verify peer = ca_and_name
>> logging = syslog only
>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>> writeable = YES
>> map acl inherit = yes
>> store dos attributes = yes
>> inherit acls = Yes
>> vfs objects = acl_xattr full_audit
>> full_audit:success = pwrite write unlinkat renameat
>> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>> full_audit:priority = NOTICE
>> full_audit:facility = local7
>> full_audit:failure = none
>> apply group policies = yes
>> username map = /etc/samba/smbusers
>>
>> interfaces = lo eth0
>> bind interfaces only = Yes
>> ##idmap##
>> # Default idmap config used for BUILTIN and local windows accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 1000000-2000000
>>
>> # idmap config for domain DOMAIN-02
>> idmap config DOMAIN-02:backend = ad
>> idmap config DOMAIN-02:range = 500-65555
>> idmap config DOMAIN-02:unix_nss_info = yes
>> idmap config DOMAIN-02:schema_mode = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = Yes
>> machine password timeout = 604800
>> winbind reconnect delay = 5
>> winbind refresh tickets = yes
>> min domain uid = 500
>>
>>
>>
>>
>
>
--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com
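As an added example (not code from this thread, from Samba, or from either poster), here is a small Python audit covering the two practical points above: Sami's note that the "tls *file" options need absolute paths and that "tls priority" can drop TLS 1.0/1.1, and Christian's observation that a trust-password change with LDAPS/StartTLS wrapping leaves extra KVNOs in the keytab. It flattens smb.conf key/value lines and reads a keytab in the MIT keytab file layout (version 0x0502). The sample smb.conf text, the keytab entries and the principal names are constructed for the demonstration; the threshold of three retained KVNOs (current plus two previous) is taken from Christian's description of a clean change, not from Samba documentation.

```python
"""Added example (not Samba's code): lint smb.conf TLS file options for
relative paths and audit a keytab for principals holding excess KVNOs."""
import struct
import sys
from collections import defaultdict

# smb.conf options whose values are file paths (the ones in Sami's snippet)
TLS_FILE_KEYS = ("tls cafile", "tls certfile", "tls crlfile",
                 "tls dh params file", "tls keyfile")

def smb_conf_options(text):
    """Flatten smb.conf 'key = value' lines into a dict (comments and section
    headers skipped; later values win)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip().lower()] = value.strip()
    return opts

def relative_tls_paths(text):
    """(key, value) pairs for TLS file options that are not absolute paths."""
    opts = smb_conf_options(text)
    return [(k, opts[k]) for k in TLS_FILE_KEYS
            if k in opts and not opts[k].startswith("/")]

def tls_priority_allows_legacy(text):
    """True unless 'tls priority' explicitly removes TLS 1.0 and TLS 1.1."""
    prio = smb_conf_options(text).get("tls priority", "")
    return not ("-VERS-TLS1.0" in prio and "-VERS-TLS1.1" in prio)

def _cos(b):  # counted_octet_string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise constructed (principal, kvno, enctype, key) tuples as a
    0x0502 keytab, so the parser can be exercised without a real file."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _cos(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body   # signed entry size, then body
    return bytes(out)

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, fields = pos + 2, []       # realm first, then name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", data, pos)
            fields.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        kvno = data[pos + 8]            # 8-bit vno after name_type + timestamp
        enctype, kl = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + kl                  # past enctype, key length and key bytes
        if end - pos >= 4:              # optional 32-bit vno overrides vno8 if non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        yield "/".join(fields[1:]) + "@" + fields[0], kvno, enctype
        pos = end

def kvno_report(data):
    """Sorted distinct KVNOs per principal."""
    seen = defaultdict(set)
    for principal, kvno, _ in parse_keytab(data):
        seen[principal].add(kvno)
    return {p: sorted(v) for p, v in seen.items()}

def flag_excess_kvnos(report, keep=3):
    """Principals with more than 'keep' KVNOs; 3 = current plus the two
    previous ones the thread reports after a clean password change."""
    return {p: v for p, v in report.items() if len(v) > keep}

# Constructed samples: a relative cafile (Sami's point) and a machine account
# with four KVNOs, two appended by one change (Christian's observation).
SAMPLE_SMB_CONF = """[global]
tls cafile = tls/ca.pem
# tls crlfile = tls/root.crl.pem
tls certfile = /var/lib/samba/private/tls/dc.crt
"""
SAMPLE_ENTRIES = (
    [("HOST$@HQ.DOMAIN.COM", k, 18, bytes([k]) * 32) for k in (5, 6, 7, 8)]
    + [("host/host.hq.domain.com@HQ.DOMAIN.COM", k, 18, bytes([k]) * 32)
       for k in (6, 7, 8)])

if __name__ == "__main__":  # usage: python3 keytab_audit.py [/path/to/krb5.keytab]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_ENTRIES)
    print("relative TLS paths:", relative_tls_paths(SAMPLE_SMB_CONF),
          "| legacy TLS allowed:", tls_priority_allows_legacy(SAMPLE_SMB_CONF))
    print("principals with excess KVNOs:", flag_excess_kvnos(kvno_report(data)))
```

Run without arguments it audits the constructed samples; given the path of the real keytab named in "sync machine password to keytab" it reports which principals carry more KVNOs than the expected three, which is the quickest way to confirm the duplicate-append behaviour Christian describes after each "net ads changetrustpw". The smb.conf checks read the file text you pass in, so they can be pointed at the output of "testparm -s" as easily as at the raw file.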