[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Christian Naumer
christian.naumer at greyfish.net
Tue Feb 18 14:28:51 UTC 2025
This is from the man page of Samba:
"This path is relative to private dir if the path does not start with a /."
Having said that, this is what we have on our DCs:
tls enabled = yes
tls keyfile = tls/server_de.key
tls certfile = tls/server.pem
tls cafile = tls/ca.pem
tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
The problem is only on the member servers and only when using:
net ads changetrustpw
The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest, like the
file servers.
Have you tried "net ads changetrustpw" on a member with "sync machine
password to keytab" in the smb.conf?
Regards
Christian
On 18.02.25 at 15:21, Sami Hulkko via samba wrote:
> My penny on it:
>
> tls enabled = Yes
> tls cafile = /var/lib/samba/private/tls/ca.crt
> tls certfile = /var/lib/samba/private/tls/dc.crt
> tls crlfile = /var/lib/samba/private/tls/pki.crl
> tls dh params file = /var/lib/samba/private/tls/dh.pem
> tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>
> Works and needs absolute paths.
>
> # tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>
> Opting out of old ciphers is possible.
>
> SH
>
> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>> Hi all,
>> some additional info. If I supply a CRL file in the smb.conf like this:
>>
>> #tls verify peer = ca_and_name
>> tls crlfile = tls/root.crl.pem
>>
>> And comment "tls verify peer" which then uses the default "tls verify
>> peer = as_strict_as_possible"
>>
>> the "gensec_gse_client_prepare_ccache" error is not logged during
>> "normal" password change. However, the behaviour of "net ads
>> changetrustpw" is still the same.
>>
>> Any thoughts on this?
>>
>> Regards
>>
>> Christian
>>
>>
>> On 18.02.25 at 12:48, Christian Naumer via samba wrote:
>>> Hi all,
>>> I have been trying to use the new options "sync machine password to
>>> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with
>>> "client ldap sasl wrapping"
>>>
>>> When this is set:
>>>
>>> client ldap sasl wrapping = ldaps (or starttls)
>>> tls cafile = tls/ca.pem
>>> tls verify peer = ca_and_name
>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>
>>>
>>>
>>> And I do a:
>>>
>>> net ads changetrustpw
>>>
>>>
>>> I get this:
>>>
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>> access ldap/dc2.domain.com failed: Preauthentication failed:
>>> NT_STATUS_LOGON_FAILURE
>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
>>> Invalid credentials
>>> secrets_finish_password_change: Sync of machine password failed.
>>> Password change failed: An internal error occurred.
>>>
>>>
>>> The keytab is still updated with the new KVNO and the machine
>>> password in AD is updated. However the new KVNO is appended to the
>>> keytab. There are two new KVNOs in the keytab as if the password was
>>> updated twice.
>>>
>>>
>>> When I remove the ldaps/starttls options from the smb.conf I get this
>>> result:
>>>
>>> Changing password for principal: host$@DOMAIN.COM
>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>
>>>
>>> The keytab is updated with the new KVNO and the machine password in
>>> AD is updated. In the keytab there are then always 3 KVNOs the
>>> current and the two previous ones.
>>>
>>> Additional info. If I wait for the machine password to time out and
>>> winbind changes the password, this "works" as far as the keytab has
>>> only one additional KVNO and all other KVNOs beyond the current
>>> and the last two are removed. However the error
>>>
>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>> access ldap/dc2.domain.com failed: Preauthentication failed:
>>> NT_STATUS_LOGON_FAILURE
>>>
>>> is still logged.
>>>
>>> Should I file a bug for this? I can reproduce this also on a Debian
>>> 12 system.
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>>
>>>
>>>
>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the
>>> release this morning.
>>>
>>> Here is the rest of the global section:
>>>
>>> [global]
>>> netbios name = HOST
>>> server string = Daten
>>> security = ADS
>>> realm = HQ.DOMAIN.COM
>>> workgroup = DOMAIN-02
>>> disable netbios = yes
>>> smb ports = 445
>>> interfaces = eth0
>>> bind interfaces only = yes
>>> server min protocol = SMB2
>>> client min protocol = SMB2
>>> log level = 1 auth_audit:5
>>> client ldap sasl wrapping = starttls
>>> tls cafile = tls/ca.pem
>>> tls verify peer = ca_and_name
>>> logging = syslog only
>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>> writeable = YES
>>> map acl inherit = yes
>>> store dos attributes = yes
>>> inherit acls = Yes
>>> vfs objects = acl_xattr full_audit
>>> full_audit:success = pwrite write unlinkat renameat
>>> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>> full_audit:priority = NOTICE
>>> full_audit:facility = local7
>>> full_audit:failure = none
>>> apply group policies = yes
>>> username map = /etc/samba/smbusers
>>>
>>> interfaces = lo eth0
>>> bind interfaces only = Yes
>>> ##idmap##
>>> # Default idmap config used for BUILTIN and local windows accounts/groups
>>> idmap config *:backend = tdb
>>> idmap config *:range = 1000000-2000000
>>>
>>> # idmap config for domain DOMAIN-02
>>> idmap config DOMAIN-02:backend = ad
>>> idmap config DOMAIN-02:range = 500-65555
>>> idmap config DOMAIN-02:unix_nss_info = yes
>>> idmap config DOMAIN-02:schema_mode = rfc2307
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = Yes
>>> machine password timeout = 604800
>>> winbind reconnect delay = 5
>>> winbind refresh tickets = yes
>>> min domain uid = 500
>>>
>>>
>>>
>>>
>>
>>
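A small check for the point raised at the top of this thread (TLS file options that do not start with a / are resolved relative to private dir, and "tls verify peer" falls back to as_strict_as_possible when commented out). This is an added example, not code from the Samba project or from anyone in the thread; the smb.conf fragment is constructed from the configs quoted above and the private dir value /var/lib/samba/private is an assumption, since the real default depends on how Samba was built.

```python
import os

# Constructed smb.conf fragment modelled on the thread: the DC config uses
# relative TLS paths, the member config an absolute one, and "tls verify
# peer" is commented out exactly as in Christian's second mail.
SAMPLE_SMB_CONF = """
[global]
    tls enabled = yes
    tls keyfile = tls/server_de.key
    tls certfile = tls/server.pem
    tls cafile = tls/ca.pem
    tls crlfile = /var/lib/samba/private/tls/pki.crl
    #tls verify peer = ca_and_name
"""

# Assumed private dir; on a real host take it from testparm, not from here.
ASSUMED_PRIVATE_DIR = "/var/lib/samba/private"

TLS_FILE_OPTIONS = ("tls cafile", "tls certfile", "tls keyfile",
                    "tls crlfile", "tls dh params file")


def parse_global(text):
    """Parse 'key = value' lines, skipping blanks, comments and section headers."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def resolve_tls_paths(opts, private_dir=ASSUMED_PRIVATE_DIR):
    """Apply the man page rule: a path without a leading / is relative to private dir."""
    resolved = {}
    for opt in TLS_FILE_OPTIONS:
        if opt in opts:
            value = opts[opt]
            resolved[opt] = value if value.startswith("/") else os.path.join(private_dir, value)
    return resolved


def effective_verify_peer(opts):
    """Commented-out 'tls verify peer' means the default, as_strict_as_possible."""
    return opts.get("tls verify peer", "as_strict_as_possible")


def check_tls_files(opts, private_dir=ASSUMED_PRIVATE_DIR):
    """Map each TLS option to (resolved path, exists) so a misresolved path stands out."""
    return {opt: (path, os.path.isfile(path))
            for opt, path in resolve_tls_paths(opts, private_dir).items()}
```

On a recent Samba the real private dir can be read with `testparm -s --parameter-name='private dir'` and passed in instead of the assumed value.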