[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"

pfilipensky at samba.org pfilipensky at samba.org
Wed Feb 19 10:22:14 UTC 2025


Hi Christian,



On 2/18/25 3:28 PM, Christian Naumer via samba wrote:
> This is from the man page of Samba:
>
> "This path is relative to private dir if the path does not start with a /."
>
> Having said that, this is what we have on our DCs:
>
>
>         tls enabled  = yes
>         tls keyfile  = tls/server_de.key
>         tls certfile = tls/server.pem
>         tls cafile   = tls/ca.pem
>         tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>
> The problem is only on the member servers and only when using:
>
> net ads changetrustpw
>
>
> The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the 
> file servers.
>
> Have you tried "net ads changetrustpw" on a member with "sync machine 
> password to keytab" in the smb.conf?

Yes, "net ads changetrustpw" is part of upstream tests:

https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601


Does the issue happen also with samba 4.21.3?

Kind regards,

Pavel

>
> Regards
>
> Christian
>
> On 18.02.25 at 15:21 Sami Hulkko via samba wrote:
>> My penny on it:
>>
>>          tls enabled = Yes
>>          tls cafile = /var/lib/samba/private/tls/ca.crt
>>          tls certfile = /var/lib/samba/private/tls/dc.crt
>>          tls crlfile = /var/lib/samba/private/tls/pki.crl
>>          tls dh params file = /var/lib/samba/private/tls/dh.pem
>>          tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>>
>> Works and needs absolute paths.
>>
>> #        tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>
>> opt out old ciphers is possible.
>>
>> SH
>>
>> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>>> Hi all,
>>> some additional info. If I supply a CRL file in the smb.conf like this:
>>>
>>> #tls verify peer = ca_and_name
>>> tls crlfile = tls/root.crl.pem
>>>
>>> And comment "tls verify peer" which then uses the default "tls 
>>> verify peer = as_strict_as_possible"
>>>
>>> the "gensec_gse_client_prepare_ccache" error is not logged during 
>>> "normal" password change. However, the behaviour of "net ads 
>>> changetrustpw" is still the same.
>>>
>>> Any thoughts on this?
>>>
>>> Regards
>>>
>>> Christian
>>>
>>>
>>> On 18.02.25 at 12:48 Christian Naumer via samba wrote:
>>>> Hi all,
>>>> I have been trying to use the new options "sync machine password to 
>>>> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with 
>>>> "client ldap sasl wrapping"
>>>>
>>>> When this is set:
>>>>
>>>> client ldap sasl wrapping = ldaps (or starttls)
>>>> tls cafile = tls/ca.pem
>>>> tls verify peer = ca_and_name
>>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>
>>>> And I do a:
>>>>
>>>> net ads changetrustpw
>>>>
>>>>
>>>> I get this:
>>>>
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to 
>>>> access ldap/dc2.domain.com failed: Preauthentication failed: 
>>>> NT_STATUS_LOGON_FAILURE
>>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned 
>>>> Invalid credentials
>>>> secrets_finish_password_change: Sync of machine password failed.
>>>> Password change failed: An internal error occurred.
>>>>
>>>>
>>>> The keytab is still updated with the new KVNO and the machine 
>>>> password in AD is updated. However the new KVNO is appended to the 
>>>> keytab. There are two new KVNOs in the keytab as if the password 
>>>> was updated twice.
>>>>
>>>>
>>>> When I remove the ldaps/starttls options from the smb.conf I get 
>>>> this result:
>>>>
>>>> Changing password for principal: host$@DOMAIN.COM
>>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>>
>>>>
>>>> The keytab is updated with the new KVNO and the machine password in 
>>>> AD is updated. In the keytab there are then always 3 KVNOs the 
>>>> current and the two previous ones.
>>>>
>>>> Additional info. If I wait for the machine password to timeout and 
>>>> winbind changes the password. This "works" as far as the keytab has 
>>>> only one additional KVNO and all other KVNOs more than the current 
>>>> and the last two are removed. However the error
>>>>
>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to 
>>>> access ldap/dc2.domain.com failed: Preauthentication failed: 
>>>> NT_STATUS_LOGON_FAILURE
>>>>
>>>> is still logged.
>>>>
>>>> Should I file a bug for this? I can reproduce this also on a Debian 
>>>> 12 system.
>>>>
>>>> Regards
>>>>
>>>> Christian
>>>>
>>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the 
>>>> release this morning.
>>>>
>>>> Here is the rest of the global section:
>>>>
>>>> [global]
>>>>          netbios name = HOST
>>>>          server string = Daten
>>>>          security = ADS
>>>>          realm = HQ.DOMAIN.COM
>>>>          workgroup = DOMAIN-02
>>>>          disable netbios = yes
>>>>          smb ports = 445
>>>>          interfaces = eth0
>>>>          bind interfaces only = yes
>>>>          server min protocol = SMB2
>>>>          client min protocol = SMB2
>>>>          log level = 1 auth_audit:5
>>>>          client ldap sasl wrapping = starttls
>>>>          tls cafile = tls/ca.pem
>>>>          tls verify peer = ca_and_name
>>>>          logging = syslog only
>>>>          sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>          writeable =YES
>>>>          map acl inherit = yes
>>>>          store dos attributes = yes
>>>>          inherit acls = Yes
>>>>          vfs objects = acl_xattr full_audit
>>>>          full_audit:success = pwrite write unlinkat renameat
>>>>          full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>>>          full_audit:priority = NOTICE
>>>>          full_audit:facility = local7
>>>>          full_audit:failure = none
>>>>          apply group policies = yes
>>>>          username map = /etc/samba/smbusers
>>>>
>>>>          interfaces = lo eth0
>>>>          bind interfaces only = Yes
>>>>          ##idmap##
>>>>          # Default idmap config used for BUILTIN and local windows 
>>>> accounts/groups
>>>>          idmap config *:backend = tdb
>>>>          idmap config *:range = 1000000-2000000
>>>>
>>>>          # idmap config for domain DOMAIN-02
>>>>          idmap config DOMAIN-02:backend = ad
>>>>          idmap config DOMAIN-02:range = 500-65555
>>>>          idmap config DOMAIN-02:unix_nss_info = yes
>>>>          idmap config DOMAIN-02:schema_mode = rfc2307
>>>>          winbind enum users = yes
>>>>          winbind enum groups = yes
>>>>          winbind use default domain = Yes
>>>>          machine password timeout = 604800
>>>>          winbind reconnect delay = 5
>>>>          winbind refresh tickets = yes
>>>>          min domain uid = 500

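The keytab behaviour Christian describes in the quoted thread (two new KVNOs appended after `net ads changetrustpw` in the failing case, versus the expected current KVNO plus the two previous ones) can be verified directly on a member server instead of eyeballing `klist -kte`. The script below is an added example, not Samba project code: it parses the MIT keytab on-disk format (version 0x0502), groups entries by principal, and flags principals that hold more than three KVNOs or duplicate entries for the same KVNO and enctype. The keytab it audits by default is constructed in memory with dummy key material; pass the path of a real keytab (for instance the `/etc/krb5.keytab` from the configuration above) as the first argument to audit that instead. The retention window of three is taken from the thread; the function names `parse_keytab`, `build_keytab` and `audit_kvnos` are this example's own.

```python
"""Audit KVNO retention per principal in a Kerberos keytab (added example)."""
import struct
import sys
from collections import defaultdict

# Constructed sample: one principal inside the expected window (6,7,8), one
# with an extra KVNO (the "updated twice" symptom) and a duplicated entry.
# Enctype 18 is aes256-cts-hmac-sha1-96; keys are dummy zero bytes.
SAMPLE_ENTRIES = [
    ("host/fs1.hq.domain.com@HQ.DOMAIN.COM", 6, 18),
    ("host/fs1.hq.domain.com@HQ.DOMAIN.COM", 7, 18),
    ("host/fs1.hq.domain.com@HQ.DOMAIN.COM", 8, 18),
    ("HOST$@HQ.DOMAIN.COM", 5, 18),
    ("HOST$@HQ.DOMAIN.COM", 6, 18),
    ("HOST$@HQ.DOMAIN.COM", 7, 18),
    ("HOST$@HQ.DOMAIN.COM", 8, 18),
    ("HOST$@HQ.DOMAIN.COM", 8, 18),
]


def _read_counted(buf, pos):
    """Read a uint16-length-prefixed octet string at pos."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from raw keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        pos += 4 + 4                      # name_type, timestamp
        kvno = data[pos]                  # 8-bit kvno
        pos += 1
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                 # skip the key itself
        if end - pos >= 4:                # optional 32-bit kvno takes precedence
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries


def build_keytab(entries, keylen=16):
    """Construct a version-2 keytab in memory from (principal, kvno, enctype)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", enctype, keylen) + b"\x00" * keylen
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_kvnos(entries, keep=3):
    """Per principal: sorted kvnos, duplicated (kvno) values, and kvnos older
    than the retention window (current plus keep-1 previous, per the thread)."""
    seen = defaultdict(lambda: defaultdict(int))
    for principal, kvno, enctype in entries:
        seen[principal][(kvno, enctype)] += 1
    report = {}
    for principal, keys in seen.items():
        kvnos = sorted({k for k, _ in keys})
        report[principal] = {
            "kvnos": kvnos,
            "duplicates": sorted(k for (k, _), n in keys.items() if n > 1),
            "stale": kvnos[:-keep] if len(kvnos) > keep else [],
        }
    return report


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_ENTRIES)
    for principal, info in sorted(audit_kvnos(parse_keytab(raw)).items()):
        flag = "OK" if not (info["stale"] or info["duplicates"]) else "CHECK"
        print(f"{flag:5} {principal}: kvnos={info['kvnos']} stale={info['stale']} dup={info['duplicates']}")
```

Run on the constructed sample, `HOST$@HQ.DOMAIN.COM` is reported with KVNO 5 as stale and KVNO 8 as duplicated, while the `host/fs1` principal passes; on a real member server, a principal whose stale list keeps growing after each `net ads changetrustpw` is the symptom the thread describes, and the affected entries can be compared against `klist -kte` before deciding whether the extra KVNOs are safe to drop.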