[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Christian Naumer
christian.naumer at greyfish.net
Wed Feb 19 10:54:07 UTC 2025
Additional info again.
Also running
wbinfo --change-secret --domain=DOMAIN
causes no errors and updates the keytab as expected. It is basically
from the logs as waiting for the machine password to time out.
Regards
Christian
On 19.02.25 at 11:22, Pavel Filipenský via samba wrote:
> Hi Christian,
>
>
>
> On 2/18/25 3:28 PM, Christian Naumer via samba wrote:
>> This is from the man page of Samba:
>>
>> "This path is relative to private dir if the path does not start with
>> a /."
>>
>> Having said that, this is what we have on our DCs:
>>
>>
>> tls enabled = yes
>> tls keyfile = tls/server_de.key
>> tls certfile = tls/server.pem
>> tls cafile = tls/ca.pem
>> tls priority = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>>
>> The problem is only on the member servers and only when using:
>>
>> net ads changetrustpw
>>
>>
>> The DCs are on 4.20.7-SerNet-RedHat-7.el8. So not on the latest as the
>> file servers.
>>
>> Have you tried "net ads changetrustpw" on a member with "sync machine
>> password to keytab" in the smb.conf?
>
> Yes, "net ads changetrustpw" is part of upstream tests:
>
> https://gitlab.com/samba-team/samba/-/blob/ccc3b2b2fba7b5d223c79bffc0f655490aed19cf/source3/script/tests/test_update_keytab.sh#L601
>
>
> Does the issue happen also with samba 4.21.3?
>
> Kind regards,
>
> Pavel
>
>>
>>
>>
>> Regards
>>
>> Christian
>>
>>
>>
>>
>> On 18.02.25 at 15:21, Sami Hulkko via samba wrote:
>>> My penny on it:
>>>
>>> tls enabled = Yes
>>> tls cafile = /var/lib/samba/private/tls/ca.crt
>>> tls certfile = /var/lib/samba/private/tls/dc.crt
>>> tls crlfile = /var/lib/samba/private/tls/pki.crl
>>> tls dh params file = /var/lib/samba/private/tls/dh.pem
>>> tls keyfile = /var/lib/samba/private/tls/secure/dc.key
>>>
>>> Works and needs absolute paths.
>>>
>>> # tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
>>>
>>> Opting out of old ciphers is possible.
>>>
>>> SH
>>>
>>> On 18/02/2025 14:38, Christian Naumer via samba wrote:
>>>> Hi all,
>>>> some additional info. If I supply a CRL file in the smb.conf like this:
>>>>
>>>> #tls verify peer = ca_and_name
>>>> tls crlfile = tls/root.crl.pem
>>>>
>>>> And comment "tls verify peer" which then uses the default "tls
>>>> verify peer = as_strict_as_possible"
>>>>
>>>> the "gensec_gse_client_prepare_ccache" error is not logged during
>>>> "normal" password change. However, the behaviour of "net ads
>>>> changetrustpw" is still the same.
>>>>
>>>> Any thoughts on this?
>>>>
>>>> Regards
>>>>
>>>> Christian
>>>>
>>>>
>>>> On 18.02.25 at 12:48, Christian Naumer via samba wrote:
>>>>> Hi all,
>>>>> I have been trying to use the new options "sync machine password to
>>>>> keytab" and "client ldap sasl wrapping" in Samba 4.21 together with
>>>>> "client ldap sasl wrapping"
>>>>>
>>>>> When this is set:
>>>>>
>>>>> client ldap sasl wrapping = ldaps (or starttls)
>>>>> tls cafile = tls/ca.pem
>>>>> tls verify peer = ca_and_name
>>>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>>
>>>>>
>>>>>
>>>>> And I do a:
>>>>>
>>>>> net ads changetrustpw
>>>>>
>>>>>
>>>>> I get this:
>>>>>
>>>>>
>>>>> Changing password for principal: host$@DOMAIN.COM
>>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>>>> access ldap/dc2.domain.com failed: Preauthentication failed:
>>>>> NT_STATUS_LOGON_FAILURE
>>>>> pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned
>>>>> Invalid credentials
>>>>> secrets_finish_password_change: Sync of machine password failed.
>>>>> Password change failed: An internal error occurred.
>>>>>
>>>>>
>>>>> The keytab is still updated with the new KVNO and the machine
>>>>> password in AD is updated. However the new KVNO is appended to the
>>>>> keytab. There are two new KVNOs in the keytab as if the password
>>>>> was updated twice.
>>>>>
>>>>>
>>>>> When I remove the ldaps/starttls options from the smb.conf I get
>>>>> this result:
>>>>>
>>>>> Changing password for principal: host$@DOMAIN.COM
>>>>> Password change for principal host$@DOMAIN.COM succeeded.
>>>>>
>>>>>
>>>>> The keytab is updated with the new KVNO and the machine password in
>>>>> AD is updated. In the keytab there are then always 3 KVNOs the
>>>>> current and the two previous ones.
>>>>>
>>>>> Additional info. If I wait for the machine password to time out and
>>>>> winbind changes the password, this "works" as far as the keytab has
>>>>> only one additional KVNO and all other KVNOs more than the current
>>>>> and the last two are removed. However the error
>>>>>
>>>>> gensec_gse_client_prepare_ccache: Kinit for HOST$@DOMAIN.COM to
>>>>> access ldap/dc2.domain.com failed: Preauthentication failed:
>>>>> NT_STATUS_LOGON_FAILURE
>>>>>
>>>>> is still logged.
>>>>>
>>>>> Should I file a bug for this? I can reproduce this also on a Debian
>>>>> 12 system.
>>>>>
>>>>> Regards
>>>>>
>>>>> Christian
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Samba version is 4.21.4-SerNet-RedHat-6.el8 just updated with the
>>>>> release this morning.
>>>>>
>>>>> Here is the rest of the global section:
>>>>>
>>>>> [global]
>>>>> netbios name = HOST
>>>>> server string = Daten
>>>>> security = ADS
>>>>> realm = HQ.DOMAIN.COM
>>>>> workgroup = DOMAIN-02
>>>>> disable netbios = yes
>>>>> smb ports = 445
>>>>> interfaces = eth0
>>>>> bind interfaces only = yes
>>>>> server min protocol = SMB2
>>>>> client min protocol = SMB2
>>>>> log level = 1 auth_audit:5
>>>>> client ldap sasl wrapping = starttls
>>>>> tls cafile = tls/ca.pem
>>>>> tls verify peer = ca_and_name
>>>>> logging = syslog only
>>>>> sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
>>>>> writeable =YES
>>>>> map acl inherit = yes
>>>>> store dos attributes = yes
>>>>> inherit acls = Yes
>>>>> vfs objects = acl_xattr full_audit
>>>>> full_audit:success = pwrite write unlinkat renameat
>>>>> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>>>>> full_audit:priority = NOTICE
>>>>> full_audit:facility = local7
>>>>> full_audit:failure = none
>>>>> apply group policies = yes
>>>>> username map = /etc/samba/smbusers
>>>>>
>>>>> interfaces = lo eth0
>>>>> bind interfaces only = Yes
>>>>> ##idmap##
>>>>> # Default idmap config used for BUILTIN and local windows
>>>>> accounts/groups
>>>>> idmap config *:backend = tdb
>>>>> idmap config *:range = 1000000-2000000
>>>>>
>>>>> # idmap config for domain DOMAIN-02
>>>>> idmap config DOMAIN-02:backend = ad
>>>>> idmap config DOMAIN-02:range = 500-65555
>>>>> idmap config DOMAIN-02:unix_nss_info = yes
>>>>> idmap config DOMAIN-02:schema_mode = rfc2307
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind use default domain = Yes
>>>>> machine password timeout = 604800
>>>>> winbind reconnect delay = 5
>>>>> winbind refresh tickets = yes
>>>>> min domain uid = 500
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>
>>
>
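The thread turns on how many key versions end up in the member server's keytab after a machine password change: the reporter expects the current KVNO plus the two previous ones, and sees extra versions appended when the LDAP connection fails. The following script is an added example for checking that state on a member server; it is not Samba code and not part of the thread. It parses the binary MIT keytab format (version 0x0502) directly rather than scraping `klist` output, counts the KVNOs per principal, and flags any principal that carries more versions than a retention limit. The retention limit of 3 is taken from the reporter's observation ("always 3 KVNOs, the current and the two previous ones"); the principals, key bytes and timestamps in the sample keytab are constructed here so the script runs offline, and `load_keytab()` is the function you would point at the real `/etc/krb5.keytab`.

```python
"""Audit the key versions (KVNOs) held in an MIT-format keytab.

Added example, not from the mailing-list thread or from Samba.  It builds a
constructed keytab in memory, parses it, and reports KVNO accumulation.
"""
import struct
from collections import defaultdict

KEYTAB_VERSION = 0x0502  # MIT keytab format version 2 (big-endian)
KRB5_NT_PRINCIPAL = 1
RETAIN_KVNOS = 3         # current + two previous, as observed in the thread


def _counted(data: bytes) -> bytes:
    """Encode a keytab counted string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode(), pos + n


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one keytab entry for a principal such as 'HOST$@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", ts)
    body += struct.pack(">B", kvno & 0xFF)          # legacy 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # optional 32-bit vno
    return struct.pack(">i", len(body)) + body      # positive size = live entry


def build_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(build_entry(*e) for e in entries)


def parse_keytab(blob: bytes):
    """Yield (principal, kvno, enctype) for every live entry in the keytab."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    off = 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        entry, off = blob[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        p = 2
        realm, p = _read_counted(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(entry, p)
            comps.append(comp)
        p += 4 + 4                   # name type, timestamp
        kvno = entry[p]
        p += 1
        enctype, keylen = struct.unpack_from(">HH", entry, p)
        p += 4 + keylen
        if p + 4 <= len(entry):      # 32-bit vno present: it overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        yield "/".join(comps) + "@" + realm, kvno, enctype


def audit_kvnos(blob: bytes, keep: int = RETAIN_KVNOS):
    """Return ({principal: sorted KVNOs}, [findings]) for a keytab blob."""
    versions = defaultdict(set)
    for principal, kvno, _ in parse_keytab(blob):
        versions[principal].add(kvno)
    findings = [
        f"{p}: {len(k)} KVNOs {sorted(k)} exceed retention of {keep}"
        for p, k in versions.items() if len(k) > keep
    ]
    return {p: sorted(k) for p, k in versions.items()}, findings


def load_keytab(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample: the machine account looks healthy (3 versions), while the
# host/ SPN has accumulated five, the pattern the thread describes.
SAMPLE_ENTRIES = [("HOST$@DOMAIN.COM", v, et, bytes([v]) * 16) for v in (5, 6, 7) for et in (17, 18)]
SAMPLE_ENTRIES += [("host/fs1.domain.com@DOMAIN.COM", v, 18, bytes([v]) * 32) for v in (4, 5, 6, 7, 8)]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    versions, findings = audit_kvnos(SAMPLE_KEYTAB)
    for principal, kvnos in versions.items():
        print(f"{principal}: {kvnos}")
    for line in findings:
        print("WARNING", line)
```

Run it on a real member server with `audit_kvnos(load_keytab("/etc/krb5.keytab"))` after `net ads changetrustpw`; a principal reported above the retention limit, or a gap between the KVNO in the keytab and the one AD reports, is the condition to correlate with the `gensec_gse_client_prepare_ccache` errors in the log.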