
[Samba] Problem with keytab: "Client not found in Kerberos database"


Brian Candler via samba

Dec 19, 2016, 1:30:03 PM
I am trying to use a keytab for a client machine to authenticate to
Samba's own LDAP server.

The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2
compiled from source.

The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been
joined directly to the Samba domain ("net ads join"). I have also
extracted a keytab ("net ads keytab create -P") which created
/etc/krb5.keytab.

Now if I try to authenticate, I can get a TGT, but I can't actually
authenticate to the LDAP server:

root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b
'dc=ad,dc=example,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Client not found in Kerberos database)

root@wrn-radtest:~# cat /tmp/trace.out
[17919] 1482170475.951771: ccselect module realm chose cache
FILE:/tmp/krb5cc_0 with client principal
host/wrn-radtest.a...@AD.EXAMPLE.NET for server principal
ldap/wrn-dc1.ad....@AD.EXAMPLE.NET
[17919] 1482170475.951821: Getting credentials
host/wrn-radtest.a...@AD.EXAMPLE.NET ->
ldap/wrn-dc1.ad....@AD.EXAMPLE.NET using ccache FILE:/tmp/krb5cc_0
[17919] 1482170475.951863: Retrieving
host/wrn-radtest.a...@AD.EXAMPLE.NET ->
ldap/wrn-dc1.ad....@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with
result: -1765328243/Matching credential not found
[17919] 1482170475.951900: Retrieving
host/wrn-radtest.a...@AD.EXAMPLE.NET ->
krbtgt/AD.EXAM...@AD.EXAMPLE.NET from FILE:/tmp/krb5cc_0 with
result: 0/Success
[17919] 1482170475.951907: Starting with TGT for client realm:
host/wrn-radtest.a...@AD.EXAMPLE.NET ->
krbtgt/AD.EXAM...@AD.EXAMPLE.NET
[17919] 1482170475.951912: Requesting tickets for
ldap/wrn-dc1.ad....@AD.EXAMPLE.NET, referrals on
[17919] 1482170475.951929: Generated subkey for TGS request: rc4-hmac/5B25
[17919] 1482170475.951946: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.952023: Encoding request body and padata into FAST
request
[17919] 1482170475.952068: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.952489: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.952708: Sending initial UDP request to dgram
192.168.5.86:88
[17919] 1482170475.958164: Received answer (107 bytes) from dgram
192.168.5.86:88
[17919] 1482170475.958397: Response was not from master KDC
[17919] 1482170475.958420: TGS request result: -1765328378/Client not
found in Kerberos database
[17919] 1482170475.958429: Requesting tickets for
ldap/wrn-dc1.ad....@AD.EXAMPLE.NET, referrals off
[17919] 1482170475.958448: Generated subkey for TGS request: rc4-hmac/D306
[17919] 1482170475.958464: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[17919] 1482170475.958500: Encoding request body and padata into FAST
request
[17919] 1482170475.958537: Sending request (1794 bytes) to AD.EXAMPLE.NET
[17919] 1482170475.958782: Resolving hostname wrn-dc1.ad.example.net.
[17919] 1482170475.958937: Sending initial UDP request to dgram
192.168.5.86:88
[17919] 1482170475.963625: Received answer (107 bytes) from dgram
192.168.5.86:88
[17919] 1482170475.963784: Response was not from master KDC
[17919] 1482170475.963803: TGS request result: -1765328378/Client not
found in Kerberos database

But if I kinit with a real user, it works fine:

root@wrn-radtest:~# kinit brian

...

root@wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h
wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base
SASL/GSSAPI authentication started
SASL username: br...@AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=net> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
... etc

Any ideas what's going on, or where else I can look?

Aside: What I'm actually trying to do is to get freeradius to
authenticate using a keytab in order to do LDAP queries, which I've had
working with FreeIPA before and am now trying to replicate with Samba in
a different environment.

Thanks,

Brian.

P.S. Here are the config files from the client machine:

--- /etc/krb5.conf ---

[libdefaults]
default_realm = AD.EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true

# I added this but it didn't make a difference
[domain_realm]
.ad.example.net = AD.EXAMPLE.NET

--- /etc/samba/smb.conf ---

[global]
security = ADS
workgroup = AD
realm = AD.EXAMPLE.NET
kerberos method = secrets and keytab

log file = /var/log/samba/%m.log
log level = 1

username map = /etc/samba/user.map

winbind enum users = yes
winbind enum groups = yes
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U

imdap config AD : backend = rid
idmap config AD : range = 100000-999999

idmap config * : backend = autorid
idmap config * : range = 1000000-9999999
idmap config * : rangesize = 100000


The keytab itself looks OK to me:

root@wrn-radtest:~# net ads keytab list
Vno Type Principal
2 des-cbc-crc host/wrn-radtest.a...@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 des-cbc-crc host/wrn-r...@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-r...@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-r...@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-r...@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-r...@AD.EXAMPLE.NET
2 des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
2 des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Brian Candler via samba

Dec 19, 2016, 3:10:03 PM
And FWIW, here's the LDAP entry for the computer which was generated
when it joined:

root@wrn-dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
'(cn=wrn-radtest)'
# record 1
dn: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: wrn-radtest
instanceType: 4
whenCreated: 20161219120818.0Z
uSNCreated: 5055
name: wrn-radtest
objectGUID: db8fd9f5-4be3-4886-a459-71858010f4fa
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 515
objectSid: S-1-5-21-1073172920-2372885959-993370794-1109
accountExpires: 9223372036854775807
sAMAccountName: wrn-radtest$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=net
isCriticalSystemObject: FALSE
userAccountControl: 69632
pwdLastSet: 131266228999887560
dNSHostName: wrn-radtest.ad.example.net
servicePrincipalName: HOST/WRN-RADTEST
servicePrincipalName: HOST/wrn-radtest.ad.example.net
logonCount: 1
lastLogon: 131266508988047120
lastLogonTimestamp: 131266508988047120
whenChanged: 20161219195459.0Z
uSNChanged: 7842
distinguishedName: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net

I did a "net ads leave" and "net ads join", but it hasn't made a difference.

Regards,

Brian.
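
A check derived from the ldbsearch record above, added here as an example and not part of the original post or of Samba itself: it parses the record, decodes userAccountControl (69632 = WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD), converts the FILETIME attributes to UTC so they can be compared with whenCreated/whenChanged, and reports the principal the KDC will actually issue a TGT to (sAMAccountName@REALM) next to the servicePrincipalName values, which are only names that services accept tickets for. The record text is a constructed copy of the output above and the realm AD.EXAMPLE.NET is the one used in the thread.

```python
"""Decode the computer object shown above.

Added example, not Samba code. COMPUTER_LDIF is a constructed copy of the
ldbsearch record in the thread; the realm AD.EXAMPLE.NET is the thread's.
"""
from datetime import datetime, timezone

UAC_FLAGS = {  # userAccountControl bits, from the AD schema documentation
    0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
FILETIME_EPOCH_OFFSET = 116444736000000000   # 1601-01-01 to 1970-01-01 in 100 ns ticks

COMPUTER_LDIF = """\
dn: CN=wrn-radtest,CN=Computers,DC=ad,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: wrn-radtest
whenCreated: 20161219120818.0Z
primaryGroupID: 515
objectSid: S-1-5-21-1073172920-2372885959-993370794-1109
sAMAccountName: wrn-radtest$
sAMAccountType: 805306369
userAccountControl: 69632
pwdLastSet: 131266228999887560
dNSHostName: wrn-radtest.ad.example.net
servicePrincipalName: HOST/WRN-RADTEST
servicePrincipalName: HOST/wrn-radtest.ad.example.net
lastLogon: 131266508988047120
whenChanged: 20161219195459.0Z
"""


def parse_ldif_record(text):
    """One LDIF record as {attribute: [values]}; comments and blank lines skipped."""
    rec = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr.strip(), []).append(value.strip())
    return rec


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def filetime_to_datetime(value):
    """pwdLastSet/lastLogon are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return datetime.fromtimestamp((int(value) - FILETIME_EPOCH_OFFSET) / 10_000_000,
                                  tz=timezone.utc)


def generalized_time(value):
    """whenCreated/whenChanged use LDAP GeneralizedTime, e.g. 20161219120818.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def client_principal(rec, realm):
    """The name the KDC issues a TGT to (the NAME$@REALM entry in the keytab)."""
    return rec["sAMAccountName"][0].upper() + "@" + realm


def service_principals(rec, realm):
    """SPNs: names services accept tickets *for*; AD will not hand these a TGT."""
    return ["%s@%s" % (spn, realm) for spn in rec.get("servicePrincipalName", [])]


def summarize(rec, realm):
    created = generalized_time(rec["whenCreated"][0])
    pwd_set = filetime_to_datetime(rec["pwdLastSet"][0])
    return {
        "client_principal": client_principal(rec, realm),
        "service_principals": service_principals(rec, realm),
        "uac": decode_uac(rec["userAccountControl"][0]),
        "pwd_last_set": pwd_set.replace(microsecond=0).isoformat(),
        # the machine password is set at join time: expect it within seconds of creation
        "key_set_at_join": abs((pwd_set - created).total_seconds()) < 60,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_ldif_record(COMPUTER_LDIF), "AD.EXAMPLE.NET").items():
        print("%-20s %s" % (k, v))
```

The sAMAccountName is stored in lower case while the keytab shows it as WRN-RADTEST$; the thread confirms the upper-cased entry is the one the Samba KDC accepts, so the function upper-cases it the same way.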

L.P.H. van Belle via samba

Dec 19, 2016, 3:40:03 PM
Start by fixing the overlapping idmap config; that won't help.

Check again that the host FQDN A and PTR records exist in DNS.
Check resolv.conf.
Make sure your primary domain is listed first.

You left and rejoined the domain, so you can also try regenerating your keytab file.

Start with that.


greetz

Louis

Rowland Penny via samba

Dec 19, 2016, 4:00:03 PM
On Mon, 19 Dec 2016 21:34:08 +0100
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> start with fixing the overlapping idmap config.
> that wont help.
>
> check again if host.fqdn a and ptr exists in the dns.
> check resolv.conf
> make sure your primary domain is listed first.
>
> you left and rejoined the domain, so you can try regenerateing your
> keytab file also.
>
> start with that
>
>

No, start by using the correct thing for '*':

idmap config * : backend = tdb
idmap config * : range = 1000000-9999999


Brian Candler via samba

Dec 20, 2016, 5:20:02 AM
L.P.H. van Belle wrote:
> start with fixing the overlapping idmap config.
> that wont help.

I don't think they are overlapping: I used 100,000-999,999 for rid and
1,000,000 to 9,999,999 for autorid.

> check again if host.fqdn a and ptr exists in the dns.

# dig +short wrn-radtest.ad.example.net. a
192.168.5.83
# dig +short -x 192.168.5.83
wrn-radtest.ad.example.net.

> check resolv.conf

Points to two nearby instances of pdns recursor, which in turn forward
domains "ad.example.net" and "5.168.192.in-addr.arpa" to the Samba servers.

> make sure your primary domain is listed first.

It only has "ad.example.net" in the search section.

> you left and rejoined the domain, so you can try regenerateing your
keytab file also.

Yep, did that, no difference.

Rowland Penny wrote:

> No, start by using the correct thing for '*':
>

> idmap config * : backend = tdb
> idmap config * : range = 1000000-9999999

I wasn't aware that the default *had* to be tdb; the manpage at
https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
gives examples which don't use tdb at all, e.g.

[global]
security = ads
workgroup = CUSTOMER
realm = CUSTOMER.COM

idmap config * : backend = autorid
idmap config * : range = 1000000-1999999


Is it really wrong to use autorid for this?

Anyway: I have followed your advice, switched to tdb, left and rejoined
domain, and regenerated the keytab. The problem is still there.

While doing this I found one stupid problem which was visible in my
original post:

imdap config AD : backend = rid


Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
returning a tdb-assigned ID 1000000 instead of the RID-based ID)

But after fixing that (and net cache flush and restarting winbind),
still no joy:

root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
DNS Update for wrn-radtest.ad.example.net failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@wrn-radtest:~# rm /etc/krb5.keytab
root@wrn-radtest:~# net ads keytab create -P
root@wrn-radtest:~# kdestroy
root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -b 'dc=ad,dc=example,dc=net' -h
wrn-dc1.ad.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Client not found in Kerberos database)

root@wrn-radtest:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/wrn-radtest.a...@AD.EXAMPLE.NET

Valid starting Expires Service principal
12/20/2016 09:52:51 12/20/2016 19:52:51
krbtgt/AD.EXAM...@AD.EXAMPLE.NET
renew until 12/21/2016 09:52:51

I assume the DNS update error on re-joining is just because there was an
existing DNS entry. Indeed: if I leave the domain, remove the DNS
record, and then join again, there is no error:

root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
root@wrn-radtest:~#

But still I can't use the keytab ticket for LDAP auth.

To be honest: I think the UID mapping is a red herring. If I understand
correctly, mapping RID to unix UID is something which is local to the
client system. I can't see how it would affect our Kerberos ticket being
accepted by the LDAP server.

I will keep digging...

Thanks,

Brian.
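
A small lint for the idmap block, added here as an example (it is not Samba code; testparm is the real tool): it reads an smb.conf, flags a parameter whose name is a near miss of "idmap config" (Samba silently ignores parameters it does not recognise, which is how the "imdap" line above went unnoticed), checks that every idmap domain has a backend and a well-formed range, and reports ranges that overlap. The configs it is run on are constructed copies of the one posted in the thread, with and without the typo.

```python
"""Lint the idmap settings in an smb.conf.

Added example, not Samba code (testparm is the real tool). It catches the two
things the thread tripped over: a parameter name mistyped so that Samba never
sees it, and ID ranges that overlap. The configs below are constructed copies
of the one posted in the thread.
"""
import re
from difflib import get_close_matches

IDMAP_KEY = re.compile(r"^idmap config (?P<dom>\S+?)\s*:\s*(?P<opt>\w+)$", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: [(key, value), ...]}, keys single-spaced."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((" ".join(key.split()), value))
    return sections


def check_idmap(text):
    """Return a list of findings (empty when the idmap block looks sane)."""
    findings, domains = [], {}
    for key, value in parse_smb_conf(text).get("global", []):
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = value
            continue
        head = " ".join(key.lower().split()[:2])
        # Samba ignores parameters it does not know; a near miss of 'idmap config' is a typo.
        if head != "idmap config" and get_close_matches(head, ["idmap config"], cutoff=0.8):
            findings.append("unknown parameter '%s' (did you mean 'idmap config%s'?)"
                            % (key, key[len(head):]))
    ranges = {}
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append("idmap config %s: no backend set" % dom)
        if "range" not in opts:
            findings.append("idmap config %s: no range set" % dom)
            continue
        m = RANGE.match(opts["range"])
        if not m or int(m[1]) >= int(m[2]):
            findings.append("idmap config %s: bad range '%s'" % (dom, opts["range"]))
            continue
        ranges[dom] = (int(m[1]), int(m[2]))
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # pairwise overlap test on the parsed ranges
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("idmap ranges of %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, alo, ahi, b, blo, bhi))
    if "*" not in domains:
        findings.append("no 'idmap config *' default domain")
    return findings


# Constructed copy of the thread's smb.conf, typo included.
ORIGINAL = """\
[global]
   security = ADS
   workgroup = AD
   realm = AD.EXAMPLE.NET
   kerberos method = secrets and keytab

   imdap config AD : backend = rid
   idmap config AD : range = 100000-999999

   idmap config * : backend = autorid
   idmap config * : range = 1000000-9999999
   idmap config * : rangesize = 100000
"""
FIXED = ORIGINAL.replace("imdap", "idmap")
OVERLAPPING = FIXED.replace("1000000-9999999", "500000-9999999")

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED), ("overlapping", OVERLAPPING)):
        print(name, check_idmap(conf) or "OK")
```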

Rowland Penny via samba

Dec 20, 2016, 5:50:03 AM
On Tue, 20 Dec 2016 10:13:14 +0000
Brian Candler via samba <sa...@lists.samba.org> wrote:

> L.P.H. van Belle wrote:
>
> > check resolv.conf
>
> Points to two nearby instances of pdns recursor, which in turn
> forward domains "ad.example.net" and "5.168.192.in-addr.arpa" to the
> Samba servers.

Can I suggest you stop doing this, point your domain member at the DC
only.

>
> Rowland Penny wrote:
>
> > No, start by using the correct thing for '*':
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-9999999
>
> I wasn't aware that the default *had* to be tdb; the manpage at
> https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
> gives examples which don't use tdb at all, e.g.
>
> [global]
> security = ads
> workgroup = CUSTOMER
> realm = CUSTOMER.COM
>
> idmap config * : backend = autorid
> idmap config * : range = 1000000-1999999
>
>
> Is it really wrong to use autorid for this?

Best practice is to use 'tdb', there is no need to actually know the
IDs for any of the '*' domain users & groups. 'tdb' is known to work.

>
> Anyway: I have followed your advice, switched to tdb, left and
> rejoined domain, and regenerated the keytab. The problem is still
> there.

When you join the domain with 'kerberos method = secrets and keytab',
you should get a keytab created without having to manually create it.

>
> While doing this I found one stupid problem which was visible in my
> original post:
>
> imdap config AD : backend = rid
>
>
> Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
> returning a tdb-assigned ID 1000000 instead of the RID-based ID)
>
> But after fixing that (and net cache flush and restarting winbind),
> still no joy:

How did you 'fix' this, on face value, there is nothing wrong with that
line.

Rowland

Brian Candler via samba

Dec 20, 2016, 6:00:03 AM
I finally found it, thanks to a clue from
https://wiki.archlinux.org/index.php/Active_Directory_Integration

This works:

kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'

These don't work:

kinit -k -t /etc/krb5.keytab
kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
kinit -k -t /etc/krb5.keytab host/wrn-radtest

That is: the keytab contains three different principals:

root@wrn-radtest:~# net ads keytab list
Vno Type Principal
2 des-cbc-crc host/wrn-radtest.a...@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-radtest.a...@AD.EXAMPLE.NET
2 des-cbc-crc host/wrn-r...@AD.EXAMPLE.NET
2 des-cbc-md5 host/wrn-r...@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 host/wrn-r...@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 host/wrn-r...@AD.EXAMPLE.NET
2 arcfour-hmac-md5 host/wrn-r...@AD.EXAMPLE.NET
2 des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
2 des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
2 arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET

I can get a TGT for any of them, and by default kinit chooses the
first. But the LDAP server won't talk to me unless I choose the
'WRN-RADTEST$' principal.

Now I just need to work out how to get freeradius to choose the right
principal - but at worst I should be able to make a new keytab which
doesn't have the other two.

Regards,

L.P.H. van Belle via samba

Dec 20, 2016, 6:30:02 AM
Hi,

Maybe something like this in freeradius, but I'm not 100% sure here.
I'm also working on my freeradius skills here, it's hard.. :-/ (for me..)

I used this site:
http://deployingradius.com/documents/configuration/active_directory.html
for the basics and to start with a working set.
Now I'm trying to get rid of ntlm_auth and switch to ldaps or kerberos.

This is what I found; I don't know if that's exactly what you're looking for.

( module )
krb5 {
keytab = /etc/freeradius/keytab
service_principal = radius/radius.example.com
}
authenticate {
Auth-Type PAP {
krb5
}
Auth-Type Kerberos {
krb5
}
}


For my squid server I needed the correct SPN also.
For that I've added these to the environment file to load.

KRB5_KTNAME=/etc/squid/keytab.PROXY
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

And the SPN which squid needs (the only one) is in keytab.PROXY.
The CA root cert is merged into /etc/ssl/certs/ca-certificates.crt to make sure my ldaps works OK.

I hope this helps you a bit.
And if you get it working it would be very nice to post it here for when I'm working on freeradius again.

;-)

Greetz,

Louis


> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Brian Candler via
> samba
> Sent: Tuesday, 20 December 2016 11:57
> To: samba
> Subject: Re: [Samba] Problem with keytab: "Client not found in Kerberos
> database"
>

> I finally found it, thanks to a clue from
> https://wiki.archlinux.org/index.php/Active_Directory_Integration
>
> This works:
>
> kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'
>
> These don't work:
>
> kinit -k -t /etc/krb5.keytab
> kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
> kinit -k -t /etc/krb5.keytab host/wrn-radtest
>
> That is: the keytab contains three different principals:
>
> root@wrn-radtest:~# net ads keytab list
> Vno Type Principal
> 2 des-cbc-crc host/wrn-radtest.a...@AD.EXAMPLE.NET
> 2 des-cbc-md5 host/wrn-radtest.a...@AD.EXAMPLE.NET
> 2 aes128-cts-hmac-sha1-96 host/wrn-radtest.ad....@AD.EXAMPLE.NET
> 2 aes256-cts-hmac-sha1-96 host/wrn-radtest.ad....@AD.EXAMPLE.NET

Brian Candler via samba

Dec 20, 2016, 9:00:02 AM
Rowland Perry wrote:
> > imdap config AD : backend = rid
>
> How did you 'fix' this, on face value, there is nothing wrong with that line.


"imdap" is not "idmap"

(so now you understand why I missed it after staring at it so long :-)


> When you join the domain with 'kerberos method = secrets and keytab',
> you should get a keytab created without having to manually create it.

Ah cool, yes that does happen now.

L.P.H. van Belle wrote:

> This is what i found, dont know if thats exact what your looking for.
>
> ( module )
> krb5 {
> keytab = /etc/freeradius/keytab
> service_principal = radius/radius.example.com
> }


I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
authentication. The krb5 module requires a cleartext password, but
MSCHAP does not pass a cleartext password. (It is possible to use krb5
authentication with TTLS+PAP or TTLS+GTC, both of which send a cleartext
password)

However, I'm not actually at that point yet. First I'm configuring
freeradius to do the LDAP query. To do this I'm setting environment
variables:

KRB5_CLIENT_KTNAME=/etc/krb5.keytab
KRB5CCNAME=MEMORY:

Using KRB5_CLIENT_KTNAME means that the Kerberos library will
automatically fetch and renew ticket when required. And I'm telling it
to use the in-process MEMORY cache to hold those tickets.

Aside: there is a nasty failure mode if you don't do it like this.
Suppose you type "kinit" to get a ticket, then start your radius server.
Everything appears to work fine, since radius uses the ticket you
generated. But then it stops working 12 hours later when the ticket
expires :-(

(Incidentally, this is all stuff I have working with FreeIPA; I'm trying
to port these working configs over to a Samba environment)

So, back to the situation I'm in, where /etc/krb5.keytab has three
principals, but the first two don't work for authenticating the RADIUS
server to the LDAP server to do LDAP queries.

POSSIBLE CAUSE: I found the following:
http://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial

/"Active Directory does not typically allow you to authenticate as a
service principal (specifically, does not let it acquire a TGT via an
AS_REQ); in theory, service principals are supposed to be for accepting
user credentials, not for authenticating to your kerberos realm.//
//
//This is different from Unix KDCs, which typically do not distinguish
between "service principals" and "user principals" by default, allowing
either to authenticate via kinit"//
//
/This doesn't mention *host* principals as such, but it seems likely
that host/foo@realm and service/foo@realm are both not allowed to
authenticate to Active Directory.

And here:
http://community.centrify.com/t5/Centrify-Express/Kerberos-Client-not-found-in-Kerberos-database/td-p/20591

This also says you must kinit as '<computername>$'


WORKAROUND: I couldn't get freeradius to select a principal to use for
authentication, so instead I used ktutil to generate a keytab containing
only the 'WRN-RADTEST$' principal.

rkt /etc/krb5.keytab
delent 1 # repeat this 10 times
wkt /etc/radius.keytab

and chown'd this file so the radius server can access it. This now
works, yay! - freeradius can establish a connection to the LDAP server.
However:


(1) Does Samba change the host kerberos key periodically?

If it does, I'll need to automate the updating of the radius keytab as
well. Unfortunately ktutil is not well suited to this role, unless you
are happy to type commands 'blind' to delete the first 10 entries (ugh)

(2) Can "net ads keytab create" be told to extract just a single named
principal? That would simplify things. But I can't see how to.

As usual... clues gratefully received.
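
Added example, not code from the thread, from Samba or from MIT Kerberos: a parser and writer for the MIT keytab format (version 0x0502) that reproduces what "net ads keytab list" shows, picks the principal that "kinit -k" takes by default (the first entry), picks the NAME$@REALM machine-account entry that AD will actually issue a TGT to, and writes a keytab containing only that principal, which is what the ktutil rkt/delent/wkt sequence above produces by hand and what question (2) asks for. The sample keytab is constructed in code to mirror the listing in the thread; the key bytes are dummies.

```python
"""Parse, inspect and filter MIT-format keytabs (version 0x0502).

Added example, not Samba or MIT code. The sample keytab is constructed in code
to mirror the 'net ads keytab list' output in the thread; keys are dummies.
"""
import struct

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
KRB5_NT_PRINCIPAL = 1


def _octets(buf, off):
    """Counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _counted(s):
    s = s.encode()
    return struct.pack(">H", len(s)) + s


def parse_keytab(data):
    """Return keytab entries in file order as dicts (principal, etype, kvno, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # deleted slot, as left behind by ktutil 'delent'
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:               # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "etype": etype, "kvno": kvno, "key": key,
                        "name_type": name_type, "timestamp": timestamp})
    return entries


def build_keytab(entries):
    """Serialise entries (same dict shape parse_keytab returns) to keytab bytes."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm)
        body += b"".join(_counted(c) for c in comps)
        body += struct.pack(">IIB", e.get("name_type", KRB5_NT_PRINCIPAL),
                            e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["etype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def list_keytab(data):
    """What 'net ads keytab list' / 'klist -k' show: (kvno, etype name, principal)."""
    return [(e["kvno"], ETYPE_NAMES.get(e["etype"], str(e["etype"])), e["principal"])
            for e in parse_keytab(data)]


def default_kinit_principal(data):
    """'kinit -k -t FILE' with no principal takes the keytab's first entry."""
    return parse_keytab(data)[0]["principal"]


def machine_account_principal(data):
    """The NAME$@REALM entry: the one AD will issue a TGT to via AS-REQ."""
    names = {e["principal"] for e in parse_keytab(data)}
    cands = sorted(n for n in names if n.split("@", 1)[0].endswith("$"))
    if len(cands) != 1:
        raise LookupError("expected one NAME$@REALM principal, found %r" % (cands,))
    return cands[0]


def filter_keytab(data, principal):
    """Keytab holding only `principal` (what the ktutil rkt/delent/wkt sequence produces)."""
    keep = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not keep:
        raise LookupError("%s not in keytab" % principal)
    return build_keytab(keep)


REALM = "AD.EXAMPLE.NET"
SAMPLE_KEYTAB = build_keytab([                           # constructed, dummy keys
    {"principal": "%s@%s" % (p, REALM), "etype": et, "kvno": 2, "key": bytes([et]) * klen}
    for p in ("host/wrn-radtest.ad.example.net", "host/wrn-radtest", "WRN-RADTEST$")
    for et, klen in ((17, 16), (18, 32), (23, 16))
])

if __name__ == "__main__":
    for kvno, et, princ in list_keytab(SAMPLE_KEYTAB):
        print(kvno, et, princ)
    target = machine_account_principal(SAMPLE_KEYTAB)
    print("default kinit principal:", default_kinit_principal(SAMPLE_KEYTAB))
    print("use instead: kinit -k -t /etc/krb5.keytab '%s'" % target.split("@")[0])
    with open("radius.keytab", "wb") as f:              # single-principal keytab for the service
        f.write(filter_keytab(SAMPLE_KEYTAB, target))
```

Because the machine password is rotated by the domain member (question (1) above), whatever regenerates /etc/krb5.keytab should be followed by filter_keytab over the new file rather than by an interactive ktutil session; the function keeps the kvno of each entry, so a keytab rebuilt after a rotation carries the new key version.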

Rowland Penny via samba

Dec 20, 2016, 9:20:03 AM
On Tue, 20 Dec 2016 13:50:40 +0000

Brian Candler via samba <sa...@lists.samba.org> wrote:

> Rowland Perry wrote:
> > >/imdap config AD : backend = rid /> >/ > /> How did you 'fix'
> > >this, on face value, there is nothing wrong with that line.
>
>
> "imdap" is not "idmap"
>
> (so now you understand why I missed it after staring at it so long :-)

Oh yes ;-)

> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
> authentication. The krb5 module requires a cleartext password, but
> MSCHAP does not pass a cleartext password. (It is possible to use
> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
> cleartext password)

You might want to read this:

https://www.samba.org/samba/history/samba-4.5.0.html

Rowland

L.P.H. van Belle via samba

Dec 20, 2016, 9:40:03 AM
(Off-topic for samba.)

About the "POSSIBLE CAUSE: I found the following..." part:
That's exactly why my squid kerberos group didn't work.

I manually added this where it was needed.

...

A PROGRAM "logs in" to Windows Active Directory or a Unix KDC as user <SERVICE/<fqdn-hostname>@REALM>.
(Beware: SERVICE must match what your program needs.)
Squid needs HTTP/SPN
Zarafa needs http/SPN

It requires Active Directory to have the attribute userPrincipalName set to
<SERVICE/<fqdn-hostname>@REALM> for the associated account.
This is usually done by using msktutil.
But this is not done by samba-tool.

So you need to add this manually.


Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Brian Candler via
> samba
> Sent: Tuesday, 20 December 2016 14:51
> To: samba
> Subject: Re: [Samba] Problem with keytab: "Client not found in Kerberos
> database"

Achim Gottinger via samba

Dec 20, 2016, 8:00:03 PM

Am 20.12.2016 um 14:50 schrieb Brian Candler via samba:
> (2) Can "net ads keytab create" be told to extract just a single named
> principal? That would simplify things. But I can't see how to.
>
> As usual... clues gratefully received.

samba-tool domain exportkeytab [keytabfile] --principal=[SPN or UPN]

In your case

samba-tool domain exportkeytab /etc/krb5.keytab --principal=WRN-RADTEST$

Brian Candler via samba

Dec 21, 2016, 10:30:03 AM
On 20/12/2016 14:10, Rowland Penny wrote:
>> I can't use rlm_krb5, because I plan to use PEAP+MSCHAP for wifi
>> authentication. The krb5 module requires a cleartext password, but
>> MSCHAP does not pass a cleartext password. (It is possible to use
>> krb5 authentication with TTLS+PAP or TTLS+GTC, both of which send a
>> cleartext password)
> You might want to read this:
>
> https://www.samba.org/samba/history/samba-4.5.0.html

I'm not sure which section you mean is relevant. Maybe this:

"When doing a PKINIT based Kerberos logon the KDC adds the
required PAC_CREDENTIAL_INFO element to the authorization data.
That means the NTHASH is shared between the PKINIT based client and
the domain controller, which allows the client to do NTLM based
authentication on behalf of the user."

That sounds cool, but I can already use ntlm_auth to validate the MSCHAP
passwords. Modifying FreeRADIUS to be able to do this via Kerberos
doesn't gain me much.

The other thing which I'd already noticed was the server-side storage of
GPG-encrypted plaintext passwords. It doesn't make a difference to
MSCHAP, but it'll be useful if I end up using an auth method which
requires the server to have the cleartext password (e.g. EAP-PWD)

Cheers,

Brian.

Brian Candler via samba

Dec 21, 2016, 10:50:03 AM
On 21/12/2016 00:54, Achim Gottinger wrote:
>
>
> Am 20.12.2016 um 14:50 schrieb Brian Candler via samba:
>> (2) Can "net ads keytab create" be told to extract just a single
>> named principal? That would simplify things. But I can't see how to.
>>
>> As usual... clues gratefully received.
> samba-tool domain exportkeytab [keytabfile] --principal=[SPN or UPN]
>
> In your case
>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=WRN-RADTEST$

Thank you, that looks promising.

Am I supposed to be able to run this on the host itself? Because if I
try, I get an error:

root@wrn-radtest:~# samba-tool domain exportkeytab /etc/misc.keytab
--principal='WRN-RADTEST$'
Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for
a base search
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
samba_kdc_setup_db_ctx: Cannot determine if we are an RODC in KDC
backend: operations error at ../source4/dsdb/common/util.c:3385
ERROR(runtime): uncaught exception - Invalid argument
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
117, in run
net.export_keytab(keytab=keytab, principal=principal)

Adding '-P' option (to authenticate using machine credentials) doesn't
make any difference.

But it *does* work on the domain controller itself:

root@wrn-dc1:~# samba-tool domain exportkeytab /etc/misc.keytab
--principal='WRN-RADTEST$'
Export one principal to /etc/misc.keytab
root@wrn-dc1:~# ktutil
ktutil: rkt /etc/misc.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 WRN-RADTEST$@AD.EXAMPLE.NET
2 2 WRN-RADTEST$@AD.EXAMPLE.NET
3 2 WRN-RADTEST$@AD.EXAMPLE.NET
4 2 WRN-RADTEST$@AD.EXAMPLE.NET
5 2 WRN-RADTEST$@AD.EXAMPLE.NET
ktutil:

Unfortunately, doing it that way I would have to copy the keytab
manually (and securely) to where it's needed.

Thanks again,

Brian.

Rowland Penny via samba

Dec 21, 2016, 11:40:03 AM

No, I meant the info at the top that now states that MSCHAP probably
wont work without modifying smb.conf.

Rowland

Brian Candler via samba

Dec 22, 2016, 6:20:03 AM
> No, I meant the info at the top that now states that MSCHAP probably
> wont work without modifying smb.conf.

Thank you. You will have saved me a ton of head scratching :-)
