
[Samba] samba4 : [kerberos part kinit work but no kpasswd


MARTIN boris
May 9, 2014, 4:10:02 AM

Hi,

I have recently installed a Samba 4 in a DC role.

The distribution is Debian jessie/sid; the version of Samba is 4.1.7.

The server is globally working but there is some little trouble.

On the server itself, I can do a kinit without problem, but if I try a kpasswd, I obtain the following:

root@station:/var/log/samba# kinit
Password for admini...@TOTO.FR:

root@station:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@TOTO.FR

Valid starting       Expires              Service principal
09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOT...@TOTO.FR
    renew until 10/05/2014 09:23:38

root@station:/var/log/samba# kpasswd

[10 sec later ....]

kpasswd: Cannot contact any KDC for requested realm getting initial ticket

The smb.conf file is the following:

[global]
        workgroup = TOTO
        realm = TOTO.FR
        netbios name = station
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 129.20.128.39
        allow dns updates = nonsecure
#       winbind rpc only = yes
        log level = 4
        ntp signd socket directory = /var/lib/samba/ntp_signd
[netlogon]
        path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[demo]
        path = /share/demo
        read only = no

 

and the krb5.conf is the following :

 

[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5

        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }
...

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .toto.fr = TOTO.FR

[login]
        krb4_convert = true
        krb4_get_tickets = false

The tcpdump for a failed attempt of kpasswd gives the following:

client -> station: Kerberos AS-REQ
    MSG Type: AS-REQ (10)
    Server Name (principal): kadmin/changepw
    Encryption type: rc4-hmac

station -> client: BER Error: Empty choice was found ...

And the log on the server side gives:

Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.

So my questions are:

- Is there any way for me to know what kind of encoding Samba 4 / Kerberos expects on the server side?

- Where are the credentials for all the users stored on the server side? Are they stored in the LDAP part of Samba 4?

- Does anyone see what I can do to fix this mess?

Best regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
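An added example, not code from the thread or from Samba, MIT or Heimdal: a small Python checker for the krb5.conf format posted above. It parses the INI-with-braces layout and reports, for the default realm, where kinit will look for the KDC and where kpasswd will look for the password server: an explicit stanza in [realms], or otherwise the DNS SRV records (_kerberos._udp and _kpasswd._udp under the realm name) that the client libraries query when dns_lookup_kdc is true, which is also the MIT default. The embedded config is a constructed, shortened copy of the posted one. As posted, [realms] carries a stanza for IETR.UNIV-RENNES1.FR but none for the default realm TOTO.FR, so the password server for TOTO.FR is found through DNS or not at all; the checker makes that visible, and the last check in the lead-in's test swaps the stanza name to show the difference.

```python
"""krb5.conf realm-resolution check (added example, not from the thread)."""
import re

# Constructed sample: a shortened copy of the krb5.conf posted above,
# keeping only the keys that decide how a realm is resolved.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true
        v4_name_convert = {
                host = {
                        rcmd = host
                }
        }

[realms]
        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr
        }

[domain_realm]
        .toto.fr = TOTO.FR
"""

SECTION = re.compile(r'^\[(\S+)\]$')


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'key = { ... }' blocks become nested dicts."""
    sections = {}
    current = None        # dict of the [section] being filled
    stack = []            # open '{' blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # blank or comment line
            continue
        m = SECTION.match(line)
        if m and not stack:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:                      # key before any [section]
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else current
        if value == '{':
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    return sections


def is_true(value, default):
    return default if value is None else value.lower() in ('true', 'yes', '1')


def realm_lookup_plan(conf):
    """How the default realm's KDC and password server will be located."""
    libdefaults = conf.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    stanza = conf.get('realms', {}).get(realm, {})
    dns = is_true(libdefaults.get('dns_lookup_kdc'), default=True)   # MIT default
    return {
        'realm': realm,
        'explicit_entry': bool(stanza),
        # kinit: 'kdc =' from the stanza, else the _kerberos SRV record
        'kdc': stanza.get('kdc') or (f'DNS SRV _kerberos._udp.{realm}' if dns else None),
        # kpasswd: kpasswd_server, then admin_server, else the _kpasswd SRV record
        'kpasswd': (stanza.get('kpasswd_server') or stanza.get('admin_server')
                    or (f'DNS SRV _kpasswd._udp.{realm}' if dns else None)),
    }


def check_krb5_conf(text):
    """Human-readable findings about realm resolution in a krb5.conf."""
    conf = parse_krb5_conf(text)
    realm = conf.get('libdefaults', {}).get('default_realm')
    if realm is None:
        return ['no default_realm in [libdefaults]']
    plan = realm_lookup_plan(conf)
    findings = []
    if not plan['explicit_entry']:
        if plan['kdc'] is None:
            findings.append(f'{realm}: no [realms] stanza and dns_lookup_kdc is off; '
                            'neither KDC nor password server can be located')
        else:
            findings.append(f'{realm}: no [realms] stanza; KDC via {plan["kdc"]}, '
                            f'password server via {plan["kpasswd"]}')
    # A stanza that is neither the default realm nor the target of a
    # [domain_realm] mapping is only reached by naming that realm explicitly.
    mapped = set(conf.get('domain_realm', {}).values())
    for name in conf.get('realms', {}):
        if name != realm and name not in mapped:
            findings.append(f'{name}: [realms] stanza is not the default realm and has '
                            'no [domain_realm] mapping pointing at it')
    return findings


if __name__ == '__main__':
    for finding in check_krb5_conf(SAMPLE_KRB5_CONF):
        print(finding)
```

When the checker reports that the password server is found via DNS, the next thing to verify on the client is that the SRV record actually resolves through the nameserver in /etc/resolv.conf, for example with `host -t SRV _kpasswd._udp.TOTO.FR`; a Samba AD DC publishes that record in its own zone.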

Rowland Penny
May 9, 2014, 4:30:02 AM

This sort of works for me, but all I have in /etc/krb5.conf is this:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

root@dc1:~# kinit
kinit: Client 'ro...@EXAMPLE.COM' not found in Kerberos database while
getting initial credentials
root@dc1:~# kinit Administrator
Password for Admini...@EXAMPLE.COM:
root@dc1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Admini...@EXAMPLE.COM

Valid starting Expires Service principal
09/05/14 09:06:40 09/05/14 19:06:40 krbtgt/EXAMP...@EXAMPLE.COM
renew until 10/05/14 09:06:33
root@dc1:~# kpasswd
Password for Admini...@EXAMPLE.COM:
Enter new password:
Enter it again:
Password change rejected: Try a more complex password, or contact your
administrator.

NOTE: I deliberately used a non complex password.

What do you have in /etc/resolv.conf? Is the nameserver line set to
either your Samba 4's IP address or 127.0.0.1?

Rowland

MARTIN boris
May 9, 2014, 7:50:02 AM


The resolv.conf has the IP of the DC server first, then two other DNS servers from the site.

But as far as I can see in the tcpdump trace, this is not DNS related, because every request from the client gets the right response from the server.

Best regards

> Message from 09/05/14 10:29
> From: "Rowland Penny"
> To: sa...@lists.samba.org
> Cc:
> Subject: Re: [Samba] samba4 : [kerberos part kinit work but no kpasswd

Rowland Penny
May 10, 2014, 5:30:02 AM

Hi, I am trying to understand how you can kinit as root?

root@station:/var/log/samba# kinit
Password for admini...@TOTO.FR:

When I try it, I get this:

root@dc2:~# kinit
kinit: Client 'ro...@EXAMPLE.COM' not found in Kerberos database while
getting initial credentials

I have to kinit as Administrator:

root@dc2:~# kinit Administrator
Password for Admini...@EXAMPLE.COM:
root@dc2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Admini...@EXAMPLE.COM

Valid starting Expires Service principal
10/05/14 09:58:56 10/05/14 19:58:56 krbtgt/EXAMP...@EXAMPLE.COM
renew until 11/05/14 09:58:48

The other thing that is strange is that you seem to refer to running
the kinit command on the Samba 4 server, but now you are referring to a
client?

OK, just what is the problem that started you along the path of wanting
to change the Administrator's password?

steve
May 10, 2014, 10:50:01 AM

Hi
Trying to clarify.
You can only kinit as root if root is kinit-able. I think what we mean
is that the cache is owned by root, not by the object which is asking
for the tgt. IOW, /tmp/krb5cc_0 is the root ticket cache, note the '0'
bit at the end: the uid for root.
Steve

Rowland Penny
May 10, 2014, 11:20:01 AM

Hi Steve, yes I know that the cache ends up being owned by account '0',
but I cannot kinit as 'root', I have to do it as 'Administrator', and yes,
I get the cache in /tmp:

ls -la /tmp/krb5cc_0
-rw------- 1 root root 1339 May 10 09:58 /tmp/krb5cc_0

steve
May 10, 2014, 11:40:02 AM

Hi
OK. IOW, it doesn't matter who gets the tgt. If you do it from the root
account, you will always get a root cache. e.g. you could equally well:
kinit MACHINE$
you will still end up with /tmp/krb5cc_0 except that now, the principal
with the tgt will be that of the machine. As far as we can see, all the
tgt does is allow you to get a ticket for a service, e.g. the file
server. Maybe we should distinguish the terms:
- ticket granting ticket
- ticket
- ticket granting ticket cache
- ticket cache
on a calling-a-spade-a-spade level. My English is not up to that.
Cheers,
Steve

Rowland Penny
May 10, 2014, 11:50:04 AM

Steve, I think you are misunderstanding what I am getting at: the OP
posted that he can kinit as 'root', whilst I cannot. Can you? He then
confused the issue by starting to talk about a 'client' when before he
only talked about the server. Is he having problems connecting a client
to the server, or is it just a server problem? I think that more info
is needed here.

steve
May 10, 2014, 12:00:02 PM

Hi
Sorry, I'm having to translate all this at the same time. Nightmare.
No, we can't:
kinit root
either. I could only successfully kinit root if there was indeed an
object called root in the directory. The current consensus down here is
that a user or a machine called 'root' would get you there.
Cheers,
Steve

Rowland Penny
May 10, 2014, 12:10:02 PM

OK, so has the OP added a user or machine called 'root' to AD? If so,
why? As I said, more info needed here.

steve
May 10, 2014, 1:00:02 PM


Guess. He has allocated:
uidNumber: 0
gidNumber: 0
to mimic local root on all clients?

Rowland Penny
May 10, 2014, 1:00:03 PM

That is what I am thinking, but I hope not, I think that would be a
really bad idea.

MARTIN boris
May 13, 2014, 3:50:03 AM

Hi,

I want to clarify the situation here.

I have no user root; when I do my kinit, I do it on the administrator account, a high-privilege Samba 4 account.

I do it being the local root user on the client machine, but the fact that I am root has no relevance here; I could use a standard local account on the client and do my kinit administrator, the behavior would be the same.

The misunderstanding comes from a bad copy/cut when I do a kinit; I always do a kinit administrator... ;)

And for me the computer I use to authenticate against Samba 4 is always a "client", no matter whether it is the server itself or another Linux client; as long as I do a kinit, the machine is a Samba 4 / AD / Kerberos client?

Does this clarify the situation? Does anyone have any idea why my kpasswd is failing?

Best regards

> Message from 10/05/14 18:58

steve
May 13, 2014, 4:20:02 AM

On Tue, 2014-05-13 at 09:42 +0200, MARTIN boris wrote:
> Hi,
>
> I want to clarify the situation here.
>
> I have no user root; when I do my kinit, I do it on the administrator account, a high-privilege Samba 4 account.
>
> I do it being the local root user on the client machine, but the fact that I am root has no relevance here; I could use a standard local account on the client and do my kinit administrator, the behavior would be the same.
>
> The misunderstanding comes from a bad copy/cut when I do a kinit; I always do a kinit administrator... ;)
>
> And for me the computer I use to authenticate against Samba 4 is always a "client", no matter whether it is the server itself or another Linux client; as long as I do a kinit, the machine is a Samba 4 / AD / Kerberos client?
>
> Does this clarify the situation? Does anyone have any idea why my kpasswd is failing?
>
> Best regards

OK
Can you send us the output from the DC? If not, here is a successful
kpasswd for a domain user 'julie'. Administrator has the tgt and I'm
sitting at the DC logged in as my local user:

steve@hh16:~> kinit Administrator
Password for Admini...@HH3.SITE:
steve@hh16:~> klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Admini...@HH3.SITE

Valid starting Expires Service principal
13/05/14 10:11:07 13/05/14 20:11:07 krbtgt/HH3....@HH3.SITE
renew until 14/05/14 10:11:02
steve@hh16:~> kpasswd julie
Password for ju...@HH3.SITE:
Enter new password:
Enter it again:
Password changed.

And here is the log:
Kerberos: AS-REQ Admini...@HH3.SITE from ipv4:192.168.1.16:49497 for
krbtgt/HH3....@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Admini...@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Admini...@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
Admini...@HH3.SITE
Calling samba_kcc script
Completed samba_kcc OK
Kerberos: AS-REQ Admini...@HH3.SITE from ipv4:192.168.1.16:48605 for
krbtgt/HH3....@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Admini...@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Admini...@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Admini...@HH3.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-05-13T10:11:07 starttime: unset endtime:
2014-05-13T20:11:07 renew till: 2014-05-14T10:11:02
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: AS-REQ ju...@HH3.SITE from ipv4:192.168.1.16:57108 for
kadmin/chan...@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- ju...@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- ju...@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ju...@HH3.SITE
Kerberos: AS-REQ ju...@HH3.SITE from ipv4:192.168.1.16:50261 for
kadmin/chan...@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- ju...@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- ju...@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- ju...@HH3.SITE using
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-05-13T10:11:34 starttime: unset endtime:
2014-05-13T10:16:27 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Found account name from PAC: julie []
Changing password of HH3\julie
(S-1-5-21-451355595-2219208293-2714859210-1175)

Anything different?
HTH
Steve
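An added example, not code from the thread or from Samba: a Python triage script for the KDC log format shown in the failed attempt in the first post and in the successful run just above. The Heimdal KDC inside Samba logs the AS-REQ first and the pre-authentication result on a later line for the same client principal, so the script pairs the two and lists every AS-REQ with its principal, source address, service, enctype and outcome. For a kpasswd run the AS-REQ is for the kadmin/changepw service, which is what the tcpdump in the first post shows, so a failing password change can be read off per principal; note that the failure line in that post names client$@TOTO.FR, a machine account, rather than the administrator principal, and that "Decrypt integrity check failed" on ENC-TS pre-authentication means the KDC could not verify the encrypted timestamp with the key it holds for that principal, i.e. the client's password or key does not match the KDC's. The log lines embedded below are constructed in that format with the placeholder realm EXAMPLE.COM and made-up addresses and ports, written unwrapped as the KDC emits them.

```python
"""Samba (Heimdal) KDC log triage (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the format of the posted logs.  EXAMPLE.COM is a
# placeholder realm; addresses and ports are made up.
SAMPLE_LOG = """\
Kerberos: AS-REQ Administrator@EXAMPLE.COM from ipv4:192.168.1.16:49497 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@EXAMPLE.COM
Kerberos: AS-REQ Administrator@EXAMPLE.COM from ipv4:192.168.1.16:48605 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@EXAMPLE.COM using arcfour-hmac-md5
Kerberos: AS-REQ julie@EXAMPLE.COM from ipv4:192.168.1.16:50261 for kadmin/changepw@EXAMPLE.COM
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- julie@EXAMPLE.COM using arcfour-hmac-md5
Kerberos: AS-REQ client$@EXAMPLE.COM from ipv4:192.168.1.20:51000 for kadmin/changepw@EXAMPLE.COM
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Failed to decrypt PA-DATA -- client$@EXAMPLE.COM (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
"""

AS_REQ = re.compile(r'Kerberos: AS-REQ (\S+) from (\S+) for (\S+)')
# (pattern, outcome label); group 1 is always the client principal
RESULTS = (
    (re.compile(r'No preauth found, returning PREAUTH-REQUIRED -- (\S+)'), 'preauth-required'),
    (re.compile(r'ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)'), 'preauth-ok'),
    (re.compile(r'Failed to decrypt PA-DATA -- (\S+) \(enctype (\S+)\) error (.+)'), 'preauth-failed'),
)


def triage(log_text):
    """One dict per AS-REQ, carrying the outcome later logged for its principal."""
    pending = {}      # client principal -> its latest AS-REQ record
    records = []
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            rec = {'client': m.group(1), 'source': m.group(2), 'service': m.group(3),
                   'outcome': 'no-result-logged', 'enctype': None, 'error': None}
            records.append(rec)
            pending[rec['client']] = rec
            continue
        for pattern, outcome in RESULTS:
            m = pattern.search(line)
            if not m:
                continue
            rec = pending.get(m.group(1))
            if rec is not None:
                rec['outcome'] = outcome
                if outcome != 'preauth-required':
                    rec['enctype'] = m.group(2)
                if outcome == 'preauth-failed':
                    rec['error'] = m.group(3)
            break
    return records


def failed_password_changes(records):
    """AS-REQs for the kadmin/changepw service whose pre-authentication failed."""
    return [r for r in records
            if r['service'].startswith('kadmin/changepw') and r['outcome'] == 'preauth-failed']


def preauth_failures_by_source(records, threshold=1):
    """Decrypt failures per (source host, principal), at or above threshold.

    One failure is usually a mistyped password or a stale machine key; many
    from one host across many principals is the guessing pattern to alert on.
    """
    counts = defaultdict(int)
    for r in records:
        if r['outcome'] == 'preauth-failed':
            host = r['source'].rsplit(':', 1)[0]      # drop the ephemeral port
            counts[(host, r['client'])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    recs = triage(SAMPLE_LOG)
    for r in failed_password_changes(recs):
        print(f"kpasswd by {r['client']} from {r['source']} failed: "
              f"{r['error']} (enctype {r['enctype']})")
    print(preauth_failures_by_source(recs))
```

Run against a real log at log level 4 (the level set in the posted smb.conf), the per-principal view answers the question the thread keeps circling: which principal the client actually presented for the password change, from which address, and with which enctype the KDC tried to verify it.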

Rowland Penny
May 13, 2014, 4:40:02 AM

On 13/05/14 08:42, MARTIN boris wrote:
> Hi,
>
> I want to clarify the situation here.
>
> I have no user root; when I do my kinit, I do it on the administrator account, a high-privilege Samba 4 account.
>
> I do it being the local root user on the client machine, but the fact that I am root has no relevance here; I could use a standard local account on the client and do my kinit administrator, the behavior would be the same.
>
> The misunderstanding comes from a bad copy/cut when I do a kinit; I always do a kinit administrator... ;)

OK, but please try and post exactly what is on the screen, as you can
see here, posting partial commands can lead to confusion.

>
> And for me the computer I use to authenticate against Samba 4 is always a "client", no matter whether it is the server itself or another Linux client; as long as I do a kinit, the machine is a Samba 4 / AD / Kerberos client?
>

Personally, I refer to anything to do with the server as 'the server';
any other machine would be a client. You are probably technically
correct, but again it confused the issue.

>
> Does this clarify the situation? Does anyone have any idea why my kpasswd is failing?
>

Yes and possibly ;-)

There is a possibility that you are using the wrong kpasswd, if you run
'man kpasswd' does it say 'MIT' at the top ?

If so, try 'apt-get install heimdal-clients' and then try again.

Rowland
>
> Best regards