
Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions

From Gaiseric Vandal via samba <samba@lists.samba.org>
Newsgroups linux.samba
Subject Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
Date 2017-03-16 19:50 +0100
Message-ID <tlIDf-2mJ-1@gated-at.bofh.it> (permalink)
References <tjf2G-363-7@gated-at.bofh.it>
Organization linux.* mail to news gateway

Samba expects the keytab file as /etc/krb5.keytab.

Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab.

When samba joins the domain it (probably) updates the machine password and then updates its krb5.keytab file. When connecting via ssh, the system would use a keytab file that had the wrong kvno and probably the wrong password key.

The following symlink command fixed ssh logins:

     ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab

On 03/09/17 17:42, Gaiseric Vandal wrote:
>
> I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.)
>
>
> I am trying to join a Solaris 11 machine to the domain for both Samba 
> and other services. For "unix" logins and ssh, Solaris 11 is 
> configured to use LDAP for user and group lookup and kerberos for 
> authentication.
>
>
> The "kclient -T ms_ad" command joins the Solaris machine to the AD 
> domain. It even creates the /etc/krb5/krb5.keytab file with several 
> service principal entries. (I pasted this at the bottom of this 
> e-mail.) This allows me to ssh in to the machine using my kerberos 
> password.
>
>
> When I run "net ads join -S domaincontroller -U Administration", the 
> samba join appears to work. However, I can no longer ssh in.
>
> The log file shows
>
>     sshd[12225]: [ID 537602 auth.error] PAM-KRB5 (auth): 
>     krb5_verify_init_creds failed: Key version number for principal in key 
>     table is incorrect
>
>
> I ran kvno prior to "net join" to see if I could find any changes on 
> any of the principals. I did not find any. However, the "pwdLastSet" 
> attribute was updated (which means, not surprisingly, that the samba 
> "net ads join" changed the machine's password when joining). I also 
> notice that the "msDS-SupportedEncryptionTypes" attribute is reset to 
> 31 (i.e. all encryption types). I had changed it to 28 (to exclude DES).
>
>
> I tried setting "kerberos method = secrets and keytab" in smb.conf, 
> but it did not help. I would think the solution might be to create a new 
> krb5.keytab file on the AD server that has a single principal that can 
> provide authentication for both unix logins and samba. The kutil 
> command in Windows makes it pretty much impossible to create a 
> krb5.keytab file with multiple service principals.
>
>
> What service principal is Samba using? Assuming my machine is 
> "client1" in the realm "MYREALM", I would expect the principal to be 
> "CLIENT1$@MYREALM".
>
>
> If I set "kerberos method = keytab", will samba try to create a keytab?
>
>
> I appreciate any advice
>
>
> Thanks
>
>
> root@client1:/etc/krb5# klist -ke
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/client1.mydomain.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/client1.mydomain.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/client1.mydomain.com@MYREALM.COM (ArcFour with HMAC/md5)
>    2 host/client1.mydomain.com@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 nfs/client1.mydomain.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 nfs/client1.mydomain.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 nfs/client1.mydomain.com@MYREALM.COM (ArcFour with HMAC/md5)
>    2 nfs/client1.mydomain.com@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 HTTP/client1.mydomain.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 HTTP/client1.mydomain.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 HTTP/client1.mydomain.com@MYREALM.COM (ArcFour with HMAC/md5)
>    2 HTTP/client1.mydomain.com@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 root/client1.mydomain.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 root/client1.mydomain.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 root/client1.mydomain.com@MYREALM.COM (ArcFour with HMAC/md5)
>    2 root/client1.mydomain.com@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 cifs/client1.mydomain.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 cifs/client1.mydomain.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 cifs/client1.mydomain.com@MYREALM.COM (ArcFour with HMAC/md5)
>    2 cifs/client1.mydomain.com@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 CLIENT1$@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 CLIENT1$@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 CLIENT1$@MYREALM.COM (ArcFour with HMAC/md5)
>    2 CLIENT1$@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 host/CLIENT1@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/CLIENT1@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/CLIENT1@MYREALM.COM (ArcFour with HMAC/md5)
>    2 host/CLIENT1@MYREALM.COM (DES cbc mode with RSA-MD5)
>    2 cifs/CLIENT1@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 cifs/CLIENT1@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 cifs/CLIENT1@MYREALM.COM (ArcFour with HMAC/md5)
>    2 cifs/CLIENT1@MYREALM.COM (DES cbc mode with RSA-MD5)
> root@client1:/etc/krb5#

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
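The keytab divergence described in the reply above (Samba rewriting /etc/krb5.keytab with a new machine password and kvno while Solaris keeps reading the older /etc/krb5/krb5.keytab) can be detected before sshd starts failing. The following POSIX shell script is an added example, not code from this thread, from Samba or from Solaris. It parses `klist -ke` output, keeps the highest kvno per principal on each side, and reports every principal whose kvno differs or that exists in only one keytab. The function names, the KLIST_SAMBA and KLIST_SOLARIS samples and the kvno values in them are constructed for illustration; `klist -ke FILE` (MIT syntax, as used on Solaris 11) is the only external tool it relies on, and only in compare_keytab_files, which is not exercised here.

```shell
#!/bin/sh
# Added example (not from the thread): detect keytab kvno divergence between
# Samba's /etc/krb5.keytab and the Solaris /etc/krb5/krb5.keytab. After
# "net ads join" changes the machine password, Samba's keytab carries a new
# kvno while the Solaris copy still has the old one, and pam_krb5 fails with
# "Key version number for principal in key table is incorrect".
# Parsing works on klist -ke text so it can run offline on the constructed
# samples below; compare_keytab_files applies it to real files.

# Read `klist -ke` output on stdin; print "principal kvno", one line per
# principal (highest kvno seen), C-locale sorted so join(1) accepts it.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
             if (!($2 in kv) || $1 + 0 > kv[$2] + 0) kv[$2] = $1
         }
         END { for (p in kv) print p, kv[p] }' | LC_ALL=C sort
}

# Compare two `klist -ke` outputs passed as strings. Prints one line per
# principal whose kvno differs or that is absent on one side; returns 1 if
# anything was printed, 0 if both keytabs agree, 2 on temp-file failure.
compare_keytabs() {
    kt_a=$(mktemp) || return 2
    kt_b=$(mktemp) || { rm -f "$kt_a"; return 2; }
    printf '%s\n' "$1" | keytab_kvnos > "$kt_a"
    printf '%s\n' "$2" | keytab_kvnos > "$kt_b"
    # Full outer join on the principal; MISSING marks an absent entry.
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$kt_a" "$kt_b" |
        awk 'BEGIN { bad = 0 }
             $2 != $3 { print $1 " first=" $2 " second=" $3; bad = 1 }
             END { exit bad }'
    kt_rc=$?
    rm -f "$kt_a" "$kt_b"
    return $kt_rc
}

# Live use on the host (not run here), e.g.
#   compare_keytab_files /etc/krb5.keytab /etc/krb5/krb5.keytab
compare_keytab_files() {
    compare_keytabs "$(klist -ke "$1")" "$(klist -ke "$2")"
}

# Constructed sample (not a real capture): Samba's keytab after the join, kvno 3.
KLIST_SAMBA='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@MYREALM.COM (aes256-cts-hmac-sha1-96)
   3 CLIENT1$@MYREALM.COM (aes128-cts-hmac-sha1-96)
   3 host/client1.mydomain.com@MYREALM.COM (aes256-cts-hmac-sha1-96)
   3 cifs/client1.mydomain.com@MYREALM.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample: the older kclient keytab Solaris still reads, kvno 2,
# with an nfs principal that Samba never writes.
KLIST_SOLARIS='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CLIENT1$@MYREALM.COM (aes256-cts-hmac-sha1-96)
   2 host/client1.mydomain.com@MYREALM.COM (aes256-cts-hmac-sha1-96)
   2 nfs/client1.mydomain.com@MYREALM.COM (aes256-cts-hmac-sha1-96)'

# Stand-alone demonstration on the constructed samples.
if compare_keytabs "$KLIST_SAMBA" "$KLIST_SOLARIS"; then
    echo "keytabs agree"
else
    echo "keytabs differ; point Solaris at Samba's keytab (e.g. the symlink above)"
fi
```

Each reported line names the principal and the kvno on each side, with MISSING for a principal present in only one keytab; the symlink from the reply makes both paths the same file, which is why it resolves the mismatch. The KDC side of the comparison can be checked with `kvno host/client1.mydomain.com` after obtaining a TGT, which prints the version number the DC currently issues tickets for.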

Thread

[Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions Gaiseric Vandal via samba <samba@lists.samba.org> - 2017-03-09 23:50 +0100
  Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions Gaiseric Vandal via samba <samba@lists.samba.org> - 2017-03-16 19:50 +0100
    Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions Rowland Penny via samba <samba@lists.samba.org> - 2017-03-16 20:10 +0100
      Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions Gaiseric Vandal via samba <samba@lists.samba.org> - 2017-03-21 14:10 +0100
        Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions Rowland Penny via samba <samba@lists.samba.org> - 2017-03-21 14:30 +0100
