Unable to authenticate on Samba AD DC server
1
I have a Raspberry Pi 3B+ that I use as a home server.
I have installed and setup Samba AD DC from the Raspbian pacakges (4.5.12+dfsg-2+deb9u4).
I have configured SSSD on the AD DC server to authenticate the local users.
My setup used to work fine, but, since the beginning of december, I started have all kinds of authentication problems. Almost all my problems are now resolved, except that I can't authenticate on the local server using AD accounts.
I can authenticate on another Raspberry Pi on my networked that is joined as a domain member and configured with SSSD.
I searched the web for solutions, but I can't figure it out.
Here is the contents of the relevant config files:
/etc/hostname
pitaya
/etc/resolv.conf
search gggm.int
nameserver 192.168.2.26
/etc/krb5.conf
[libdefaults]
default_realm = GGGM.INT
dns_lookup_realm = false
dns_lookup_kdc = true
[domain_realm]
.gggm.int = GGGM.INT
/etc/samba/smb.conf
[global]
netbios name = PITAYA
realm = GGGM.INT
workgroup = GGGM
server role = active directory domain controller
dns forwarder = 192.168.2.1
idmap_ldb:use rfc2307 = yes
log level = 2
server string = Pitaya
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
kerberos method = secrets and keytab
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/sambaKey.pem
tls certfile = /var/lib/samba/private/tls/sambaCert.pem
tls cafile = /var/lib/samba/private/tls/crt.ca-chain.pem
<Share configuration skipped...>
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo, ssh
config_file_version = 2
domains = GGGM.INT
full_name_format = %1$s
[domain/GGGM.INT]
ad_domain = gggm.int
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_referrals = false
override_homedir = /home/%u
enumerate = true
ldap_sudo_search_base = OU=sudoers,OU=gggm.int,DC=gggm,DC=int
ad_gpo_access_control = permissive
dyndns_update = false
Output of uname -a
Linux pitaya 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux
DNS resolution works fine
root@pitaya ~ # host pitaya
pitaya.gggm.int has address 192.168.2.26
root@pitaya ~ # host 192.168.2.26
26.2.168.192.in-addr.arpa domain name pointer pitaya.gggm.int.
root@pitaya ~ # host -t SRV _ldap._tcp.gggm.int
_ldap._tcp.gggm.int has SRV record 0 100 389 pitaya.gggm.int.
root@pitaya ~ # host -t SRV _kerberos._tcp.gggm.int
_kerberos._tcp.gggm.int has SRV record 0 100 88 pitaya.gggm.int.
root@pitaya ~ #
I can authenticate using Kerberos as a domain user:
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ghigad@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:38:35 03/01/19 22:38:35 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:38:32
root@pitaya ~ #
I can list the shares on the local server:
root@pitaya ~ # smbclient -k -L pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@pitaya ~ #
I can login using the machine principal.
root@pitaya ~ # kdestroy
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:43:17 03/01/19 22:43:17 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:43:17
root@pitaya ~ #
I can also list the shares of the server using smbclient -k -L pitaya using this ticket (same output as above).
Also, wbinfo -u and getent passwd lists the users of the domain. Likewise, wbinfo -g and getent group lists the groups of the domain.
Output of wbinfo -P
checking the NETLOGON for domain[GGGM] dc connection to "pitaya.gggm.int" succeeded
I tried to check my domain's DB, and I didn't get any error...
root@pitaya ~ # samba-tool dbcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
Checking 400 objects
Checked 400 objects (0 errors)
Here is the contents of krb5.keytab.
root@pitaya ~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-crc)
However, if I try to authenticate to the domain, plaintext authentication succeeds, but the challenge/response fails.
root@pitaya ~ # wbinfo -a ghigad
Enter ghigad's password:
plaintext password authentication succeeded
Enter ghigad's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(GGGMghigad): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user ghigad with challenge/response
root@pitaya ~ #
I tried to reset my user's password (samba-tool user setpassword ghigad), but it didn't change anything.
I can't login to my server using SSH and a domain account (on my other server I can...).
Another strange behavior, kinit -k fails:
root@pitaya ~ # kinit -k
kinit: Preauthentication failed while getting initial credentials
root@pitaya ~ #
Digging through the log files, I found this...
[2019/01/03 12:51:23.391820, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2019/01/03 12:51:23.392318, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
Not updating badPwdCount on CN=PITAYA,OU=Domain Controllers,DC=gggm,DC=int after wrong password
[2019/01/03 12:51:23.392435, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT
Also, note that my Windows computers all work fine. Users can log in and use shared drives. I can also use RSAT tools (GPO, DNS, Users, Printers, etc.).
I feel my problems come from Kerberos authentication at the service level, but I'm stuck... I can't figure out how to solve this...
Can anyone help?
If you guys need anymore log, I can add extracts as well...
Edit
I kept searching for a solution did an experiment.
I setup another Linux machine as a PDC (samba-tool domain join gggm.int DC --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'). Everything went well, except, that after I joined the domain, the machine started to behave a little like the first one...
getent passwd returned the list of users, getent group returned the list of groups, but login ghigad always failed.
I finally found that enabling the pacservice in SSSD resolved the problem...
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
So I went on my other problematic server and enabled the pac service in SSSD and crossed fingers, hoping that the problem was solved.
Unfortunately, it's not that easy... I still have strange authentication problems...
I flushed the SSSD cache (sssctl cache-remove) and getent passwd can no longer list my domain users, and my domain turned offline in SSSD.
root@pitaya /usr/sbin # sssctl domain-status gggm.int
Online status: Offline
Active servers:
AD Global Catalog: not connected
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- pitaya.gggm.int
I tried to regenerate my machine's Keytab, in case it helped.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # net ads keytab create -P
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
root@pitaya ~ # net ads keytab create -U ghigad
Enter ghigad's password:
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
The only way I could recreate the Keytab was by first authenticating with Kerberos.
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # net ads keytab create -k
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 host/PITAYA@GGGM.INT (des-cbc-crc)
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 host/PITAYA@GGGM.INT (des-cbc-md5)
3 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 host/PITAYA@GGGM.INT (arcfour-hmac)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (des-cbc-crc)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (arcfour-hmac)
I then restarted SSSD and checked the status. Still offline.
I tried to export the Keytab using samba-tool.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # samba-tool domain exportkeytab /etc/krb5.keytab --principal=PITAYA$
Export one principal to /etc/krb5.keytab
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 PITAYA$@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (des-cbc-crc)
root@pitaya ~ # service sssd restart
root@pitaya ~ # sssctl domain-status gggm.int
Online status: Online
Active servers:
AD Global Catalog: pitaya.gggm.int
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
- pitaya.gggm.int
Discovered AD Domain Controller servers:
- pitaya.gggm.int
After that, getent passwd listed my domain users, but the rest of my Keytab is screwed up.
kinit -k still doesn't work because the host/pitaya.gggm.int@GGGM.INT is not in the Keytab, but kinit -k PITAYA$ works properly.
After that, smbclient -kL pitaya works.
I really need to have all the SPNs in my Keytab, but net ads keytab create doesn't generate a valid one.
How could I generate a valid Keytab?
I will keep trying to make it work and post my progress here... Any help would be appreciated.
samba active-directory kerberos
asked Jan 7 at 17:59
ghigadghigad
62
add a comment |
1
I have a Raspberry Pi 3B+ that I use as a home server.
I have installed and setup Samba AD DC from the Raspbian pacakges (4.5.12+dfsg-2+deb9u4).
I have configured SSSD on the AD DC server to authenticate the local users.
My setup used to work fine, but, since the beginning of december, I started have all kinds of authentication problems. Almost all my problems are now resolved, except that I can't authenticate on the local server using AD accounts.
I can authenticate on another Raspberry Pi on my networked that is joined as a domain member and configured with SSSD.
I searched the web for solutions, but I can't figure it out.
Here is the contents of the relevant config files:
/etc/hostname
pitaya
/etc/resolv.conf
search gggm.int
nameserver 192.168.2.26
/etc/krb5.conf
[libdefaults]
default_realm = GGGM.INT
dns_lookup_realm = false
dns_lookup_kdc = true
[domain_realm]
.gggm.int = GGGM.INT
/etc/samba/smb.conf
[global]
netbios name = PITAYA
realm = GGGM.INT
workgroup = GGGM
server role = active directory domain controller
dns forwarder = 192.168.2.1
idmap_ldb:use rfc2307 = yes
log level = 2
server string = Pitaya
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
kerberos method = secrets and keytab
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/sambaKey.pem
tls certfile = /var/lib/samba/private/tls/sambaCert.pem
tls cafile = /var/lib/samba/private/tls/crt.ca-chain.pem
<Share configuration skipped...>
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo, ssh
config_file_version = 2
domains = GGGM.INT
full_name_format = %1$s
[domain/GGGM.INT]
ad_domain = gggm.int
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_referrals = false
override_homedir = /home/%u
enumerate = true
ldap_sudo_search_base = OU=sudoers,OU=gggm.int,DC=gggm,DC=int
ad_gpo_access_control = permissive
dyndns_update = false
Output of uname -a
Linux pitaya 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux
DNS resolution works fine
root@pitaya ~ # host pitaya
pitaya.gggm.int has address 192.168.2.26
root@pitaya ~ # host 192.168.2.26
26.2.168.192.in-addr.arpa domain name pointer pitaya.gggm.int.
root@pitaya ~ # host -t SRV _ldap._tcp.gggm.int
_ldap._tcp.gggm.int has SRV record 0 100 389 pitaya.gggm.int.
root@pitaya ~ # host -t SRV _kerberos._tcp.gggm.int
_kerberos._tcp.gggm.int has SRV record 0 100 88 pitaya.gggm.int.
root@pitaya ~ #
I can authenticate using Kerberos as a domain user:
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ghigad@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:38:35 03/01/19 22:38:35 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:38:32
root@pitaya ~ #
I can list the shares on the local server:
root@pitaya ~ # smbclient -k -L pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@pitaya ~ #
I can login using the machine principal.
root@pitaya ~ # kdestroy
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:43:17 03/01/19 22:43:17 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:43:17
root@pitaya ~ #
I can also list the shares of the server using smbclient -k -L pitaya using this ticket (same output as above).
Also, wbinfo -u and getent passwd lists the users of the domain. Likewise, wbinfo -g and getent group lists the groups of the domain.
Output of wbinfo -P
checking the NETLOGON for domain[GGGM] dc connection to "pitaya.gggm.int" succeeded
I tried to check my domain's DB, and I didn't get any error...
root@pitaya ~ # samba-tool dbcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
Checking 400 objects
Checked 400 objects (0 errors)
Here is the contents of krb5.keytab.
root@pitaya ~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-crc)
However, if I try to authenticate to the domain, plaintext authentication succeeds, but the challenge/response fails.
root@pitaya ~ # wbinfo -a ghigad
Enter ghigad's password:
plaintext password authentication succeeded
Enter ghigad's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(GGGMghigad): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user ghigad with challenge/response
root@pitaya ~ #
I tried to reset my user's password (samba-tool user setpassword ghigad), but it didn't change anything.
I can't login to my server using SSH and a domain account (on my other server I can...).
Another strange behavior, kinit -k fails:
root@pitaya ~ # kinit -k
kinit: Preauthentication failed while getting initial credentials
root@pitaya ~ #
Digging through the log files, I found this...
[2019/01/03 12:51:23.391820, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2019/01/03 12:51:23.392318, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
Not updating badPwdCount on CN=PITAYA,OU=Domain Controllers,DC=gggm,DC=int after wrong password
[2019/01/03 12:51:23.392435, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT
Also, note that my Windows computers all work fine. Users can log in and use shared drives. I can also use RSAT tools (GPO, DNS, Users, Printers, etc.).
I feel my problems come from Kerberos authentication at the service level, but I'm stuck... I can't figure out how to solve this...
Can anyone help?
If you guys need anymore log, I can add extracts as well...
Edit
I kept searching for a solution did an experiment.
I setup another Linux machine as a PDC (samba-tool domain join gggm.int DC --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'). Everything went well, except, that after I joined the domain, the machine started to behave a little like the first one...
getent passwd returned the list of users, getent group returned the list of groups, but login ghigad always failed.
I finally found that enabling the pacservice in SSSD resolved the problem...
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
So I went on my other problematic server and enabled the pac service in SSSD and crossed fingers, hoping that the problem was solved.
Unfortunately, it's not that easy... I still have strange authentication problems...
I flushed the SSSD cache (sssctl cache-remove) and getent passwd can no longer list my domain users, and my domain turned offline in SSSD.
root@pitaya /usr/sbin # sssctl domain-status gggm.int
Online status: Offline
Active servers:
AD Global Catalog: not connected
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- pitaya.gggm.int
I tried to regenerate my machine's Keytab, in case it helped.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # net ads keytab create -P
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
root@pitaya ~ # net ads keytab create -U ghigad
Enter ghigad's password:
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
The only way I could recreate the Keytab was by first authenticating with Kerberos.
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # net ads keytab create -k
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 host/PITAYA@GGGM.INT (des-cbc-crc)
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 host/PITAYA@GGGM.INT (des-cbc-md5)
3 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 host/PITAYA@GGGM.INT (arcfour-hmac)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (des-cbc-crc)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (arcfour-hmac)
I then restarted SSSD and checked the status. Still offline.
I tried to export the Keytab using samba-tool.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # samba-tool domain exportkeytab /etc/krb5.keytab --principal=PITAYA$
Export one principal to /etc/krb5.keytab
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 PITAYA$@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (des-cbc-crc)
root@pitaya ~ # service sssd restart
root@pitaya ~ # sssctl domain-status gggm.int
Online status: Online
Active servers:
AD Global Catalog: pitaya.gggm.int
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
- pitaya.gggm.int
Discovered AD Domain Controller servers:
- pitaya.gggm.int
After that, getent passwd listed my domain users, but the rest of my Keytab is screwed up.
kinit -k still doesn't work because the host/pitaya.gggm.int@GGGM.INT is not in the Keytab, but kinit -k PITAYA$ works properly.
After that, smbclient -kL pitaya works.
I really need to have all the SPNs in my Keytab, but net ads keytab create doesn't generate a valid one.
How could I generate a valid Keytab?
I will keep trying to make it work and post my progress here... Any help would be appreciated.
samba active-directory kerberos
asked Jan 7 at 17:59
ghigadghigad
62
add a comment |
1
1
1
I have a Raspberry Pi 3B+ that I use as a home server.
I have installed and setup Samba AD DC from the Raspbian pacakges (4.5.12+dfsg-2+deb9u4).
I have configured SSSD on the AD DC server to authenticate the local users.
My setup used to work fine, but, since the beginning of december, I started have all kinds of authentication problems. Almost all my problems are now resolved, except that I can't authenticate on the local server using AD accounts.
I can authenticate on another Raspberry Pi on my networked that is joined as a domain member and configured with SSSD.
I searched the web for solutions, but I can't figure it out.
Here is the contents of the relevant config files:
/etc/hostname
pitaya
/etc/resolv.conf
search gggm.int
nameserver 192.168.2.26
/etc/krb5.conf
[libdefaults]
default_realm = GGGM.INT
dns_lookup_realm = false
dns_lookup_kdc = true
[domain_realm]
.gggm.int = GGGM.INT
/etc/samba/smb.conf
[global]
netbios name = PITAYA
realm = GGGM.INT
workgroup = GGGM
server role = active directory domain controller
dns forwarder = 192.168.2.1
idmap_ldb:use rfc2307 = yes
log level = 2
server string = Pitaya
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
kerberos method = secrets and keytab
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/sambaKey.pem
tls certfile = /var/lib/samba/private/tls/sambaCert.pem
tls cafile = /var/lib/samba/private/tls/crt.ca-chain.pem
<Share configuration skipped...>
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo, ssh
config_file_version = 2
domains = GGGM.INT
full_name_format = %1$s
[domain/GGGM.INT]
ad_domain = gggm.int
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_referrals = false
override_homedir = /home/%u
enumerate = true
ldap_sudo_search_base = OU=sudoers,OU=gggm.int,DC=gggm,DC=int
ad_gpo_access_control = permissive
dyndns_update = false
Output of uname -a
Linux pitaya 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux
DNS resolution works fine
root@pitaya ~ # host pitaya
pitaya.gggm.int has address 192.168.2.26
root@pitaya ~ # host 192.168.2.26
26.2.168.192.in-addr.arpa domain name pointer pitaya.gggm.int.
root@pitaya ~ # host -t SRV _ldap._tcp.gggm.int
_ldap._tcp.gggm.int has SRV record 0 100 389 pitaya.gggm.int.
root@pitaya ~ # host -t SRV _kerberos._tcp.gggm.int
_kerberos._tcp.gggm.int has SRV record 0 100 88 pitaya.gggm.int.
root@pitaya ~ #
I can authenticate using Kerberos as a domain user:
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ghigad@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:38:35 03/01/19 22:38:35 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:38:32
root@pitaya ~ #
I can list the shares on the local server:
root@pitaya ~ # smbclient -k -L pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@pitaya ~ #
I can login using the machine principal.
root@pitaya ~ # kdestroy
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:43:17 03/01/19 22:43:17 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:43:17
root@pitaya ~ #
I can also list the shares of the server using smbclient -k -L pitaya using this ticket (same output as above).
Also, wbinfo -u and getent passwd lists the users of the domain. Likewise, wbinfo -g and getent group lists the groups of the domain.
Output of wbinfo -P
checking the NETLOGON for domain[GGGM] dc connection to "pitaya.gggm.int" succeeded
I tried to check my domain's DB, and I didn't get any error...
root@pitaya ~ # samba-tool dbcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
Checking 400 objects
Checked 400 objects (0 errors)
Here is the contents of krb5.keytab.
root@pitaya ~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-crc)
However, if I try to authenticate to the domain, plaintext authentication succeeds, but the challenge/response fails.
root@pitaya ~ # wbinfo -a ghigad
Enter ghigad's password:
plaintext password authentication succeeded
Enter ghigad's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(GGGMghigad): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user ghigad with challenge/response
root@pitaya ~ #
I tried to reset my user's password (samba-tool user setpassword ghigad), but it didn't change anything.
I can't login to my server using SSH and a domain account (on my other server I can...).
Another strange behavior, kinit -k fails:
root@pitaya ~ # kinit -k
kinit: Preauthentication failed while getting initial credentials
root@pitaya ~ #
Digging through the log files, I found this...
[2019/01/03 12:51:23.391820, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2019/01/03 12:51:23.392318, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
Not updating badPwdCount on CN=PITAYA,OU=Domain Controllers,DC=gggm,DC=int after wrong password
[2019/01/03 12:51:23.392435, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT
Also, note that my Windows computers all work fine. Users can log in and use shared drives. I can also use RSAT tools (GPO, DNS, Users, Printers, etc.).
I feel my problems come from Kerberos authentication at the service level, but I'm stuck... I can't figure out how to solve this...
Can anyone help?
If you guys need anymore log, I can add extracts as well...
Edit
I kept searching for a solution did an experiment.
I setup another Linux machine as a PDC (samba-tool domain join gggm.int DC --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'). Everything went well, except, that after I joined the domain, the machine started to behave a little like the first one...
getent passwd returned the list of users, getent group returned the list of groups, but login ghigad always failed.
I finally found that enabling the pacservice in SSSD resolved the problem...
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
So I went on my other problematic server and enabled the pac service in SSSD and crossed fingers, hoping that the problem was solved.
Unfortunately, it's not that easy... I still have strange authentication problems...
I flushed the SSSD cache (sssctl cache-remove) and getent passwd can no longer list my domain users, and my domain turned offline in SSSD.
root@pitaya /usr/sbin # sssctl domain-status gggm.int
Online status: Offline
Active servers:
AD Global Catalog: not connected
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- pitaya.gggm.int
I tried to regenerate my machine's Keytab, in case it helped.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # net ads keytab create -P
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
root@pitaya ~ # net ads keytab create -U ghigad
Enter ghigad's password:
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
The only way I could recreate the Keytab was by first authenticating with Kerberos.
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # net ads keytab create -k
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 host/PITAYA@GGGM.INT (des-cbc-crc)
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 host/PITAYA@GGGM.INT (des-cbc-md5)
3 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 host/PITAYA@GGGM.INT (arcfour-hmac)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (des-cbc-crc)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (arcfour-hmac)
I then restarted SSSD and checked the status. Still offline.
I tried to export the Keytab using samba-tool.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # samba-tool domain exportkeytab /etc/krb5.keytab --principal=PITAYA$
Export one principal to /etc/krb5.keytab
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 PITAYA$@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (des-cbc-crc)
root@pitaya ~ # service sssd restart
root@pitaya ~ # sssctl domain-status gggm.int
Online status: Online
Active servers:
AD Global Catalog: pitaya.gggm.int
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
- pitaya.gggm.int
Discovered AD Domain Controller servers:
- pitaya.gggm.int
After that, getent passwd listed my domain users, but the rest of my Keytab is screwed up.
kinit -k still doesn't work because the host/pitaya.gggm.int@GGGM.INT is not in the Keytab, but kinit -k PITAYA$ works properly.
After that, smbclient -kL pitaya works.
I really need to have all the SPNs in my Keytab, but net ads keytab create doesn't generate a valid one.
How could I generate a valid Keytab?
I will keep trying to make it work and post my progress here... Any help would be appreciated.
samba active-directory kerberos
asked Jan 7 at 17:59
ghigadghigad
62
I have a Raspberry Pi 3B+ that I use as a home server.
I have installed and setup Samba AD DC from the Raspbian pacakges (4.5.12+dfsg-2+deb9u4).
I have configured SSSD on the AD DC server to authenticate the local users.
My setup used to work fine, but, since the beginning of december, I started have all kinds of authentication problems. Almost all my problems are now resolved, except that I can't authenticate on the local server using AD accounts.
I can authenticate on another Raspberry Pi on my networked that is joined as a domain member and configured with SSSD.
I searched the web for solutions, but I can't figure it out.
Here is the contents of the relevant config files:
/etc/hostname
pitaya
/etc/resolv.conf
search gggm.int
nameserver 192.168.2.26
/etc/krb5.conf
[libdefaults]
default_realm = GGGM.INT
dns_lookup_realm = false
dns_lookup_kdc = true
[domain_realm]
.gggm.int = GGGM.INT
/etc/samba/smb.conf
[global]
netbios name = PITAYA
realm = GGGM.INT
workgroup = GGGM
server role = active directory domain controller
dns forwarder = 192.168.2.1
idmap_ldb:use rfc2307 = yes
log level = 2
server string = Pitaya
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
kerberos method = secrets and keytab
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/sambaKey.pem
tls certfile = /var/lib/samba/private/tls/sambaCert.pem
tls cafile = /var/lib/samba/private/tls/crt.ca-chain.pem
<Share configuration skipped...>
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo, ssh
config_file_version = 2
domains = GGGM.INT
full_name_format = %1$s
[domain/GGGM.INT]
ad_domain = gggm.int
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_referrals = false
override_homedir = /home/%u
enumerate = true
ldap_sudo_search_base = OU=sudoers,OU=gggm.int,DC=gggm,DC=int
ad_gpo_access_control = permissive
dyndns_update = false
Output of uname -a
Linux pitaya 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux
DNS resolution works fine
root@pitaya ~ # host pitaya
pitaya.gggm.int has address 192.168.2.26
root@pitaya ~ # host 192.168.2.26
26.2.168.192.in-addr.arpa domain name pointer pitaya.gggm.int.
root@pitaya ~ # host -t SRV _ldap._tcp.gggm.int
_ldap._tcp.gggm.int has SRV record 0 100 389 pitaya.gggm.int.
root@pitaya ~ # host -t SRV _kerberos._tcp.gggm.int
_kerberos._tcp.gggm.int has SRV record 0 100 88 pitaya.gggm.int.
root@pitaya ~ #
I can authenticate using Kerberos as a domain user:
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ghigad@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:38:35 03/01/19 22:38:35 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:38:32
root@pitaya ~ #
I can list the shares on the local server:
root@pitaya ~ # smbclient -k -L pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@pitaya ~ #
I can login using the machine principal.
root@pitaya ~ # kdestroy
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
03/01/19 12:43:17 03/01/19 22:43:17 krbtgt/GGGM.INT@GGGM.INT
renew until 04/01/19 12:43:17
root@pitaya ~ #
I can also list the shares of the server using smbclient -k -L pitaya using this ticket (same output as above).
Also, wbinfo -u and getent passwd lists the users of the domain. Likewise, wbinfo -g and getent group lists the groups of the domain.
Output of wbinfo -P
checking the NETLOGON for domain[GGGM] dc connection to "pitaya.gggm.int" succeeded
I tried to check my domain's DB, and I didn't get any error...
root@pitaya ~ # samba-tool dbcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
Checking 400 objects
Checked 400 objects (0 errors)
Here is the contents of krb5.keytab.
root@pitaya ~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 host/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:18 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:18 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (arcfour-hmac)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-md5)
3 31/12/18 12:16:19 PITAYA$@GGGM.INT (des-cbc-crc)
However, if I try to authenticate to the domain, plaintext authentication succeeds, but the challenge/response fails.
root@pitaya ~ # wbinfo -a ghigad
Enter ghigad's password:
plaintext password authentication succeeded
Enter ghigad's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(GGGMghigad): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user ghigad with challenge/response
root@pitaya ~ #
I tried to reset my user's password (samba-tool user setpassword ghigad), but it didn't change anything.
I can't login to my server using SSH and a domain account (on my other server I can...).
Another strange behavior, kinit -k fails:
root@pitaya ~ # kinit -k
kinit: Preauthentication failed while getting initial credentials
root@pitaya ~ #
Digging through the log files, I found this...
[2019/01/03 12:51:23.391820, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2019/01/03 12:51:23.392318, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
Not updating badPwdCount on CN=PITAYA,OU=Domain Controllers,DC=gggm,DC=int after wrong password
[2019/01/03 12:51:23.392435, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- host/pitaya.gggm.int@GGGM.INT
Also, note that my Windows computers all work fine. Users can log in and use shared drives. I can also use RSAT tools (GPO, DNS, Users, Printers, etc.).
I feel my problems come from Kerberos authentication at the service level, but I'm stuck... I can't figure out how to solve this...
Can anyone help?
If you guys need anymore log, I can add extracts as well...
Edit
I kept searching for a solution did an experiment.
I setup another Linux machine as a PDC (samba-tool domain join gggm.int DC --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'). Everything went well, except, that after I joined the domain, the machine started to behave a little like the first one...
getent passwd returned the list of users, getent group returned the list of groups, but login ghigad always failed.
I finally found that enabling the pacservice in SSSD resolved the problem...
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
So I went on my other problematic server and enabled the pac service in SSSD and crossed fingers, hoping that the problem was solved.
Unfortunately, it's not that easy... I still have strange authentication problems...
I flushed the SSSD cache (sssctl cache-remove) and getent passwd can no longer list my domain users, and my domain turned offline in SSSD.
root@pitaya /usr/sbin # sssctl domain-status gggm.int
Online status: Offline
Active servers:
AD Global Catalog: not connected
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- pitaya.gggm.int
I tried to regenerate my machine's Keytab, in case it helped.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # net ads keytab create -P
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
root@pitaya ~ # net ads keytab create -U ghigad
Enter ghigad's password:
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
kerberos_kinit_password GGGM@GGGM.INT failed: Client not found in Kerberos database
The only way I could recreate the Keytab was by first authenticating with Kerberos.
root@pitaya ~ # kinit ghigad
Password for ghigad@GGGM.INT:
root@pitaya ~ # net ads keytab create -k
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 host/PITAYA@GGGM.INT (des-cbc-crc)
3 host/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 host/PITAYA@GGGM.INT (des-cbc-md5)
3 host/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 host/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 host/PITAYA@GGGM.INT (arcfour-hmac)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 gc/PITAYA@GGGM.INT (des-cbc-crc)
3 gc/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 gc/PITAYA@GGGM.INT (des-cbc-md5)
3 gc/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 gc/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 gc/PITAYA@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-crc)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (des-cbc-md5)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 e3514235-4b06-11d1-ab04-00c04fc2dcd2/PITAYA@GGGM.INT (arcfour-hmac)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 ldap/PITAYA@GGGM.INT (des-cbc-crc)
3 ldap/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 ldap/PITAYA@GGGM.INT (des-cbc-md5)
3 ldap/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 ldap/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 ldap/PITAYA@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-crc)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/PITAYA@GGGM.INT (des-cbc-md5)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 restrictedkrbhost/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 restrictedkrbhost/PITAYA@GGGM.INT (arcfour-hmac)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-crc)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-crc)
3 krbtgt/pitaya.gggm.int@GGGM.INT (des-cbc-md5)
3 krbtgt/PITAYA@GGGM.INT (des-cbc-md5)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes128-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/PITAYA@GGGM.INT (aes256-cts-hmac-sha1-96)
3 krbtgt/pitaya.gggm.int@GGGM.INT (arcfour-hmac)
3 krbtgt/PITAYA@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (des-cbc-crc)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (arcfour-hmac)
I then restarted SSSD and checked the status. Still offline.
I tried to export the Keytab using samba-tool.
root@pitaya ~ # rm /etc/krb5.keytab
root@pitaya ~ # samba-tool domain exportkeytab /etc/krb5.keytab --principal=PITAYA$
Export one principal to /etc/krb5.keytab
root@pitaya ~ # klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 PITAYA$@GGGM.INT (arcfour-hmac)
3 PITAYA$@GGGM.INT (aes256-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (aes128-cts-hmac-sha1-96)
3 PITAYA$@GGGM.INT (des-cbc-md5)
3 PITAYA$@GGGM.INT (des-cbc-crc)
root@pitaya ~ # service sssd restart
root@pitaya ~ # sssctl domain-status gggm.int
Online status: Online
Active servers:
AD Global Catalog: pitaya.gggm.int
AD Domain Controller: pitaya.gggm.int
Discovered AD Global Catalog servers:
- pitaya.gggm.int
Discovered AD Domain Controller servers:
- pitaya.gggm.int
After that, getent passwd listed my domain users, but the rest of my Keytab is screwed up.
kinit -k still doesn't work because the host/pitaya.gggm.int@GGGM.INT is not in the Keytab, but kinit -k PITAYA$ works properly.
After that, smbclient -kL pitaya works.
I really need to have all the SPNs in my Keytab, but net ads keytab create doesn't generate a valid one.
How could I generate a valid Keytab?
I will keep trying to make it work and post my progress here... Any help would be appreciated.
samba active-directory kerberos
samba active-directory kerberos
asked Jan 7 at 17:59
ghigadghigad
62
asked Jan 7 at 17:59
ghigadghigad
62
edited Jan 18 at 2:12
ghigad
asked Jan 7 at 17:59
ghigadghigad
62
asked Jan 7 at 17:59
ghigadghigad
62
asked Jan 7 at 17:59
ghigadghigad
62
62
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
0
I finally managed to solve my problem...
Enabling the pac service in SSSD definitely helped.
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
Also, regenerating the secret keys of the machine finished solving the remaining problems. The challenge here is that the problematic machine is the AD DC for the domain. So I could not just rejoin the domain.
The following command regenerated the secret keys of the machine and generated a new Keytab.
adcli update --verbose --computer-password-lifetime=0 --domain=gggm.int
Then, checking the keytab:
root@pitaya ~ # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
You can see that my Keytab now contains KVNO 4 for all the SPNs of my machine. So, the following commands now work!
root@pitaya ~ # kinit -k
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: host/pitaya.gggm.int@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:18:54 25/01/19 07:18:54 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:18:54
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:19:00 25/01/19 07:19:00 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:19:00
root@pitaya ~ # smbclient -kL pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
home Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
Now, authentication works (login ghigad works, dovecot authentication works, etc.) and I can login to the SSH service using GSSAPI.
answered Jan 25 at 2:27
ghigadghigad
62
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1391576%2funable-to-authenticate-on-samba-ad-dc-server%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
I finally managed to solve my problem...
Enabling the pac service in SSSD definitely helped.
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
Also, regenerating the secret keys of the machine finished solving the remaining problems. The challenge here is that the problematic machine is the AD DC for the domain. So I could not just rejoin the domain.
The following command regenerated the secret keys of the machine and generated a new Keytab.
adcli update --verbose --computer-password-lifetime=0 --domain=gggm.int
Then, checking the keytab:
root@pitaya ~ # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
You can see that my Keytab now contains KVNO 4 for all the SPNs of my machine. So, the following commands now work!
root@pitaya ~ # kinit -k
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: host/pitaya.gggm.int@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:18:54 25/01/19 07:18:54 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:18:54
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:19:00 25/01/19 07:19:00 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:19:00
root@pitaya ~ # smbclient -kL pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
home Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
Now, authentication works (login ghigad works, dovecot authentication works, etc.) and I can login to the SSH service using GSSAPI.
answered Jan 25 at 2:27
ghigadghigad
62
add a comment |
0
I finally managed to solve my problem...
Enabling the pac service in SSSD definitely helped.
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
Also, regenerating the secret keys of the machine finished solving the remaining problems. The challenge here is that the problematic machine is the AD DC for the domain. So I could not just rejoin the domain.
The following command regenerated the secret keys of the machine and generated a new Keytab.
adcli update --verbose --computer-password-lifetime=0 --domain=gggm.int
Then, checking the keytab:
root@pitaya ~ # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
You can see that my Keytab now contains KVNO 4 for all the SPNs of my machine. So, the following commands now work!
root@pitaya ~ # kinit -k
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: host/pitaya.gggm.int@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:18:54 25/01/19 07:18:54 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:18:54
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:19:00 25/01/19 07:19:00 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:19:00
root@pitaya ~ # smbclient -kL pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
home Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
Now, authentication works (login ghigad works, dovecot authentication works, etc.) and I can login to the SSH service using GSSAPI.
answered Jan 25 at 2:27
ghigadghigad
62
add a comment |
0
0
0
I finally managed to solve my problem...
Enabling the pac service in SSSD definitely helped.
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
Also, regenerating the secret keys of the machine finished solving the remaining problems. The challenge here is that the problematic machine is the AD DC for the domain. So I could not just rejoin the domain.
The following command regenerated the secret keys of the machine and generated a new Keytab.
adcli update --verbose --computer-password-lifetime=0 --domain=gggm.int
Then, checking the keytab:
root@pitaya ~ # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
You can see that my Keytab now contains KVNO 4 for all the SPNs of my machine. So, the following commands now work!
root@pitaya ~ # kinit -k
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: host/pitaya.gggm.int@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:18:54 25/01/19 07:18:54 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:18:54
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:19:00 25/01/19 07:19:00 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:19:00
root@pitaya ~ # smbclient -kL pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
home Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
Now, authentication works (login ghigad works, dovecot authentication works, etc.) and I can login to the SSH service using GSSAPI.
answered Jan 25 at 2:27
ghigadghigad
62
I finally managed to solve my problem...
Enabling the pac service in SSSD definitely helped.
sssd.conf
[sssd]
services = nss, pam, sudo, ssh, pac, ifp
Also, regenerating the secret keys of the machine finished solving the remaining problems. The challenge here is that the problematic machine is the AD DC for the domain. So I could not just rejoin the domain.
The following command regenerated the secret keys of the machine and generated a new Keytab.
adcli update --verbose --computer-password-lifetime=0 --domain=gggm.int
Then, checking the keytab:
root@pitaya ~ # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 PITAYA$@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/pitaya.gggm.int@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 host/PITAYA@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/pitaya.gggm.int@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 ldap/PITAYA@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/pitaya.gggm.int@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 gc/PITAYA@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/pitaya.gggm.int@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 RestrictedKrbHost/PITAYA@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/pitaya.gggm.int@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
4 krbtgt/PITAYA@GGGM.INT
You can see that my Keytab now contains KVNO 4 for all the SPNs of my machine. So, the following commands now work!
root@pitaya ~ # kinit -k
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: host/pitaya.gggm.int@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:18:54 25/01/19 07:18:54 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:18:54
root@pitaya ~ # kinit -k PITAYA$
root@pitaya ~ # klist
Ticket cache: FILE:/tmp/krb5cc_500_ChLPIV
Default principal: PITAYA$@GGGM.INT
Valid starting Expires Service principal
24/01/19 21:19:00 25/01/19 07:19:00 krbtgt/GGGM.INT@GGGM.INT
renew until 25/01/19 21:19:00
root@pitaya ~ # smbclient -kL pitaya
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
home Disk
IPC$ IPC IPC Service (Pitaya)
Domain=[GGGM] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
Server Comment
--------- -------
Workgroup Master
--------- -------
Now, authentication works (login ghigad works, dovecot authentication works, etc.) and I can login to the SSH service using GSSAPI.
answered Jan 25 at 2:27
ghigadghigad
62
answered Jan 25 at 2:27
ghigadghigad
62
answered Jan 25 at 2:27
ghigadghigad
62
answered Jan 25 at 2:27
ghigadghigad
62
62
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1391576%2funable-to-authenticate-on-samba-ad-dc-server%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
