Web lists-archives.com

[Samba] samba creating keytabs... ( possible bug, can someone confirm this )




Hai, 

 

I noticed something strange in the keytab file on my member server. 

This is a followup of : [Samba] winbind question. (challenge/response password authentication)

Samba 4.5.3 on Debian Jessie.

 

Leave the domain. 

net ads leave -k

Deleted account for 'PROXY2' in realm 'REALM'

 

I checked in windows, and the computer is gone in the “Computer” ou. 

 

Removed the keytab file. 

rm krb5.keytab 

 

net ads join –k 

Using short domain name -- NTDOM

Joined 'PROXY2' to dns domain 'internal.domain.tld'

 

check the new keytab ( created at join )

klist -ket

Keytab name: FILE:/etc/krb5.keytab

KVNO Timestamp           Principal

---- ------------------- ------------------------------------------------------

   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)

   2 02/01/2017 14:01:34 host/PROXY2@REALM (des-cbc-crc)

   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 02/01/2017 14:01:34 host/PROXY2@REALM (des-cbc-md5)

   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:01:34 host/PROXY2@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:01:34 host/PROXY2@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 02/01/2017 14:01:34 host/PROXY2@REALM (arcfour-hmac)

   2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-crc)

   2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-md5)

   2 02/01/2017 14:01:34 PROXY2$@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:01:34 PROXY2$@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:01:34 PROXY2$@REALM (arcfour-hmac)

 

so far good. 

 

I logged in on the DC with fsmo roles

Created the needed nfs entries.: 

samba-tool spn add nfs/proxy2 proxy2$

samba-tool spn add nfs/proxy2.internal.domain.tld proxy2$

 

back to the member. 

backuped the original keytab file. 

 

mv krb5.keytab krb5.keytab-1

create new keytab file:

net ads keytab create -k

 

klist -ket

Keytab name: FILE:/etc/krb5.keytab

KVNO Timestamp           Principal

---- ------------------- ------------------------------------------------------

   2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)

   2 02/01/2017 14:06:56 host/PROXY2@REALM (des-cbc-crc)

   2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 02/01/2017 14:06:56 host/PROXY2@REALM (des-cbc-md5)

   2 02/01/2017 14:06:56 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 host/PROXY2@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 host/PROXY2@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 02/01/2017 14:06:57 host/PROXY2@REALM (arcfour-hmac)

   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)

   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (des-cbc-crc)

   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (des-cbc-md5)

   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 02/01/2017 14:06:57 nfs/PROXY2@REALM (arcfour-hmac)

   2 02/01/2017 14:06:57 PROXY2$@REALM (des-cbc-crc)

   2 02/01/2017 14:06:57 PROXY2$@REALM (des-cbc-md5)

   2 02/01/2017 14:06:57 PROXY2$@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 PROXY2$@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:06:57 PROXY2$@REALM (arcfour-hmac)

 

all looks ok... 

 

now the (not) funny part.

 

( on the DC )

samba-tool spn add HTTP/proxy2 proxy2$

samba-tool spn add HTTP/proxy2.internal.domain.tld proxy2$

 

backuped the keytab file again

( on the member )

mv krb5.keytab krb5.keytab-2

 

net ads keytab create -k

klist -ket

Keytab name: FILE:/etc/krb5.keytab

KVNO Timestamp           Principal

---- ------------------- ------------------------------------------------------

   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)

   2 02/01/2017 14:09:27 host/PROXY2@REALM (des-cbc-crc)

   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 02/01/2017 14:09:27 host/PROXY2@REALM (des-cbc-md5)

   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 host/PROXY2@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 host/PROXY2@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 02/01/2017 14:09:27 host/PROXY2@REALM (arcfour-hmac)

   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)

   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (des-cbc-crc)

   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (des-cbc-md5)

   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:27 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 02/01/2017 14:09:27 nfs/PROXY2@REALM (arcfour-hmac)

   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)

   2 02/01/2017 14:09:28 http/PROXY2@REALM (des-cbc-crc)

   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 02/01/2017 14:09:28 http/PROXY2@REALM (des-cbc-md5)

   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:28 http/PROXY2@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:28 http/PROXY2@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:28 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 02/01/2017 14:09:28 http/PROXY2@REALM (arcfour-hmac)

   2 02/01/2017 14:09:28 PROXY2$@REALM (des-cbc-crc)

   2 02/01/2017 14:09:28 PROXY2$@REALM (des-cbc-md5)

   2 02/01/2017 14:09:28 PROXY2$@REALM (aes128-cts-hmac-sha1-96)

   2 02/01/2017 14:09:28 PROXY2$@REALM (aes256-cts-hmac-sha1-96)

   2 02/01/2017 14:09:28 PROXY2$@REALM (arcfour-hmac)

 

Now why is the HTTP now http. some spn's need CAPS, some not. 

squid needs HTTP/ not http..  :-( 

 

when i now check in windows, user manager, goto the computer and 

(OU=Computers) on the Attribute Editor tab, in the Attributes list, 

select servicePrincipalName, and then click Edit.

 

i seeing here: 

 

HOST/PROXY2

HOST/proxy2.internal.domain.tld

http/proxy2

HTTP/PROXY2

http/proxy2.internal.domain.tld

HTTP/proxy2.internal.domain.tld

nfs/proxy2

nfs/proxy2.internal.domain.tld

 

now why is there a http and HTTP while this didnt happen with the nfs spn?

and why is HOST in caps in the servicePrincipalName in windows but in keytab not. 

 

Can someone confirm this, this make it all very unpredictable. 

 

Im running samba 4.5.3

 

now, i remove the failty keytab again. 

removed the failty entries http/.. so only HTTP/ is in windows under servicePrincipalName

created the keytab file 

 

and same result, only lower cased http/ :-( 

exporting on the DC.

samba-tool domain exportkeytab --principal=HTTP/proxy2.internal.domain.tld /root/keytabs/proxy2.keytab-new

klist -ke /root/keytabs/proxy2.keytab-new

Keytab name: FILE:/root/keytabs/proxy2.keytab-new

KVNO Principal

---- --------------------------------------------------------------------------

   2 HTTP/proxy2.internal.domain.tld@REALM (arcfour-hmac)

   2 HTTP/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)

   2 HTTP/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)

   2 HTTP/proxy2.internal.domain.tld@REALM (des-cbc-md5)

   2 HTTP/proxy2.internal.domain.tld@REALM (des-cbc-crc)

 

which looks correct to me. 

 

Did we find a real bug here? 

 

 

 

Greetz, 

 

Louis

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba