Web lists-archives.com

[Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions




I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.)


I am trying to join a Solaris 11 machine to the domain for both Samba and other services. For "unix" logins and ssh, Solaris 11 is configured to use LDAP for user and group lookup and kerberos for authentication.


The "kclient -T ms_ad" command joins the Solaris machine to the AD domain. It even creates the /etc/krb5/krb5.keytab file with several service principal entries. (I pasted this at the bottom of this e-mail.) This allows me to ssh in to the machine using my kerberos password.


When I run "net ads join -S domaincontroller -U Administration" , the samba join appears to work. However, I can no longer ssh in .

The log files shows

sshd[12225]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key version number for principal in key table is incorrect


I ran kvno prior to "net join" to see if I could find any changes on any of the principals. I did not find any. However the "pwdLastSet" attribute was updated (which means, not surprisingly, that the samba "net ads join" changed machine's password when joining. I also notice that the "msDS-SupportedEncryptionTypes" attribute is reset to 31 (i.e all encryption types.) I had change it to 28 (to exclude DES)


I tried setting "kerberos method = secrets and keytab" in smb.conf, but did not help. I would think solution might be to create a new krb5.keytab file on the AD server that has a single principal that can provide authentication for both unix logins and samba. The kutil command in Windows makes it pretty much impossible to create a krb5.keytab file with multiple service principals.


What service principal is Samba using ? Assuming my machine is "client1" in the realm "MYREALM" I would expect the principal to be "CLIENT1$@MYREALM."


If I set  "kerberos method = keytab" while samba try to create a keytab ?


I appreciate any advice


Thanks














           root@client1:/etc/krb5# klist -ke

           Keytab name: FILE:/etc/krb5/krb5.keytab

           KVNO Principal

           ----
           --------------------------------------------------------------------------

           2 host/client1.mydomain.com@xxxxxxxxxxx (AES-256 CTS mode
           with 96-bit SHA-1 HMAC)

           2 host/client1.mydomain.com@xxxxxxxxxxx (AES-128 CTS mode
           with 96-bit SHA-1 HMAC)

           2 host/client1.mydomain.com@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 host/client1.mydomain.com@xxxxxxxxxxx (DES cbc mode with
           RSA-MD5)

           2 nfs/client1.mydomain.com@xxxxxxxxxxx (AES-256 CTS mode
           with 96-bit SHA-1 HMAC)

           2 nfs/client1.mydomain.com@xxxxxxxxxxx (AES-128 CTS mode
           with 96-bit SHA-1 HMAC)

           2 nfs/client1.mydomain.com@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 nfs/client1.mydomain.com@xxxxxxxxxxx (DES cbc mode with
           RSA-MD5)

           2 HTTP/client1.mydomain.com@xxxxxxxxxxx (AES-256 CTS mode
           with 96-bit SHA-1 HMAC)

           2 HTTP/client1.mydomain.com@xxxxxxxxxxx (AES-128 CTS mode
           with 96-bit SHA-1 HMAC)

           2 HTTP/client1.mydomain.com@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 HTTP/client1.mydomain.com@xxxxxxxxxxx (DES cbc mode with
           RSA-MD5)

           2 root/client1.mydomain.com@xxxxxxxxxxx (AES-256 CTS mode
           with 96-bit SHA-1 HMAC)

           2 root/client1.mydomain.com@xxxxxxxxxxx (AES-128 CTS mode
           with 96-bit SHA-1 HMAC)

           2 root/client1.mydomain.com@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 root/client1.mydomain.com@xxxxxxxxxxx (DES cbc mode with
           RSA-MD5)

           2 cifs/client1.mydomain.com@xxxxxxxxxxx (AES-256 CTS mode
           with 96-bit SHA-1 HMAC)

           2 cifs/client1.mydomain.com@xxxxxxxxxxx (AES-128 CTS mode
           with 96-bit SHA-1 HMAC)

           2 cifs/client1.mydomain.com@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 cifs/client1.mydomain.com@xxxxxxxxxxx (DES cbc mode with
           RSA-MD5)

           2 CLIENT1$@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1
           HMAC)

           2 CLIENT1$@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1
           HMAC)

           2 CLIENT1$@MYREALM.COM (ArcFour with HMAC/md5)

           2 CLIENT1$@MYREALM.COM (DES cbc mode with RSA-MD5)

           2 host/CLIENT1@xxxxxxxxxxx (AES-256 CTS mode with 96-bit
           SHA-1 HMAC)

           2 host/CLIENT1@xxxxxxxxxxx (AES-128 CTS mode with 96-bit
           SHA-1 HMAC)

           2 host/CLIENT1@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 host/CLIENT1@xxxxxxxxxxx (DES cbc mode with RSA-MD5)

           2 cifs/CLIENT1@xxxxxxxxxxx (AES-256 CTS mode with 96-bit
           SHA-1 HMAC)

           2 cifs/CLIENT1@xxxxxxxxxxx (AES-128 CTS mode with 96-bit
           SHA-1 HMAC)

           2 cifs/CLIENT1@xxxxxxxxxxx (ArcFour with HMAC/md5)

           2 cifs/CLIENT1@xxxxxxxxxxx (DES cbc mode with RSA-MD5)

           root@client1:/etc/krb5#





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba