
Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch

2017-06-20 11:37 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:
> On Tue, 20 Jun 2017 11:13:25 +0200
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
> If you check what the OP posted from:
>
> klist -e -k /var/lib/samba/private/secrets.keytab
>
> There is this in reference to his DC:
>
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
>    1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
>
> Amongst his previous output was this:
>
> GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text):
> Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
> FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>
> I can see FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in the output above,
> but I do not see 'arcfour-hmac-md5'
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


I have regenerated one keytab for the "FICHDC$" and "HOST/fichdc"
principals and copied the keytab file to both "/etc/krb5.keytab" and
"/var/lib/samba/private/secrets.keytab" to be safe (I have made a
backup of the old keytab files). But authentication with the machine
account still does not work:

----------------------------
~# samba-tool domain exportkeytab /tmp/krb5.keytab --principal="FICHDC$"
~# samba-tool domain exportkeytab /tmp/krb5.keytab --principal="HOST/fichdc"
~# klist -e -k /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 HOST/fichdc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (arcfour-hmac)
   2 HOST/fichdc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (des-cbc-md5)
   2 HOST/fichdc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (des-cbc-crc)

~# cp /tmp/krb5.keytab /etc/krb5.keytab
~# cp /tmp/krb5.keytab /var/lib/samba/private/secrets.keytab
~# systemctl restart samba-ad-dc
~# samba-tool time -P
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to
SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr'
failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py",
line 59, in run
    self.outf.write(net.time(server_name)+"\n")
----------------------------

The possible problem is that the "KVNO" is still at "2" and there are no
"aes128-cts-hmac-sha1-96" and "aes256-cts-hmac-sha1-96" encryption types.
But I don't know how to generate these encryption types with samba-tool.
What account needs to be put in "net ads enctypes set <ACCOUNTNAME>"?

Thank you very much for your help !!!

Baptiste.

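As an added diagnostic for the situation in this thread (my own example, not Samba's tooling and not code posted by anyone in the thread), the checker below parses `klist -e -k` output and the "Failed to find ... in keytab" message and reports whether the requested principal/kvno/enctype triple is present, and if not, whether the kvno or the enctype is what is missing. It treats `arcfour-hmac` (MIT klist spelling) and `arcfour-hmac-md5` (the spelling in the Samba/Heimdal error) as the same Kerberos etype 23, so the two outputs quoted above can be compared directly; the sample keytab listings and error text are reconstructed from the outputs posted in the thread.

```python
import re

# MIT klist prints RC4-HMAC (etype 23) as "arcfour-hmac"; the Samba/Heimdal
# error text calls the same etype "arcfour-hmac-md5". Compare canonically.
ENCTYPE_ALIASES = {"arcfour-hmac": "arcfour-hmac-md5", "rc4-hmac": "arcfour-hmac-md5"}

KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
GSS_ERROR = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab\s+\S+\s+\((\S+)\)")

def canonical(enctype):
    name = enctype.lower()
    return ENCTYPE_ALIASES.get(name, name)

def parse_klist(text):
    """(principal, kvno, enctype) triples from `klist -e -k` output."""
    return {(m.group(2), int(m.group(1)), canonical(m.group(3)))
            for m in map(KLIST_ENTRY.match, text.splitlines()) if m}

def parse_gss_error(text):
    """The (principal, kvno, enctype) the GSS server could not find."""
    m = GSS_ERROR.search(" ".join(text.split()))  # undo mail line wrapping
    if not m:
        raise ValueError("no 'Failed to find ... in keytab' message")
    return (m.group(1), int(m.group(2)), canonical(m.group(3)))

def diagnose(klist_text, error_text):
    """Say whether the keytab holds the key the error asks for, and if not, why."""
    principal, kvno, enctype = parse_gss_error(error_text)
    entries = parse_klist(klist_text)
    if (principal, kvno, enctype) in entries:
        return "present"
    kvnos = sorted(k for p, k, e in entries if p == principal and e == enctype)
    if kvnos:
        return "kvno mismatch: keytab has %s, KDC wants %d" % (kvnos, kvno)
    if any(p == principal for p, _, _ in entries):
        return "enctype %s missing for %s" % (enctype, principal)
    return "principal %s not in keytab" % principal

def enctypes_for(klist_text, principal, kvno):
    """Enctypes present for one principal at one kvno (e.g. to spot missing AES)."""
    return sorted(e for p, k, e in parse_klist(klist_text) if p == principal and k == kvno)

# Constructed samples, reconstructed from the klist output and error posted above.
OLD_KEYTAB = """   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)"""
NEW_KEYTAB = """   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)"""
ERROR = """Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)"""
```

Run `diagnose(OLD_KEYTAB, ERROR)` against the original secrets.keytab listing and it reports the kvno mismatch (keytab kvno 1, KDC wants 2); against the re-exported keytab it reports the entry as present, and `enctypes_for` shows that listing carries no AES enctypes at kvno 2.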