
[Samba] smbclient kerberos auth fails

Hi,

I rarely deal with kerberos but every time I do it's painful...

I have a Windows Server 2016 VM at foo-ad.foo.com. It has the AD role
and it owns the FOO.COM domain. I added an *AD* account FOO\aaptel%aaptel.

    PS C:\share> get-aduser aaptel
    
    
    DistinguishedName : CN=aaptel,CN=Users,DC=foo,DC=com
    Enabled           : True
    GivenName         :
    Name              : aaptel
    ObjectClass       : user
    ObjectGUID        : 97c32e32-593c-4d88-a183-268798016eeb
    SamAccountName    : aaptel
    SID               : S-1-5-21-1780990686-3015222812-3597832517-1105
    Surname           :
    UserPrincipalName : aaptel@xxxxxxx

I can log in with AD accounts from a linux machine using ntlmssp with
-U FOO\aaptel%aaptel
-U FOO.COM\aaptel%aaptel
-U aaptel%aaptel (weirdly this works)

they all work fine.

Now to use kerberos on the same linux machine I've done:

* make sure time is ntp sync'd on the client
* add the AD ip address in resolv.conf (I can resolve foo.com and
  foo-ad.foo.com fine)
* set /etc/krb5.conf to:

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = FOO.COM
    
    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = FILE:/var/log/krb5/def.log

* run kinit aaptel@xxxxxxx, type pw, ok
* klist output:

    Ticket cache: DIR::/run/user/1000/krb5cc/tktEOK9Bs
    Default principal: aaptel@xxxxxxx
    
    Valid starting       Expires              Service principal
    04/14/2018 13:49:22  04/14/2018 23:49:22  krbtgt/FOO.COM@xxxxxxx
            renew until 04/15/2018 13:49:21


At this point I think it should work, but I get:

    $ smbclient //foo.com/share -k
    SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/foo.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
    SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
    session setup failed: NT_STATUS_INVALID_PARAMETER

I've attached a network trace with SMB, DNS and kerberos traffic.

Adding KRB5_TRACE=/dev/stderr to the env I get:

KRB5_TRACE=/dev/stderr smbclient //foo.com/share -k
[14620] 1523708816.549070: Getting credentials aaptel@xxxxxxx -> cifs/foo.com@xxxxxxx using ccache DIR::/run/user/1000/krb5cc/tkt
[14620] 1523708816.549204: Retrieving aaptel@xxxxxxx -> cifs/foo.com@xxxxxxx from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching credential not found
[14620] 1523708816.549239: Retrieving aaptel@xxxxxxx -> krbtgt/FOO.COM@xxxxxxx from DIR::/run/user/1000/krb5cc/tkt with result: 0/Success
[14620] 1523708816.549244: Starting with TGT for client realm: aaptel@xxxxxxx -> krbtgt/FOO.COM@xxxxxxx
[14620] 1523708816.549249: Requesting tickets for cifs/foo.com@xxxxxxx, referrals on
[14620] 1523708816.549289: Generated subkey for TGS request: aes256-cts/8C96
[14620] 1523708816.549350: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.549445: Encoding request body and padata into FAST request
[14620] 1523708816.549489: Sending request (1552 bytes) to FOO.COM
[14620] 1523708816.601328: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.601424: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.601458: Initiating TCP connection to stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.625955: Sending TCP request to stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.661357: Received answer (295 bytes) from stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.694851: Response was not from master KDC
[14620] 1523708816.694885: Decoding FAST response
[14620] 1523708816.694959: TGS request result: -1765328377/Server not found in Kerberos database
[14620] 1523708816.694966: Requesting tickets for cifs/foo.com@xxxxxxx, referrals off
[14620] 1523708816.694991: Generated subkey for TGS request: aes256-cts/73FA
[14620] 1523708816.695028: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.695096: Encoding request body and padata into FAST request
[14620] 1523708816.695160: Sending request (1552 bytes) to FOO.COM
[14620] 1523708816.745857: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.745934: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.745989: Initiating TCP connection to stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.770008: Sending TCP request to stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.805500: Received answer (295 bytes) from stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.840186: Response was not from master KDC
[14620] 1523708816.840218: Decoding FAST response
[14620] 1523708816.840268: TGS request result: -1765328377/Server not found in Kerberos database
[14620] 1523708816.840651: Getting credentials aaptel@xxxxxxx -> cifs/foo.com@COM using ccache DIR::/run/user/1000/krb5cc/tkt
[14620] 1523708816.840710: Retrieving aaptel@xxxxxxx -> cifs/foo.com@COM from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching credential not found
[14620] 1523708816.840758: Retrieving aaptel@xxxxxxx -> krbtgt/COM@COM from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching credential not found
[14620] 1523708816.840796: Retrieving aaptel@xxxxxxx -> krbtgt/FOO.COM@xxxxxxx from DIR::/run/user/1000/krb5cc/tkt with result: 0/Success
[14620] 1523708816.840803: Starting with TGT for client realm: aaptel@xxxxxxx -> krbtgt/FOO.COM@xxxxxxx
[14620] 1523708816.840841: Retrieving aaptel@xxxxxxx -> krbtgt/COM@COM from DIR::/run/user/1000/krb5cc/tkt with result: -1765328243/Matching credential not found
[14620] 1523708816.840849: Requesting TGT krbtgt/COM@xxxxxxx using TGT krbtgt/FOO.COM@xxxxxxx
[14620] 1523708816.840867: Generated subkey for TGS request: aes256-cts/0E2E
[14620] 1523708816.840899: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.840949: Encoding request body and padata into FAST request
[14620] 1523708816.840999: Sending request (1548 bytes) to FOO.COM
[14620] 1523708816.893032: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.893107: Resolving hostname foo-ad.foo.com.
[14620] 1523708816.893161: Initiating TCP connection to stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.919222: Sending TCP request to stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.946685: Received answer (290 bytes) from stream 2620:113:80c0:8080:9c9a:3fbc:4160:b896:88
[14620] 1523708816.976231: Response was not from master KDC
[14620] 1523708816.976265: Decoding FAST response
[14620] 1523708816.976299: TGS request result: -1765328377/Server not found in Kerberos database
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/foo.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


Any help welcome.

Cheers,

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
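An added helper (not from the post, nor part of Samba or MIT krb5) that parses KRB5_TRACE lines of the shape shown above and explains each failed TGS request. The sample trace is constructed and condensed from the one in the post, with the realm written as FOO.COM in place of the archive's masking; the realm name passed to `diagnose` is an assumption taken from the krb5.conf above.

```python
import re

# Constructed sample in the shape of KRB5_TRACE output (condensed from the
# post's trace; the realm is written out as FOO.COM instead of masked).
SAMPLE_TRACE = """\
[14620] 1523708816.549249: Requesting tickets for cifs/foo.com@FOO.COM, referrals on
[14620] 1523708816.694959: TGS request result: -1765328377/Server not found in Kerberos database
[14620] 1523708816.694966: Requesting tickets for cifs/foo.com@FOO.COM, referrals off
[14620] 1523708816.840268: TGS request result: -1765328377/Server not found in Kerberos database
[14620] 1523708816.840849: Requesting TGT krbtgt/COM@FOO.COM using TGT krbtgt/FOO.COM@FOO.COM
[14620] 1523708816.976299: TGS request result: -1765328377/Server not found in Kerberos database
"""

# Numeric code that MIT krb5 prints for "Server not found in Kerberos database".
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377

_REQ = re.compile(r"Requesting (?:tickets for|TGT) (\S+?)(?:,| using)")
_RES = re.compile(r"TGS request result: (-?\d+)/(.*)$")


def parse_tgs_attempts(trace):
    """Pair each 'Requesting ...' line with the next 'TGS request result' line."""
    attempts, pending = [], None
    for line in trace.splitlines():
        m = _REQ.search(line)
        if m:
            pending = m.group(1)  # e.g. cifs/foo.com@FOO.COM
            continue
        m = _RES.search(line)
        if m and pending:
            attempts.append({"principal": pending, "code": int(m.group(1)), "msg": m.group(2)})
            pending = None
    return attempts


def diagnose(attempts, realm="FOO.COM"):
    """Explain each SPN-unknown failure; 'realm' is the client's default realm (assumed)."""
    findings = []
    for a in attempts:
        if a["code"] != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            continue
        name, _, req_realm = a["principal"].partition("@")
        service, _, instance = name.partition("/")
        if service == "krbtgt" and instance != realm:
            findings.append(f"realm-walk fallback to realm {instance}: no such realm, expected to fail")
        elif instance.lower() == realm.lower():
            findings.append(f"{name} names the AD domain itself rather than a server host; "
                            f"unless that SPN was registered on an account, the KDC has nothing to issue")
        else:
            findings.append(f"{name} unknown to KDC for {req_realm}: check the SPN is registered")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_tgs_attempts(SAMPLE_TRACE)):
        print(finding)
```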