From samba-technical Tue Jun 05 15:27:52 2012
From: brendan powers
Date: Tue, 05 Jun 2012 15:27:52 +0000
To: samba-technical
Subject: Kerberos ticket issues with Samba4 and Windows 2k8R2
Message-Id:
X-MARC-Message: https://marc.info/?l=samba-technical&m=133891026224926

Hello,

I have been having issues getting Kerberos tickets for users stored in a keytab file. This issue only occurs when Samba4 is joined to a Windows Server 2008 R2 domain. If the server is provisioned normally, or joined to a Windows 2003 R2 domain, this problem does not occur. I've also tried a normal provision, and then raised the domain and forest to a 2008R2 level, and that does not cause the issue either. Below is a list of information and the steps I used to reproduce the issue.

Linux Server OS: Ubuntu 12.04
Samba Versions: Alpha 17, Alpha 21, and GIT 01106230ddc8da90e2ff2667dd3702e3c110f720 from yesterday.
Windows Version: Windows Server 2008 R2
Domain and Forest Level: 2008R2
Domain Name: testdom.lan
Short Name: testdom
Windows Server: 10.0.5.1 winsvr
Linux Server: 10.0.5.2 ubuntu

Steps to reproduce:

1) Install Windows Server 2008R2, and provision a new domain with a 2008R2 forest and domain level
2) Install Samba4 on a Linux server, using one of the versions listed above
3) Set up /etc/resolv.conf to point to the Windows server. Configure hosts so the ubuntu server has a properly configured FQDN
4) Configure /etc/krb5.conf according to https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
5) Join Samba to the Windows domain using:
   bin/samba-tool domain join testdom.lan DC -Uadministrator --realm=testdom.lan
6) Run KCC on the Windows server:
   bin/samba-tool drs kcc -UAdministrator winsvr
7) Check replication with:
   bin/samba-tool drs showrepl
8) Create a user to authenticate. I'm going to use the DNS update user in this example:
   bin/samba-tool user create dns-ubuntu Dnspw123
9) Create a secrets LDIF file (see below), and import it with:
   bin/ldbadd -H private/secrets.ldb /tmp/secret.ldiff
10) Run kinit dns-ubuntu to make sure the user was created and can be authenticated
11) Try getting a Kerberos ticket using the keytab created by adding an entry to the secrets.ldb file:
   kinit -k -t private/dns.keytab dns-ubuntu

At this point, kinit gives the error "kinit: Preauthentication failed while getting initial credentials". If I had used a Windows 2008 server for this process, this command succeeds. If I were to export the domain keytab with samba-tool domain exportkeytab, I can authenticate the dns-ubuntu user.

This seems to be a pretty consistent and repeatable behavior. I've tried it with many small configuration tweaks, multiple Windows servers, etc. Below are some of the files I used. This seems to be the only issue; replication is working, computers can join the domain, users can authenticate, DNS updates work, etc.

/etc/krb5.conf
===========
[libdefaults]
 default_realm = TESTDOM.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = true

I've tried various versions of realm/kdc being true/false.

Secrets LDIF file - This is the file I used to add the dns-ubuntu entry to the secrets.ldb file
===========
dn: samAccountName=dns-ubuntu,CN=Principals
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: secret
objectClass: kerberosSecret
privateKeytab: dns.keytab
realm: TESTDOM.LAN
sAMAccountName: dns-ubuntu
secret: Dnspw123
servicePrincipalName: DNS/testdom.lan
servicePrincipalName: DNS/ubuntu.testdom.lan
name: dns-ubuntu

smb.conf
==========
# Global parameters
[global]
	server role = domain controller
	workgroup = TESTDOM
	realm = testdom.lan
	netbios name = UBUNTU
	passdb backend = samba4
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, s3fs

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/testdom.lan/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
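The post above contrasts a keytab written through the secrets.ldb privateKeytab entry with one produced by samba-tool domain exportkeytab, and only the latter authenticates. A first diagnostic step a practitioner would take is to decode both files and compare what they actually contain per principal: the key version number (the msDS-KeyVersionNumber from the LDIF, written as kvno into the keytab) and the encryption types. The Python below is an added example for that comparison; it is not code from the original post or from Samba. It implements the MIT keytab version 2 on-disk layout, builds two constructed in-memory sample keytabs (the principal name is taken from the post, but the keys and the kvno difference are invented purely to exercise the comparison, not a statement of the actual cause), and reports any mismatch. load_keytab reads a real file such as private/dns.keytab.

```python
"""Decode and compare MIT-format Kerberos keytabs (added example, not Samba code)."""
import struct

# Enctype numbers from RFC 3961 / RFC 4757; only the common ones are named here.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a version-2 keytab.
    Only used here to construct sample input; real keytabs come from the KDC tooling."""
    out = bytearray(b"\x05\x02")                  # file format version 2 (big-endian)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp
        body += struct.pack(">II", 1, 0)          # name_type NT-PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)    # legacy 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)           # optional 32-bit vno (written by modern libraries)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, key} dicts from version-2 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version bytes %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                             # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        strings = []                              # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, pos)[0]
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        pos += 8                                  # skip name_type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        if end - pos >= 4:                        # a non-zero 32-bit vno overrides the 8-bit one
            vno32 = struct.unpack_from(">I", data, pos)[0]
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def load_keytab(path):
    """Parse a keytab from disk, e.g. private/dns.keytab."""
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())


def compare_keytabs(first, second):
    """Map each principal whose (kvno, enctype) set differs to what each keytab holds."""
    def index(entries):
        idx = {}
        for e in entries:
            idx.setdefault(e["principal"], set()).add((e["kvno"], e["enctype"]))
        return idx
    ia, ib = index(first), index(second)
    report = {}
    for p in sorted(set(ia) | set(ib)):
        if ia.get(p) != ib.get(p):
            report[p] = {"first": sorted(ia.get(p, ())), "second": sorted(ib.get(p, ()))}
    return report


# Constructed sample data: keys are dummies and the kvno difference is invented for illustration.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PRIVATE = build_keytab([("dns-ubuntu", "TESTDOM.LAN", 1, 23, SAMPLE_KEY)])
SAMPLE_EXPORT = build_keytab([("dns-ubuntu", "TESTDOM.LAN", 2, 23, SAMPLE_KEY),
                              ("dns-ubuntu", "TESTDOM.LAN", 2, 18, bytes(32))])

if __name__ == "__main__":
    for name, blob in (("private keytab", SAMPLE_PRIVATE), ("exported keytab", SAMPLE_EXPORT)):
        for e in parse_keytab(blob):
            print("%-16s %s kvno=%d %s" % (name, e["principal"], e["kvno"],
                                           ENCTYPES.get(e["enctype"], str(e["enctype"]))))
    print("differences:", compare_keytabs(parse_keytab(SAMPLE_PRIVATE), parse_keytab(SAMPLE_EXPORT)))
```

Run against real files with compare_keytabs(load_keytab("private/dns.keytab"), load_keytab("exported.keytab")); an empty report means both keytabs carry the same key versions and enctypes for every principal, which narrows the search to the KDC side rather than the keytab contents.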