Bug 8980 - User authentication via keytab fails when joined to a 2008R2 server
Summary: User authentication via keytab fails when joined to a 2008R2 server
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All Windows 2008 R2
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks:
Reported: 2012-06-05 16:20 UTC by Brendan Powers
Modified: 2012-12-31 08:58 UTC (History)
CC List: 0 users

See Also:


Attachments
I've tried various versions of realm/kdc being true/false. (92 bytes, application/octet-stream)
2012-06-05 16:20 UTC, Brendan Powers
This is the file I used to add the dns-ubuntu entry to the secrets.ldb file (323 bytes, text/plain)
2012-06-05 16:21 UTC, Brendan Powers
smb.conf file for the test provision. I didn't make any manual edits to this file. (568 bytes, text/plain)
2012-06-05 16:21 UTC, Brendan Powers

Description Brendan Powers 2012-06-05 16:20:08 UTC
Created attachment 7630 [details]
I've tried various versions of realm/kdc being true/false.

I have been having issues getting Kerberos tickets for users stored in
a keytab file. This issue only occurs when Samba4 is joined to a
Windows Server 2008 R2 domain. If the server is provisioned normally,
or joined to a Windows 2003 R2 domain, this problem does not occur.
I've also tried a normal provision, and then raised the domain and
forest to a 2008R2 level, and that does not cause the issue either.
Below is a list of information and steps I used to reproduce the issue:

Linux Server OS: Ubuntu 12.04
Samba Versions: Alpha 17, Alpha 21, and GIT
01106230ddc8da90e2ff2667dd3702e3c110f720 from Monday, June 4, 2012.
Windows Version: Windows Server 2008 R2
Domain and Forest Level: 2008R2

Domain Name: testdom.lan
Short Name: testdom
Windows Server: 10.0.5.1 winsvr
Linux Server: 10.0.5.2 ubuntu

Steps to reproduce:
1) Install Windows Server 2008R2, and provision a new domain with a
2008R2 forest and domain level
2) Install Samba4 on a linux server, using one of the versions listed above
3) Set up /etc/resolv.conf to point to the Windows server. Configure
hosts so the Ubuntu server has a properly configured FQDN
4) Configure the /etc/krb5.conf according to
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
5) Join samba to the windows domain using: bin/samba-tool domain join
testdom.lan DC -Uadministrator --realm=testdom.lan
6) Run KCC on the windows server: bin/samba-tool drs kcc -UAdministrator winsvr
7) Check replication with: bin/samba-tool drs showrepl
8) Create a user to authenticate. I'm going to use the DNS update user
in this example: bin/samba-tool user create dns-ubuntu Dnspw123
9) Create a secrets LDIF file (see below), and import it with:
bin/ldbadd -H private/secrets.ldb /tmp/secret.ldiff
10) Run kinit dns-ubuntu to make sure the user was created and can be
authenticated
11) Try getting a kerberos ticket using the keytab created by adding
an entry to the secrets.ldb file: kinit -k -t private/dns.keytab
dns-ubuntu

At this point, kinit gives the error "kinit: Preauthentication failed
while getting initial credentials". If I had used a Windows 2008
server for this process, this command succeeds. If I were to export
the domain keytab with samba-tool domain exportkeytab, I can
authenticate the dns-ubuntu user. This seems to be a pretty consistent
and repeatable behavior. I've tried it with many small configuration
tweaks, multiple Windows servers, etc. Below are some of the files I
used. This seems to be the only issue: replication is working,
computers can join the domain, users can authenticate, DNS updates
work, etc.
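The first thing to check when `kinit -k -t private/dns.keytab` fails with "Preauthentication failed" is whether the key in the keytab is still the KDC's current key: the key version number (kvno) and enctype stored in each keytab entry must match the account's msDS-KeyVersionNumber and an enctype the KDC accepts, otherwise the encrypted timestamp cannot be verified. The following script is an added example, not part of the bug report or of Samba; it parses the MIT/Heimdal version-2 keytab format (the format Samba writes), lists every entry's principal, kvno and enctype, and compares the kvnos with values read from the DC. The keytab bytes and the KDC kvno table are constructed inline (the realm `TESTDOM.LAN`, kvno values and key bytes are made up); in practice the table would be filled from `ldbsearch` on the DC for `msDS-KeyVersionNumber`, and the same `parse_keytab` can be run on the file produced by `samba-tool domain exportkeytab` to see how the working keytab differs from the one derived from secrets.ldb.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2 (MIT krb5, Heimdal, Samba)

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(blob: bytes, pos: int):
    """Read one counted_octet_string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples into a v2 keytab.
    Only used here to construct sample input; Samba writes the real file."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)             # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp (not used by the check)
        body += struct.pack(">B", kvno & 0xFF)   # 8-bit vno, wraps at 256
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return one dict per live entry: principal, kvno, enctype, enctype_name.
    Key material is skipped; only the bookkeeping fields are needed."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab, header %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _take(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(blob, pos)
            comps.append(c)
        pos += 8                    # name_type + timestamp
        kvno = blob[pos]
        pos += 1
        enctype, keylen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + keylen
        if end - pos >= 4:          # 32-bit vno present; overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(c.decode() for c in comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
        })
    return entries


def check_against_kdc(entries, kdc_kvno):
    """kdc_kvno maps principal -> msDS-KeyVersionNumber as read from the DC.
    Returns (principal, keytab_kvno, kdc_kvno) for every entry that disagrees.
    A mismatch means the keytab key is not the KDC's current key, which is
    what kinit -k reports as 'Preauthentication failed'."""
    bad = []
    for e in entries:
        expected = kdc_kvno.get(e["principal"])
        if expected != e["kvno"]:
            bad.append((e["principal"], e["kvno"], expected))
    return bad


# Constructed sample: two enctypes for dns-ubuntu at kvno 2, and a hypothetical
# DC that already reports kvno 3. Neither value comes from the reporter's setup.
SAMPLE_KEYTAB = build_keytab([
    ("dns-ubuntu", "TESTDOM.LAN", 2, 23, b"\x11" * 16),
    ("dns-ubuntu", "TESTDOM.LAN", 2, 18, b"\x22" * 32),
])
SAMPLE_KDC_KVNO = {"dns-ubuntu@TESTDOM.LAN": 3}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s" % e)
    for principal, have, want in check_against_kdc(parse_keytab(SAMPLE_KEYTAB), SAMPLE_KDC_KVNO):
        print("MISMATCH %s: keytab kvno %d, KDC msDS-KeyVersionNumber %s" % (principal, have, want))
```

If the kvnos agree, the remaining suspects are the enctype set (the keytab must contain an enctype the KDC will use for that account) and the salt used to derive the key, which is not visible in the keytab at all; comparing the entries of the secrets.ldb-derived keytab with those of the `exportkeytab` file that does work narrows it down to one of those three. `klist -k -e -t private/dns.keytab` shows the same kvno and enctype fields without any scripting.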
Comment 1 Brendan Powers 2012-06-05 16:21:16 UTC
Created attachment 7631 [details]
This is the file I used to add the dns-ubuntu entry to the secrets.ldb file
Comment 2 Brendan Powers 2012-06-05 16:21:51 UTC
Created attachment 7632 [details]
smb.conf file for the test provision. I didn't make any manual edits to this file.