View Issue Details

IDProjectCategoryView StatusLast Update
0017774CentOS-7sambapublic2020-10-02 14:55
Reporterjanzhanal 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version7.8-2003 
Target VersionFixed in Version 
Summary0017774: Samba AD join wrong keytab
DescriptionAfter joining server to domain kerberos auth is not working due to wrongly generated keytab that does not contain right FQDN
(FQDN is resolvable on DNS with correct reverse entry)

[root@it-czbrn-pre003 ~]# hostname
it-czbrn-pre003.base.domain.org

[root@it-czbrn-pre003 ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG
   2 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG
   3 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG
   4 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG
   5 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG
   6 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG
   7 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG
   8 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG
   9 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG
  10 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG
  11 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG
  12 2 host/IT-CZBRN-PRE003@DOMAIN.ORG
  13 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG
  14 2 host/IT-CZBRN-PRE003@DOMAIN.ORG
  15 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG
  16 2 host/IT-CZBRN-PRE003@DOMAIN.ORG
  17 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG
  18 2 host/IT-CZBRN-PRE003@DOMAIN.ORG
  19 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG
  20 2 host/IT-CZBRN-PRE003@DOMAIN.ORG
  21 2 IT-CZBRN-PRE003$@DOMAIN.ORG
  22 2 IT-CZBRN-PRE003$@DOMAIN.ORG
  23 2 IT-CZBRN-PRE003$@DOMAIN.ORG
  24 2 IT-CZBRN-PRE003$@DOMAIN.ORG
  25 2 IT-CZBRN-PRE003$@DOMAIN.ORG
ktutil: q
Steps To Reproduceusr/bin/net ads join -k createupn='host/it-czbrn-pre003.base.DOMAIN.ORG@DOMAIN.ORG' osName='Linux' osVer='CentOS 7' createcomputer='Auth/Machines/Servers/Linux' -d1 -Ujoin
Additional Information/usr/bin/net ads join -k createupn='host/it-czbrn-pre003.base.domain.org@DOMAIN.ORG' osName='Linux' osVer='CentOS 7' createcomputer='Auth/Machines/Servers/Linux' -d1 -Ujoin
Enter join's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name : NULL
            machine_name : 'IT-CZBRN-PRE003'
            domain_name : *
                domain_name : 'DOMAIN.ORG'
            domain_name_type : JoinDomNameTypeDNS (1)
            account_ou : 'Auth/Machines/Servers/Linux'
            admin_account : 'join'
            admin_domain : NULL
            machine_password : NULL
            join_flags : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version : 'CentOS 7'
            os_name : 'Linux'
            os_servicepack : NULL
            create_upn : 0x01 (1)
            upn : 'host/it-czbrn-pre003.base.domain.org@DOMAIN.ORG'
            modify_config : 0x00 (0)
            ads : NULL
            debug : 0x01 (1)
            use_kerberos : 0x01 (1)
            secure_channel_type : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
libnet_join_precreate_machine_acct: Machine account successfully created
     join: struct secrets_domain_infoB
        version : SECRETS_DOMAIN_INFO_VERSION_1 (1)
        reserved : 0x00000000 (0)
        info : union secrets_domain_infoU(case 1)
        info1 : *
            info1: struct secrets_domain_info1
                reserved_flags : 0x0000000000000000 (0)
                join_time : Fri Oct 2 04:38:44 PM 2020 CEST
                computer_name : 'IT-CZBRN-PRE003'
                account_name : 'IT-CZBRN-PRE003$'
                secure_channel_type : SEC_CHAN_WKSTA (2)
                domain_info: struct lsa_DnsDomainInfo
                    name: struct lsa_StringLarge
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                            string : 'DOMAIN'
                    dns_domain: struct lsa_StringLarge
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                            string : 'domain.org'
                    dns_forest: struct lsa_StringLarge
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                            string : 'domain.org'
                    domain_guid : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce
                    sid : *
                        sid : S-1-5-21-3784930729-2365486616-1008349783
                trust_flags : 0x0000001a (26)
                       0: NETR_TRUST_FLAG_IN_FOREST
                       1: NETR_TRUST_FLAG_OUTBOUND
                       0: NETR_TRUST_FLAG_TREEROOT
                       1: NETR_TRUST_FLAG_PRIMARY
                       1: NETR_TRUST_FLAG_NATIVE
                       0: NETR_TRUST_FLAG_INBOUND
                       0: NETR_TRUST_FLAG_MIT_KRB5
                       0: NETR_TRUST_FLAG_AES
                trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
                trust_attributes : 0x00000040 (64)
                       0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                       0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                       0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                       0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                       1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                       0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                reserved_routing : NULL
                supported_enc_types : 0x0000001f (31)
                       1: KERB_ENCTYPE_DES_CBC_CRC
                       1: KERB_ENCTYPE_DES_CBC_MD5
                       1: KERB_ENCTYPE_RC4_HMAC_MD5
                       1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
                       1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
                       0: KERB_ENCTYPE_FAST_SUPPORTED
                       0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
                       0: KERB_ENCTYPE_CLAIMS_SUPPORTED
                       0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
                salt_principal : *
                    salt_principal : 'host/it-czbrn-pre003.domain.org@DOMAIN.ORG'
                password_last_change : Fri Oct 2 04:38:44 PM 2020 CEST
                password_changes : 0x0000000000000001 (1)
                next_change : NULL
                password : *
                    password: struct secrets_domain_info1_password
                        change_time : Fri Oct 2 04:38:44 PM 2020 CEST
                        change_server : 'it-czbrn-pdc102.domain.org'
                        cleartext_blob : DATA_BLOB length=448
                        nt_hash: struct samr_Password
                            hash: ARRAY(16): <REDACTED SECRET VALUES>
                        salt_data : *
                            salt_data : 'DOMAIN.ORGhostit-czbrn-pre003.domain.org'
                        default_iteration_count : 0x00001000 (4096)
                        num_keys : 0x0004 (4)
                        keys: ARRAY(4)
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000012 (18)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=32
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000011 (17)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000017 (23)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000003 (3)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=8
                old_password : *
                    old_password: struct secrets_domain_info1_password
                        change_time : Tue Sep 29 10:46:45 AM 2020 CEST
                        change_server : 'it-czbrn-pdc102.domain.org'
                        cleartext_blob : DATA_BLOB length=440
                        nt_hash: struct samr_Password
                            hash: ARRAY(16): <REDACTED SECRET VALUES>
                        salt_data : *
                            salt_data : 'DOMAIN.ORGhostit-czbrn-pre003.domain.org'
                        default_iteration_count : 0x00001000 (4096)
                        num_keys : 0x0004 (4)
                        keys: ARRAY(4)
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000012 (18)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=32
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000011 (17)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000017 (23)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype : 0x00000003 (3)
                                iteration_count : 0x00001000 (4096)
                                value : DATA_BLOB length=8
                older_password : NULL
Kinit for IT-CZBRN-PRE003$@DOMAIN.ORG to access it-czbrn-pdc102.domain.org failed: Preauthentication failed
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : 'IT-CZBRN-PRE003$'
            netbios_domain_name : 'DOMAIN'
            dns_domain_name : 'domain.org'
            forest_name : 'domain.org'
            dn : 'CN=IT-CZBRN-PRE003,OU=Linux,OU=Servers,OU=Machines,OU=Auth,DC=domain,DC=org'
            domain_guid : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce
            domain_sid : *
                domain_sid : S-1-5-21-3784930729-2365486616-1008349783
            modified_config : 0x00 (0)
            error_string : NULL
            domain_is_ad : 0x01 (1)
            set_encryption_types : 0x0000001f (31)
            krb5_salt : 'host/it-czbrn-pre003.domain.org@DOMAIN.ORG'
            result : WERR_OK
Using short domain name -- DOMAIN
Joined 'IT-CZBRN-PRE003' to dns domain 'domain.org'
kerberos_kinit_password IT-CZBRN-PRE003$@DOMAIN.ORG failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed


[root@it-czbrn-pre003 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 proxiable = true
 rdns = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]

[domain_realm]
 .domain.org = DOMAIN.ORG
 domain.org = DOMAIN.ORG
[root@it-czbrn-pre003 ~]# cat /etc/samba/smb.conf

[global]
    workgroup = DOMAIN
    realm = DOMAIN.ORG

    security = ads
    kerberos method = secrets and keytab

    client ipc signing = mandatory
    client ldap sasl wrapping = seal
    client signing = mandatory
    client use spnego = yes
    server min protocol = SMB2_10
    client min protocol = SMB2
    client max protocol = SMB3
TagsNo tags attached.
abrt_hash
URL

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-10-02 14:55 janzhanal New Issue