View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0017774 | CentOS-7 | samba | public | 2020-10-02 14:55 | 2020-10-02 14:55 |
| Reporter | janzhanal | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Product Version | 7.8-2003 | ||||
| Summary | 0017774: Samba AD join wrong keytab | ||||
| Description | After joining server to domain kerberos auth is not working due to wrongly generated keytab that does not contain right FQDN (FQDN is resolvable on DNS with correct reverse entry) [root@it-czbrn-pre003 ~]# hostname it-czbrn-pre003.base.domain.org [root@it-czbrn-pre003 ~]# ktutil ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG 2 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG 3 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG 4 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG 5 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG 6 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG 7 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG 8 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG 9 2 restrictedkrbhost/it-czbrn-pre003.domain.org@DOMAIN.ORG 10 2 restrictedkrbhost/IT-CZBRN-PRE003@DOMAIN.ORG 11 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG 12 2 host/IT-CZBRN-PRE003@DOMAIN.ORG 13 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG 14 2 host/IT-CZBRN-PRE003@DOMAIN.ORG 15 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG 16 2 host/IT-CZBRN-PRE003@DOMAIN.ORG 17 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG 18 2 host/IT-CZBRN-PRE003@DOMAIN.ORG 19 2 host/it-czbrn-pre003.domain.org@DOMAIN.ORG 20 2 host/IT-CZBRN-PRE003@DOMAIN.ORG 21 2 IT-CZBRN-PRE003$@DOMAIN.ORG 22 2 IT-CZBRN-PRE003$@DOMAIN.ORG 23 2 IT-CZBRN-PRE003$@DOMAIN.ORG 24 2 IT-CZBRN-PRE003$@DOMAIN.ORG 25 2 IT-CZBRN-PRE003$@DOMAIN.ORG ktutil: q | ||||
| Steps To Reproduce | usr/bin/net ads join -k createupn='host/it-czbrn-pre003.base.DOMAIN.ORG@DOMAIN.ORG' osName='Linux' osVer='CentOS 7' createcomputer='Auth/Machines/Servers/Linux' -d1 -Ujoin | ||||
| Additional Information | /usr/bin/net ads join -k createupn='host/it-czbrn-pre003.base.domain.org@DOMAIN.ORG' osName='Linux' osVer='CentOS 7' createcomputer='Auth/Machines/Servers/Linux' -d1 -Ujoin Enter join's password: libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx in: struct libnet_JoinCtx dc_name : NULL machine_name : 'IT-CZBRN-PRE003' domain_name : * domain_name : 'DOMAIN.ORG' domain_name_type : JoinDomNameTypeDNS (1) account_ou : 'Auth/Machines/Servers/Linux' admin_account : 'join' admin_domain : NULL machine_password : NULL join_flags : 0x00000023 (35) 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT 0: WKSSVC_JOIN_FLAGS_DEFER_SPN 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE os_version : 'CentOS 7' os_name : 'Linux' os_servicepack : NULL create_upn : 0x01 (1) upn : 'host/it-czbrn-pre003.base.domain.org@DOMAIN.ORG' modify_config : 0x00 (0) ads : NULL debug : 0x01 (1) use_kerberos : 0x01 (1) secure_channel_type : SEC_CHAN_WKSTA (2) desired_encryption_types : 0x0000001f (31) libnet_join_precreate_machine_acct: Machine account successfully created join: struct secrets_domain_infoB version : SECRETS_DOMAIN_INFO_VERSION_1 (1) reserved : 0x00000000 (0) info : union secrets_domain_infoU(case 1) info1 : * info1: struct secrets_domain_info1 reserved_flags : 0x0000000000000000 (0) join_time : Fri Oct 2 04:38:44 PM 2020 CEST computer_name : 'IT-CZBRN-PRE003' account_name : 'IT-CZBRN-PRE003$' secure_channel_type : SEC_CHAN_WKSTA (2) domain_info: struct lsa_DnsDomainInfo name: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : * string : 'DOMAIN' dns_domain: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : * string : 'domain.org' dns_forest: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : * string : 'domain.org' domain_guid : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce sid : * sid : S-1-5-21-3784930729-2365486616-1008349783 trust_flags : 0x0000001a (26) 0: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 1: NETR_TRUST_FLAG_PRIMARY 1: NETR_TRUST_FLAG_NATIVE 0: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000040 (64) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION reserved_routing : NULL supported_enc_types : 0x0000001f (31) 1: KERB_ENCTYPE_DES_CBC_CRC 1: KERB_ENCTYPE_DES_CBC_MD5 1: KERB_ENCTYPE_RC4_HMAC_MD5 1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 0: KERB_ENCTYPE_FAST_SUPPORTED 0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED 0: KERB_ENCTYPE_CLAIMS_SUPPORTED 0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED salt_principal : * salt_principal : 'host/it-czbrn-pre003.domain.org@DOMAIN.ORG' password_last_change : Fri Oct 2 04:38:44 PM 2020 CEST password_changes : 0x0000000000000001 (1) next_change : NULL password : * password: struct secrets_domain_info1_password change_time : Fri Oct 2 04:38:44 PM 2020 CEST change_server : 'it-czbrn-pdc102.domain.org' cleartext_blob : DATA_BLOB length=448 nt_hash: struct samr_Password hash: ARRAY(16): <REDACTED SECRET VALUES> salt_data : * salt_data : 'DOMAIN.ORGhostit-czbrn-pre003.domain.org' default_iteration_count : 0x00001000 (4096) num_keys : 0x0004 (4) keys: ARRAY(4) keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000012 (18) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=32 keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000011 (17) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=16 keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000017 (23) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=16 keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000003 (3) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=8 old_password : * old_password: struct secrets_domain_info1_password change_time : Tue Sep 29 10:46:45 AM 2020 CEST change_server : 'it-czbrn-pdc102.domain.org' cleartext_blob : DATA_BLOB length=440 nt_hash: struct samr_Password hash: ARRAY(16): <REDACTED SECRET VALUES> salt_data : * salt_data : 'DOMAIN.ORGhostit-czbrn-pre003.domain.org' default_iteration_count : 0x00001000 (4096) num_keys : 0x0004 (4) keys: ARRAY(4) keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000012 (18) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=32 keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000011 (17) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=16 keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000017 (23) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=16 keys: struct secrets_domain_info1_kerberos_key keytype : 0x00000003 (3) iteration_count : 0x00001000 (4096) value : DATA_BLOB length=8 older_password : NULL Kinit for IT-CZBRN-PRE003$@DOMAIN.ORG to access it-czbrn-pdc102.domain.org failed: Preauthentication failed libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : 'IT-CZBRN-PRE003$' netbios_domain_name : 'DOMAIN' dns_domain_name : 'domain.org' forest_name : 'domain.org' dn : 'CN=IT-CZBRN-PRE003,OU=Linux,OU=Servers,OU=Machines,OU=Auth,DC=domain,DC=org' domain_guid : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce domain_sid : * domain_sid : S-1-5-21-3784930729-2365486616-1008349783 modified_config : 0x00 (0) error_string : NULL domain_is_ad : 0x01 (1) set_encryption_types : 0x0000001f (31) krb5_salt : 'host/it-czbrn-pre003.domain.org@DOMAIN.ORG' result : WERR_OK Using short domain name -- DOMAIN Joined 'IT-CZBRN-PRE003' to dns domain 'domain.org' kerberos_kinit_password IT-CZBRN-PRE003$@DOMAIN.ORG failed: Preauthentication failed DNS update failed: kinit failed: Preauthentication failed [root@it-czbrn-pre003 ~]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = DOMAIN.ORG dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true proxiable = true rdns = true default_ccache_name = KEYRING:persistent:%{uid} [realms] [domain_realm] .domain.org = DOMAIN.ORG domain.org = DOMAIN.ORG [root@it-czbrn-pre003 ~]# cat /etc/samba/smb.conf [global] workgroup = DOMAIN realm = DOMAIN.ORG security = ads kerberos method = secrets and keytab client ipc signing = mandatory client ldap sasl wrapping = seal client signing = mandatory client use spnego = yes server min protocol = SMB2_10 client min protocol = SMB2 client max protocol = SMB3 | ||||
| Tags | No tags attached. | ||||
| abrt_hash | |||||
| URL | |||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-10-02 14:55 | janzhanal | New Issue |
