#4404 Enctypes broken in samba.keytab
Closed: Fixed None Opened 7 years ago by tbabej.

Apparently, after the patches for #3859 were pushed, the smb.service will not start anymore:

This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/20]: stopping smbd
  ...
  [18/20]: setting SELinux booleans
  [19/20]: starting CIFS services
ipa         : CRITICAL CIFS services failed to start
  [20/20]: adding SIDs to existing users and groups
Done configuring CIFS.

From the journal and strace investigation we can conclude that the smbd process does read the /etc/samba/samba.keytab file, but reports finding no suitable keys for the cifs principal:

smbd[10279]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM

Looking at the contents of the samba.keytab, it seems that the keys are there, but the enctypes are broken. Compare the following (you need to compare enctypes, so scroll to the right):

Samba keytab with #3859 patches applied:

[root@vm-136 slapd-DOM136-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM]# klist -e  -t -k /etc/samba/samba.keytab 
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 274) 
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 273) 
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 272) 
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 279)

This is how a regular samba.keytab looks before #3859:

[tbabej@vm-139 ~]$ sudo klist -e  -t -k /etc/samba/samba.keytab
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (arcfour-hmac) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (camellia128-cts-cmac) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (camellia256-cts-cmac)

This blocks 4.0 release.
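A small check that catches this class of breakage before smbd is started, written here as an added example (it is not part of the ticket or of the FreeIPA code base). It parses the output of `klist -e -t -k`, maps every entry to the IANA Kerberos enctype registry, and reports entries whose enctype is unknown or where the cifs/ principal ends up with no usable key at all. The two sample listings are copied from the ticket above; the only assumption beyond the page is the observation that each broken number (274, 273, 272, 279) is exactly 256 above a registered enctype id (18, 17, 16, 23), which the check reports as a diagnostic hint, not as a root cause.

```python
"""Sanity-check the enctypes in a Kerberos keytab as listed by `klist -e -t -k`.

Added example for the samba.keytab ticket; not FreeIPA project code.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Enctype numbers from the IANA Kerberos Encryption Type registry (RFC 3961 and later).
KNOWN_ETYPES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
NAME_TO_ETYPE: Dict[str, int] = {name: num for num, name in KNOWN_ETYPES.items()}
NAME_TO_ETYPE["rc4-hmac"] = 23  # alias printed by some klist builds for enctype 23

# One keytab entry line: "<kvno> <date> <time> <principal> (<enctype name>|etype <n>)".
# A known enctype is printed by name; an unknown one is printed as "etype N".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<principal>\S+)\s+"
    r"\((?:etype (?P<num>\d+)|(?P<name>[A-Za-z0-9-]+))\)\s*$"
)


def parse_klist(output: str) -> List[dict]:
    """Return one dict per keytab entry; header, separator and prompt lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        if m.group("num") is not None:          # klist did not recognise this enctype
            etype: Optional[int] = int(m.group("num"))
            name = KNOWN_ETYPES.get(etype)
        else:                                   # klist printed a name; map it back to a number
            name = m.group("name")
            etype = NAME_TO_ETYPE.get(name)
        entries.append({"kvno": int(m.group("kvno")), "principal": m.group("principal"),
                        "etype": etype, "name": name})
    return entries


def check_keytab(entries: List[dict], required_service: str = "cifs/") -> List[str]:
    """Return a list of problems; an empty list means every entry uses a registered enctype
    and the required service principal has at least one usable key."""
    problems = []
    usable_for_service = 0
    for e in entries:
        recognised = e["etype"] in KNOWN_ETYPES
        if not recognised:
            shown = e["etype"] if e["etype"] is not None else e["name"]
            hint = ""
            # Diagnostic hint only: the ticket's broken values are each 256 above a real id.
            if isinstance(e["etype"], int) and (e["etype"] - 256) in KNOWN_ETYPES:
                base = e["etype"] - 256
                hint = f" (256 above {KNOWN_ETYPES[base]}, etype {base})"
            problems.append(f"{e['principal']}: unregistered etype {shown}{hint}")
        elif e["principal"].startswith(required_service):
            usable_for_service += 1
    if usable_for_service == 0:
        problems.append(f"no suitable keys for any {required_service} principal")
    return problems


def check_keytab_file(path: str) -> List[str]:
    """Run klist on a real keytab file and check it (needs a Kerberos client installed)."""
    out = subprocess.run(["klist", "-e", "-t", "-k", path], check=True,
                         capture_output=True, text=True).stdout
    return check_keytab(parse_klist(out))


# Sample listings copied from the ticket (hostnames shortened are NOT shortened; verbatim).
BROKEN_SAMPLE = """\
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 274) 
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 273) 
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 272) 
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 279)
"""

GOOD_SAMPLE = """\
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (aes256-cts-hmac-sha1-96) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (aes128-cts-hmac-sha1-96) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (des3-cbc-sha1) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (arcfour-hmac) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (camellia128-cts-cmac) 
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (camellia256-cts-cmac)
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SAMPLE), ("good", GOOD_SAMPLE)):
        print(label, check_keytab(parse_klist(sample)) or "OK")
```

Run against the broken listing the check reports four unregistered etypes plus "no suitable keys for any cifs/ principal", which is the same condition smbd logs in the journal; the good listing passes. `check_keytab_file("/etc/samba/samba.keytab")` wires the same logic to a live system.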

master:

  • d9d5967 Fix getkeytab code to always use implicit tagging.

Metadata Update from @tbabej:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago

