cifs/ principal missing from keytab after machine password change (UCS 5.2-5, Samba 4.21.1)

Hi all,

I have a member server (file server role) where the cifs/ principal disappears from /etc/krb5.keytab after every machine password change. Only host/ entries remain. KVNO increments correctly, but cifs/ is gone — clients can’t access shares until I restore the keytab manually.

Looks related to this thread, but in my case LDAP bind still works — only the Samba/Kerberos side breaks.

System:

  • Primary DC and member server: UCS 5.2-5 errata 479
  • Samba: 2:4.21.1-1A~5.2.0.202605191553
  • univention-samba 16.4.0

Keytab after password change (only host/):

sudo ktutil --keytab=/etc/krb5.keytab list
Vno  Type                     Principal
 18  aes256-cts-hmac-sha1-96  host/NAS.example.com@EXAMPLE.COM
 18  aes128-cts-hmac-sha1-96  host/NAS.example.com@EXAMPLE.COM
 18  arcfour-hmac-md5         host/NAS.example.com@EXAMPLE.COM

SPNs are correctly set in Samba/AD:

sudo univention-s4search '(servicePrincipalName=cifs/*)' servicePrincipalName dn
dn: CN=NAS,CN=memberserver,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/NAS
servicePrincipalName: HOST/nas.example.com
servicePrincipalName: cifs/NAS
servicePrincipalName: cifs/nas.example.com

But OpenLDAP only has host/:

sudo univention-ldapsearch '(cn=NAS)' krb5PrincipalName
krb5PrincipalName: host/NAS.example.com@EXAMPLE.COM

S4-connector resync (resync_object_from_s4.py) does not add the cifs/ entries.

Background: Samba 4.21 changed the keytab regeneration mechanism. By default (kerberos method = secrets only, empty sync machine password to keytab) only host/ is written after a machine password change. Setting sync machine password to keytab via UCR (samba/global/options/...) is accepted by testparm, but wbinfo --change-secret and net ads keytab create still produce a keytab with only host/. Related upstream bugs: 15689, 15759, 15867 (open).

Side observation: when setting spn_prefixes=host,cifs via UCR, the template samba.local.config.py replaces commas with spaces in the value, making the option syntactically invalid.

Workaround: Manual samba-tool domain exportkeytab --principal=cifs/... on the DC, scp to the member server. Holds until next password change.

Question: Is there an official path on UCS 5.2 with Samba 4.21 to ensure cifs/ is present in the member server keytab after the periodic machine password change? Is an update to Samba 4.21.4+ planned?

Thanks!
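As an added example (not from the original post, and not Univention or Samba code), here is a small POSIX shell check that compares a Heimdal `ktutil ... list` listing against the principals the file server is expected to hold, reports what is missing, and prints the `samba-tool domain exportkeytab --principal=...` commands that correspond to the workaround described above. The two keytab listings are constructed from the post's output (one with host/ only, one with cifs/ merged back in), the expected-principal list is an assumption derived from the SPNs shown, and the staging directory passed to `export_commands` is assumed.

```shell
#!/bin/sh
# Added example: detect expected principals (here cifs/) missing from a Heimdal
# ktutil keytab listing and print the samba-tool exportkeytab commands that
# restore them. Not part of the original post, UCS or Samba.

# Constructed sample modelled on the post's listing after the machine password
# change (host/ only, vno 18).
LISTING_AFTER_CHANGE='Vno  Type                     Principal
 18  aes256-cts-hmac-sha1-96  host/NAS.example.com@EXAMPLE.COM
 18  aes128-cts-hmac-sha1-96  host/NAS.example.com@EXAMPLE.COM
 18  arcfour-hmac-md5         host/NAS.example.com@EXAMPLE.COM'

# Constructed sample of a repaired keytab (cifs/ entries merged back in).
LISTING_REPAIRED="$LISTING_AFTER_CHANGE
 18  aes256-cts-hmac-sha1-96  cifs/NAS.example.com@EXAMPLE.COM
 18  aes128-cts-hmac-sha1-96  cifs/NAS.example.com@EXAMPLE.COM"

# Principals the file server must hold. Assumption: derived from the HOST/ and
# cifs/ SPNs shown in the post, using the FQDN form only.
EXPECTED_PRINCIPALS='host/NAS.example.com@EXAMPLE.COM
cifs/NAS.example.com@EXAMPLE.COM'

# keytab_principals LISTING: distinct principal names in a ktutil listing.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $3 }' | sort -u
}

# max_vno LISTING: highest key version number present (compare with the
# machine account's current kvno on the DC to spot a stale keytab).
max_vno() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 && $1+0 > m { m = $1+0 } END { print m+0 }'
}

# missing_principals LISTING EXPECTED: expected principals absent from LISTING.
missing_principals() {
    have=$(keytab_principals "$1")
    printf '%s\n' "$2" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# export_commands LISTING EXPECTED OUTDIR: one samba-tool command per missing
# principal. These run on the DC; the resulting files are then copied to the
# member server and merged into /etc/krb5.keytab (the post's workaround).
# OUTDIR is an assumed staging directory.
export_commands() {
    missing_principals "$1" "$2" | while IFS= read -r p; do
        name=$(printf '%s' "$p" | tr '/@' '__')
        printf 'samba-tool domain exportkeytab %s/%s.keytab --principal=%s\n' "$3" "$name" "$p"
    done
}

# check_keytab LISTING EXPECTED: return 0 if nothing is missing, 1 otherwise,
# listing the missing principals on stderr.
check_keytab() {
    missing=$(missing_principals "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'principals missing from keytab (max vno %s):\n%s\n' "$(max_vno "$1")" "$missing" >&2
        return 1
    fi
    return 0
}

# Live use on the member server (left commented so the example runs offline):
# check_keytab "$(ktutil --keytab=/etc/krb5.keytab list)" "$EXPECTED_PRINCIPALS"

if check_keytab "$LISTING_AFTER_CHANGE" "$EXPECTED_PRINCIPALS"; then
    echo "keytab complete"
else
    echo "run on the DC, then scp the files to the member server and merge them:"
    export_commands "$LISTING_AFTER_CHANGE" "$EXPECTED_PRINCIPALS" /root/keytab-export
fi
```

Dropped into a cron job or a post-password-change hook on the member server, the check turns the silent loss of cifs/ into an alert with the exact principals to re-export instead of waiting for clients to fail against the shares.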

Hi, thanks for the detailed information, that should help. I consider this a bug and I want to create one for this issue in our Bugzilla bugtracker. To answer your last question: We are currently in the preparation phase for the release of UCS 5.2-6, and that will ship Samba 4.24.2 (plus security patches, making it equivalent to 4.24.3). That said, I guess this issue here will be addressed by a subsequent errata update. But it certainly helps that you already identified the relevant smb.conf parameters. Thanks!