KDC Database and Samba4: Mismatch in either the encryption key or key version number

Hi There,

Referring to this great article http://www.grolmsnet.de/kerbtut/index.html, I’ve checked whether, for Kerberized services, e.g. dns/domainserver.mydomain.com@MYDOMAIN.COM, I’m able to read the ticket contents sent by clients for authentication (OK) AND whether both the encryption key and the key version number stored in the service’s keytab match the encryption key and key version number stored in the Kerberos database (not OK), even when the client is the UCS domainserver itself.

In /var/lib/samba/private/secrets.ldb as well as in krb5.service.keytab, the KVNO matches AND the keytab lists all enc-types (as defined in the service’s krb5.keytab) for the service. Nevertheless, it’s NOT possible for me to request a certain enc-type (using the -e option) for the service ticket via ‘kgetcred -e aes256-cts-hmac-sha1-96 dns/domainserver.mydomain.com’, nor (without the -e option) does the service ticket issued by the KDC show a matching encryption key and key version number (as shown by klist -v). When running kgetcred with the debug option (--debug), I receive error messages like:

2022-09-29T19:16:14 krb5_get_creds: requesting a ticket for dns/domainserver.mydomain.com@MYDOMAIN.COM
2022-09-29T19:16:14 error message: Did not find a plugin for send_to_kdc: 2
2022-09-29T19:16:14 Trying to find service kdc for realm MYDOMAIN.COM flags 2
2022-09-29T19:16:14 error message: Did not find a plugin for service_locator: 2
2022-09-29T19:16:14 configuration file for realm MYDOMAIN.COM found
2022-09-29T19:16:14 submissing new requests to new host
2022-09-29T19:16:14 error message: Did not find a plugin for send_to_kdc: 2
2022-09-29T19:16:14 connecting to host: tcp 127.0.0.1:kerberos (127.0.0.1) tid: 00000001
2022-09-29T19:16:14 connecting to 3: tcp 127.0.0.1:kerberos (127.0.0.1) tid: 00000001
2022-09-29T19:16:14 writing packet: tcp 127.0.0.1:kerberos (127.0.0.1) tid: 00000001
2022-09-29T19:16:14 reading packet: tcp 127.0.0.1:kerberos (127.0.0.1) tid: 00000001
2022-09-29T19:16:14 host completed: tcp 127.0.0.1:kerberos (127.0.0.1) tid: 00000001
2022-09-29T19:16:14 unknown-function MYDOMAIN.COM done: 0 hosts: 1 packets: 1 wc: 0.034848 nr: 0.000019 kh: 0.000094 tid: 00000001
2022-09-29T19:16:14 krb5_get_creds: got a ticket for dns/domainserver.mydomain.com@MYDOMAIN.COM

What’s going wrong there? And how can I force the KDC database to sync with Samba4/LDB after having edited it with ldbmodify?

Any ideas? Many thanks and best regards.
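As an added example (not part of the original post or of Heimdal/Samba), the script below parses a keytab in the MIT/Heimdal 0x0502 file format, lists principal, kvno and enctype per entry, and compares those against the kvno and enctype list the KDC is assumed to hold for the service principal. The keytab bytes are constructed inline via build_keytab() so it runs offline; the KDC-side values are assumed placeholders that in practice would come from ldbsearch on the Samba database. A kvno or enctype mismatch reported here is exactly the condition under which a service cannot decrypt the tickets the KDC issues.

```python
"""Parse a Kerberos keytab (format 0x0502) and compare its kvno/enctype pairs
for a service principal against what the KDC reports for that principal."""
import struct
from dataclasses import dataclass

# Well-known enctype numbers from the IANA Kerberos registry.
ENCTYPE_NAMES = {
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. dns/domainserver.mydomain.com@MYDOMAIN.COM
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf: bytes) -> KeytabEntry:
    off = 0
    (ncomp,) = struct.unpack_from(">H", buf, off)
    off += 2
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(buf, off)
        comps.append(c.decode())
    # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2)
    _name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", buf, off)
    off += 13
    key = buf[off:off + klen]
    off += klen
    kvno = vno8
    if off + 4 <= len(buf):            # optional 32-bit kvno extension
        (vno32,) = struct.unpack_from(">I", buf, off)
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, ts, key)


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # deleted slot: skip its bytes
            off += -size
            continue
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def build_keytab(entries) -> bytes:
    """Serialize entries in the same format; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, e.timestamp, e.kvno & 0xFF, e.enctype, len(e.key))
        body += e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def find_mismatches(entries, principal: str, kdc_kvno: int, kdc_enctypes) -> list:
    """Explain why a ticket for `principal` could fail to decrypt with this keytab.
    kdc_kvno / kdc_enctypes are what the KDC holds for the principal (assumed inputs)."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return ["no keytab entry for %s" % principal]
    problems = []
    current = [e for e in mine if e.kvno == kdc_kvno]
    if not current:
        problems.append("kvno mismatch: keytab has %s, KDC has %d"
                        % (sorted({e.kvno for e in mine}), kdc_kvno))
    have = {e.enctype for e in current}
    for et in kdc_enctypes:
        if et not in have:
            problems.append("missing enctype %s for kvno %d"
                            % (ENCTYPE_NAMES.get(et, et), kdc_kvno))
    return problems


# Constructed sample keytab: three keys for the DNS service at kvno 3, plus a
# host key whose kvno exceeds 255 to exercise the 32-bit extension.
SERVICE = "dns/domainserver.mydomain.com@MYDOMAIN.COM"
SAMPLE_ENTRIES = [
    KeytabEntry(SERVICE, 3, 18, 1664478974, b"\x11" * 32),
    KeytabEntry(SERVICE, 3, 17, 1664478974, b"\x22" * 16),
    KeytabEntry(SERVICE, 3, 23, 1664478974, b"\x33" * 16),
    KeytabEntry("host/domainserver.mydomain.com@MYDOMAIN.COM", 300, 18, 1664478974, b"\x44" * 32),
]

if __name__ == "__main__":
    for e in parse_keytab(build_keytab(SAMPLE_ENTRIES)):
        print("%-50s kvno=%-4d %s" % (e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
    # Assumed KDC view: the database has moved on to kvno 4 for the DNS service.
    print(find_mismatches(parse_keytab(build_keytab(SAMPLE_ENTRIES)), SERVICE, 4, [18, 17]))
```

To run it against a real file, replace the constructed bytes with open("/etc/krb5.keytab", "rb").read() and compare the output with klist -v and with the msDS-KeyVersionNumber the KDC reports; a keytab that lists the right enctypes but at an older kvno is the classic cause of "Mismatch in either the encryption key or key version number".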
