Problem
On Windows systems the System event log shows that Kerberos clients receive a failure from the server. The event is logged on the server and indicates that a client has presented the server a ticket for access to a resource that the server cannot decrypt.
In English:
The Kerberos client has received a KRB_AP_ERR_MODIFIED error from server ‘client-win$’. The target name used was cifs/client-win. This indicates that the target server was unable to decrypt the token provided by the client. This can occur if the target server principal name (SPN) is not registered with the account used by the target service. Ensure that the target SPN is only registered with the account used by the server. This error can also occur if the password for the target service account does not match the password configured in the Kerberos KDC (Key Distribution Centre) for the target service. Ensure that the service on the server and in the KDC are both configured to use the same password. If the server name is not fully qualified and the target domain (uni-vention.DE) is different from the client domain (uni-vention.DE), check whether there are server accounts with the same name in these two domains or use the fully qualified name to identify the server.
In German:
Der Kerberos-Client hat einen KRB_AP_ERR_MODIFIED-Fehler von Server “client-win$” empfangen. Der verwendete Zielname war cifs/client-win. Dies deutet darauf hin, dass der Zielserver das vom Client bereitgestellte Token nicht entschlüsseln konnte. Dies kann auftreten, wenn der Ziel-Serverprinzipalname (SPN) nicht bei dem Konto registriert ist, das der Zieldienst verwendet. Stellen Sie sicher, dass der Ziel-SPN nur bei dem Konto registriert ist, das vom Server verwendet wird. Dieser Fehler kann auch auftreten, wenn das Kennwort für das Zieldienstkonto nicht mit dem Kennwort übereinstimmt, das im Kerberos-KDC (Key Distribution Center) für den Zieldienst konfiguriert ist. Stellen Sie sicher, dass der Dienst auf dem Server und im KDC beide für die Verwendung des gleichen Kennworts konfiguriert sind. Wenn der Servername nicht vollqualifiziert ist und sich die Zieldomäne (uni-vention.DE) von der Clientdomäne (uni-vention.DE) unterscheidet, prüfen Sie, ob sich in diesen beiden Domänen Serverkonten mit gleichem Namen befinden, oder verwenden Sie den vollqualifizierten Namen, um den Server zu identifizieren.
Solution
To resolve this issue, the service principal name (SPN) has to be added to the correct object in Samba/AD.
Check the SPNs registered for the client's computer account on the Samba/AD DC:
root@ucs-client:~# samba-tool spn list client-win$
client-win$
User CN=client-win,CN=computers,OU=uni_,DC=uni-vention,DC=de has the following servicePrincipalName:
HOST/client-win.uni-vention.de
HOST/client-WIN
RestrictedKrbHost/client-win.uni-vention.de
RestrictedKrbHost/client-WIN
TERMSRV/client-win.uni-vention.de
TERMSRV/client-WIN
WSMAN/client-win.uni-vention.de
WSMAN/client-win
Add the missing SPN:
samba-tool spn add cifs/client-win client-win$
Re-check the SPN settings:
root@ucs-client:~# samba-tool spn list client-win$
client-win$
User CN=client-win,CN=computers,OU=uni_vention,DC=uni-vention,DC=de has the following servicePrincipalName:
HOST/client-win.uni-vention.de
HOST/client-WIN
RestrictedKrbHost/client-win.uni-vention.de
RestrictedKrbHost/client-WIN
TERMSRV/client-win.uni-vention.de
TERMSRV/client-WIN
WSMAN/client-win.uni-vention.de
WSMAN/client-win
cifs/client-win
The last entry is cifs/client-win, so the SPN was added successfully.
Investigation
Kerberos service tickets are obtained by a client from the KDC and presented to a server to gain access to resources on that server. The KDC encrypts each ticket with the secret key of the account that holds the requested SPN, so only the server that owns that account can decrypt it. When the SPN is registered on the wrong account or not registered at all in Samba/AD, the KDC uses the key of whichever account the SPN is on (or fails to find a matching account) instead of the key of the server's own account.
As a result, the server cannot decrypt the ticket and returns an error to the client.
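The check from the Solution above and the reasoning in the Investigation can be automated. The following Python script is an added example, not part of this article and not Univention's or Samba's code: it parses `samba-tool spn list` output in the format shown above and reports expected SPNs missing from the server's own account, SPNs registered on more than one account (the duplicate case the event text warns about) and SPNs whose host part does not match the account they sit on (the "wrong account" case from the Investigation). The sample output, the second computer account `other-host$` and the `EXPECTED` table are constructed for the demo; `run_spn_list` shells out to the real `samba-tool` and is only meant to be called on a DC.

```python
"""Audit servicePrincipalName registrations parsed from `samba-tool spn list`.

Added example (not Univention's or Samba's code). It checks the three conditions
named in the event text and the Investigation: an expected SPN missing from the
server's account, one SPN registered on more than one account, and an SPN whose
host part does not belong to the account it is registered on.
"""
import re
import subprocess
from collections import defaultdict

LIST_HEADER = re.compile(r"has the following servicePrincipalName:$")

# Constructed sample output in the format shown in the article; not captured from
# a real domain. The second account is invented to show duplicate and misplaced SPNs.
SAMPLE_OUTPUT = {
    "client-win$": """\
client-win$
User CN=client-win,CN=computers,OU=uni_vention,DC=uni-vention,DC=de has the following servicePrincipalName:
\tHOST/client-win.uni-vention.de
\tHOST/client-WIN
\tRestrictedKrbHost/client-win.uni-vention.de
\tRestrictedKrbHost/client-WIN
\tTERMSRV/client-win.uni-vention.de
\tTERMSRV/client-WIN
\tWSMAN/client-win.uni-vention.de
\tWSMAN/client-win
""",
    "other-host$": """\
other-host$
User CN=other-host,CN=computers,OU=uni_vention,DC=uni-vention,DC=de has the following servicePrincipalName:
\tHOST/other-host.uni-vention.de
\thost/client-win
\tcifs/client-win
""",
}

# SPNs each server's own account must carry (assumed: the CIFS names from the article).
EXPECTED = {"client-win$": ["cifs/client-win", "cifs/client-win.uni-vention.de"]}


def parse_spn_list(text):
    """Return the SPNs from `samba-tool spn list` output; header lines are skipped."""
    spns, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = LIST_HEADER.search(line) is not None
        elif "/" in line:
            spns.append(line)
    return spns


def run_spn_list(account):
    """Live variant: query the Samba/AD DC; needs samba-tool and is not used offline."""
    proc = subprocess.run(["samba-tool", "spn", "list", account],
                          check=True, capture_output=True, text=True)
    return parse_spn_list(proc.stdout)


def spn_host(spn):
    """Host part of an SPN: 'cifs/client-win.uni-vention.de:445' -> 'client-win'."""
    return spn.split("/", 1)[1].split(":")[0].split(".")[0].lower()


def audit(spns_by_account, expected):
    """Compare registrations across accounts. SPN comparison is case-insensitive,
    as it is in AD, so HOST/client-WIN and host/client-win count as the same SPN."""
    owners = defaultdict(set)
    misplaced = {}
    for account, spns in spns_by_account.items():
        own_host = account.rstrip("$").lower()
        for spn in spns:
            owners[spn.lower()].add(account)
        # Heuristic for computer accounts: an SPN naming another host is suspicious.
        wrong = [s for s in spns if spn_host(s) != own_host]
        if wrong:
            misplaced[account] = wrong
    missing = {}
    for account, wanted in expected.items():
        have = {s.lower() for s in spns_by_account.get(account, [])}
        gaps = [s for s in wanted if s.lower() not in have]
        if gaps:
            missing[account] = gaps
    duplicates = {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
    return {"missing": missing, "duplicates": duplicates, "misplaced": misplaced}


def fix_commands(report):
    """The `samba-tool spn add` commands that register each missing SPN."""
    return [f"samba-tool spn add {spn} {account}"
            for account, spns in sorted(report["missing"].items())
            for spn in spns]


if __name__ == "__main__":
    listing = {acct: parse_spn_list(out) for acct, out in SAMPLE_OUTPUT.items()}
    result = audit(listing, EXPECTED)
    for key in ("missing", "duplicates", "misplaced"):
        print(f"{key}: {result[key]}")
    print("\n".join(fix_commands(result)))
```

On a DC, replace the `SAMPLE_OUTPUT` lookup with `run_spn_list()` for each computer account you want to audit. The script only emits `samba-tool spn add` commands for missing SPNs; a duplicate or misplaced registration is reported, not removed, because the right fix depends on which account really runs the service (the removal itself is a `samba-tool spn delete`). The "misplaced" heuristic assumes computer accounts carry only their own host's SPNs, which does not hold for service accounts that legitimately host SPNs for other names.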
See also: