
I have recently inherited the responsibilities of maintaining our Samba domain controller, which is used primarily for managing logging into the domain as well as serving as a secure file share. The initial configuration of this system is not entirely known to me, as it was configured long before I joined the group, and due to some recent unexpected staff changes, I have been left with a system with broken services that has a configuration I knew nothing about. The server is running Ubuntu 16.04 and uses Samba to emulate Windows Active Directory (I think I am using the correct terminology). I am happy to post config files or other relevant information if needed.

I found that I was unable to join new machines to the domain, and furthermore, logging into Windows machines under that domain seemed to be relying on cached credentials, with password changes not being reflected across different machines. I went digging, and my initial finding was that on boot of the server machine, one of the services showed a failure to start. Looking at log files, the Kerberos 5 key distribution service was failing.

The Kerberos service had been broken for many months, it would seem. I followed a very helpful guide to configure a new Kerberos domain, linked at the bottom of the message. I reinstalled the Kerberos 5 server as per the guide, and the service now correctly starts on boot, and by following the trace of the log files the guide suggests, I can see it is communicating with other computers on the network. I can see various computers making login attempts, which fail due to not having the computer name under the principals list. (This is another, lower priority problem, as I think the old principal file was overwritten when I reinstalled, not knowing this was a possibility. Figuring out what passwords these computers are sending in their automatic attempts to reconnect will allow me to add them to the principals with the correct password to fix this issue.) When I make an attempt to log in on the Windows 7 login page of a machine joined to the domain when things were still working, I can see it on the server in real time on the trace terminal readout. However, not all is well.

When I try to log in to a terminal still joined to the domain, nucleus receives a login from username@MSAE and fails to find a match, as the domain is named msae.wisc.edu, and thus doesn't find a matching username. This is a bit confusing to me, as in Windows under Domain it lists "msae.wisc.edu", yet on the login splash the domain reads "MSAE". The login attempt lacks the requisite ".wisc.edu" to exactly match what is found in the list of principals. I am not sure how to proceed. I have tried logging in with msae.wisc.edu/username to force the domain to read "msae.wisc.edu", which results in a "The security database on the server does not have a computer account for this workstation trust relationship" message on the Windows machine when the correct password is sent, and on the server I see:

Jun 22 13:09:10 nucleus.msae.wisc.edu krb5kdc[1040](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 128.104.185.62: ISSUE: authtime 1498154950, etypes {rep=18 tkt=18 ses=18}, username@msae.wisc.edu for krbtgt/msae.wisc.edu@msae.wisc.edu

I have also tried adding a new entry in principals with only MSAE as the domain, i.e. username@MSAE instead of all the others, which read username@msae.wisc.edu. When I log in without specifying a domain (i.e. using the default MSAE domain shown in Windows), I get the following error:

REFERRAL: username@MSAE for krbtgt/MSAE@MSAE, Realm not local to KDC

As per something I found in the MIT Kerberos documentation (second link below), I also tried adding the following lines to krb5.conf in hopes of smoothing over this host name issue.

[libdefaults]
    ignore_acceptor_hostname = true

This didn't work, however.

I have one idea, of changing the default realm name to just "MSAE" to match the login attempt format that Windows uses, but I am worried that might break other existing services. My only other idea is to somehow find a way to automatically replace "MSAE" with "msae.wisc.edu", which I thought I enabled by placing such a line (MSAE = msae.wisc.edu) in the [domain_realm] section of krb5.conf, but to my knowledge this hasn't done anything.

To make matters worse, fixing the broken Kerberos service enables the client machines to communicate with nucleus, but the usernames and passwords aren't accepted due to the aforementioned domain name issue. The take-home here is that for months my professor has been logging into his machine with cached credentials, as his computer was unable to contact Nucleus due to the broken Kerberos service. Now that it's (sort of) fixed, he attempted to log in with the credentials that were (formerly) cached on his terminal, but was rejected, as his login attempt was transmitted to Nucleus and denied. This had the effect of removing the cached positive credentials, killing the way he had been logging in for all these months.

Any counsel on this matter would be greatly appreciated.

My krb5.conf

[libdefaults]
    default_realm = msae.wisc.edu
    ignore_acceptor_hostname = true
# The following krb5.conf variables are only for MIT Kerberos.
#krb4_config = /etc/krb.conf
#krb4_realms = /etc/krb.realms
#kdc_timesync = 1
#ccache_type = 4
#forwardable = true
#proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
msae.wisc.edu = {
    kdc = NUCLEUS
    admin_server = NUCLEUS
}
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu:88
    kdc = kerberos-1.mit.edu:88
    kdc = kerberos-2.mit.edu:88
    admin_server = kerberos.mit.edu
    default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
    kdc = kerberos.media.mit.edu
    admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
    kdc = casio.mit.edu
    kdc = seiko.mit.edu
    admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
    kdc = three-headed-dogcow.mit.edu:88
    kdc = three-headed-dogcow-1.mit.edu:88
    admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
    kdc = kerberos-1.csail.mit.edu
    kdc = kerberos-2.csail.mit.edu
    admin_server = kerberos.csail.mit.edu
    default_domain = csail.mit.edu
    krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
    kdc = kerberos.ihtfp.org
    admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
    kdc = kerberos.gnu.org
    kdc = kerberos-2.gnu.org
    kdc = kerberos-3.gnu.org
    admin_server = kerberos.gnu.org
}
1TS.ORG = {
    kdc = kerberos.1ts.org
    admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
    kdc = kerberos.gratuitous.org
    admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
    kdc = kerberos.doomcom.org
    admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
    kdc = kerberos.andrew.cmu.edu
    kdc = kerberos2.andrew.cmu.edu
    kdc = kerberos3.andrew.cmu.edu
    admin_server = kerberos.andrew.cmu.edu
    default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
    kdc = kerberos.cs.cmu.edu
    kdc = kerberos-2.srv.cs.cmu.edu
    admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
    kdc = kerberos.dementix.org
    kdc = kerberos2.dementix.org
    admin_server = kerberos.dementix.org
}
stanford.edu = {
    kdc = krb5auth1.stanford.edu
    kdc = krb5auth2.stanford.edu
    kdc = krb5auth3.stanford.edu
    master_kdc = krb5auth1.stanford.edu
    admin_server = krb5-admin.stanford.edu
    default_domain = stanford.edu
}
UTORONTO.CA = {
    kdc = kerberos1.utoronto.ca
    kdc = kerberos2.utoronto.ca
    kdc = kerberos3.utoronto.ca
    admin_server = kerberos1.utoronto.ca
    default_domain = utoronto.ca
}

[domain_realm]
.msae.wisc.edu = msae.wisc.edu
MSAE = msae.wisc.edu
.MSAE = msae.wisc.edu
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

My kdc.conf

[kdcdefaults]
kdc_ports = 750,88

[realms]
MSAE.WISC.EDU = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/stash
    kdc_ports = 750,88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    default_principal_flags = +preauth
}

Kerberos Guide: http://techpubs.spinlocksolutions.com/dklar/kerberos.html#krb-adduser-ticket
Principal Name and DNS documentation: https://web.mit.edu/kerberos/krb5-1.11/doc/admin/princ_dns.html
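As an added example (not part of the question or the linked guide): a small Python audit that parses krb5kdc AS_REQ lines in the format quoted above and compares each client's realm, case-sensitively, against the realm names declared in a kdc.conf [realms] section. Kerberos realm names are case-sensitive, so "MSAE", "msae.wisc.edu" and "MSAE.WISC.EDU" are three distinct realms to a KDC; the kdc.conf fragment and the log lines below are constructed from the values in the question, and the log format assumed is MIT krb5kdc's.

```python
import re

# Constructed sample input modelled on the question: the kdc.conf realm spelling
# and the two krb5kdc log lines quoted there (not the poster's full files).
KDC_CONF = """\
[realms]
MSAE.WISC.EDU = {
    database_name = /var/lib/krb5kdc/principal
    default_principal_flags = +preauth
}
"""
KDC_LOG = """\
Jun 22 13:09:10 nucleus.msae.wisc.edu krb5kdc[1040](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 128.104.185.62: ISSUE: authtime 1498154950, etypes {rep=18 tkt=18 ses=18}, username@msae.wisc.edu for krbtgt/msae.wisc.edu@msae.wisc.edu
Jun 22 13:12:31 nucleus.msae.wisc.edu krb5kdc[1040](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 128.104.185.62: REFERRAL: username@MSAE for krbtgt/MSAE@MSAE, Realm not local to KDC
"""

# One MIT krb5kdc AS_REQ line: "<ip>: <STATUS>: [issue details, ]client@REALM for service@REALM".
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ .*? (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>[^@\s]+)@(?P<crealm>[^\s,]+)"
    r" for (?P<service>[^@\s]+)@(?P<srealm>[^\s,]+)")

def served_realms(conf):
    """Realm names declared in the [realms] section of a kdc.conf or krb5.conf."""
    realms, in_realms = set(), False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms = line == "[realms]"
        elif in_realms and (m := re.match(r"([^\s=]+)\s*=\s*\{", line)):
            realms.add(m.group(1))
    return realms

def audit(log, realms):
    """Tag each AS_REQ by how the client's realm relates to the declared realms.
    The comparison is case-sensitive, as in the KDC; a case-only difference is
    reported on its own because it points at a spelling mismatch in the configs."""
    by_lower = {r.lower(): r for r in realms}
    out = []
    for line in log.splitlines():
        if not (m := AS_REQ.search(line)):
            continue
        crealm = m["crealm"]
        verdict = ("local" if crealm in realms
                   else "case-mismatch:" + by_lower[crealm.lower()] if crealm.lower() in by_lower
                   else "not-local")
        out.append({"ip": m["ip"], "status": m["status"], "client": m["client"],
                    "crealm": crealm, "verdict": verdict})
    return out
```

Run against the constructed input, the ISSUE line is tagged as a case-only mismatch against the kdc.conf realm spelling, while the username@MSAE request is tagged not-local, which is what the KDC's own REFERRAL message says.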
