Notes

  • Backup config
  • Reinstall
  • Reinstall modules
  • Restore config

Issue with keytab and samba/DNS starting via web interface

2018/11/19 00:51:06 ERROR> GlobalImpl.pm:652 EBox::GlobalImpl::saveAllModules - Failed to save changes in module dns: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-patrician failed.
2018/11/19 00:51:06 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: ntp
2018/11/19 00:51:15 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: samba
2018/11/19 00:51:17 WARN> Ldap.pm:215 EBox::Ldap::safeConnect - Could not connect to Samba LDB: connect: Connection refused, retrying. (1 attempts)
2018/11/19 00:51:17 INFO> Ldap.pm:208 EBox::Ldap::safeConnect - Connection to Samba LDB successful after 6 tries.
2018/11/19 00:51:18 INFO> Samba.pm:752 EBox::Samba::_postServiceHook - Writing DNS update list...
2018/11/19 00:51:18 ERROR> AuthKrbHelper.pm:172 EBox::Samba::AuthKrbHelper::_getTicketUsingKeytab - Could not get ticket: could not acquire credentials using an initial credentials context: Clients credentials have been revoked
at Could not get ticket: could not acquire credentials using an initial credentials context: Clients credentials have been revoked

Confirm the user is valid

id dns-patrician
uid=3000060(DISCWORLD\dns-patrician) gid=2513(DISCWORLD\domain users) groups=2513(DISCWORLD\domain users),3000060(DISCWORLD\dns-patrician),3000051(DISCWORLD\dnsadmins),3000009(BUILTIN\users)

Rerun the failed command

root@patrician:/var/log/zentyal# kinit -k -t /var/lib/samba/private/dns.keytab dns-patrician
Password has expired
dns-patrician@DISCWORLD.QSPLACE.CO.UK's Password:

So it would appear that the password has expired. Luckily I have a system with RSAT installed, so it was a simple right-click on the user to reset the password…

Failing that, change the password with INSERT COMMAND LINE COMMAND HERE

Now we know the password:

root@patrician:/var/log/zentyal# kinit dns-patrician
dns-patrician@DISCWORLD.QSPLACE.CO.UK's Password:
root@patrician:/var/log/zentyal#

root@patrician:/var/log/zentyal# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: dns-patrician@DISCWORLD.QSPLACE.CO.UK

Issued Expires Principal
Nov 19 12:40:34 2018 Nov 19 22:40:34 2018 krbtgt/DISCWORLD.QSPLACE.CO.UK@DISCWORLD.QSPLACE.CO.UK

We are now able to obtain Kerberos tickets for the account with the new password. Next we need to update the /var/lib/samba/private/dns.keytab keytab, since it still holds keys derived from the old password.

root@patrician:/var/log/zentyal# ktutil -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno Type Principal Aliases
1 des-cbc-crc DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 des-cbc-crc dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 des-cbc-md5 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 des-cbc-md5 dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 arcfour-hmac-md5 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 arcfour-hmac-md5 dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 aes128-cts-hmac-sha1-96 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 aes128-cts-hmac-sha1-96 dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 aes256-cts-hmac-sha1-96 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 aes256-cts-hmac-sha1-96 dns-patrician@DISCWORLD.QSPLACE.CO.UK

Move the original keytab aside

mv /var/lib/samba/private/dns.keytab{,.orig}

Regenerate the keytab, typing the password in once for each entry

root@patrician:~# IFS=$'\n'; for i in $(ktutil -k /var/lib/samba/private/dns.keytab.orig list | tail -n +4); do echo $i | awk -F' ' '{ v=$1 ; e=$2 ; p=$3 ; print "ktutil -k /var/lib/samba/private/dns.keytab add -p "p" -e "e" -V "v}'| sh; done;
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:
Password:
Verify password - Password:

Check the new keytab

root@patrician:~# ktutil -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno Type Principal Aliases
1 des-cbc-crc DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 des-cbc-crc dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 des-cbc-md5 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 des-cbc-md5 dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 arcfour-hmac-md5 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 arcfour-hmac-md5 dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 aes128-cts-hmac-sha1-96 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 aes128-cts-hmac-sha1-96 dns-patrician@DISCWORLD.QSPLACE.CO.UK
1 aes256-cts-hmac-sha1-96 DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 aes256-cts-hmac-sha1-96 dns-patrician@DISCWORLD.QSPLACE.CO.UK

Run the command again

kinit -k -t /var/lib/samba/private/dns.keytab dns-patrician

No errors are seen so we can retest.
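The keytab regeneration and the follow-up check above can be scripted more robustly than the one-liner. This is an added example, not code from the original post: it parses the ktutil list output, generates one quoted ktutil add command per entry (the password is still typed at ktutil's prompt, so it never appears in the process list), and compares the old and new listings entry by entry. It assumes the Heimdal ktutil that Zentyal ships, whose add subcommand accepts -p, -e and -V; the sample listing is constructed from the post's entries.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a Heimdal keytab from the
# entry list of the old one, then check that the new keytab carries the same
# vno/enctype/principal triples. Assumes the Heimdal ktutil that Zentyal ships,
# whose 'add' subcommand takes -p, -e and -V and prompts for the password.

# Extract "vno enctype principal" from 'ktutil -k <keytab> list' output on
# stdin. Lines 1-3 are the keytab path, a blank line and the column header;
# any trailing Aliases column is dropped.
keytab_entries() {
    awk 'NR > 3 && NF >= 3 { print $1, $2, $3 }'
}

# Print one 'ktutil add' command per entry for the new keytab given as $1.
# Fields are single-quoted so the generated line is safe to pipe into sh;
# the password is typed at ktutil's prompt and never lands in argv or ps.
keytab_add_commands() {
    keytab_entries | while read -r vno enctype principal; do
        printf "ktutil -k '%s' add -p '%s' -e '%s' -V '%s'\n" \
            "$1" "$principal" "$enctype" "$vno"
    done
}

# Return 0 when two saved list outputs ($1, $2) contain the same entry set,
# so the regenerated keytab can be verified before services are restarted.
keytab_lists_match() {
    a=$(keytab_entries < "$1" | sort)
    b=$(keytab_entries < "$2" | sort)
    [ "$a" = "$b" ]
}

# Constructed sample listing in the format Heimdal ktutil prints (two of the
# post's ten entries).
SAMPLE_LIST='/var/lib/samba/private/dns.keytab.orig:

Vno Type Principal Aliases
1 des-cbc-crc DNS/patrician.discworld.qsplace.co.uk@DISCWORLD.QSPLACE.CO.UK
1 aes256-cts-hmac-sha1-96 dns-patrician@DISCWORLD.QSPLACE.CO.UK'

# On the server the same functions are used as:
#   ktutil -k /var/lib/samba/private/dns.keytab.orig list \
#       | keytab_add_commands /var/lib/samba/private/dns.keytab | sh
#   ktutil -k /var/lib/samba/private/dns.keytab.orig list > /tmp/old.lst
#   ktutil -k /var/lib/samba/private/dns.keytab list > /tmp/new.lst
#   keytab_lists_match /tmp/old.lst /tmp/new.lst && echo "entries match"

# Offline demonstration on the constructed sample: show the generated commands.
printf '%s\n' "$SAMPLE_LIST" | keytab_add_commands /var/lib/samba/private/dns.keytab
```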

This time, we’ve seen a DNS error

2018/11/19 15:52:11 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2018/11/19 15:52:43 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/KHm8zmI6Jf failed.
Error output: dns_tkey_gssnegotiate: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/KHm8zmI6Jf failed.
Error output: dns_tkey_gssnegotiate: TKEY is unacceptable

So we need to update the DNS authentication

root@patrician:~# samba_upgradedns --dns-backend=BIND9_DLZ
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Reading domain information
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
DNS accounts already exist
No zone file /var/lib/samba/private/dns/DISCWORLD.QSPLACE.CO.UK.zone
DNS records will be automatically created
DNS partitions already exist
dns-patrician account already exists
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Rerunning the failed command

root@patrician:~# nsupdate -g -t 10 /var/lib/zentyal/tmp/KHm8zmI6Jf

No errors are seen so we can retest again.

Restart the DNS and samba services via the Zentyal web interface

2018/11/19 16:05:52 ERROR> GlobalImpl.pm:727 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: samba at The following modules failed while saving their changes, their state is unknown: samba at /usr/share/perl5/EBox/GlobalImpl.pm line 727

Yet another error…

Looking at the smbd service, it appeared to be dead

root@patrician:~# systemctl status smbd
● smbd.service - Samba SMB Daemon
Loaded: loaded (/lib/systemd/system/smbd.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)

Nov 18 22:36:29 patrician systemd[1]: Starting Samba SMB Daemon...
Nov 18 22:36:29 patrician systemd[1]: Started Samba SMB Daemon.
Nov 18 22:39:24 patrician systemd[1]: Stopping Samba SMB Daemon...
Nov 18 22:39:24 patrician systemd[1]: Stopped Samba SMB Daemon.

However, the system still had smbd processes running

root@patrician:~# ps fax | grep smbd
17853 pts/1 S+ 0:00 | \_ grep --color=auto smbd
17582 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
17599 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
17600 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
17601 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
17837 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Quick manual "killall"

root@patrician:~# killall smbd
root@patrician:~# killall smbd
smbd: no process found

Start smbd service

root@patrician:~# systemctl start smbd
root@patrician:~# systemctl status smbd
● smbd.service - Samba SMB Daemon
Loaded: loaded (/lib/systemd/system/smbd.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2018-11-19 16:09:20 GMT; 3s ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 17880 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 4 (limit: 4915)
CGroup: /system.slice/smbd.service
├─17880 /usr/sbin/smbd --foreground --no-process-group
├─17882 /usr/sbin/smbd --foreground --no-process-group
├─17883 /usr/sbin/smbd --foreground --no-process-group
└─17884 /usr/sbin/smbd --foreground --no-process-group

Nov 19 16:09:20 patrician systemd[1]: Starting Samba SMB Daemon...
Nov 19 16:09:20 patrician smbd[17880]: [2018/11/19 16:09:20.757950, 0] ../lib/util/become_daemon.c:124(daemon_ready
Nov 19 16:09:20 patrician systemd[1]: Started Samba SMB Daemon.
Nov 19 16:09:20 patrician smbd[17880]: STATUS=daemon 'smbd' finished starting up and ready to serve connections

Retest and everything seems to be happy again!
