HP CIFS Server and Kerberos


Version 1.05, November 2008

Revision history:
- Version 1.02, August 2005: Added Microsoft Kerberos realm name identification in Chapter 4. Added clockskew in Common Problems section, Chapter 8.
- Version 1.03, November 2005: Added Kerbtray tool in Chapter 8.
- Version 1.05, November 2008: Added Klist tool in Chapter 8. Added HA Chapter 9. Updated component versions throughout document. Updated support matrix in Chapter 6.

VSSN Advanced Technology Center E0300
Printed in: U.S.A.
Copyright 2005 Hewlett-Packard Company

Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR for other agencies.

Hewlett-Packard Company, Homestead Road, Cupertino, California, U.S.A.

Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs in their present form or with alterations is expressly prohibited.

Copyright Notices. Copyright Hewlett-Packard Company, all rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws. Copyright 1979, 1980, 1983, , 2000 Regents of the University of California. This software is based in part on the Fourth Berkeley Software Distribution under license from the Regents of the University of California. Copyright Microsoft, Inc.

Contents

Legal Notices ... 2
Chapter 1 Introduction ... 5
Chapter 2 Kerberos, CIFS, and Samba Overview
  2.1 Kerberos Primer ... 6
Chapter 3 Solution Components ... 8
Chapter 4 Solution Configuration(s)
  4.1 HP CIFS Server
  4.2 Microsoft Active Directory Domain
  4.3 Joining the Windows Domain
  4.4 Kerberos CIFS Server Client Authentication Example
Chapter 5 HP-UX Application Co-Existence
  5.1 Configuring for krb5.keytab
      Kerberos modifications for INET Services
  5.2 krb5.keytab Configuration Script
  5.3 The krb5.keytab File
Chapter 6 Support Matrices
Chapter 7 Traces and Logs
  Windows 2000 KDC, HP-UX Kerberos 1.0, MD5
  Windows 2000 KDC, HP-UX Kerberos 1.0, CRC
  Windows 2000 KDC, HP-UX Kerberos 1.0, RC4
  Windows 2000 KDC, HP-UX Kerberos 1.3.5, MD5
  Windows 2000 KDC, HP-UX Kerberos 1.3.5, CRC
  Windows 2000 KDC, HP-UX Kerberos 1.3.5, RC4
  Windows 2003 KDC, HP-UX Kerberos 1.0, MD5
  Windows 2003 KDC, HP-UX Kerberos 1.0, CRC
  Windows 2003 KDC, HP-UX Kerberos 1.0, RC4
  Windows 2003 KDC, HP-UX Kerberos 1.3.5, MD5
  Windows 2003 KDC, HP-UX Kerberos 1.3.5, CRC
  Windows 2003 KDC, HP-UX Kerberos 1.3.5, RC4
Chapter 8 Support Tools and Common Problems
  Support Tools: kinit, klist (HP-UX), net ads status, ldapsearch, Samba Logging, Windows Event Logger, Wireshark, Kerbtray, Klist (Windows client)
  Common Problems: Wrong Kerberos Libraries, Invalid /etc/krb5.conf File, Joining a Domain
Chapter 9 Kerberos High Availability Integration
  CIFS HA Kerberos Configuration
  Testing the Merged Keytab Files
  Examining the Merged krb5.keytab File


Chapter 1 Introduction

HP CIFS Server 3.0 incorporates the open-source Samba 3.0 enhancements that include Kerberos authentication and related encryption types. These enhancements were introduced in HP CIFS Server version A.02.01, which was officially released on December 15th. The implementation details of Kerberos and Samba must be clearly identified so that users and support personnel can accurately design, implement, and support enterprise installations of HP CIFS Server that use the protocol. Please use this paper as a reference tool when designing, implementing, and supporting HP CIFS Server with Kerberos authentication. Below is an outline of topics that will help streamline lookups of relevant material.

- Introduction
- Overview
  o Protocol description - RFC
  o Encryption types
  o Windows implementation
  o Scope of Samba interoperability
- Solution Components
- Solution Configurations
- HP-UX Kerberos-Enabled Application Co-existence
- Support Matrices
  o Windows
  o Encryption Types
  o HP-UX components
- Traces and Logs
  o What to expect
- Support Tools and Common Problems
- HA Integration

Chapter 2 Kerberos, CIFS, and Samba Overview

The Kerberos protocol is regulated by the IETF RFC. Kerberos was adopted by Microsoft for Windows 2000, and is the default authentication protocol for Windows 2000, and 2008 domains (including the Windows 2000, XP, and Vista clients that inhabit those domains). Microsoft has modified the Kerberos protocol for better synergy with the Windows domain concept, and thus proclaims that their implementation is "based upon an industry standard". This divergence from the IETF spec allows for some additional domain features, including:

- Re-use of credentials. A client must be authenticated to use a service, and can then disconnect from the service and re-connect without re-authenticating. Kerberos allows the re-use of existing credentials.
- The client *AND* the server are authenticated, providing a more secure connection.
- Authentication proxy, allowing applications to impersonate clients and actually have the application authenticate.
- Transitive trusts sound like an ADS feature, but really are enabled by the usage of Kerberos.
- Encryption: the Kerberos encryption methods are more secure and flexible than older Windows authentication encryption.

For Samba 3.0 and HP CIFS Server A and later (currently A), Kerberos authentication is limited exclusively to server membership in a Windows 2000 or 2003 domain, and only when the CIFS/Samba server is configured with security = ads.

Note: HP CIFS Server does not support joining Windows 2008 domains as of version A. Work is progressing on a new version that will support Windows.

This particular limitation of Samba 3.0 is especially confusing because, while Samba can function as a standalone domain controller with an LDAP interface to a user data store (similarly to ADS), Samba itself cannot interface with a non-Windows MIT or Heimdal Kerberos Distribution Center (KDC) to authenticate users in this configuration (as of A).

NOTE: LDAP servers are capable of performing user authentication of resident LDAP database users, and can be configured to authenticate using an MIT or Heimdal Kerberos Distribution Center (KDC). However, this is purely a function of the LDAP server, and not associated with Samba in any way.

2.1 Kerberos Primer

Here is a very quick primer and Kerberos protocol review. For a comprehensive whitepaper on the Microsoft Kerberos implementation, see Microsoft's Kerberos documentation.

Kerberos is an authentication protocol that utilizes shared secrets and encryption to decode keys between an authenticator, an authenticatee, and some resource that the authenticatee requires access to. In the particular case of CIFS/Samba, the following applies:

- Windows KDC: Authenticator
- Windows Client: Authenticatee
- HP CIFS Server: Resource

The protocol exchanges do not include actual passwords passed over the wire; therefore a password cannot be sniffed and decrypted to gain access to a resource. Instead, encrypted keys are passed over the wire, and the three principals (KDC, Client, Server) each use pre-arranged secrets to decode the keys and allow access. The secrets are not transferred. The critical components of the exchanges are:

- Windows KDC: Key Distribution Center (central Kerberos authority for a domain)
- Long-Term Key: Persistent key derived from a client's password
- Session Key: Short-term key that is used for authentication before it expires
- Ticket-Granting Ticket: Allows a client access to the KDC to get a TGS (see next)
- Ticket-Granting Service: Exchange that provides client access to a service (CIFS Server)
- Authentication Service: Exchange that actually allows client access to the KDC

In Chapter 6 traces and diagrams will show exactly how these components interact. A unique aspect of CIFS is that the Kerberos protocol (as observed in a network trace) does not provide the method for the client to send its service ticket to the CIFS Server. Instead, the ticket is sent through the native service protocol, which in this case is SMB (or CIFS). This also will be illustrated in Chapter 6.

Chapter 3 Solution Components

Here is a review of the various components that are necessary to configure HP CIFS Server for Kerberos authentication.

- HP CIFS Server: Version A and later (based upon Samba and later)
  o HP-UX 11i v1, HP-UX 11i v2, or HP-UX 11i v3
- HP-UX Kerberos Client
  o HP-UX 11iv1: Version (required for keytab feature, described later). Patches required for 11i base install:
    PHCO_ libc cumulative header file patch
    PHCO_ libc cumulative patch
    PHNE_ libnss_dns DNS backend patch
    PHSS_ GSS-API Version 1.0 Cumulative patch
    PHSS_31163 KRB5-Client Version 1.0 cumulative patch
  o HP-UX 11iv2: Version D
  o HP-UX 11iv3: Version E
- HP-UX LDAP-UX Integration Client
- Windows Server domain
  o 2000
  o 2003
- Windows Client
  o 2000 Pro
  o XP Pro
  o Vista Pro

The A and later versions of HP CIFS Server have dependencies upon HP-UX Kerberos and LDAP for integration with Windows ADS when security = ads is configured. These dependencies appear during installation, as do the patches. Windows servers and clients require no hotfixes or patches for HP CIFS Server integration, although the latest Service Packs should be installed.

Chapter 4 Solution Configuration(s)

Configuring Kerberos for HP CIFS Server requires synchronizing system configuration files for interoperability between the solution components, as well as between the Windows domain and the HP-UX server.

4.1 HP CIFS Server

The two primary configuration files are smb.conf and krb5.conf.

/etc/opt/samba/smb.conf

    [global]
        workgroup = HPATC2003
        realm = HPATC2003.HP.COM
        netbios name = atcux5
        server string = Samba Server
        interfaces =
        bind interfaces only = Yes
        security = ADS
        password server = hpatcwin2k4.hpatc2003.hp.com

/etc/krb5.conf

    [libdefaults]
        default_realm = HPATC2003.HP.COM
        default_tkt_enctypes = DES-CBC-MD5
        default_tgs_enctypes = DES-CBC-MD5

    [realms]
        HPATC2003.HP.COM = {
            kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
            admin_server = HPATCWIN2K4.HPATC2003.HP.COM
        }

    [domain_realm]
        .hp.com = HPATC2003.HP.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

The parameters in the files above are from an actual operating system, and they match the values that are displayed in the traces and logs used in most of the (many) subsequent examples. The smb.conf realm = value and the krb5.conf default_realm = value are synonymous with the Active Directory DNS domain name. Microsoft states in the Q article: "Note: All Windows 2000 domains are also Kerberos realms. However, the realm name is always the all-uppercase version of the domain name. There is no way to have a Kerberos realm name that is different from the domain name." An easy source for the domain-realm name is the KDC or domain controller My Computer properties tab:

A simple precaution is to check with the Windows domain administrator to verify the Kerberos realm name.

4.2 Microsoft Active Directory Domain

No special configuration is needed for Kerberos (the KDC service must be started). HP CIFS Server domain prerequisites:
- NetBIOS enabled
- Both native and mixed
- Pre-Windows 2000 compatible

4.3 Joining the Windows Domain

The first step when joining the HP CIFS Server to the domain is to run kinit from the HP-UX command line. krb5.conf has configured the Windows KDC as the source for the credentials, so the kinit requests the krbtgt from the Windows domain KDC. The KDC is configured to require preauthentication data (a timestamp), and the HP-UX Kerberos client is configured not to send preauthentication data initially, so the first Authentication Service Request is rejected. On the next Request the pre-authentication data is supplied, and the kinit succeeds.
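Before running the kinit and join steps above, a consistency check of the two section 4.1 files catches the realm-name mistakes this chapter warns about (realm not uppercase, realm and default_realm disagreeing, no [realms] or [domain_realm] entry for the realm). The script below is an added example, not part of the HP paper or the HP CIFS Server product; the embedded smb.conf and krb5.conf text is constructed from the section 4.1 values, and its parser is deliberately minimal, understanding only the constructs those files use.

```python
import re

# Constructed from the section 4.1 values (assumed sample input, not a copy of a live system)
SMB_CONF = """
[global]
    workgroup = HPATC2003
    realm = HPATC2003.HP.COM
    netbios name = atcux5
    server string = Samba Server
    bind interfaces only = Yes
    security = ADS
    password server = hpatcwin2k4.hpatc2003.hp.com
"""

KRB5_CONF = """
[libdefaults]
    default_realm = HPATC2003.HP.COM
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5

[realms]
    HPATC2003.HP.COM = {
        kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
        admin_server = HPATCWIN2K4.HPATC2003.HP.COM
    }

[domain_realm]
    .hp.com = HPATC2003.HP.COM
"""


def parse_conf(text):
    """Minimal smb.conf / krb5.conf parser: [section] -> {key: value}.
    A 'NAME = {' ... '}' block inside a section (krb5.conf [realms]) becomes a nested dict.
    Keys are lower-cased; block names (realm names) keep their case."""
    sections, cur, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            cur = sections.setdefault(m.group(1).lower(), {})
            block = None
            continue
        if cur is None:
            continue
        if line == "}":
            block = None
        elif line.endswith("{"):
            block = cur.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else cur)[key.lower()] = value
    return sections


def check_configs(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree."""
    smb = parse_conf(smb_text).get("global", {})
    krb = parse_conf(krb5_text)
    findings = []
    realm = smb.get("realm", "")
    if smb.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be ADS for Kerberos domain membership")
    if not realm:
        findings.append("smb.conf: realm is not set")
        return findings
    # Windows realm name is always the all-uppercase DNS domain name (section 4.1)
    if realm != realm.upper():
        findings.append("smb.conf: realm %r is not the all-uppercase form of the DNS domain name" % realm)
    default_realm = krb.get("libdefaults", {}).get("default_realm", "")
    if default_realm != realm:
        findings.append("krb5.conf: default_realm %r differs from smb.conf realm %r" % (default_realm, realm))
    realm_block = krb.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        findings.append("krb5.conf: no [realms] block with a kdc entry for %r" % realm)
    pw_server = smb.get("password server", "").lower()
    if pw_server and not pw_server.endswith("." + realm.lower()):
        findings.append("smb.conf: password server %r is not inside the realm's DNS domain" % pw_server)
    # hosts under the realm's DNS domain must map back to the realm
    host_suffix = "." + realm.lower()
    mapped = any(host_suffix.endswith(dom) and target == realm
                 for dom, target in krb.get("domain_realm", {}).items())
    if not mapped:
        findings.append("krb5.conf: [domain_realm] does not map %s to %s" % (host_suffix, realm))
    return findings


if __name__ == "__main__":
    for finding in check_configs(SMB_CONF, KRB5_CONF) or ["smb.conf and krb5.conf agree"]:
        print(finding)
```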

Note: For new Windows 2000 or 2003 domains, the Administrator password must be changed after the initial domain controller installation because the default password encryption is not compatible with Kerberos. If the password has not been changed after the initial domain installation, the HP CIFS Server configuration cannot be added to the domain. The kinit will fail with the message:

    KDC has no support for encryption type while getting initial credentials

The next step is to join the server to the domain. This is also done from the command line with net ads join -U administrator. This step also requires authentication and authorization from the KDC. See below.

The HP CIFS Server is now a member of the Windows 2003 domain, in this case HPATC2003. The diagram above illustrates that the local Kerberos secret key is stored in the Samba file secrets.tdb, and not in krb5.keytab. This will be explained in a later chapter.

The net ads join has added 5 new Kerberos Principals to the Active Directory for the HP CIFS Server. The net ads status command displays the new Principals:

    # net ads status -U administrator | grep Princ
    administrator's password:
    userprincipalname: HOST/atcux5@HPATC2003.HP.COM
    serviceprincipalname: CIFS/atcux5.hpatc2003.hp.com
    serviceprincipalname: CIFS/atcux5
    serviceprincipalname: HOST/atcux5.hpatc2003.hp.com
    serviceprincipalname: HOST/atcux5

4.4 Kerberos CIFS Server Client Authentication Example

After starting the CIFS Server (/opt/samba/bin/startsmb), test the Kerberos authentication by mounting a share from the HP CIFS Server. Here is a quick review of a typical Kerberos logon and share service exchange.

1. User Netlogon: the user is authenticated into the domain. In this case, the KDC and DC are the same.
2. The user maps a share to the CIFS/Samba server and gets an encrypted ticket for the CIFS server service from the KDC.
2a. The client presents the ticket to the CIFS/Samba server, which decrypts the ticket and authorizes access.

Here is the netlogon sequence as the user gets authenticated from the client into the domain. The krb5-as-req is the user authentication and request. The krb5-as-rep reply from the KDC sends credentials to the client, including a client session key and a TGT that allows the client to access the KDC. The client then uses the session key and TGT for krbtgt to request a service ticket (krb5-tgs-req). This particular request is not for the CIFS server, because we have not mapped the share yet. At the end of this exchange, the client is authenticated into the domain and has access to the KDC to request domain services.

Below is the Wireshark trace that illustrates the sequence from the above diagram. The KRB_AS_REP shows that the client user buffy is authenticated and the KDC has sent a krbtgt for the HPATC2003 domain.

At the completion of the client netlogon sequence, the client is ready to request domain services, which for this session will be an HP CIFS Server share. Many of the examples of the Kerberos exchanges in this paper will start from this point. In all cases, once this state has been achieved for this particular client and this particular session, the client will have a valid session key until the Maximum Lifetime for the User Ticket (set on the KDC) expires. This allows the client to request services from the domain without re-authenticating. In this example we have ignored the Kerberos encryption types, but these encryption types will be the focus of the majority of the subsequent data and discussion.

After the user has been successfully authenticated into the domain, it now maps a share to a CIFS server: \\atcux5\buffy. The XP client initially requests a TGS from the KDC for the atcux5 cifs service in the machine name of the client: HPATCCLI2$. The KDC grants the TGS ticket request, but the HP CIFS Server rejects it because the machine name of the client is not valid (see below). The HP CIFS Server recognizes domain users, not domain machines, and thus the session_setup results in a STATUS_LOGON_FAILURE.

Here is the HP CIFS Server log entry for the associated user logon failure for HPATCCLI2$:

    [2005/01/12 10:30:05, 5] lib/username.c:get_pwnam_internals(256)
      Get_Pwnam_internals didn't find user [HPATCCLI2$]!
    [2005/01/12 10:30:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
      Username HPATC2003.HP.COM\HPATCCLI2$ is invalid on this system
    [2005/01/12 10:30:05, 3] smbd/error.c:error_packet(105)
      error string = Invalid argument
    [2005/01/12 10:30:05, 3] smbd/error.c:error_packet(125)
      error packet at smbd/sesssetup.c(255) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

So the client requests another TGS ticket for the user name buffy, and then presents this ticket to the HP CIFS Server. Buffy is a valid user on the CIFS Server, so the request is granted and the session setup continues. See the trace below.

After the client goes back to the KDC to get a service ticket for the user name, it presents the valid ticket to the HP CIFS Server, and the user is authorized. The user logon (authorization) to the HP CIFS Server in the Active Directory domain is complete. The HP CIFS Server client log entry (level 10) appears as:

    [2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
      ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    [2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
      ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    [2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
      ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    [2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
      ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    [2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
      ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    [2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
      ads_secrets_verify_ticket: enc type [3] decrypted message!

CIFS/Samba uses the principal, and tries to decrypt the ticket with a set of Kerberos encryption types. The valid enc type is [3] (MD5, as configured in krb5.conf), as shown in the log entry. You can observe the other attempted decrypt types in the failed log entries, and equate them to the list of enc types shown below (etype numbers as assigned in RFC 3961, the successor of the cited draft):

| etype | encryption type | Reference and/or Comment |
|---|---|---|
| 0 | reserved | |
| 1 | des-cbc-crc | [RFC-ietf-krb-wg-crypto-07.txt] |
| 2 | des-cbc-md4 | [RFC-ietf-krb-wg-crypto-07.txt] |
| 3 | des-cbc-md5 | [RFC-ietf-krb-wg-crypto-07.txt] |
| 4 | [reserved] | |
| 5 | des3-cbc-md5 | |
| 6 | [reserved] | |
| 7 | des3-cbc-sha1 | [RFC-ietf-krb-wg-crypto-07.txt] |
| 9 | dsawithsha1-cmsoid | (pkinit) |
| 10 | md5withrsaencryption-cmsoid | (pkinit) |
| 11 | sha1withrsaencryption-cmsoid | (pkinit) |
| 12 | rc2cbc-envoid | (pkinit) |
| 13 | rsaencryption-envoid | (pkinit from PKCS#1 v1.5) |
| 14 | rsaes-oaep-env-oid | (pkinit from PKCS#1 v2.0) |
| 15 | des-ede3-cbc-env-oid | (pkinit) |
| 16 | des3-cbc-sha1-kd | [RFC-ietf-krb-wg-crypto-07.txt] |
| 17 | aes128-cts-hmac-sha1-96 | [RFC-raeburn-krb-rijndael-krb-07.txt] |
| 18 | aes256-cts-hmac-sha1-96 | [RFC-raeburn-krb-rijndael-krb-07.txt] |
| 23 | rc4-hmac | (Microsoft) |
| 24 | rc4-hmac-exp | (Microsoft) |
| 65 | subkey-keymaterial | (opaque; PacketCable) |
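To turn a level-10 log like the one above into a diagnosis rather than reading it by eye, here is an added Python example (not code from the HP paper or from Samba) that extracts each ads_secrets_verify_ticket attempt, names its etype, and reports which one decrypted the service ticket. The sample log text is constructed from the entries shown above in Samba's usual two-line layout (header line, then indented message), and the etype-to-name table is taken from RFC 3961 and RFC 4757, not from this page.

```python
import re
from typing import List, NamedTuple, Optional

# Etype numbers per RFC 3961 section 8 and RFC 4757 (rc4-hmac)
ENCTYPE_NAMES = {
    0: "reserved", 1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    5: "des3-cbc-md5", 7: "des3-cbc-sha1", 9: "dsawithsha1-cmsoid",
    10: "md5withrsaencryption-cmsoid", 11: "sha1withrsaencryption-cmsoid",
    12: "rc2cbc-envoid", 13: "rsaencryption-envoid", 14: "rsaes-oaep-env-oid",
    15: "des-ede3-cbc-env-oid", 16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
    65: "subkey-keymaterial",
}

# Constructed sample: the six entries from the page, in Samba's two-line log layout
SAMPLE_LOG = """
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] decrypted message!
"""

# Matches the message part whether it is on its own line or run together with the header
ATTEMPT_RE = re.compile(
    r"ads_secrets_verify_ticket: enc type \[(\d+)\] "
    r"(?:(decrypted message!)|failed to decrypt with error (.+))$"
)


class Attempt(NamedTuple):
    etype: int
    name: str
    ok: bool
    error: Optional[str]


def parse_verify_attempts(log: str) -> List[Attempt]:
    """One Attempt per decryption try, in the order smbd made them."""
    attempts = []
    for line in log.splitlines():
        m = ATTEMPT_RE.search(line.strip())
        if not m:
            continue
        etype = int(m.group(1))
        ok = m.group(2) is not None
        attempts.append(Attempt(etype, ENCTYPE_NAMES.get(etype, "unknown"),
                                ok, None if ok else m.group(3).strip()))
    return attempts


def winning_enctype(log: str):
    """(etype, name) that decrypted the ticket, or None if nothing did."""
    for attempt in parse_verify_attempts(log):
        if attempt.ok:
            return attempt.etype, attempt.name
    return None


def diagnose(log: str) -> str:
    attempts = parse_verify_attempts(log)
    if not attempts:
        return "no ads_secrets_verify_ticket entries found (log level 10 is needed)"
    tried = ", ".join("%d=%s" % (a.etype, a.name) for a in attempts if not a.ok)
    win = winning_enctype(log)
    if win:
        return "service ticket decrypted with etype %d (%s) after failing: %s" % (win[0], win[1], tried)
    return ("no enctype decrypted the ticket (tried: %s); compare default_tkt_enctypes/"
            "default_tgs_enctypes in /etc/krb5.conf with what the KDC issues" % tried)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```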

Chapter 5 HP-UX Application Co-Existence

The typical HP-UX server is a multi-user and multi-application system. If Kerberos is the preferred authentication protocol for a customer, then it will probably be preferred for Windows domain users as well as HP-UX users and applications. However, Samba and HP CIFS Server, by default, create a CIFS-specific Kerberos configuration that can only be used by CIFS/Samba users. After a net ads join, the system Kerberos configuration is not valid for other users and applications on the HP-UX system. If access is restored to these users, then the CIFS/Samba users will be denied domain access.

When a service (such as a server) is joined to a Kerberos realm (like a domain; for Windows they usually coincide, domain = realm), it stores a copy of its secret key locally on the server. This secret key is used to encrypt and decrypt all Kerberos messages that are exchanged with the KDC and other domain/realm entities. UNIX convention is to store the secret in a file called /etc/krb5.keytab. Thus, HP-UX Kerberos applications look to /etc/krb5.keytab to find the secret key. Samba 3.0 was developed to store the secret key in the /var/opt/samba/private/secrets.tdb file, the traditional Samba place for domain passwords. When a CIFS/Samba server is added to the Windows domain, a new shared secret key is created. The KDC has a copy, and the CIFS/Samba server has a copy in the secrets.tdb file. When other HP-UX applications use the /etc/krb5.keytab file to decrypt messages, it is now out of sync with the KDC's secret key, and therefore invalid. If a new /etc/krb5.keytab file is generated from the KDC, then the secrets.tdb file is out of sync.

NOTE: An HP-UX server using Kerberos and a Windows KDC would normally utilize a krb5.keytab file that was generated on the Windows KDC using the ktpass.exe tool.

With HP CIFS Server A and above, an /etc/krb5.keytab file can be generated from Samba, and CIFS/Samba can be configured to access its secret key from the keytab file instead of the secrets.tdb file. In addition, HP-UX Kerberos applications can also use the CIFS/Samba-generated krb5.keytab file. This feature provides Kerberos interoperability between HP CIFS Server users and HP-UX Internet Services (telnet, ftp, etc.) and pam-kerberos users (for local HP-UX logins).

WARNING: All subsequent krb5.keytab discussions assume that the krb5.keytab file is created with HP CIFS Server and either the net ads keytab command or the net ads join command. Using the Windows ktpass.exe utility for keytab file generation will cause confusion; do not use it.

5.1 Configuring for krb5.keytab

Here are the required components to configure HP-UX Kerberos co-existence:
- HP-UX Kerberos version or newer
- /etc/krb5.conf file
- /etc/opt/samba/smb.conf file
- /etc/krb5.keytab file
- Samba net ads keytab create command

The first task is to configure CIFS/Samba for Kerberos authentication and join it to a Windows domain. We know that this configuration will disable HP-UX INET Services access to the HP-UX

system. The following steps show how to generate a valid keytab file, configure CIFS/Samba to access the keytab file, and configure Kerberos for HP-UX INET Services access.

1. Edit the /etc/krb5.conf file to add the WRFILE attribute to the default_keytab_name parameter.
   * HP-UX Kerberos version or later is REQUIRED for WRFILE.

   /etc/krb5.conf for HP CIFS Server keytab creation:

    # Kerberos configuration
    [libdefaults]
        default_realm = HPATC2003.HP.COM
        default_tkt_enctypes = DES-CBC-MD5
        default_tgs_enctypes = DES-CBC-MD5
        default_keytab_name = "WRFILE:/etc/krb5.keytab"

    [realms]
        HPATC2003.HP.COM = {
            kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
            admin_server = HPATCWIN2K4.HPATC2003.HP.COM
        }

    [domain_realm]
        .hp.com = HPATC2003.HP.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

2. Execute net ads keytab create -U administrator to generate an /etc/krb5.keytab file.
   * Observe the keys by executing klist -k -e (see the tools section for klist).
   * The listing of keys will appear to be excessively long. This is due to the inclusion of every possible combination of service principal name and key enctype.

3. Edit /etc/opt/samba/smb.conf to enable CIFS/Samba to read /etc/krb5.keytab:

    [global]
        workgroup = HPATC2003
        realm = HPATC2003.HP.COM
        netbios name = atcux5
        server string = Samba Server
        interfaces =
        bind interfaces only = Yes
        security = ADS
        password server = HPATCWIN2K4.HPATC2003.HP.COM
        use kerberos keytab = yes

4. Start CIFS/Samba, log on to the domain with a client, and mount a CIFS/Samba share. The protocol exchange will be the same as illustrated in Chapter 4.4. The difference is that the CIFS server will now go to krb5.keytab for the secret key, instead of secrets.tdb. The logfile (level 10) entries will also be different:

    [2005/01/19 13:32:02, 10] lib/util.c:name_to_fqdn(2442)
      name_to_fqdn: lookup for ATCUX5 -> atcux5.
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      krb5_rd_req(atcux5$@hpatc2003.hp.com) failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
      failed: Wrong principal in request
    [2005/01/19 13:32:02, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(115)
      krb5_rd_req succeeded for principal

In this example, the HP CIFS Server can authorize the Windows client to access the server share, using Kerberos in the Windows domain and the keytab file on the HP CIFS Server. However, an HP-UX Internet Services user cannot gain system access using Kerberos with the system in this state.

Kerberos modifications for INET Services

HP-UX Internet Services users cannot use the system Kerberos libraries to access system resources because of a mismatch in Kerberos libraries on the system. Although the system Kerberos libraries were updated to version for this configuration, the Internet Services suite utilizes its own Kerberos library set that is delivered with the product. This library set is obsolete, and does not recognize the WRFILE attribute in the /etc/krb5.conf file as a valid attribute. Therefore, the default_keytab_name parameter is invalid, and the INET Services application cannot find the Kerberos keytab file to access the secret key for decrypting.

To modify this configuration for HP-UX Internet Services interoperation, the /etc/krb5.conf file must be edited to remove the WRFILE attribute. This does not affect HP CIFS Server authentication, because the krb5.conf default_keytab_name parameter is only used by HP CIFS Server for the creation of the /etc/krb5.keytab file.

/etc/krb5.conf for HP-UX Internet Services and HP CIFS Server:

    [libdefaults]
        default_realm = HPATC2003.HP.COM
        default_tkt_enctypes = DES-CBC-MD5
        default_tgs_enctypes = DES-CBC-MD5
        default_keytab_name = "WRFILE:/etc/krb5.keytab"   (DELETE or COMMENT OUT this line)

    [realms]
        HPATC2003.HP.COM = {
            kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
            admin_server = HPATCWIN2K4.HPATC2003.HP.COM
        }

    [domain_realm]
        .hp.com = HPATC2003.HP.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

        default = FILE:/var/log/krb5lib.log

If the /etc/krb5.keytab file needs to be regenerated (by a net ads keytab create), then the /etc/krb5.conf file must be edited to add the WRFILE attribute to the default_keytab_name parameter. After the krb5.keytab is created, the krb5.conf file should be re-edited to remove WRFILE for INET Services interoperation.

5.2 krb5.keytab Configuration Script

    # swlist -l product | grep -i krb
      KRB-Support    B       Kerberos Support for HP-UX and DCE
      KRB5-Client    B       Kerberos V5 Client Version 1.0
      KRBS-Support   B       Kerberos Support v1.11
      PHSS_          patch   KRB5-Client Version 1.0 cumulative
      krb5client     B       Kerberos V5 Client Version

    # net ads status
    serviceprincipalname: CIFS/atcux5.hpatc2000.hp.com
    serviceprincipalname: CIFS/atcux5
    serviceprincipalname: HOST/atcux5.hpatc2000.hp.com
    serviceprincipalname: HOST/atcux5
    useraccountcontrol:
    userprincipalname: HOST/atcux5@HPATC2000.HP.COM

    # more /etc/hosts
    localhost                  loopback
    atcux1.rose.hp.com         atcux1
    atcux2.rose.hp.com         atcux2
    atcux3.rose.hp.com         atcux3 atcux3.atc
    atcux4.rose.hp.com         atcux4
    atcux5.hpatc2000.hp.com    atcux5
    atcux6.rose.hp.com         atcux6
    atcux7.rose.hp.com         atcux7
    atcux8.rose.hp.com         atcux8
    atcux9.rose.hp.com         atcux9

    # more /etc/nsswitch.conf
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    services:   files
    networks:   files
    protocols:  files
    rpc:        files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files

    # more /etc/opt/samba/smb.conf
    [global]
        workgroup = HPATC2000
        realm = HPATC2000.HP.COM
        netbios name = atcux5
        server string = Samba Server
        interfaces =
        bind interfaces only = Yes
        security = ADS
        password server = HPATCWIN2K5.HPATC2000.HP.COM
        use kerberos keytab = yes

    # more /etc/krb5.conf
    [libdefaults]
        default_realm = HPATC2000.HP.COM
        default_tkt_enctypes = DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-CRC
        ccache_type = 2
        default_keytab_name = "WRFILE:/etc/krb5.keytab"

    # net ads keytab create -U administrator
    administrator's password:

    # more /etc/krb5.conf
    [libdefaults]
        default_realm = HPATC2000.HP.COM
        default_tkt_enctypes = DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-CRC
        ccache_type = 2
        # default_keytab_name = "WRFILE:/etc/krb5.keytab"

    # login buffy
    ...
    $ kinit
    Password for buffy@hpatc2000.hp.com:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_112
    Default principal: buffy@hpatc2000.hp.com

    Valid starting     Expires            Service principal
    02/09/05 14:51:00  02/10/05 00:49:37  krbtgt/hpatc2000.hp.com@hpatc2000.hp.com
            renew until 02/10/05 00:51:00
    $ telnet atcux

5.3 The krb5.keytab File

The krb5.keytab file is a binary file, so it must be managed using specific tools. The klist tool is useful for displaying the keys that are resident in the keytab file (the klist tool is described in the Support Tools chapter). klist -k -e will display every key in the keytab file and its associated encryption format. When CIFS/Samba creates a keytab file, it adds keys for every likely combination of service principals and encryption formats. There are 7 encryption formats. Keytabs are created for case-specific HOST/host and CIFS/cifs service principals, as well as SYSTEM/system service principals. For this test system, there were 6 service principals in the Computer object of the Active Directory. This results in a keytab file that has 182 service principals. Do not be alarmed when examining a krb5.keytab file and observing many records. This is normal for a CIFS/Samba system.
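Because the keytab is binary, a small reader makes the "many records" statement above concrete and lets you confirm which enctypes each principal actually has a key for. The following Python is an added example, not code from the HP paper or from Samba; it writes and reads the MIT keytab file format version 0x0502 (the format klist -k -e displays), and the sample keytab is constructed inside the script from the case-specific HOST/host and CIFS/cifs principals of section 4.3 with dummy key bytes.

```python
import struct
from collections import defaultdict

# Names for the etypes used in the constructed sample (numbers per RFC 3961 / RFC 4757)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}


def _octets(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry (MIT keytab format version 0x0502)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for comp in comps:
        body += _octets(comp.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type NT-PRINCIPAL, time, 8-bit vno
    body += struct.pack(">H", enctype) + _octets(key)        # keyblock: enctype + key bytes
    body += struct.pack(">I", kvno)                           # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, key) for the live entries of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")

    def octets(p):
        n, = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = octets(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = octets(pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, = struct.unpack_from(">H", data, pos + 9)
        key, pos = octets(pos + 11)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit vno wins when present and nonzero
            vno32, = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def klist_ke(data):
    """Lines in the style of `klist -k -e`: KVNO, principal, enctype name."""
    return ["%4d %s (%s)" % (e["kvno"], e["principal"],
                             ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]))
            for e in parse_keytab(data)]


def enctypes_by_principal(data):
    """Which enctypes each principal holds a key for; a principal lacking the enctype the
    KDC issues service tickets in cannot decrypt them (compare the krb5_rd_req log entries)."""
    out = defaultdict(set)
    for e in parse_keytab(data):
        out[e["principal"]].add(e["enctype"])
    return dict(out)


# Constructed sample: case-specific HOST/host and CIFS/cifs principals from section 4.3,
# each with a dummy key for three enctypes, all at kvno 2
REALM = "HPATC2003.HP.COM"
SAMPLE_KEYTAB = build_keytab([
    ("%s/atcux5%s@%s" % (svc, suffix, REALM), 2, et, bytes(range(16 if et == 23 else 8)))
    for svc, suffix in (("HOST", ""), ("host", ""),
                        ("CIFS", ".hpatc2003.hp.com"), ("cifs", ".hpatc2003.hp.com"))
    for et in (1, 3, 23)
])

if __name__ == "__main__":
    for line in klist_ke(SAMPLE_KEYTAB):
        print(line)
```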

Chapter 6 Support Matrices

Here is a matrix that summarizes the Kerberos components and how they interact for HP CIFS Server. The encryption types are defined in HP-UX /etc/krb5.conf.

| HP-UX Kerberos client | Windows 2000 Adv Server (no hotfixes) | Windows 2003 Adv Server (no hotfixes) | Windows 2003 R2 Adv Server (no hotfixes) |
|---|---|---|---|
| HP-UX Kerberos 1.0 (default on 11iv1 and 11iv2) | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: unsupported enc type; Keytab: unsupported | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: unsupported enc type; Keytab: unsupported | Not Available |
| HP-UX Kerberos 1.3.5 (available on 11iv1 and 11iv2) | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: Works; Keytab: Works | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: Works; Keytab: Works | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: Works; Keytab: Works |
| HP-UX Kerberos D or E (default on 11iv3) | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: Works; Keytab: Works | DES-CBC-CRC: Works; DES-CBC-MD5: Works; RC4-HMAC: Works; Keytab: Works | Not Available |

Caveats:
1. All "Works" enc types work for kinit and net ads join.
2. Regardless of the /etc/krb5.conf enc type, the HP CIFS Server service ticket is encrypted in MD5.
3. HP-UX Kerberos will be available for 11i v2 in February.
4. RC4-HMAC is not officially endorsed for HP CIFS Server, but testing proves that it works.

NOTE: HP CIFS Server does not support Windows Server 2008 at this time (November 2008 Update).

Chapter 7 Traces and Logs

This section provides Wireshark network traces and Samba log entries of the important Kerberos operations for HP CIFS Server. These are provided as a guide to what should be the expected behavior for the various component combinations, and data to support the expected behavior. The following matrices show exactly what operations are traced and in what order they are listed in this section.

Windows 2000 KDC
    KRB5 1.0, MD5:    kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.0, CRC:    kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.0, RC4:    kinit only (RC4-HMAC is not supported by HP-UX Kerberos 1.0)
    KRB5 1.3.5, MD5:  kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.3.5, CRC:  kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.3.5, RC4:  kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket

Windows 2003 KDC
    KRB5 1.0, MD5:    kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.0, CRC:    kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.0, RC4:    kinit only (RC4-HMAC is not supported by HP-UX Kerberos 1.0)
    KRB5 1.3.5, MD5:  kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.3.5, CRC:  kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket
    KRB5 1.3.5, RC4:  kinit; net ads join; XP client gets CIFS ticket; XP client presents CIFS ticket

7.1 Windows 2000 KDC, HP-UX Kerberos 1.0, MD5 Session

KINIT DES-CBC-MD5
Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/hpatc2000.hp.com is encrypted with MD5. This is what we expect.

Windows 2000 domain JOIN
Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket is DES-CBC-CRC. This is somewhat unusual; note that the other MD5 scenarios do not use CRC.

Command line output:

    # net ads join -U administrator%samba
    [2005/02/01 15:10:19, 3] libads/ldap.c:ads_workgroup_name(2524)
      Found alternate name 'HPATC2000' for realm 'HPATC2000.HP.COM'
    Using short domain name -- HPATC2000
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:20, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:20, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:20, 10] lib/util.c:name_to_fqdn(2442)
      name_to_fqdn: lookup for ATCUX5 -> atcux5.
    [2005/02/01 15:10:20, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:20, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:20, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/01 15:10:20, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
    [2005/02/01 15:10:20, 2] utils/net.c:main(792)
      return code = 0
    #

It is interesting to note that the log output does not show a valid ticket decryption, but the join is successful anyway. Subsequent client logon traces show a functioning Kerberos authentication exchange.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption, which is unusual for W2000 and not expected. Note that this is opposite from the previous operations, where the administrator user that was specified on the HP-UX command line was authenticated with DES-CBC-MD5 encryption, but the ticket itself was encrypted with DES-CBC-CRC.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 4709) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server only logs the MD5 decryption event in this case. This is different observed behavior from the same test when conducted with the newer HP-UX Kerberos Client 1.3.5.

MD5 Summary:
    HP-UX 11i
    HP CIFS Server A (Samba with backports)
    HP-UX Kerberos Client version 1.0
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain

HP-UX command line operations using the Windows administrator user are authenticated using MD5 encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.

7.2 Windows 2000 KDC, HP-UX Kerberos 1.0, CRC Session

KINIT DES-CBC-CRC
Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with DES-CBC-CRC.

Windows 2003 domain JOIN
Command: net ads join -U administrator%password

The ATCUX5$ principal is authenticated with DES-CBC-CRC encryption. The ticket for host atcux5 is also DES-CBC-CRC.

Command line output:

    # net ads join -U administrator -d 10
    [2005/02/02 13:57:42, 3] libads/ldap.c:ads_workgroup_name(2524)
      Found alternate name 'HPATC2000' for realm 'HPATC2000.HP.COM'
    Using short domain name -- HPATC2000
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:42, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] lib/util.c:name_to_fqdn(2442)
      name_to_fqdn: lookup for ATCUX5 -> atcux5.
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
    [2005/02/02 13:57:43, 2] utils/net.c:main(792)
      return code = 0
    #

The log data shows that CIFS/Samba is decrypting multiple messages, some with CRC and some with MD5.
Kerberos encryption type numbers, as they appear in the Windows event log (hex) and the Samba log (decimal). The DES and 3DES entries are from the IETF krb-wg crypto draft [RFC-ietf-krb-wg-crypto-07.txt], later published as RFC 3961; the AES entries are from [RFC-raeburn-krb-rijndael-krb-07.txt], later RFC 3962.

    Number  Encryption type                Note
    0       reserved
    1       des-cbc-crc
    2       des-cbc-md4
    3       des-cbc-md5
    4       [reserved]
    5       des3-cbc-md5
    6       [reserved]
    7       des3-cbc-sha1
    9       dsawithsha1-cmsoid             (pkinit)
    10      md5withrsaencryption-cmsoid    (pkinit)
    11      sha1withrsaencryption-cmsoid   (pkinit)
    12      rc2cbc-envoid                  (pkinit)
    13      rsaencryption-envoid           (pkinit from PKCS#1 v1.5)
    14      rsaes-oaep-env-oid             (pkinit from PKCS#1 v2.0)
    15      des-ede3-cbc-env-oid           (pkinit)
    16      des3-cbc-sha1-kd
    17      aes128-cts-hmac-sha1-96
    18      aes256-cts-hmac-sha1-96
    23      rc4-hmac                       (Microsoft)
    24      rc4-hmac-exp                   (Microsoft)
    65      subkey-keymaterial             (opaque; PacketCable)

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC encryption. Note that this is opposite from the previous operations, where the administrator user that was specified on the HP-UX command line was authenticated with DES-CBC-CRC encryption, and the ticket itself was encrypted with DES-CBC-CRC.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1497) is encrypted with DES-CBC-MD5. MD5 is the encryption type that Samba uses, and cannot be affected by the HP-UX krb5.conf enctype configuration. The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server only logs the MD5 decryption event in this case. This is different observed behavior from the same test when conducted with the newer HP-UX Kerberos Client 1.3.5.

CRC Summary:
    HP-UX 11i
    HP CIFS Server A (Samba with backports)
    HP-UX Kerberos Client version 1.0
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain

HP-UX command line operations using the Windows administrator user are authenticated using CRC encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.

7.3 Windows 2000 KDC, HP-UX Kerberos 1.0, RC4 Session

KINIT RC4-HMAC
Command: kinit administrator

    # kinit administrator
    kinit: No supported encryption types (config file error?) while getting initial credentials

The HP-UX Kerberos libraries version 1.0 (the default Kerberos libraries on HP-UX 11i v1 and 11i v2) do not support the RC4-HMAC encryption type. Therefore, no additional data can be collected.

7.4 Windows 2000 KDC, HP-UX Kerberos 1.3.5, MD5 Session

KINIT DES-CBC-MD5
Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/hpatc2000.hp.com is encrypted with MD5.

Windows 2000 domain JOIN
Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for hpatcwin2k5$ is MD5.

Command line output:

    [2005/01/24 12:55:06, 5] libads/kerberos.c:get_service_ticket(368)
      get_service_ticket: krb5_get_credentials for atcux5$@hpatc2000.hp.com enctype 1 failed: No credentials found with supported encryption types
    [2005/01/24 12:55:06, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    [2005/01/24 12:55:06, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/01/24 12:55:06, 5] libads/kerberos.c:get_service_ticket(368)
      get_service_ticket: krb5_get_credentials for atcux5$@hpatc2000.hp.com enctype 2 failed: No credentials found with supported encryption types
    [2005/01/24 12:55:06, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types.
    Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
    [2005/01/24 12:55:07, 2] utils/net.c:main(792)
      return code = 0

The encryption type for the ATCUX5 service ticket logon is MD5 (0x3); see the encryption type table in section 7.2.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC encryption. This is the expected behavior.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 3855) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before successfully using DES-CBC-MD5 [3]. Values are in decimal. Windows event log values are in hex.

MD5 Summary:
    HP-UX 11i
    HP CIFS Server A (Samba with backports)
    HP-UX Kerberos Client version 1.3.5
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain

HP-UX command line operations using the Windows administrator user are authenticated using MD5 encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5. The Windows 2000 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases regardless of the HP-UX enctype configuration.

7.5 Windows 2000 KDC, HP-UX Kerberos 1.3.5, CRC Session

KINIT DES-CBC-CRC
Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/hpatc2000.hp.com is encrypted with CRC.

W2000 Domain JOIN
Command: net ads join -U administrator%password -d 10

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for hpatcwin2k5$ is MD5!

Command line output:

    [2005/01/31 15:49:01, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    [2005/01/31 15:49:01, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
    [2005/01/31 15:49:01, 5] libads/kerberos.c:get_service_ticket(368)
      get_service_ticket: krb5_get_credentials for host/atcux5@hpatc2000.hp.com enctype 3 failed: No credentials found with supported encryption types
    [2005/01/31 15:49:01, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    [2005/01/31 15:49:02, 5] libads/kerberos.c:get_service_ticket(368)
      get_service_ticket: krb5_get_credentials for host/atcux5@hpatc2000.hp.com enctype 2 failed: No credentials found with supported encryption types
    [2005/01/31 15:49:02, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
    [2005/01/31 15:49:02, 2] utils/net.c:main(792)
      return code = 0

Notice that the successful decrypt log entry is embedded in a multitude of failure entries. It is hard to find in the log, so use diligence when analyzing the output. The encryption type for the ATCUX5 service ticket logon is CRC (0x1); see the encryption type table in section 7.2.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC encryption. This is especially confusing, because our krb5.conf configuration specifies DES-CBC-CRC, the kinit used only CRC, but the net ads join used a combination of CRC and MD5. Now, the Windows client is authenticated to the KDC using RC4, and the actual cifs atcux5 ticket is MD5. So this particular configuration uses all of the common encryption types, in multiple combinations.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1423) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before successfully using DES-CBC-MD5 [3]. Values are in decimal. Windows event log values are in hex.

CRC Summary:
    HP-UX 11i
    HP CIFS Server A (Samba with backports)
    HP-UX Kerberos Client version 1.3.5
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain

HP-UX command line operations using the Windows administrator user are authenticated using CRC, and a combination of CRC and MD5 (for the net ads join) encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5. The Windows 2000 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases regardless of the HP-UX enctype configuration.
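As an added example (not HP's or Samba's code) of the diligence the join log in this section calls for, the following script parses the three Samba message shapes quoted in sections 7.4 and 7.5 and reports which enctype actually decrypted the service ticket versus what krb5.conf asked for; the sample log is a condensed copy of the 7.5 excerpts.

```python
"""Triage HP CIFS Server (Samba) log output for Kerberos enctype activity.

Added example, not HP or Samba code. The three message shapes it parses are the
ones quoted in this chapter; SAMPLE_LOG is a condensed copy of the section 7.5
excerpts (net ads join followed by the client's SMB session setup).
"""
import re
from collections import defaultdict

# Enctype numbers as Samba logs them (decimal; the Windows event log shows hex).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated; report them when they carry traffic.
WEAK_ENCTYPES = {1, 2, 3, 23, 24}

# net ads join: the service password was verified against a ticket of this enctype
RE_VERIFY_OK = re.compile(
    r"verify_service_password: decrypted message with enctype (\d+) salt (\S+)!")
# net ads join: the KDC would not issue a ticket for this enctype
RE_TICKET_FAIL = re.compile(
    r"get_service_ticket: krb5_get_credentials for (\S+) enctype (\d+) failed: (.+)")
# SMB session setup: smbd trying each keytab key against the client's service ticket
RE_SESSION = re.compile(
    r"ads_secrets_verify_ticket: enc type \[(\d+)\] "
    r"(decrypted message!|failed to decrypt with error (.+))")


def parse_events(text):
    """Return (stage, enctype, ok, detail) tuples in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if m := RE_VERIFY_OK.search(line):
            events.append(("join", int(m.group(1)), True, m.group(2)))
        elif m := RE_TICKET_FAIL.search(line):
            events.append(("join", int(m.group(2)), False, m.group(3).strip()))
        elif m := RE_SESSION.search(line):
            ok = m.group(2) == "decrypted message!"
            events.append(("session", int(m.group(1)), ok, (m.group(3) or "").strip()))
    return events


def summarize(events):
    """Per-stage outcome table plus the facts that decide the case."""
    tried = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # stage -> enctype -> [ok, failed]
    for stage, etype, ok, _ in events:
        tried[stage][etype][0 if ok else 1] += 1
    session_ok = [e for s, e, ok, _ in events if s == "session" and ok]
    return {
        "tried": {s: dict(t) for s, t in tried.items()},
        "service_ticket_enctype": session_ok[-1] if session_ok else None,
        "join_verified_enctypes": sorted({e for s, e, ok, _ in events if s == "join" and ok}),
        "weak_in_use": sorted({e for s, e, ok, _ in events if ok and e in WEAK_ENCTYPES}),
    }


def config_matches(configured_enctype, summary):
    """True if the krb5.conf enctype name is the one that actually decrypted the service ticket."""
    observed = summary["service_ticket_enctype"]
    return observed is not None and ENCTYPE_NAMES.get(observed) == configured_enctype.lower()


def report(text, configured_enctype):
    """Human-readable triage of one log; returns the lines so callers can check them."""
    s = summarize(parse_events(text))
    lines = []
    for stage, table in s["tried"].items():
        for etype, (ok, failed) in sorted(table.items()):
            name = ENCTYPE_NAMES.get(etype, "unknown")
            lines.append(f"{stage:8} enctype {etype:2} ({name}): {ok} ok, {failed} failed")
    st = s["service_ticket_enctype"]
    lines.append(f"service ticket decrypted with enctype {st} ({ENCTYPE_NAMES.get(st, '?')})")
    if not config_matches(configured_enctype, s):
        lines.append(f"NOTE: krb5.conf says {configured_enctype}; the CIFS service ticket did not use it")
    if s["weak_in_use"]:
        lines.append("deprecated enctypes carrying traffic: "
                     + ", ".join(ENCTYPE_NAMES[e] for e in s["weak_in_use"]))
    return lines


SAMPLE_LOG = """\
[2005/01/31 15:49:01, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/01/31 15:49:01, 5] libads/kerberos.c:get_service_ticket(368)
  get_service_ticket: krb5_get_credentials for host/atcux5@hpatc2000.hp.com enctype 3 failed: No credentials found with supported encryption types
[2005/01/31 15:49:02, 5] libads/kerberos.c:get_service_ticket(368)
  get_service_ticket: krb5_get_credentials for host/atcux5@hpatc2000.hp.com enctype 2 failed: No credentials found with supported encryption types
Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [3] decrypted message!
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "des-cbc-crc")))
```

Run against a real log.netbiosname captured at debug level 10, the report shows in a few lines what the text above asks the reader to dig out by hand: the join verified with CRC, and the service ticket still decrypted only with MD5.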

7.6 Windows 2000 KDC, HP-UX Kerberos 1.3.5, RC4 Session

KINIT RC4-HMAC
Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with RC4-HMAC. This is nice: an expected result for the configuration.

Windows 2003 domain JOIN
Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption due to the krb5.conf configuration. The ticket for hpatcwin2k5$ is DES-CBC-MD5. This is somewhat expected, given that we know Samba requires service tickets in MD5, and Windows likes to encrypt its own services in RC4. What is unexpected for this configuration (RC4-HMAC) is that the command line output indicates that the KDC has no support for the RC4-HMAC enctype, which we know is untrue because the KINIT was successful. Despite the log errors, the CIFS server is joined to the Kerberos realm.

Command line output:

    [2005/02/01 13:35:47, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    [2005/02/01 13:35:47, 0] libads/kerberos.c:get_service_ticket(336)
      get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2000.HP.COM@HPATC2000.HP.COM failed: KDC has no support for encryption type
    [2005/02/01 13:35:47, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    [2005/02/01 13:35:47, 0] libads/kerberos.c:get_service_ticket(336)
      get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2000.HP.COM@HPATC2000.HP.COM failed: KDC has no support for encryption type
    [2005/02/01 13:35:47, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
    [2005/02/01 13:35:47, 2] utils/net.c:main(792)
      return code = 0
    #

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC encryption. This matches all other test cases.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1944) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before successfully using DES-CBC-MD5 [3]. Values are in decimal. Windows event log values are in hex.

RC4 Summary:
    HP-UX 11i
    HP CIFS Server A (Samba with backports)
    HP-UX Kerberos Client version 1.3.5
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain

HP-UX command line operations using the Windows administrator user are authenticated using RC4 encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5. The Windows 2000 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases regardless of the HP-UX enctype configuration.

7.7 Windows 2003 KDC, HP-UX Kerberos 1.0, MD5 Session

KINIT DES-CBC-MD5
Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with RC4-HMAC.

Windows 2003 domain JOIN
Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for hpatcwin2k4$ is RC4-HMAC.

Command line output:

    # net ads join -U administrator%samba
    Using short domain name -- HPATC2003
    [2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:52, 10] lib/util.c:name_to_fqdn(2442)
      name_to_fqdn: lookup for ATCUX5 -> atcux5.hpatc2003.hp.com.
    [2005/02/05 12:15:53, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:15:53, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    Joined 'ATCUX5' to realm 'HPATC2003.HP.COM'

Notice the significantly different log entries compared with W2003 and Kerberos. Although the logging is much different, the result is the same: successfully joined to the domain.

The Windows event for the domain join shows that the encryption type for the ATCUX5 service ticket logon is MD5 (0x3); see the encryption type table in section 7.2.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share

Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.

The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption, which is the Windows 2003 default. Note that this is the opposite of the previous operations (kinit and join), where the administrator user that was specified on the HP-UX command line was authenticated with DES-CBC-MD5 encryption, but the ticket itself was encrypted with RC4-HMAC.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba)

Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1975) is encrypted with DES-CBC-MD5.

The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server only logs the MD5 decryption event in this case. This differs from the behavior observed in the same test when conducted with the newer HP-UX Kerberos Client.

MD5 Summary:

- HP-UX 11i
- HP CIFS Server A (Samba with backports)
- HP-UX Kerberos Client version 1.0
- Windows XP SP1 client
- Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
- HP-UX command line operations using the Windows administrator user are authenticated using MD5 encryption.
- The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
- The Windows 2003 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases, regardless of the HP-UX enctype configuration.

7.8 Windows 2003 KDC, HP-UX Kerberos 1.0, CRC Session

KINIT using DES-CBC-CRC

Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with RC4-HMAC.

Windows 2003 domain Join

Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for hpatcwin2k4$ is RC4-HMAC. The net ads join succeeds using CRC.

Command line output:

    # net ads join -U administrator%samba
    [2005/02/05 12:41:08, 3] libads/ldap.c:ads_workgroup_name(2524)
      Found alternate name 'HPATC2003' for realm 'HPATC2003.HP.COM'
    Using short domain name -- HPATC2003
    [2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:09, 10] lib/util.c:name_to_fqdn(2442)
      name_to_fqdn: lookup for ATCUX5 -> atcux5.hpatc2003.hp.com.
    [2005/02/05 12:41:09, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    [2005/02/05 12:41:09, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.HP.COM!
    Joined 'ATCUX5' to realm 'HPATC2003.HP.COM'

The Windows Event Viewer event for the join is:

[Windows Event Viewer screenshot: domain join event]

The Windows Event logging appears to be in error, because the encryption type shows 0x3, which is MD5, when we know that the actual type is CRC and it is expected to appear as 0x1.

The Kerberos encryption type table shown after the section 7.7 domain join event above applies.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share

Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.

The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption, which is the Windows 2003 default. Note that this is the opposite of the previous operations (kinit and join), where the administrator user that was specified on the HP-UX command line was authenticated with DES-CBC-CRC encryption, but the ticket itself was encrypted with RC4-HMAC.

Of special importance is that the HP-UX /etc/krb5.conf enctype configuration of DES-CBC-CRC for this test case has no relevance for the client user service ticket. CRC is not used at all for this operation, even though it was used for the previous command line operations.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba)

Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 2835) is encrypted with DES-CBC-MD5.

The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [3] decrypted message!

Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share

[Windows Event Viewer screenshot: service ticket request event]

The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).

CRC Summary:

- HP-UX 11i
- HP CIFS Server A (Samba with backports)
- HP-UX Kerberos Client version 1.0
- Windows XP SP1 client
- Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
- HP-UX command line operations using the Windows administrator user are authenticated using CRC encryption.
- The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
- The Windows 2003 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases, regardless of the HP-UX enctype configuration.

7.9 Windows 2003 KDC, HP-UX Kerberos 1.0, RC4 Session

KINIT using RC4-HMAC

Command: kinit administrator

    # kinit administrator
    kinit: No supported encryption types (config file error?) while getting initial credentials

The HP-UX Kerberos Client version 1.0 has no support for the RC4-HMAC encryption type at all.

RC4-HMAC Summary:

- HP-UX 11i
- HP CIFS Server A (Samba with backports)
- HP-UX Kerberos Client version 1.0
- Windows XP SP1 client
- Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
- HP-UX command line operations using the Windows administrator user are invalid with the RC4-HMAC enctype.
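The kinit failure above comes from the krb5.conf enctype lists naming only types the client library cannot use. The following checker, added here as an example and not part of the HP paper, parses the [libdefaults] section of a krb5.conf and compares the configured enctype lists against what a given HP-UX Kerberos Client version handled in the chapter 7 sessions. Assumptions: the standard MIT keys default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes are the ones carrying the enctype configuration; the per-version supported sets are inferred only from the test outcomes in this paper (MD5 and CRC work with 1.0, RC4-HMAC fails with 1.0 and works with 1.3.5) and are not a complete vendor list; the sample configurations are constructed.

```python
"""Check the enctypes configured in an HP-UX /etc/krb5.conf [libdefaults]
section against the enctypes a given Kerberos client library can use."""
import sys

# ASSUMPTION: derived only from the chapter 7 sessions of the HP paper
# (MD5 and CRC work with 1.0; RC4-HMAC fails with 1.0, works with 1.3.5).
# Not a complete list of what either client version supports.
SUPPORTED_BY_CLIENT = {
    "1.0":   {"des-cbc-crc", "des-cbc-md5"},
    "1.3.5": {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"},
}

# Standard MIT krb5.conf [libdefaults] keys that carry enctype lists.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: RC4-only configuration for the HPATC2003 realm.
RC4_ONLY_CONF = """\
[libdefaults]
    default_realm = HPATC2003.HP.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

[realms]
    HPATC2003.HP.COM = {
        kdc = hpatcwin2k4.hpatc2003.hp.com
    }
"""
# Constructed sample: the same file configured for DES-CBC-MD5 instead.
MD5_CONF = RC4_ONLY_CONF.replace("rc4-hmac", "des-cbc-md5")


def parse_libdefaults(conf_text):
    """Return the key/value pairs of [libdefaults], comments stripped.
    Brace-nested blocks (as in [realms]) are skipped by tracking depth."""
    section, depth, values = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].lower(), 0
            continue
        depth += line.count("{") - line.count("}")
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values


def check_enctypes(conf_text, client_version):
    """For each enctype list present, report what is configured and which
    entries the named client version can actually use."""
    supported = SUPPORTED_BY_CLIENT[client_version]
    libdefaults = parse_libdefaults(conf_text)
    report = {}
    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            configured = libdefaults[key].replace(",", " ").lower().split()
            report[key] = {
                "configured": configured,
                "usable": [e for e in configured if e in supported],
            }
    return report


def kinit_would_fail(report):
    """True when an enctype list is set but none of its entries is usable;
    the symptom is 'kinit: No supported encryption types (config file error?)'."""
    return any(r["configured"] and not r["usable"] for r in report.values())


if __name__ == "__main__":
    # Usage: python check_enctypes.py [/etc/krb5.conf] [client-version]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else RC4_ONLY_CONF
    version = sys.argv[2] if len(sys.argv) > 2 else "1.0"
    rep = check_enctypes(conf, version)
    for key, r in rep.items():
        print(f"{key}: configured={r['configured']} usable={r['usable']}")
    print("kinit would fail" if kinit_would_fail(rep) else "kinit enctypes look usable")
```

As the paper's later sessions show, this check only concerns the HP-UX command line operations (kinit, net ads join); the enctype of the Windows client's service ticket is decided by the KDC and the CIFS Server account, not by this file.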

7.10 Windows 2003 KDC, HP-UX Kerberos 1.3.5, MD5 Session

KINIT using DES-CBC-MD5

Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with RC4-HMAC. Notice that this is different from the W2000 and MD5 session, where both the Administrator and the ticket were MD5. W2003 defaults the user to RC4-HMAC.

Windows 2003 domain JOIN

Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for hpatcwin2k4$ is RC4-HMAC.

Command line output:

    # net ads join -U administrator%samba
    [2005/02/05 10:20:23, 5] libads/kerberos.c:get_service_ticket(368)
      get_service_ticket: krb5_get_credentials for cifs/atcux5.hpatc2003.hp.com@hpatc2003.hp.com enctype 1 failed: No credentials found with supported encryption types
    [2005/02/05 10:20:23, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    [2005/02/05 10:20:23, 10] libads/kerberos.c:verify_service_password(466)
      verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@hpatc2003.hp.com!
    [2005/02/05 10:20:23, 5] libads/kerberos.c:get_service_ticket(368)
      get_service_ticket: krb5_get_credentials for cifs/atcux5.hpatc2003.hp.com@hpatc2003.hp.com enctype 2 failed: No credentials found with supported encryption types
    [2005/02/05 10:20:23, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    [2005/02/05 10:20:23, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
    Joined 'ATCUX5' to realm 'HPATC2003.HP.COM'

Note: The trace and log system names do not match for this example, but the data is correct.

The Windows event for the domain join is:

[Windows Event Viewer screenshot: domain join event]

The encryption type for the ATCUX5 service ticket logon is MD5 (0x3).

The Kerberos encryption type table shown after the section 7.7 domain join event above applies.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share

Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.

The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption, which is the Windows 2003 default. Note that this is the opposite of the previous operations (kinit and join), where the administrator user that was specified on the HP-UX command line was authenticated with DES-CBC-MD5 encryption, but the ticket itself was encrypted with RC4-HMAC.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba)

Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 760) is encrypted with DES-CBC-MD5.

The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before succeeding with DES-CBC-MD5 [3]. Values are in decimal; Windows event log values are in hex.

Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share

[Windows Event Viewer screenshot: service ticket request event]

The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).

MD5 Summary:

- HP-UX 11i
- HP CIFS Server A (Samba with backports)
- HP-UX Kerberos Client version
- Windows XP SP1 client
- Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
- HP-UX command line operations using the Windows administrator user are authenticated using MD5 encryption.
- The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
- The Windows 2003 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases, regardless of the HP-UX enctype configuration.

7.11 Windows 2003 KDC, HP-UX Kerberos 1.3.5, CRC Session

KINIT using DES-CBC-CRC

Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with RC4-HMAC.

Windows 2003 domain Join

Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for hpatcwin2k4$ is RC4-HMAC. The net ads join succeeds using CRC.

Command line output:

    # net ads join -U administrator%samba
    Using short domain name -- HPATC2003
    Joined 'ATCUX5' to realm 'HPATC2003.HP.COM'

With debug level 10 on the net ads join there is no log entry that indicates a successful decrypt with enctype 1 (CRC). The join succeeds, and the trace shows the correct CRC enctype on the ticket. Investigation is under way to determine whether this is simply a logging error in Samba.

The Windows Event Viewer event for the join is:

[Windows Event Viewer screenshot: domain join event]

The Windows Event logging appears to be in error, because the encryption type shows 0x3, which is MD5, when we know that the actual type is CRC and it is expected to appear as 0x1.

The Kerberos encryption type table shown after the section 7.7 domain join event above applies.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share

Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.

The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption, which is the Windows 2003 default. Note that this is the opposite of the previous operations (kinit and join), where the administrator user that was specified on the HP-UX command line was authenticated with DES-CBC-CRC encryption, but the ticket itself was encrypted with RC4-HMAC.

Of special importance is that the HP-UX /etc/krb5.conf enctype configuration of DES-CBC-CRC for this test case has no relevance for the client user service ticket. CRC is not used at all for this operation, even though it was used for the previous command line operations.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba)

Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 2597) is encrypted with DES-CBC-MD5.

The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before succeeding with DES-CBC-MD5 [3]. Values are in decimal; Windows event log values are in hex.

Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share

[Windows Event Viewer screenshot: service ticket request event]

The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).

CRC Summary:

- HP-UX 11i
- HP CIFS Server A (Samba with backports)
- HP-UX Kerberos Client version
- Windows XP SP1 client
- Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
- HP-UX command line operations using the Windows administrator user are authenticated using CRC encryption.
- The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
- The Windows 2003 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases, regardless of the HP-UX enctype configuration.

7.12 Windows 2003 KDC, HP-UX Kerberos 1.3.5, RC4 Session

KINIT using RC4-HMAC

Command: kinit administrator

The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption. The ticket for krbtgt/hpatc2003.hp.com is encrypted with RC4-HMAC.

Windows 2003 domain join

Command: net ads join -U administrator%password

The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption. The ticket for hpatcwin2k4$ is RC4-HMAC.

Command line output:

    # net ads join -U administrator%samba
    [2005/02/05 11:50:39, 0] libads/kerberos.c:get_service_ticket(336)
      get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2003.HP.COM@HPATC2003.HP.COM failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 0] libads/kerberos.c:get_service_ticket(336)
      get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2003.HP.COM@HPATC2003.HP.COM failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 0] libads/kerberos.c:get_service_ticket(336)
      get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2003.HP.COM@HPATC2003.HP.COM failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 0] libads/kerberos.c:get_service_ticket(336)
      get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2003.HP.COM@HPATC2003.HP.COM failed: KDC has no support for encryption type
    [2005/02/05 11:50:39, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type
    Joined 'ATCUX5' to realm 'HPATC2003.HP.COM'

Like the net ads join operation for DES-CBC-CRC, the logging data does not show a successful service ticket decryption. Also significant is that for RC4 the logging does not show the attempted enctypes. The join succeeds, so this indicates an even more likely case of logging errors.

Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share

Command: Map Network Drive window, \\atcux5\buffy.

The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5, EVEN THOUGH /ETC/KRB5.CONF ENCTYPE=RC4-HMAC. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.

The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption, which is the Windows 2003 default. Note that this is the opposite of the previous operations (kinit and join), where both the administrator user that was specified on the HP-UX command line and the ticket itself were encrypted with RC4-HMAC.

Of special importance is that the HP-UX /etc/krb5.conf enctype configuration of RC4-HMAC for this test case has no relevance for the client user service ticket. RC4-HMAC is not used for the service ticket; the Samba default of MD5 is. The Windows user encryption is RC4-HMAC, but this is the Windows default, and is not affected by the HP-UX /etc/krb5.conf enctype.

Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba)

Command: none.

The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1606) is encrypted with DES-CBC-MD5.

The HP CIFS Server log entry is (grep crypt log.netbiosname):

    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [3] decrypted message!

Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before succeeding with DES-CBC-MD5 [3]. Values are in decimal; Windows event log values are in hex.

Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share

[Windows Event Viewer screenshot: service ticket request event]

The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).

The Kerberos encryption type table shown after the section 7.7 domain join event above applies.

RC4-HMAC Summary:

- HP-UX 11i
- HP CIFS Server A (Samba with backports)
- HP-UX Kerberos Client version
- Windows XP SP1 client
- Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
- HP-UX command line operations using the Windows administrator user are authenticated using RC4 encryption.
- The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
- The Windows 2003 KDC event *ALWAYS* shows MD5 for the HP CIFS Server share in these test cases, regardless of the HP-UX enctype configuration.

Chapter 8  Support Tools and Common Problems

Kerberos authentication is difficult to troubleshoot. The default data list for troubleshooting Kerberos authentication problems is:

- kinit results
- smb.conf
- krb5.conf
- uname -a
- swlist -l product | grep -i krb
- swlist -l product | grep -i ldap
- smbd -V
- Samba log level 10 for the client session
  o log level = 10
  o log file = /var/opt/samba/log.%m
- net ads join -U username -d 10 (join log at level 10, if possible)
  o Mainly the last 2 pages with the ticket decryption
- net ads status -U username output (mainly the service principals)
- Windows Server version (2000 or 2003)
- Windows client version and Service Pack level
- Wireshark trace
  o This is often the most useful tool

8.1 Support Tools

Most of the useful support tools have been demonstrated throughout this paper. Here is a summary.

8.1.1 kinit

The first step in working with CIFS/Samba and Kerberos is to verify that Kerberos itself is working correctly. An HP-UX kinit must work properly before beginning with CIFS/Samba.

    # kinit administrator
    Password for administrator@hpatc2000.hp.com:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@hpatc2000.hp.com

    Valid starting     Expires            Service principal
    03/29/05 10:28:48  03/29/05 20:26:45  krbtgt/hpatc2000.hp.com@hpatc2000.hp.com
            renew until 03/29/05 20:28:48
    #

A klist will verify that the credentials were loaded into the cache for the KDC service.

8.1.2 klist (HP-UX)

klist at the HP-UX prompt displays the current ticket cache for the session. This is helpful to observe the ticket that is issued from the KDC in the kinit command. See the kinit example above for klist output.

klist is also useful for verifying that a particular user on HP-UX is accessible from the KDC. If a user buffy is attempting a Windows login to the HP CIFS Server, then the user must be able to authenticate. A simple kinit and klist at the HP-UX prompt will verify that Kerberos is working correctly on HP-UX for the user buffy.

Note that the klist tool for a Windows client is a separate tool, and is described later in the tools chapter.

8.1.3 net ads status

net ads status is a Samba 3.0 command line tool. It displays a variety of CIFS Server data as it is configured on the computer object in the Windows Active Directory. The information that we are interested in is:

    distinguishedname: CN=atcux5,CN=Computers,DC=hpatc2000,DC=hp,DC=com
    objectcategory: CN=Computer,CN=Schema,CN=Configuration,DC=hpatc2000,DC=hp,DC=com
    objectclass: top
    objectclass: person
    objectclass: organizationalperson
    objectclass: user
    objectclass: computer
    objectguid: a25630f8-482e-42b7-9a02-0fc0cc21a61f
    objectsid: S
    operatingsystem: Samba
    operatingsystemversion: based HP CIFS Server A
    primarygroupid: 515
    pwdlastset:
    name: atcux5
    samaccountname: atcux5$
    samaccounttype:
    serviceprincipalname: CIFS/atcux5.hpatc2000.hp.com
    serviceprincipalname: CIFS/atcux5
    serviceprincipalname: HOST/atcux5.hpatc2000.hp.com
    serviceprincipalname: HOST/atcux5
    useraccountcontrol:
    userprincipalname: HOST/atcux5@HPATC2000.HP.COM

Of particular interest are the useraccountcontrol (discussed later in the Joining the Domain topic) and the serviceprincipalname attributes. These are the default service principals added by Samba during the domain join. If the service principals are different, the next step is to find out how and why they were added by the ADS administrator.
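The two attributes the paper singles out can be checked mechanically. The following script is an added example, not part of the HP paper or of Samba: it parses the attribute lines printed by net ads status (the same shape ldapsearch prints), verifies that the four default service principals Samba registers for the host (CIFS and HOST, for the short name and the FQDN) are present and reports any extras, and decodes useraccountcontrol into its standard Active Directory flag names. The sample object is constructed from the atcux5 example above; its useraccountcontrol value 69632 and the extra HTTP principal are invented for the demonstration, since the paper's own value did not survive transcription.

```python
"""Audit an HP CIFS Server computer object as printed by net ads status or
ldapsearch: default service principals present, useraccountcontrol decoded."""
import re
import sys

# Standard Active Directory userAccountControl bit flags.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",   # restricts the account's Kerberos keys to DES
    0x00400000: "DONT_REQ_PREAUTH",
}

# Constructed sample modeled on the atcux5 object in the paper. The
# useraccountcontrol value and the HTTP principal are invented for the demo.
SAMPLE = """\
distinguishedName: CN=atcux5,CN=Computers,DC=hpatc2000,DC=hp,DC=com
objectClass: computer
name: atcux5
sAMAccountName: atcux5$
servicePrincipalName: CIFS/atcux5.hpatc2000.hp.com
servicePrincipalName: CIFS/atcux5
servicePrincipalName: HOST/atcux5.hpatc2000.hp.com
servicePrincipalName: HOST/atcux5
servicePrincipalName: HTTP/atcux5.hpatc2000.hp.com
userAccountControl: 69632
userPrincipalName: HOST/atcux5@HPATC2000.HP.COM
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*):\s*(.*?)\s*$")


def parse_attributes(text):
    """Collect 'attribute: value' lines into {attribute_lowercase: [values]}."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
    return attrs


def expected_spns(short_name, fqdn):
    """The default SPNs Samba adds at join time: CIFS and HOST for both names."""
    return {f"{svc}/{name}" for svc in ("CIFS", "HOST") for name in (short_name, fqdn)}


def check_spns(attrs, short_name, fqdn):
    """Return (missing, unexpected) SPNs; SPNs compare case-insensitively."""
    present = attrs.get("serviceprincipalname", [])
    want = expected_spns(short_name, fqdn)
    present_u = {p.upper() for p in present}
    want_u = {w.upper() for w in want}
    missing = {w for w in want if w.upper() not in present_u}
    unexpected = {p for p in present if p.upper() not in want_u}
    return missing, unexpected


def decode_uac(value):
    """Flag names set in a useraccountcontrol integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit(text, short_name, fqdn):
    attrs = parse_attributes(text)
    missing, unexpected = check_spns(attrs, short_name, fqdn)
    raw = attrs.get("useraccountcontrol", [])
    uac = int(raw[0]) if raw and raw[0].isdigit() else None
    return {
        "missing_spns": sorted(missing),
        "unexpected_spns": sorted(unexpected),
        "uac": uac,
        "uac_flags": decode_uac(uac) if uac is not None else [],
        "des_only": uac is not None and bool(uac & 0x00200000),
    }


if __name__ == "__main__":
    # Usage: net ads status -U user | python audit_computer_object.py atcux5 atcux5.hpatc2000.hp.com
    if len(sys.argv) == 3:
        result = audit(sys.stdin.read(), sys.argv[1], sys.argv[2])
    else:
        result = audit(SAMPLE, "atcux5", "atcux5.hpatc2000.hp.com")
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-empty missing_spns list means clients requesting cifs/<name> will not get a usable ticket for this host; des_only reports the flag that pins the account's ticket enctype to DES, which is worth knowing when the KDC event shows an enctype you did not expect.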

8.1.4 ldapsearch

The net ads status command will display the CIFS Server computer object in the Active Directory, assuming that the computer object is in the default location. Many customers design their own directory layout (schema), and so net ads status may not know where to look for the computer object. In that case, you can use the HP-UX ldapsearch tool to find it. ldapsearch is installed with the LDAP-UX Client product, which is a prerequisite for HP CIFS Server. It is located in /opt/ldapux/bin.

Here is an example of an ldapsearch command using the default ADS schema and searching for the atcux4 computer object:

    ldapsearch -h hpatcwin2k1.hpatcdom.hp.com -D "cn=administrator,cn=users,dc=hpatcdom,dc=hp,dc=com" -w samba -b dc=hpatcdom,dc=hp,dc=com "cn=atcux4"

Look for the same data as net ads status provided: the useraccountcontrol (discussed later in the Joining the Domain topic) and the serviceprincipalname.

8.1.5 Samba Logging

Samba logging is enabled by the smb.conf log level = or debug level = parameter (they do the same thing). To view the Kerberos log events, the log level must be set to 10. It is best to configure the logging function to generate a new file for every client connection by setting log file = /var/opt/samba/log.%m.

Default Kerberos Config Logging

For the default Kerberos configuration that uses secrets.tdb for the secret key store, a user logon log file displays a sequence of failed ticket verifications using a non-matching encryption type. It's easiest to grep the logfile for crypt.

    # grep crypt goodsecretslog
    ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_secrets_verify_ticket: enc type [23] decrypted message!

If a decrypted message line is not present, then it is likely that the client password dialog box has popped up requesting a username/password.

Kerberos Keytab Config Logging

For a Kerberos keytab file configuration that uses krb5.keytab for the secret key(s) store, a user logon log file also displays a sequence of failed ticket verifications for non-matching enctypes, but these originate with the keytab verify code. It is easiest to just grep the logfile for principal.

    # grep principal goodkeytablog
    ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request
    ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request
    ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request

94 ads_keytab_verify_ticket: failed: Wrong principal in request ads_keytab_verify_ticket: failed: Wrong principal in request ads_keytab_verify_ticket: failed: Wrong principal in request ads_keytab_verify_ticket: failed: Wrong principal in request ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal If you do not see the keytab succeeded log event, then it is likely that the service principal for the user logon was not found in the keytab file. When CIFS/Samba is configured for keytab, a failed keytab file search will be followed by a search in secrets.tdb for the valid service principal. The log entry will display the keytab search followed by the secrets.tdb search. If the secrets.tdb search is successful, then the log entries look like this: [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) 
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/emonster.rose.hp.com@snslatc.hp.com) failed: Decrypt integrity check failed [2008/10/28 10:33:17, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(147) ads_keytab_verify_ticket: krb5_rd_req failed for all 8 matched keytab principals [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(247) ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(247) ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(247) ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type [2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(239) ads_secrets_verify_ticket: enc type [23] decrypted message! 94
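To make this log reading repeatable, here is an added Python helper (not part of the original paper and not Samba code) that scans level-10 smbd log text for the ads_keytab_verify_ticket and ads_secrets_verify_ticket lines shown above and reports which key store verified the ticket and with which enctype. The log text inside the block is constructed after the entries above; the enctype names come from the standard Kerberos enctype numbers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Kerberos encryption type numbers (RFC 3961 / RFC 4120) for readable output.
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 16: "DES3-CBC-SHA1",
                 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
                 23: "RC4-HMAC"}

# Patterns for the four kinds of verify lines libads/kerberos_verify.c writes.
KEYTAB_FAIL = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\((?P<princ>[^)]+)\) failed: (?P<err>.*)")
KEYTAB_OK = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab succeeded for principal\s*(?P<princ>\S*)")
SECRETS_FAIL = re.compile(r"ads_secrets_verify_ticket: enc type \[(?P<etype>\d+)\] failed")
SECRETS_OK = re.compile(r"ads_secrets_verify_ticket: enc type \[(?P<etype>\d+)\] decrypted message")


@dataclass
class VerifyResult:
    keytab_errors: Dict[str, str] = field(default_factory=dict)  # keytab principal -> last error
    keytab_principal: Optional[str] = None   # keytab principal that verified the ticket
    secrets_failed: List[int] = field(default_factory=list)     # enctypes rejected via secrets.tdb
    secrets_enctype: Optional[int] = None    # enctype that decrypted the ticket from secrets.tdb

    def verdict(self) -> str:
        """One-line conclusion in the terms the troubleshooting text uses."""
        if self.keytab_principal is not None:
            return f"verified from krb5.keytab as {self.keytab_principal}"
        if self.secrets_enctype is not None:
            name = ENCTYPE_NAMES.get(self.secrets_enctype, "unknown")
            return (f"keytab had no usable key ({len(self.keytab_errors)} principals failed); "
                    f"verified from secrets.tdb with enctype {self.secrets_enctype} ({name})")
        return "ticket not verified: expect the bad-password pop-up on the client"


def analyze_verify_log(text: str) -> VerifyResult:
    """Scan smbd log text (log level 10) and record how the service ticket was verified."""
    r = VerifyResult()
    for line in text.splitlines():
        m = KEYTAB_FAIL.search(line)
        if m:
            r.keytab_errors[m.group("princ")] = m.group("err").strip()
            continue
        m = KEYTAB_OK.search(line)
        if m:
            r.keytab_principal = m.group("princ") or "(principal not logged)"
            continue
        m = SECRETS_OK.search(line)
        if m:
            r.secrets_enctype = int(m.group("etype"))
            continue
        m = SECRETS_FAIL.search(line)
        if m:
            r.secrets_failed.append(int(m.group("etype")))
    return r


# Constructed sample, shaped after the keytab-then-secrets.tdb entries above.
SAMPLE_FALLBACK_LOG = """\
[2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request
[2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(111)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/emonster.rose.hp.com@snslatc.hp.com) failed: Decrypt integrity check failed
[2008/10/28 10:33:17, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(147)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 8 matched keytab principals
[2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(247)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2008/10/28 10:33:17, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(239)
  ads_secrets_verify_ticket: enc type [23] decrypted message!
"""

# Constructed sample of the "good keytab" case (the grep output above, with the principal named).
SAMPLE_KEYTAB_OK_LOG = """\
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@snslatc.hp.com) failed: Wrong principal in request
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/emonster.rose.hp.com@snslatc.hp.com
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FALLBACK_LOG, SAMPLE_KEYTAB_OK_LOG, ""):
        print(analyze_verify_log(sample).verdict())
```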

8.1.6 Windows Event Logger

The Windows KDC event logger can be useful just to validate that the client is requesting tickets for the HP CIFS Server service. To enable Security event logging on a KDC, read the instructions at:

The ticket encryption type will usually be 0x3 (MD5), assuming that the krb5.conf file is configured for MD5. If the enctype is not 0x3, then there may be a problem with the userAccountControl attribute on the CIFS Server computer container. See the Joining a Domain topic (8.2.3).

8.1.7 Wireshark

Wireshark is probably the most powerful tool for troubleshooting Kerberos, which should be apparent from the numerous traces shown in the body of this paper. Wireshark is especially useful for displaying exactly what Kerberos data is passed between the HP CIFS Server, the client, and the KDC. Of course, the encrypted keys themselves are not displayed.

The only significant drawback to Wireshark usage is ensuring that it is resident on the customer system. Wireshark binaries can be downloaded from:

The HP-UX Porting and Archive Center
  o Includes 11iv1, 11iv2, 11iv3
Internet Express
  o (11iv2)
  o (11iv3)
  o 11iv1 is only available from HP on the 0803 AR media

The Internet Express package is especially handy because it installs as a .depot file with swinstall. The Wireshark User's Guide is available at:

For basic CIFS-Kerberos tracing, a simple trace and a subsequent display filter will show the packet exchanges that are interesting. Most cases will require tracing between the client and the CIFS server. The numerous trace examples in Chapter 7 use simple IP address filters. Protocol filters are also useful (simply "kerberos", "smb", or maybe "kerberos smb"). Because there are many trace screens already included in this paper, refer to those for filter examples.

8.1.8 Kerbtray

Kerbtray is a Microsoft Windows application that runs on the client and displays the client ticket cache along with details about the tickets that it holds. This data can be very useful for determining that the client is receiving the correct ticket information from the KDC. Observe the examples below:

The client buffy received the krbtgt (Kerberos ticket-granting-ticket service) ticket from the KDC. You can see that the client holds a ticket for the machine name, too (remember that the client tries to open the CIFS Server share as a machine name principal first, gets rejected, and tries again as the user).

The kerbtray tool shows that the enctype is RC4 for both the ticket that we received and the key. We already know that this is the default for Windows 2003 domains (part of the security lockdown). Next, the CIFS Server share is mounted.

The kerbtray tool shows the new ticket for cifs/atcux5. This is the ticket for the HP CIFS Server.

As we know from our other data collection, the HP CIFS Server enctype is MD5. Here, kerbtray shows the enctype for both the ticket and the key to be MD5.

Kerbtray is easy to download from Microsoft and install. The Microsoft website is:

This data will be especially useful in troubleshooting cases where the ADS schema is customized, and where principals are added manually (not necessarily with the Samba net tool).

8.1.9 Klist (Windows client)

Klist.exe is a Microsoft Windows tool that runs on the client and allows the user to purge (delete) their tickets. It also displays the ticket cache, but kerbtray is a much better utility for that task.

Purging the ticket cache is useful when troubleshooting. A client Kerberos ticket has a lifetime associated with it, and when reproducing a problem the client may not request a new ticket on subsequent transactions if the lifetime has not expired (the default lifetime is 10 hours). To purge the ticket cache and force the client to request a new ticket, run klist.exe. Here is a typical dialogue, where the klist options are <tgt | tickets | purge>:

The TGT option displays the cached ticket-granting-ticket for the session.

The TICKETS option displays the currently cached tickets for the session. The PURGE option prompts the user to purge the cached tickets for the session.

When duplicating client logins for a CIFS Server and observing the TGS (ticket-granting service) ticket for the client, you will need to purge the TGS ticket from the client unless its lifetime has already expired. For more data about klist.exe, go to the Microsoft website:

8.2 Common Problems

HP CIFS Server A.02.01, based upon Samba 3.0 with Kerberos authentication, has been available since December 15th. Most of the common problems identified below have been observed in testing done by various internal HP organizations. Some have originated at customer sites. This is not an exhaustive list.

Always ensure that an HP-UX kinit is successful before addressing Samba configurations. The underlying HP-UX Kerberos authentication must be working correctly, or Samba will not work with it.

Many of the common problems exhibit the exact same symptom, the bad-password pop-up:

The expected behavior is that when the user maps a share, the operation completes normally and the file explorer for that share is displayed. Using Kerberos, the user does not have to enter a password because the client obtains a ticket for the CIFS service from the KDC and presents it to the CIFS Server, which completes the authentication. When the authentication fails, the user-password dialog box is displayed for the user to try again. This failure can result from a multitude of problems, but the symptom is the same. For simplicity, this symptom will be referred to as the bad-password pop-up.

8.2.1 Wrong Kerberos Libraries

Symptom
If the HP-UX Kerberos version does not support a particular operation (keytab support) or encryption type (RC4-HMAC), the symptom could be the bad-password pop-up. Another symptom is a failed kinit.

Problem
The Kerberos library version could be out of date for the attempted operation. The following table summarizes the library versions and their functionality:

                             Windows 2000 Adv Server   Windows 2003 Adv Server   Windows 2003R2 Adv Server
                             (no hotfixes)             (no hotfixes)             (no hotfixes)

HP-UX Kerberos 1.0           DES-CBC-CRC: Works        DES-CBC-CRC: Works        Not Available
                             DES-CBC-MD5: Works        DES-CBC-MD5: Works
                             RC4-HMAC: unsupported     RC4-HMAC: unsupported
                               enc type                  enc type
                             Keytab: unsupported       Keytab: unsupported

HP-UX Kerberos               DES-CBC-CRC: Works        DES-CBC-CRC: Works        DES-CBC-CRC: Works
  Default on 11iv1 and       DES-CBC-MD5: Works        DES-CBC-MD5: Works        DES-CBC-MD5: Works
  11iv2                      RC4-HMAC: Works           RC4-HMAC: Works           RC4-HMAC: Works
  Available on               Keytab: Works             Keytab: Works             Keytab: Works

HP-UX Kerberos (D or E)      Not Available             DES-CBC-CRC: Works        DES-CBC-CRC: Works
  Default on 11iv3                                     DES-CBC-MD5: Works        DES-CBC-MD5: Works
  Available on                                         RC4-HMAC: Works           RC4-HMAC: Works
                                                       Keytab: Works             Keytab: Works

To display the Kerberos library version:

# swlist -l product | grep krb

Resolution
Update the Kerberos libraries. Current versions are available from HP and are installable with swinstall.

8.2.2 Invalid /etc/krb5.conf File

Symptom
Kinit failure. Often:

kinit(v5): No supported encryption types (config file error?) while getting initial credentials

Or net ads join failure (failed to join domain). Or bad-password pop-up.

Problem
Many problems can occur in krb5.conf: bad enctypes, bad syntax, bad realms.

Resolution
The obvious tactic is to compare the existing krb5.conf with a known good file. A basic configuration (smb.conf and krb5.conf) is:

/etc/opt/samba/smb.conf

[global]
    workgroup = HPATC2003
    realm = HPATC2003.HP.COM
    netbios name = atcux5
    server string = Samba Server
    interfaces =
    bind interfaces only = Yes
    security = ADS
    password server = hpatcwin2k4.hpatc2003.hp.com

/etc/krb5.conf

[libdefaults]
    default_realm = HPATC2003.HP.COM
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5

[realms]
    HPATC2003.HP.COM = {
        kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
        admin_server = HPATCWIN2K4.HPATC2003.HP.COM
    }

[domain_realm]
    .hp.com = HPATC2003.HP.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Common mistakes are omitting the leading "." in the domain_realm entry, and using lower case for the realms. The realm in smb.conf must match the realm in krb5.conf.

8.2.3 Joining a Domain

Multiple errors may occur when joining a domain.

Symptom-1
# net ads join -U eroseme
eroseme's password:
[2005/03/18 09:13:37, 0] libads/ldap.c:ads_add_machine_acct(1366)
  ads_add_machine_acct: Host account for atcux5 already exists - modifying old account
[2005/03/18 09:13:37, 0] libads/ldap.c:ads_join_realm(1725)
  ads_join_realm: ads_add_machine_acct failed (atcux5): Insufficient access
ads_join_realm: Insufficient access

Problem-1
The username specified on net ads join -U username does not have the privileges required to join the domain.

Resolution-1
Use a user that has administrator privileges. Using Administrator itself is not required; other users can be assigned Administrator rights in various ways.

Symptom-2
# kinit administrator
kinit(v5): No supported encryption types (config file error?) while getting initial credentials

Problem-2
Probably the enctype is not supported by the HP-UX Kerberos libraries.

Resolution-2
Change the krb5.conf enctype to MD5 or CRC, or update the HP-UX Kerberos libraries.

Symptom-3
The bad-password pop-up happens continually and all known fixes have been applied.

Problem-3
The HP CIFS Server computer object may have been added to the ADS domain using the domain controller Users and Computers MMC prior to doing a net ads join.

Do not do this when smb.conf has security = ads. Samba requires a particular value in the computer object's directory attribute UserAccountControl in order to implement Kerberos correctly. The net ads join command inserts the correct value into this attribute; the Windows MMC inserts an incorrect value. All further Kerberos authentication attempts will then fail, resulting in the bad-password pop-up.

Resolution-3
Delete the computer object from the domain (net ads leave) and add the computer correctly using net ads join -U username.

Symptom-4
The net ads join -U administrator fails with a log message:

spnego_gen_negtokentarg failed: Clock skew too great
failed kerberos session setup with Clock skew too great
ads_krb5_mk_req: krb5_get_credentials failed for hpatcwin2k4$@hpatc2003.hp.com (Clock skew too great)

OR

During a client logon the bad-password pop-up appears, and the log file shows the clock skew message from above.

OR

The kinit administrator fails.

Problem-4
The HP-UX server clock and the Windows KDC clock are not in sync. The Kerberos authentication protocol includes a timestamp in the encrypted authentication exchange, and if the clocks are out of sync, the authentication fails.

Resolution-4
Set the system clocks to be in sync. If this does not work, then use the clockskew parameter in the krb5.conf file to allow a larger window of clock error:

[libdefaults]
    default_realm = SNSLATC.HP.COM
    #default_tkt_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
    #default_tgs_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5
    ccache_type = 2
    clockskew =

Chapter 9 Kerberos High Availability Integration

HP CIFS Server is commonly configured as a node in a highly available HP-UX ServiceGuard cluster. For deployments that run with security = ads, that usually means that users are authenticated using Kerberos against a Windows Key Distribution Center (KDC) domain controller.

By default, the ServiceGuard configuration has no influence upon the Kerberos authentication mechanism. In fact, since the HP-UX host takes no part in the accessing client's TGS ticket acquisition, the Kerberos authentication mechanism is especially flexible for HA failover. However, for HP-UX application co-existence as described in Chapter 5, the use of the /etc/krb5.keytab file is required. Since this is a static file that holds Kerberos keys to be used by the local HP-UX system and/or CIFS Server, these specific keys must be available on all nodes in a failover environment.

When the smb.conf file has use Kerberos keytab = yes, then the /etc/krb5.keytab file must be modified to allow the failover package to run on any adoptive node in the cluster. This holds true for HP-UX logins as well as HP CIFS Server client logins.

The HP CIFS Server Administration Guide devotes an entire chapter to Configuring HA HP CIFS. The recommended configuration is to locate all of the HP CIFS Server configuration files on the shared logical volume. This presents a problem with HP-UX system configuration files that are system-global in usage, and for /etc/krb5.keytab in particular.

For CIFS usage with Kerberos, each system that is joined to a domain as a member server has a Kerberos secret key that is resident on the KDC and on the HP-UX member server. By default the member server holds this key in the /var/opt/samba/private/secrets.tdb tiny database file. With use Kerberos keytab = yes in smb.conf, the secret keys are not placed in secrets.tdb and instead are associated with service principal keys in /etc/krb5.keytab. This configuration migrates the authentication key from a CIFS/Samba-only repository to an HP-UX system repository.

NOTE: Configuring HP CIFS Server for HA when security = ads and the default Kerberos configuration (utilizing secrets.tdb) requires no special HA configuration tasks. Simply follow the HP CIFS Server Admin Guide HA configuration instructions.

For HP-UX system usage, the Kerberos secret keys are always kept in krb5.keytab. Therefore, moving an /etc/krb5.keytab file with the package on the shared volume is not possible, because there is one file for each system, or ServiceGuard node. The alternative is to merge the krb5.keytab files of all the systems (nodes) in the cluster together, and distribute the merged file to all of the nodes. This way, the service principals for all system logons (cifs or host) are always available during failover.

In addition, the CIFS Server requires the member server SID that resides in the secrets.tdb file for user authentication. Even though smb.conf may be configured for use Kerberos keytab = yes, the secrets.tdb file must be located on the shared volume and migrated with the package for failover. This will not require any additional effort, because /var/opt/samba/private (the location of secrets.tdb) should always be migrated anyway.

WARNING: Whenever a net ads join command is executed on any CIFS server in the ServiceGuard cluster, it changes the secret key on the KDC. A new krb5.keytab must be generated on that CIFS server to match the service principal keys with the KDC. With the merged-keytab file technique, all of the krb5.keytab files in the cluster must then be replaced with new versions that are merged with the newly generated krb5.keytab file from the recently joined CIFS server.

9.1 CIFS HA Kerberos Configuration

Follow the directions in Chapter 5 for the configuration of CIFS and the Kerberos keytab file. A keytab file must be generated for each member server in the cluster.

1. Copy each member server krb5.keytab file to a single directory on an HP-UX work system. Append the server uname to each krb5.keytab file name to make it unique:

# ll /home/keytab_work
total 64
-rw  root  sys  Oct 28 15:27 krb5.keytab.atcux14
-rw  root  sys  Oct 28 15:27 krb5.keytab.emonster
#

2. Run ktutil, read in the member server krb5.keytab files, then write them to a merged krb5.keytab file:

# ktutil
ktutil: rkt krb5.keytab.atcux14
ktutil: rkt krb5.keytab.emonster
ktutil: wkt krb5.keytab.merged
ktutil: quit
#
# ll /home/keytab_work
total 128
-rw  root  sys  Oct 28 15:27 krb5.keytab.atcux14
-rw  root  sys  Oct 28 15:27 krb5.keytab.emonster
-rw  root  sys  Oct 28 15:34 krb5.keytab.merged
#

3. Copy krb5.keytab.merged to /etc/krb5.keytab on every system in the cluster.

9.2 Testing the Merged Keytab Files

The following HP-UX and HP CIFS Server configuration was used for these tests:

HP-UX 11iv3
  o pam_kerberos
  o nsswitch ldap passwd/group
  o Kerberos Client E
  o LDAP-UX Client B
HP CIFS Server A
Windows 2003R2 Active Directory Unified Login Domain Model
  o SFU 3.5
  o HP-UX users hosted on the AD with RFC 2307 UNIX attributes

1. Test local HP-UX logins with an AD-resident user. Test all nodes in the cluster. One way to verify that the Kerberos login worked correctly is to run a Wireshark trace on the KDC and locate the TGS Reply packet with the correct HP-UX server principal:

Note the username Buffy and the host/emonster.rose.hp.com service principal. This proves that the host service principal key resident in the merged keytab file is valid.

2. Test CIFS Server logins with a Windows AD user. Use a Windows user from the domain to mount a share on the HP CIFS Server. To use Wireshark to verify the login, two traces must be taken: one between the client and the KDC, to observe that the TGS ticket is correctly issued; and another between the client and the HP CIFS Server, to observe the client presenting the ticket to the server, the ticket being validated, and share access being allowed.

Note that the Windows client has received a TGS ticket very similar to the one from the HP-UX user login, but the service principal for this login is cifs/emonster.rose.hp.com. This proves that the cifs service principal key resident in the merged keytab file is valid.

Next, the client must present the TGS ticket to the CIFS Server:

The CIFS Server accepts the ticket for the cifs/emonster.rose.hp.com service principal and the login proceeds.

Another validation option is to observe the KDC security event for the TGS request for the CIFS service principal:

This event shows that the client was issued a ticket for emonster.

3. Test with HP-UX Internet Services: ftp, telnet, rlogin, etc. ftp has the best error reporting, so the following example uses ftp to illustrate the use of the krb5.keytab file for the ftp login service principal:

ftp> open emonster
Connected to emonster.rose.hp.com.
220 emonster.rose.hp.com FTP server (Revision 4.0 Version wuftpd2.6.1 Wed Jun 18 07:11:14 GMT 2008) ready.
Error initializing security using principal 'ftp@emonster.rose.hp.com': Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
Security initialized using principal 'host@emonster.rose.hp.com' instead.
Name (emonster:buffy):
232 User buffy logged in, authorized by security data exchange.
200 Commands and data are only sent in a non-secure manner.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Secure Internet Services ftp by default looks for the ftp/fqdn service principal in the krb5.keytab file. However, CIFS/Samba built the keytab file from the Computer object that was added to the AD, and CIFS/Samba does not create an ftp principal, so it does not exist in the krb5.keytab file. When ftp searches for it, it is not found, but ftp then retries with the host/fqdn service principal. This is the same service principal that is used for HP-UX logins, so the retry is successful. A Wireshark trace shows this behavior:

Here the ftp SP is rejected as PRINCIPAL UNKNOWN because it does not exist in the keytab file.

Next, ftp retries with the host principal and the authentication succeeds.

9.3 Examining the Merged krb5.keytab File

CIFS/Samba builds a keytab file using 7 different encryption types for every service principal, and creates multiple entries for each service principal based upon case (see Chapter 5). This results in many keys residing in krb5.keytab. When merging krb5.keytab files from multiple systems in a ServiceGuard cluster, the file becomes even larger. For example, the merged keytab file for these 2 test servers has 364 keys. The ktutil tool (see Chapter 8) can be useful for deleting unused keys from the krb5.keytab file.
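To see what such a merged file actually holds, here is an added Python example (not from the paper, and using no HP or Samba code) that serializes and parses the MIT keytab v2 binary format used by /etc/krb5.keytab, skips deleted slots, and summarizes keys per principal and the case-variant duplicates the text describes. The principals, enctypes and zero-filled keys inside are constructed; atcux14's domain name is an assumption.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502 (all fields big-endian)
KRB5_NT_PRINCIPAL = 1

Entry = Tuple[str, int, int, int]   # (principal, kvno, enctype, key length)


def _cstr(data: bytes) -> bytes:
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialize one keytab entry; principal is given as 'svc/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, 8-bit kvno
    body += struct.pack(">H", enctype) + _cstr(key)                          # keyblock
    body += struct.pack(">I", kvno)                                          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def delete_entry(entry: bytes) -> bytes:
    """Mark a serialized entry as a deleted slot (negative size), as krb5_kt_remove_entry does."""
    size, = struct.unpack_from(">i", entry, 0)
    return struct.pack(">i", -size) + entry[4:]


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def _read_cstr(data: bytes, pos: int) -> Tuple[bytes, int]:
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[Entry]:
    """Walk a v2 keytab and return (principal, kvno, enctype, key length) for each live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, = struct.unpack_from(">H", data, pos)
        key, pos = _read_cstr(data, pos + 2)
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno is present only if 4+ bytes remain in the entry
            kvno, = struct.unpack_from(">I", data, pos)
        pos = end
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
    return out


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Count keys, list enctypes per principal, and group principals that differ only by case."""
    per_principal: Dict[str, set] = defaultdict(set)
    for princ, _kvno, enctype, _ in entries:
        per_principal[princ].add(enctype)
    by_case: Dict[str, List[str]] = defaultdict(list)
    for princ in per_principal:
        by_case[princ.lower()].append(princ)
    return {"keys": len(entries),
            "principals": dict(per_principal),
            "case_variants": {k: sorted(v) for k, v in by_case.items() if len(v) > 1}}


# Constructed sample: two cluster members (emonster from the page; atcux14's domain is assumed),
# host/ and cifs/ principals plus an upper-case HOST/ variant, three of Samba's seven enctypes,
# and zero-filled keys (never real key material).
ENCTYPES = [1, 3, 23]
SAMPLE_ENTRIES = [(f"{svc}/{host}@SNSLATC.HP.COM", 2, et, bytes(8))
                  for host in ("atcux14.rose.hp.com", "emonster.rose.hp.com")
                  for svc in ("host", "cifs", "HOST")
                  for et in ENCTYPES]

if __name__ == "__main__":
    report = summarize(parse_keytab(build_keytab(SAMPLE_ENTRIES)))
    print(report["keys"], "keys;", len(report["principals"]), "principals;",
          "case variants:", report["case_variants"])
```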


More information

Authenticating Devices

Authenticating Devices Authenticating Devices Cisco TelePresence Deployment Guide Cisco VCS X6.1 D14819.01 May 2011 Contents Contents Document revision history... 4 Introduction... 5 Local database... 6 Configuration... 6 H.350

More information

Kerberos-enabled applications. Core services for UNIX shell programs and applications. Kerberos environment. Centrify DirectControl Service Library

Kerberos-enabled applications. Core services for UNIX shell programs and applications. Kerberos environment. Centrify DirectControl Service Library Understanding Centrify DirectControl Agents The Centrify DirectControl Agent makes a UNIX, Linux, or Mac OS X computer look and behave like a Windows client computer to Active Directory. The Centrify DirectControl

More information

Secure Unified Authentication for NFS

Secure Unified Authentication for NFS Technical Report Secure Unified Authentication for NFS Kerberos, NFSv4, and LDAP in Clustered Data ONTAP Justin Parisi, NetApp July 2015 TR-4073 Abstract This document explains how to configure NetApp

More information

Data, Avdeling for ingeniørutdanning, Høgskolen i Oslo

Data, Avdeling for ingeniørutdanning, Høgskolen i Oslo Data, Avdeling for ingeniørutdanning, Text is Copyright 2010, Exponential Consulting, All rights reserved. These slides and the derived PDF file may be freely shared as long as they are unmodified and

More information

MIT Kerberos & Red Hat

MIT Kerberos & Red Hat MIT Kerberos & Red Hat Past, Present and Future Dmitri Pal Sr. Engineering Manager, Red Hat Inc. October 2012 Agenda MIT Kerberos and Red Hat involvement Project details Future plans Context Red Hat has

More information

Updates from MIT Kerberos

Updates from MIT Kerberos 27 March, 2014 krb5-1.9 krb5-1.10 Ancient History krb5-1.9 krb5-1.10 krb5-1.11 features krb5-1.12 features krb5-1.9 krb5-1.10 Features released before EAKC 2012 krb5 1.9 December 2010 krb5 1.10 January

More information

VAS 2.6 ADMINISTRATION GUIDE

VAS 2.6 ADMINISTRATION GUIDE VAS 2.6 ADMINISTRATION GUIDE SEPTEMBER 2004 Copyright c 2003, 2004 Vintela, Inc. All Rights Reserved. Legal Notice Vintela documents are protected by the copyright laws of the United States and International

More information

Understanding the Local KDC

Understanding the Local KDC Appendix C Understanding the Local KDC The local Key Distribution Center (LKDC) facilitates single sign-on for Apple Filing Protocol (AFP) file sharing and screen sharing, and although it is outside the

More information

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2017 R1 Update Rollup 1

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2017 R1 Update Rollup 1 White Paper Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System Fabasoft Folio 2017 R1 Update Rollup 1 Copyright Fabasoft R&D GmbH, Linz, Austria, 2018. All rights reserved.

More information

User Databases. ACS Internal Database CHAPTER

User Databases. ACS Internal Database CHAPTER CHAPTER 12 The Cisco Secure Access Control Server Release 4.2, hereafter referred to as ACS, authenticates users against one of several possible databases, including its internal database. You can configure

More information

INUVIKA TECHNICAL GUIDE

INUVIKA TECHNICAL GUIDE Version 1.7 July 10, 2018 Passing on or copying of this document, use and communication of its content not permitted without Inuvika written approval PREFACE This document explains the steps to implement

More information

QuickSpecs. HP Advanced Server V5.1B-5 for UNIX. Overview. Retired

QuickSpecs. HP Advanced Server V5.1B-5 for UNIX. Overview. Retired Overview The Advanced Server for UNIX (ASU) software is a Tru64 UNIX layered application that provides seamless interoperability between systems running the Tru64 UNIX operating system software and systems

More information

TIBCO ActiveMatrix BPM Single Sign-On

TIBCO ActiveMatrix BPM Single Sign-On TIBCO ActiveMatrix BPM Single Sign-On Software Release 4.1 May 2016 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED

More information

Pentaho, Linux, and Microsoft Active Directory Authentication with Kerberos

Pentaho, Linux, and Microsoft Active Directory Authentication with Kerberos Pentaho, Linux, and Microsoft Active Directory Authentication with Kerberos Change log (if you want to use it): Date Version Author Changes Contents Overview... 1 Before You Begin... 1 Setting Up the Domain

More information

Centralized Authentication with Kerberos 5, Part I

Centralized Authentication with Kerberos 5, Part I 1 of 8 6/18/2006 7:26 PM Centralized Authentication with Kerberos 5, Part I Alf Wachsmann Abstract Kerberos can solve your account administration woes. Account administration in a distributed UNIX/Linux

More information

Spring Security Kerberos - Reference Documentation

Spring Security Kerberos - Reference Documentation Spring Security Kerberos - Reference Documentation 1.0.1.RELEASE Janne Valkealahti Pivotal Copyright 2015 Pivotal Software, Inc. Copies of this document may be made for your own use and for distribution

More information

Cross-realm trusts with FreeIPA v3

Cross-realm trusts with FreeIPA v3 Cross-realm trusts with FreeIPA v3 Alexander Bokovoy, Andreas Scheider Alexander Bokovoy about:me Member of Samba Team since 2003 Principal Software Engineer, Red Hat FreeIPA project Andreas Schneider

More information

Breaking and Fixing Public-Key Kerberos

Breaking and Fixing Public-Key Kerberos Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad ASIAN 06 December

More information

Configuring and Troubleshooting MS DFS links in an HP CIFS Server (Samba) Environment

Configuring and Troubleshooting MS DFS links in an HP CIFS Server (Samba) Environment Configuring and Troubleshooting MS DFS links in an HP CIFS Server (Samba) Environment Executive summary... 2 What IS MS DFS?... 2 Configuring MS DFS on HP CIFS Server... 2 Test environment... 2 Configuration

More information

Event Monitoring Service Version A Release Notes for HP-UX 11i

Event Monitoring Service Version A Release Notes for HP-UX 11i Event Monitoring Service Version A.03.20.01 Release Notes for HP-UX 11i Manufacturing Part Number: B7609-90015 December 2000 Legal Notices The information contained in this document is subject to change

More information

Supported File and File System Sizes for HFS and VxFS (JFS)

Supported File and File System Sizes for HFS and VxFS (JFS) Technical Whitepaper Supported File and File System Sizes for HFS and VxFS (JFS) Enterprise Group, Operating Systems Technology Lab V 1.0 July 2017 Legal Notices The information contained herein is subject

More information

How to Integrate an External Authentication Server

How to Integrate an External Authentication Server How to Integrate an External Authentication Server Required Product Model and Version This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above, and to all Barracuda

More information

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book] Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document

More information

NetApp AltaVault Cloud-Integrated Storage Appliances

NetApp AltaVault Cloud-Integrated Storage Appliances Technical Report NetApp AltaVault Cloud-Integrated Storage Appliances SMB Deployment Guide Christopher Wong, NetApp April 2017 TR-4511 Abstract This SMBv3 deployment and troubleshooting guide provides

More information

KERBEROS PARTY TRICKS

KERBEROS PARTY TRICKS KERBEROS PARTY TRICKS Weaponizing Kerberos Protocol Flaws Geoffrey Janjua Who is Exumbra Operations Group? Security services and consulting Specialized services: Full scope red-team testing, digital and

More information

Powerful and Frictionless Storage Administration

Powerful and Frictionless Storage Administration Powerful and Frictionless Storage Administration Configuration Guide 2012-2014 SoftNAS, LLC Table of Contents Overview...3 Server Components...4 Kerberos Authentication...5 Prerequisites...6 Configuration

More information

HPSA Extension Pack. Snmp Tool User Reference. Release v.5.1

HPSA Extension Pack. Snmp Tool User Reference. Release v.5.1 Release v.5.1 Legal Notices Warranty. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for

More information

Veritas NetBackup Appliance Security Guide

Veritas NetBackup Appliance Security Guide Veritas NetBackup Appliance Security Guide Release 2.7.3 NetBackup 52xx and 5330 Veritas NetBackup Appliance Security Guide Document version: 2.7.3 Legal Notice Copyright 2016 Veritas Technologies LLC.

More information

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008 Kerberos Pehr Söderman Pehrs@kth.se Natsak08/DD2495 CSC KTH 2008 Project Athena Started 1983 at MIT 10 000 workstations 1000 servers Unified enviroment Any user, any workstation, any server, anywhere...

More information

Guide to Windows 2000 Kerberos Settings

Guide to Windows 2000 Kerberos Settings Report Number: C4-018R-01 Guide to Windows 2000 Kerberos Settings Architectures and Applications Division of the Systems and Network Attack Center (SNAC) Author: David Opitz Updated: June 27, 2001 Version

More information

Configuring NFSv4 on SUSE Linux Enterprise 10

Configuring NFSv4 on SUSE Linux Enterprise 10 Technical White Paper DATA CENTER www.novell.com Configuring NFSv4 on SUSE Linux Enterprise 10 Setup Guide Enhancing Client Performance for Narrow Data-sharing Applications on High-bandwidth Networks This

More information

Kerberos MIT protocol

Kerberos MIT protocol Kerberos MIT protocol December 11 th 2009 Amit Shinde Kerberos MIT protocol Motivation behind the design Overview of Kerberos Protocol Kerberized applications Attacks and Security analysis Q & A Motivations

More information

Kerberos V5. Raj Jain. Washington University in St. Louis

Kerberos V5. Raj Jain. Washington University in St. Louis Kerberos V5 Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/ 11-1

More information

Breaking and Fixing Public-Key Kerberos

Breaking and Fixing Public-Key Kerberos Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad Qatar University

More information

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M Topics: TACACS+ Authentication for Centralized Control of Switch Access Security (page 7) CDP (page

More information

IBM Security Access Manager v8.x Kerberos Part 2

IBM Security Access Manager v8.x Kerberos Part 2 IBM Security Access Manager open mic webcast - Oct 27, 2015 IBM Security Access Manager v8.x Kerberos Part 2 Kerberos Single Sign On using Constrained Delegation Panelists Gianluca Gargaro L2 Support Engineer

More information

Advanced Clientless SSL VPN Configuration

Advanced Clientless SSL VPN Configuration Microsoft Kerberos Constrained Delegation Solution, page 1 Configure Application Profile Customization Framework, page 7 Encoding, page 11 Use Email over Clientless SSL VPN, page 13 Microsoft Kerberos

More information

Virtual Recovery Assistant user s guide

Virtual Recovery Assistant user s guide Virtual Recovery Assistant user s guide Part number: T2558-96323 Second edition: March 2009 Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company makes no warranty of any kind

More information

setup cross realm trust between two MIT KDC to access and copy data of one cluster from another if the cross realm trust is setup correctly.

setup cross realm trust between two MIT KDC to access and copy data of one cluster from another if the cross realm trust is setup correctly. ####################################################### # How to setup cross realm trust between two MIT KDC ####################################################### setup cross realm trust between two

More information

Windows AD Single Sign On

Windows AD Single Sign On Windows AD Single Sign On Firstly, let s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs: Step 1 Domain Name: DOMAIN (FQDN:

More information

Subversion Plugin HTTPS Kerberos authentication

Subversion Plugin HTTPS Kerberos authentication Subversion Plugin HTTPS Kerberos authentication Introduction Prerequisites Configure the Oracle JRE with Java Cryptography Extension (JCE) Server certificates Prepare and test the domain account Linux

More information

Network Working Group. Category: Informational Cisco Systems J. Brezak Microsoft February 2002

Network Working Group. Category: Informational Cisco Systems J. Brezak Microsoft February 2002 Network Working Group Request for Comments: 3244 Category: Informational M. Swift University of Washington J. Trostle Cisco Systems J. Brezak Microsoft February 2002 Status of this Memo Microsoft Windows

More information

Installing Enterprise Switch Manager

Installing Enterprise Switch Manager Installing Enterprise Switch Manager NN47300-300 Document status: Standard Document version: 0401 Document date: 26 March 2008 All Rights Reserved The information in this document is subject to change

More information

SINGLE SIGN ON. The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server.

SINGLE SIGN ON. The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server. SINGLE SIGN ON The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server. Content 1 Preconditions... 2 1.1 Required Software... 2 1.2 Required

More information

Cisco IOS HTTP Services Command Reference

Cisco IOS HTTP Services Command Reference Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

SAS Grid Manager and Kerberos Authentication

SAS Grid Manager and Kerberos Authentication SAS Grid Manager and Kerberos Authentication Learn the considerations for implementing Kerberos authentication so you can submit workload to SAS Grid Manager. SAS Grid Manager and Kerberos Authentication

More information

NTLM NTLM. Feature Description

NTLM NTLM. Feature Description Feature Description VERSION: 6.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo are registered

More information

One Identity Safeguard for Privileged Sessions 5.9. Remote Desktop Protocol Scenarios

One Identity Safeguard for Privileged Sessions 5.9. Remote Desktop Protocol Scenarios One Identity Safeguard for Privileged Sessions 5.9 Remote Desktop Protocol Scenarios Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Overview of Kerberos(I)

Overview of Kerberos(I) Overview of Kerberos(I) Network Authentication Protocol for C/S application based on symmetric cryptosystem TTP authentication service Based on secret key, single login Part of MIT's project Athena (public

More information

SonicWall Directory Connector with SSO 4.1.6

SonicWall Directory Connector with SSO 4.1.6 SonicWall Directory Connector with SSO 4.1.6 November 2017 These release notes provide information about the SonicWall Directory Connector with SSO 4.1.6 release. Topics: About Directory Connector 4.1.6

More information

Configuring Kerberos

Configuring Kerberos Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption

More information

EView/400i Management for HP BSM. Operations Manager i

EView/400i Management for HP BSM. Operations Manager i EView/400i Management for HP BSM Operations Manager i Concepts Guide Software Version: 7.00 July 2015 Legal Notices Warranty EView Technology makes no warranty of any kind with regard to this document,

More information

Configuring Hadoop Security with Cloudera Manager

Configuring Hadoop Security with Cloudera Manager Configuring Hadoop Security with Cloudera Manager Important Notice (c) 2010-2015 Cloudera, Inc. All rights reserved. Cloudera, the Cloudera logo, Cloudera Impala, and any other product or service names

More information

Active Directory Attacks and Detection

Active Directory Attacks and Detection Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos This talk is Based on Tim Madin

More information

NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO) NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO) Document ID: 97251 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat

MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat Andreas Schneider Günther Deschner May 21th, 2015 Who we are? We both are Samba Team members work for on Samba love rock climbing and love Frankonian beer (an important part

More information

DoD Common Access Card Authentication. Feature Description

DoD Common Access Card Authentication. Feature Description DoD Common Access Card Authentication Feature Description UPDATED: 20 June 2018 Copyright Notices Copyright 2002-2018 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies

More information

Kerberos Constrained Delegation. Kerberos Constrained Delegation. Feature Description

Kerberos Constrained Delegation. Kerberos Constrained Delegation. Feature Description Kerberos Constrained Delegation Feature Description VERSION: 9.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies

More information

Agilent OpenLAB ECM Intelligent Reporter

Agilent OpenLAB ECM Intelligent Reporter Agilent OpenLAB ECM Intelligent Reporter Installation and Configuration Guide Agilent Technologies Notices Agilent Technologies, Inc. 2007-2016 No part of this manual may be reproduced in any form or by

More information

The Samba-3: Overview, Authentication, Integration

The Samba-3: Overview, Authentication, Integration The Samba-3: Overview, Authentication, Integration John H Terpstra, CTO PrimaStasys Inc. jht@primastasys.com or jht@samba.org Slide 1 About the speaker Long term Samba-Team member Author of official Samba

More information

Veritas NetBackup for Microsoft Exchange Server Administrator s Guide

Veritas NetBackup for Microsoft Exchange Server Administrator s Guide Veritas NetBackup for Microsoft Exchange Server Administrator s Guide for Windows Release 8.1.1 Veritas NetBackup for Microsoft Exchange Server Administrator s Guide Last updated: 2018-02-16 Document version:netbackup

More information