cea-sec / gmsad

gmsad manages Active Directory group Managed Service Account (gMSA) on Linux
GNU General Public License v3.0

Service fail to start #6

Open cskumar6381 opened 7 months ago

cskumar6381 commented 7 months ago

Hi, Came across this project. Doing a POC on our Ubuntu 22.04 server to leverage this with our AD-Linux infra. Need your help in figuring out where we are missing in getting this up.

Attached the log data we get when trying to start the service. Apr 17 060852 lowlatency08 gmsad.txt

Config file attached [gmsad]-config.txt

For your perspective I am located in Singapore time zone.

Thank you Sharat

vruello commented 7 months ago

Hi,

According to gmsad logs, there is likely something wrong with python-gssapi. It looks like an "old" issue: https://github.com/pythongssapi/python-gssapi/issues/216.

What is the version of python-gssapi installed on your system? Could you share the output of apt list --installed | grep krb?

cskumar6381 commented 7 months ago

Hi,

root@lowlatency08:/var/log# apt list --installed | grep krb

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

krb5-admin-server/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
krb5-config/jammy,now 2.6+nmu1ubuntu1 all [installed,automatic]
krb5-kdc/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed,automatic]
krb5-user/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
libgssapi-krb5-2/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
libkrb5-26-heimdal/jammy,now 7.7.0+dfsg-3ubuntu1 amd64 [installed,automatic]
libkrb5-3/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed,automatic]
libkrb5support0/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed,automatic]
sssd-krb5-common/jammy-updates,now 2.6.3-1ubuntu3.2 amd64 [installed,automatic]
sssd-krb5/jammy-updates,now 2.6.3-1ubuntu3.2 amd64 [installed,automatic]

vruello commented 7 months ago

What about the version of python-gssapi?

You can get it by running: python3 -c "import pkg_resources; print(pkg_resources.get_distribution('gssapi').version)"

cskumar6381 commented 7 months ago

root@lowlatency08:~# python3 -c "import pkg_resources; print(pkg_resources.get_distribution('gssapi').version)"
1.8.3

vruello commented 7 months ago

It seems that you are missing the Credential Store Extension (https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions), but I have no idea why :disappointed:

Could you try to run the following command and paste the output?

$ python3 -c 'import ldap3; ldap3.Connection("dc1-v.dev.local", user="toto", authentication=ldap3.SASL, sasl_mechanism=ldap3.KERBEROS, auto_bind=True,cred_store={"client_keytab": "/etc/webapp01.keytab"})'

I've run it on a fresh ubuntu container and I've got the following output (which was expected, but at least we see that the cred store extension is there).

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/root/.local/lib/python3.10/site-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/root/.local/lib/python3.10/site-packages/ldap3/core/connection.py", line 389, in _do_auto_bind
    self.bind(read_server_info=True)
  File "/root/.local/lib/python3.10/site-packages/ldap3/core/connection.py", line 615, in bind
    response = self.do_sasl_bind(controls)
  File "/root/.local/lib/python3.10/site-packages/ldap3/core/connection.py", line 1343, in do_sasl_bind
    result = sasl_gssapi(self, controls)
  File "/root/.local/lib/python3.10/site-packages/ldap3/protocol/sasl/kerberos.py", line 109, in sasl_gssapi
    return _posix_sasl_gssapi(connection, controls)
  File "/root/.local/lib/python3.10/site-packages/ldap3/protocol/sasl/kerberos.py", line 225, in _posix_sasl_gssapi
    authz_id, creds = _common_determine_authz_id_and_creds(connection)
  File "/root/.local/lib/python3.10/site-packages/ldap3/protocol/sasl/kerberos.py", line 180, in _common_determine_authz_id_and_creds
    creds = gssapi.Credentials(name=gssapi.Name(connection.user), usage='initiate', store=connection.cred_store) if connection.user else None
  File "/usr/local/lib/python3.10/dist-packages/gssapi/creds.py", line 77, in __new__
    res = cls.acquire(name, lifetime, mechs, usage,
  File "/usr/local/lib/python3.10/dist-packages/gssapi/creds.py", line 173, in acquire
    res = rcred_cred_store.acquire_cred_from(b_store, name,
  File "gssapi/raw/ext_cred_store.pyx", line 161, in gssapi.raw.ext_cred_store.acquire_cred_from
gssapi.raw.exceptions.BadNameError: Major (131072): An invalid name was supplied, Minor (2529639136): Configuration file does not specify default realm

How to reproduce what I've done:

$ podman run --rm -it ubuntu:jammy
root@df462b32dad9:/# apt update
root@df462b32dad9:/# apt install python3 python3-pip libkrb5-dev
root@df462b32dad9:/# pip install ldap3 gssapi
root@df462b32dad9:/# python3 -c 'import ldap3; ldap3.Connection("dc.windomain.local", user="toto", authentication=ldap3.SASL, sasl_mechanism=ldap3.KERBEROS, auto_bind=True,cred_store={"client_keytab": "/etc/babar"})'

cskumar6381 commented 7 months ago

lowlatency08:~# apt install python3 python3-pip libkrb5-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
python3 is already the newest version (3.10.6-1~22.04).
python3 set to manually installed.
python3-pip is already the newest version (22.0.2+dfsg-1ubuntu0.4).
The following packages were automatically installed and are no longer required:
  heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal
  libheimntlm0-heimdal libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal
  libkrb5-26-heimdal libotp0-heimdal libroken18-heimdal libsl0-heimdal libwind0-heimdal
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  krb5-multidev
Suggested packages:
  krb5-doc
The following packages will be REMOVED:
  heimdal-dev
The following NEW packages will be installed:
  krb5-multidev libkrb5-dev
0 upgraded, 2 newly installed, 1 to remove and 3 not upgraded.
Need to get 137 kB of archives.
After this operation, 390 kB disk space will be freed.

root@lowlatency08:~# pip install ldap3 gssapi
Requirement already satisfied: ldap3 in /usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg (2.9.1)
Requirement already satisfied: gssapi in /usr/local/lib/python3.10/dist-packages/gssapi-1.8.3-py3.10-linux-x86_64.egg (1.8.3)
Requirement already satisfied: pyasn1>=0.4.6 in /usr/lib/python3/dist-packages (from ldap3) (0.4.8)
Requirement already satisfied: decorator in /usr/local/lib/python3.10/dist-packages/decorator-5.1.1-py3.10.egg (from gssapi) (5.1.1)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

lowlatency08:~# python3 -c 'import ldap3; ldap3.Connection("dc1-v.dev.local", user="toto", authentication=ldap3.SASL, sasl_mechanism=ldap3.KERBEROS, auto_bind=True,cred_store={"client_keytab": "/etc/webapp01.keytab"})'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 389, in _do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 615, in bind
    response = self.do_sasl_bind(controls)
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 1343, in do_sasl_bind
    result = sasl_gssapi(self, controls)
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/protocol/sasl/kerberos.py", line 109, in sasl_gssapi
    return _posix_sasl_gssapi(connection, controls)
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/protocol/sasl/kerberos.py", line 225, in _posix_sasl_gssapi
    authz_id, creds = _common_determine_authz_id_and_creds(connection)
  File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/protocol/sasl/kerberos.py", line 180, in _common_determine_authz_id_and_creds
    creds = gssapi.Credentials(name=gssapi.Name(connection.user), usage='initiate', store=connection.cred_store) if connection.user else None
  File "/usr/local/lib/python3.10/dist-packages/gssapi-1.8.3-py3.10-linux-x86_64.egg/gssapi/creds.py", line 77, in __new__
    res = cls.acquire(name, lifetime, mechs, usage,
  File "/usr/local/lib/python3.10/dist-packages/gssapi-1.8.3-py3.10-linux-x86_64.egg/gssapi/creds.py", line 167, in acquire
    raise NotImplementedError("Your GSSAPI implementation does "
NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores

vruello commented 7 months ago

The previous test has demonstrated that the issue is not related to gmsad. I think there might be a conflict between the multiple krb5 libraries (Heimdal and MIT) that are installed on your system. I fear this goes beyond my knowledge.

Maybe you could try to remove all the Heimdal related packages?

For information, I have the following packages installed on my box:

root@df462b32dad9:/# apt list --installed | grep krb
krb5-multidev/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed,automatic]
libgssapi-krb5-2/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
libkrb5-3/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
libkrb5-dev/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
libkrb5support0/jammy-updates,jammy-security,now 1.19.2-2ubuntu0.3 amd64 [installed]
root@df462b32dad9:/# apt list --installed | grep heim
root@df462b32dad9:/#

cskumar6381 commented 7 months ago

Removed all Heim packages. Seems missing modules.

Apr 17 13:53:09 lowlatency08 gmsad[15898]: INFO:root:Log level is set to DEBUG
Apr 17 13:53:09 lowlatency08 gmsad[15898]: INFO:root:Keytab file is empty.
Apr 17 13:53:09 lowlatency08 gmsad[15898]: DEBUG:root:0 keytab entries loaded from /etc/webapp01.keytab
Apr 17 13:53:09 lowlatency08 gmsad[15898]: INFO:root:Retrieving secret of svc_gmsa$
Apr 17 13:53:09 lowlatency08 gmsad[15898]: DEBUG:root:LDAP Server host to contact is dc1-v.dev.local
Apr 17 13:53:09 lowlatency08 gmsad[15898]: Traceback (most recent call last):
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/protocol/sasl/kerberos.py", line 47, in <module>
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     import winkerberos
Apr 17 13:53:09 lowlatency08 gmsad[15898]: ModuleNotFoundError: No module named 'winkerberos'
Apr 17 13:53:09 lowlatency08 gmsad[15898]: During handling of the above exception, another exception occurred:
Apr 17 13:53:09 lowlatency08 gmsad[15898]: Traceback (most recent call last):
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/bin/gmsad", line 33, in <module>
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     sys.exit(load_entry_point('gmsad==0.1.0', 'console_scripts', 'gmsad')())
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/bin/gmsad.py", line 29, in main
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/__init__.py", line 12, in run
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/gmsa.py", line 122, in update
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/gmsa.py", line 153, in query_new_password
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/ldap.py", line 33, in __init__
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 363, in __init__
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     self._do_auto_bind()
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 389, in _do_auto_bind
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     self.bind(read_server_info=True)
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 615, in bind
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     response = self.do_sasl_bind(controls)
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/core/connection.py", line 1342, in do_sasl_bind
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     from ..protocol.sasl.kerberos import sasl_gssapi  # needs the gssapi package
Apr 17 13:53:09 lowlatency08 gmsad[15898]:   File "/usr/local/lib/python3.10/dist-packages/ldap3-2.9.1-py3.10.egg/ldap3/protocol/sasl/kerberos.py", line 50, in <module>
Apr 17 13:53:09 lowlatency08 gmsad[15898]:     raise LDAPPackageUnavailableError('package gssapi (or winkerberos) missing')
Apr 17 13:53:09 lowlatency08 gmsad[15898]: ldap3.core.exceptions.LDAPPackageUnavailableError: package gssapi (or winkerberos) missing
Apr 17 13:53:09 lowlatency08 systemd[1]: gmsad.service: Main process exited, code=exited, status=1/FAILURE

root@lowlatency08:/var/log/sssd# pip3 install winkerberos
Collecting winkerberos
  Downloading winkerberos-0.10.0.tar.gz (34 kB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
  WARNING: Generating metadata for package winkerberos produced metadata for project name unknown. Fix your #egg=winkerberos fragments.
Discarding https://files.pythonhosted.org/packages/45/5e/90ba8d84ecc28586466bdd3fddfd5d05c04a5eddca5c9898adf65ccd07ec/winkerberos-0.10.0.tar.gz#sha256=cbc27fc0fd31a40c5222a8bbde28a92735bf8438c1ea5ae0a1f841ecc54737cb (from https://pypi.org/simple/winkerberos/) (requires-python:>=3.7): Requested unknown from https://files.pythonhosted.org/packages/45/5e/90ba8d84ecc28586466bdd3fddfd5d05c04a5eddca5c9898adf65ccd07ec/winkerberos-0.10.0.tar.gz#sha256=cbc27fc0fd31a40c5222a8bbde28a92735bf8438c1ea5ae0a1f841ecc54737cb has inconsistent name: filename has 'winkerberos', but metadata has 'unknown'
  Downloading winkerberos-0.9.1.zip (43 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 44.0/44.0 KB 605.7 kB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: winkerberos
  Building wheel for winkerberos (setup.py) ... error
  error: subprocess-exited-with-error

  × python setup.py bdist_wheel did not run successfully.
  │ exit code: 1
  ╰─> [14 lines of output]
      running bdist_wheel
      running build
      running build_ext
      building 'winkerberos' extension
      creating build
      creating build/temp.linux-x86_64-3.10
      creating build/temp.linux-x86_64-3.10/src
      x86_64-linux-gnu-gcc -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.10 -c src/kerberos_sspi.c -o build/temp.linux-x86_64-3.10/src/kerberos_sspi.o
      In file included from src/kerberos_sspi.c:17:
      src/kerberos_sspi.h:21:10: fatal error: Windows.h: No such file or directory
         21 | #include <Windows.h>
            |          ^~~
      compilation terminated.
      error: command '/usr/bin/x86_64-linux-gnu-gcc' failed with exit code 1
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for winkerberos
  Running setup.py clean for winkerberos
Failed to build winkerberos
Installing collected packages: winkerberos
  Running setup.py install for winkerberos ... error
  error: subprocess-exited-with-error

  × Running setup.py install for winkerberos did not run successfully.
  │ exit code: 1
  ╰─> [16 lines of output]
      running install
      /usr/lib/python3/dist-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
        warnings.warn(
      running build
      running build_ext
      building 'winkerberos' extension
      creating build
      creating build/temp.linux-x86_64-3.10
      creating build/temp.linux-x86_64-3.10/src
      x86_64-linux-gnu-gcc -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.10 -c src/kerberos_sspi.c -o build/temp.linux-x86_64-3.10/src/kerberos_sspi.o
      In file included from src/kerberos_sspi.c:17:
      src/kerberos_sspi.h:21:10: fatal error: Windows.h: No such file or directory
         21 | #include <Windows.h>
            |          ^~~
      compilation terminated.
      error: command '/usr/bin/x86_64-linux-gnu-gcc' failed with exit code 1
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
error: legacy-install-failure

× Encountered error while trying to install package.
╰─> winkerberos

note: This is an issue with the package mentioned above, not pip.
hint: See above for output from the failure.

vruello commented 7 months ago

You lost the gssapi module. You can get it back using pip install gssapi. winkerberos can only be used on Windows.

cskumar6381 commented 7 months ago

root@lowlatency08:~# pip install gssapi
Requirement already satisfied: gssapi in /usr/local/lib/python3.10/dist-packages/gssapi-1.8.3-py3.10-linux-x86_64.egg (1.8.3)
Requirement already satisfied: decorator in /usr/local/lib/python3.10/dist-packages/decorator-5.1.1-py3.10.egg (from gssapi) (5.1.1)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Weird is it's trying to import the module

gmsad[16091]:     import winkerberos
gmsad[16091]: ModuleNotFoundError: No module named 'winkerberos'

vruello commented 7 months ago

ldap3 tries to import winkerberos if it can not find gssapi:

posix_gssapi_unavailable = True
try:
    # noinspection PyPackageRequirements,PyUnresolvedReferences
    import gssapi
    from gssapi.raw import ChannelBindings
    posix_gssapi_unavailable = False
except ImportError:
    pass

windows_gssapi_unavailable = True
# only attempt to import winkerberos if gssapi is unavailable
if posix_gssapi_unavailable:
    try:
        import winkerberos
        windows_gssapi_unavailable = False
    except ImportError:
        raise LDAPPackageUnavailableError('package gssapi (or winkerberos) missing')

(https://github.com/cannatag/ldap3/blob/dev/ldap3/protocol/sasl/kerberos.py)

Make sure that gssapi is available in the Python environment of the gmsad service. You should be able to run this without error:

import gssapi
from gssapi.raw import ChannelBindings

cskumar6381 commented 7 months ago

Where do I need to add this code? Also, do I need to re-install after adding this? Not so fluent on Python.

vruello commented 7 months ago

You can start by running python3 -c 'import gssapi; from gssapi.raw import ChannelBindings'.

If you don't get an error, you can continue and run python3 -c 'import ldap3; ldap3.Connection("dc1-v.dev.local", user="toto", authentication=ldap3.SASL, sasl_mechanism=ldap3.KERBEROS, auto_bind=True,cred_store={"client_keytab": "/etc/webapp01.keytab"})'.

If you get an error which is not NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores, it should be good and you can try to restart gmsad and see what happens.

cskumar6381 commented 7 months ago

python3 -c 'import gssapi; from gssapi.raw import ChannelBindings'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.10/dist-packages/gssapi-1.8.3-py3.10-linux-x86_64.egg/gssapi/__init__.py", line 31, in <module>
    from gssapi.raw.types import NameType, RequirementFlag, AddressType  # noqa
  File "/usr/local/lib/python3.10/dist-packages/gssapi-1.8.3-py3.10-linux-x86_64.egg/gssapi/raw/__init__.py", line 50, in <module>
    from gssapi.raw.creds import *  # noqa
ImportError: libgssapi.so.3: cannot open shared object file: No such file or directory

cskumar6381 commented 7 months ago

Cleaned up, created a new system and did the install, and was able to get past the gssapi missing error. Now see below while starting:

Apr 18 06:24:18 lowlatency05 systemd[1]: Started Group Managed Service Account Management Service.
Apr 18 06:24:18 lowlatency05 kernel: [ 3758.479327] audit: type=1400 audit(1713421458.508:240): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/1618/cmdline" pid=771 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 18 06:24:18 lowlatency05 gmsad[1618]: INFO:root:Log level is set to DEBUG
Apr 18 06:24:18 lowlatency05 gmsad[1618]: INFO:root:Keytab file is empty.
Apr 18 06:24:18 lowlatency05 gmsad[1618]: DEBUG:root:0 keytab entries loaded from /etc/svc_gmsa.keytab
Apr 18 06:24:18 lowlatency05 gmsad[1618]: INFO:root:Retrieving secret of svc_gmsa$
Apr 18 06:24:18 lowlatency05 gmsad[1618]: DEBUG:root:LDAP Server host to contact is dc1-v.dev.local
Apr 18 06:24:18 lowlatency05 gmsad[1618]: Traceback (most recent call last):
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/bin/gmsad", line 33, in <module>
Apr 18 06:24:18 lowlatency05 gmsad[1618]:     sys.exit(load_entry_point('gmsad==0.1.0', 'console_scripts', 'gmsad')())
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/bin/gmsad.py", line 29, in main
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/__init__.py", line 12, in run
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/gmsa.py", line 122, in update
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/gmsa.py", line 153, in query_new_password
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/gmsad-0.1.0-py3.10.egg/gmsad/ldap.py", line 33, in __init__
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/ldap3/core/connection.py", line 363, in __init__
Apr 18 06:24:18 lowlatency05 gmsad[1618]:     self._do_auto_bind()
Apr 18 06:24:18 lowlatency05 gmsad[1618]:   File "/usr/local/lib/python3.10/dist-packages/ldap3/core/connection.py", line 412, in _do_auto_bind
Apr 18 06:24:18 lowlatency05 gmsad[1618]:     raise LDAPBindError(error)
Apr 18 06:24:18 lowlatency05 gmsad[1618]: ldap3.core.exceptions.LDAPBindError: automatic bind not successful - strongerAuthRequired
Apr 18 06:24:18 lowlatency05 systemd[1]: gmsad.service: Main process exited, code=exited, status=1/FAILURE

vruello commented 7 months ago

Nice :+1:

Now you are getting an authentication error. You can check the credentials in your keytab with kinit:

$ KRB5_TRACE=/dev/stderr kinit -kt /etc/svc_gmsa.keytab <principal>

To resolve this, check the output of krb5 lib on stderr and the authentication logs on your DC.

cskumar6381 commented 7 months ago

To disable LDAP Signing: Modified GPO below

Domain controller: LDAP server signing requirements = None
Network security: LDAP client signing requirements = Negotiate

KRB5_TRACE=/dev/stderr kinit -kt /etc/svc_gmsa.keytab LOWLATENCY05@DEV.LOCAL
[13017] 1713428612.885119: Getting initial credentials for LOWLATENCY05@DEV.LOCAL
[13017] 1713428612.885120: Couldn't lookup etypes in keytab: -1765328171/Unsupported key table format version number
[13017] 1713428612.885122: Sending unauthenticated request
[13017] 1713428612.885123: Sending request (186 bytes) to DEV.LOCAL
[13017] 1713428612.885124: Initiating TCP connection to stream 10.4.66.13:88
[13017] 1713428612.885125: Sending TCP request to stream 10.4.66.13:88
[13017] 1713428612.885126: Received answer (197 bytes) from stream 10.4.66.13:88
[13017] 1713428612.885127: Terminating TCP connection to stream 10.4.66.13:88
[13017] 1713428612.885128: Response was from primary KDC
[13017] 1713428612.885129: Received error from KDC: -1765328359/Additional pre-authentication required
[13017] 1713428612.885132: Preauthenticating using KDC method data
[13017] 1713428612.885133: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[13017] 1713428612.885134: Selected etype info: etype aes256-cts, salt "DEV.LOCALhostlowlatency05.dev.local", params ""
[13017] 1713428612.885135: PKINIT client has no configured identity; giving up
[13017] 1713428612.885136: PKINIT client has no configured identity; giving up
[13017] 1713428612.885137: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[13017] 1713428612.885138: Retrieving LOWLATENCY05@DEV.LOCAL from FILE:/etc/svc_gmsa.keytab (vno 0, enctype aes256-cts) with result: -1765328171/Unsupported key table format version number
[13017] 1713428612.885139: Preauth module encrypted_timestamp (2) (real) returned: -1765328171/Unsupported key table format version number
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
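The two checks this thread ends on, the `import gssapi; from gssapi.raw import ChannelBindings` probe and the `kinit -kt` keytab test, can be run as a single offline pre-flight before touching the DC. The script below is an added example, not code from the gmsad project or from anyone in this thread. It assumes python-gssapi's layout as of 1.8.x (the `gssapi.raw.ext_cred_store` module is the one python-gssapi's own `creds.py` tries to import before raising the `NotImplementedError` seen above) and the MIT krb5 keytab file format, version 2 (`0x05 0x02` header, big-endian, `[int32 size][entry]` records). The sample keytab, its principal and its all-zero key are constructed for the example and are not real credentials.

```python
import struct


def gssapi_preflight() -> dict:
    """Report on python-gssapi without raising, so it can sit in a health check."""
    report = {"gssapi_importable": False, "cred_store_extension": False}
    try:
        import gssapi  # noqa: F401
        from gssapi.raw import ChannelBindings  # noqa: F401  (what ldap3 imports)
        report["gssapi_importable"] = True
    except ImportError as exc:
        report["error"] = str(exc)
        return report
    try:
        # Same module python-gssapi's creds.py imports; missing when the krb5
        # headers present at build time had no gss_acquire_cred_from().
        from gssapi.raw import ext_cred_store  # noqa: F401
        report["cred_store_extension"] = True
    except ImportError:
        pass
    return report


KEYTAB_MAGIC = 0x05  # first byte of every MIT keytab; the second byte is the version


def keytab_problem(data: bytes):
    """None if `data` carries a usable v2 keytab header, else a short message."""
    if len(data) < 2:
        return "keytab is empty or shorter than its 2-byte header"
    if data[0] != KEYTAB_MAGIC or data[1] not in (1, 2):
        return f"unsupported key table format version number (header {data[:2].hex()})"
    if data[1] == 1:
        return "version 1 keytab (native byte order) is not handled by this example"
    return None


def parse_keytab(data: bytes) -> list:
    """Parse a v2 keytab into dicts (principal, enctype, kvno, timestamp).
    Negative record size marks a hole left by a deleted entry; size 0 ends
    the file. Key bytes are skipped and never returned."""
    problem = keytab_problem(data)
    if problem:
        raise ValueError(problem)
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("entry runs past end of keytab")
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def _parse_entry(buf: bytes) -> dict:
    off = 0

    def counted_string():  # uint16 length followed by that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", buf, off)
        off += 2
        text = buf[off:off + n].decode("utf-8", "replace")
        off += n
        return text
    (ncomp,) = struct.unpack_from(">H", buf, off)
    off += 2
    realm = counted_string()
    components = [counted_string() for _ in range(ncomp)]
    _name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    off += 9
    enctype, keylen = struct.unpack_from(">HH", buf, off)
    off += 4 + keylen  # skip the key material itself
    kvno = vno8
    if off + 4 <= len(buf):  # optional 32-bit vno overrides vno8 when non-zero
        (vno32,) = struct.unpack_from(">I", buf, off)
        kvno = vno32 or vno8
    return {"principal": "/".join(components) + "@" + realm,
            "enctype": enctype, "kvno": kvno, "timestamp": timestamp}


def _build_entry(principal, realm, enctype, kvno, timestamp, key):
    """Serialise one v2 entry; used only to construct the samples below."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 = principal
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples: a 32-byte all-zero key, not a real credential.
_ENTRY = _build_entry("host/lowlatency05.dev.local", "DEV.LOCAL", 18, 3, 1713421458, b"\0" * 32)
SAMPLE_KEYTAB = b"\x05\x02" + _ENTRY                                        # one aes256-cts entry
SAMPLE_KEYTAB_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -3) + b"\0\0\0" + _ENTRY
EMPTY_KEYTAB = b""                                                          # "Keytab file is empty."
```

Against a real system, replace `SAMPLE_KEYTAB` with `open("/etc/svc_gmsa.keytab", "rb").read()`; a file that is empty or has an unexpected header is reported by `keytab_problem` in the same terms as the `Unsupported key table format version number` kinit printed above, and `parse_keytab` lets you confirm the principal, enctype and kvno actually present before blaming the KDC. The parser deliberately returns metadata only, so its output is safe to paste into a ticket.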