[Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Eduardo Sachs
edu.sachs at terra.com.br
Fri Mar 13 14:51:06 UTC 2009
Package: samba
Version: 2:3.2.5-4
Severity: serious
Hello. I have a 3.2.5 Samba-LDAP PDC which shares its database with Heimdal (so Samba passwords are also Kerberos passwords). I am able to use Kerberos credentials to connect to the PDC shares with "smbclient -k", both on the server and on Linux workstations.
The problem is that, as soon as I try to join the PDC to its own domain (with "net join") in order to be able to use winbind on the PDC, I can no longer use Kerberos tickets to connect to the PDC's shares, neither from the PDC nor from the workstations.
But if I don't join the PDC to the domain, I can join workstations to the domain and still use Kerberos tickets with "smbclient -k" on them, whether the shares are on the PDC or on the workstation itself.
Samba 3.0.x does not have this problem; it occurs only in Samba 3.2.x and 3.3.x.
This is the [global] section of my smb.conf on the Samba PDC:
[global]
workgroup = CFS
realm = CFS.ISST
netbios name = sanmiguel
server string = Servidor principal
use kerberos keytab = yes
use spnego = yes
client ntlmv2 auth = yes
username map = /etc/samba/usermap
debug level = 0
log file = /var/log/samba/%m.log
max log size = 5000
syslog = 0
log level = 0
utmp = Yes
guest account = nobody
map to guest = Never
admin users = root addmachine @"Domain Admins"
enable privileges = yes
security = user
encrypt passwords = yes
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
keepalive = 20
time server = yes
preserve case = yes
short preserve case = yes
case sensitive = no
null passwords = no
bind interfaces only = yes
interfaces = eth0, lo
hosts allow = 10. 127.
wins support = yes
dns proxy = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldapsam:trusted = yes
ldap admin dn = krb5PrincipalName=ldapmaster/admin@CFS.ISST,ou=KerberosPrincipals,dc=cfs,dc=isst
ldap suffix = dc=cfs,dc=isst
ldap group suffix = ou=Grupos
ldap user suffix = ou=KerberosPrincipals
ldap machine suffix = ou=Computadores
ldap idmap suffix = ou=Idmap
ldap ssl = On
ldap delete dn = Yes
idmap backend = ldap:ldap://127.0.0.1/
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes
wins server = 10.1.1.100
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing*for*\nNew password*" %n\n "*Retype new password*" %n\n"
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = cp850
unix charset = UTF8
display charset = LOCALE
restrict anonymous = 0
This is the [global] section of my smb.conf on the CIFS MEMBER SAMBA PDC:
[global]
workgroup = CFS
realm = CFS.ISST
security = domain
wins server = IP SAMBA PDC
use kerberos keytab = yes
client use spnego = yes
client NTLMv2 auth = yes
debug level = 2
log file = /var/log/samba/%m.log
max log size = 50
log level = 1
syslog = 0
utmp = Yes
idmap uid = 10000-15000
idmap gid = 10000-15000
template shell = /bin/bash
template homedir = /home/users/%U
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
encrypt passwords = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
dns proxy = no
preserve case = yes
short preserve case = no
default case = lower
case sensitive = no
dos charset = cp850
unix charset = iso8859-1
display charset = LOCALE
restrict anonymous = 0
[publico]
path = /samba/publico
writable = yes
browseable = no
share modes = no
admin users = @"Domain Admins"
Here are the relevant logs for a successful Kerberos connection (i.e., without joining the domain) from the PDC itself:
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 528
[2008/10/04 12:44:33, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanmiguel.cfs.isst@CFS.ISST
[2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_verify_ticket(500)
ads_verify_ticket: did not retrieve auth data. continuing without PAC
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(356)
Ticket name is [root@CFS.ISST]
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(430)
Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2008/10/04 12:44:33, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2008/10/04 12:44:33, 3] lib/smbldap.c:smbldap_connect_system(1007)
ldap_connect_system: successful connection to the LDAP server
And, lastly, here is the log of a failed connection attempt (i.e., once the PDC has joined the domain):
[2008/10/04 12:45:43, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 527
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
ads_verify_ticket: krb5_rd_req with auth failed (Conseguido)
[2008/10/04 12:45:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/10/04 12:45:43, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2008/10/04 12:45:43, 3] smbd/process.c:smbd_process(2035)
receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2008/10/04 12:45:43, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/10/04 12:45:43, 3] smbd/connection.c:yield_connection(31)
Yielding connection to
[2008/10/04 12:45:43, 3] smbd/server.c:exit_server_common(949)
Server exit (normal exit)
Example of the procedure:
1 - CIFS CLIENT accesses CIFS MEMBER SAMBA PDC with Kerberos auth:
CIFS CLIENT# smbclient //CIFS MEMBER SAMBA PDC/publico -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
. D 0 Wed Mar 11 21:04:19 2009
.. D 0 Wed Mar 11 21:04:19 2009
48444 blocks of size 262144. 36638 blocks available
smb: \> quit
2 - CIFS MEMBER SAMBA PDC joins the domain of the Samba PDC:
CIFS MEMBER SAMBA PDC# net join -U root
Enter root's password:
Joined domain CFS.
3 - CIFS CLIENT access to CIFS MEMBER SAMBA PDC with Kerberos auth fails:
CIFS CLIENT# smbclient //CIFS MEMBER SAMBA PDC/publico -k
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE
4 - On CIFS MEMBER SAMBA PDC, delete /var/lib/samba/secrets.tdb and restart Samba.
CIFS MEMBER SAMBA PDC is out of the Samba PDC's domain because secrets.tdb was deleted:
CIFS MEMBER SAMBA PDC# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
5 - After deleting secrets.tdb and restarting Samba on CIFS MEMBER SAMBA PDC, CIFS CLIENT can again access CIFS MEMBER SAMBA PDC with Kerberos auth:
CIFS CLIENT# smbclient //CIFS MEMBER SAMBA PDC/publico -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
. D 0 Wed Mar 11 21:04:19 2009
.. D 0 Wed Mar 11 21:04:19 2009
48444 blocks of size 262144. 36638 blocks available
smb: \> quit
Thank you very much.
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Version of Heimdal Kerberos:
ii heimdal-clients 1.2.dfsg.1-2.1 Heimdal Kerberos - clients
ii heimdal-clients-x 1.2.dfsg.1-2.1 Heimdal Kerberos - X11 client programs
ii heimdal-dev 1.2.dfsg.1-2.1 Heimdal Kerberos - development files
ii heimdal-docs 1.2.dfsg.1-2.1 Heimdal Kerberos - documentation
ii heimdal-kcm 1.2.dfsg.1-2.1 Heimdal Kerberos - KCM daemon
ii heimdal-kdc 1.2.dfsg.1-2.1 Heimdal Kerberos - key distribution center (KDC)
ii heimdal-servers 1.2.dfsg.1-2.1 Heimdal Kerberos - server programs
ii heimdal-servers-x 1.2.dfsg.1-2.1 Heimdal Kerberos - X11 server programs
ii krb5-config 1.22 Configuration files for Kerberos Version 5
ii libasn1-8-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - ASN.1 library
ii libgssapi2-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - GSSAPI support library
ii libhdb9-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - kadmin server library
ii libheimntlm0-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - NTLM support library
ii libhx509-3-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - X509 support library
ii libkadm5clnt7-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - kadmin client library
ii libkadm5srv8-heimdal 1.2.dfsg.1-2.1 Libraries for Heimdal Kerberos
ii libkafs0-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - KAFS support library
ii libkdc2-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - KDC support library
ii libkrb5-25-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - libraries
ii libotp0-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - OTP support library
ii libroken18-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - roken support library
ii libsasl2-modules-gssapi-heimdal 2.1.22.dfsg1-23 Pluggable Authentication Modules for SASL (GSSAPI)
ii libsl0-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - SL support library
ii libwind0-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - NTLM support library
Versions of packages samba depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0 1.5.24 Debian configuration management sy
ii libacl1 2.2.47-2 Access control list shared library
ii libattr1 1:2.4.43-2 Extended attribute shared library
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libcups2 1.3.8-1lenny4.1 Common UNIX Printing System(tm) -
ii libgnutls26 2.4.2-6+lenny1 the GNU TLS library - runtime libr
ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libpam-modules 1.0.1-5 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5 Runtime support for the PAM librar
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libtalloc1 1.2.0~git20080616-1 hierarchical pool based memory all
ii libwbclient0 2:3.2.5-4 client library for interfacing wit
ii logrotate 3.7.1-5 Log rotation utility
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii procps 1:3.2.7-11 /proc file system utilities
ii samba-common 2:3.2.5-4 Samba common files used by both th
ii update-inetd 4.31 inetd configuration file updater
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
samba recommends no packages.
Versions of packages samba suggests:
pn ldb-tools <none> (no description available)
ii openbsd-inetd [inet-superse 0.20080125-2 The OpenBSD Internet Superserver
ii smbldap-tools 0.9.4-1 Scripts to manage Unix and Samba a
-- debconf information:
samba/run_mode: daemons
samba/generate_smbpasswd: true
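As an added triage aid (not part of the bug report or of Samba): a small Python parser for the smbd debug entries quoted in the report that tells apart the two ticket-verification paths smbd tries, the machine password in secrets.tdb (ads_secrets_verify_ticket) and the system keytab (ads_keytab_verify_ticket). It tolerates the line wrapping of the archived excerpts; the sample input is taken from those excerpts, and the verdict labels are my own naming, not Samba's.

```python
import re
# Added example (not from the bug report or Samba): parse wrapped smbd entries
# "[date time, level] file:function(line)" + message, then classify the outcome.
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\]\s*(?P<rest>.*)$")
LOCATION = re.compile(r"^(?P<file>\S+?):(?P<func>\w+)\(\d+\)$")
def parse_smbd_log(text):
    entries, cur = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = ENTRY.match(line)
        if m:  # new entry; the location may follow on the same or the next line
            cur = {"ts": m["ts"], "level": int(m["level"]), "func": None, "msg": ""}
            entries.append(cur)
            line = m["rest"]
        if cur is None or not line:
            continue
        loc = LOCATION.match(line)
        if loc and cur["func"] is None:
            cur["func"] = loc["func"]
        else:  # message text, possibly wrapped over several archive lines
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries
def diagnose_kerberos_setup(entries):
    v = {"secrets": "not_checked", "keytab": "not_checked", "logon_failure": False}
    for e in entries:
        msg, func = e["msg"], e["func"]
        if func == "ads_secrets_verify_ticket":  # path 1: machine key from secrets.tdb
            v["secrets"] = ("no_machine_password" if "fetch machine password" in msg
                            else "decrypt_failed" if "failed to decrypt" in msg else "other")
        elif func == "ads_keytab_verify_ticket":  # path 2: keys from the system keytab
            v["keytab"] = "ok" if "succeeded" in msg else "failed"
        elif "NT_STATUS_LOGON_FAILURE" in msg:  # session setup rejected
            v["logon_failure"] = True
    return v
# Sample input: the verification lines of the report's two excerpts, as archived.
WORKING_LOG = """[2008/10/04 12:44:33, 1]
libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(356)
Ticket name is [root@CFS.ISST]"""
FAILED_LOG = """[2008/10/04 12:45:43, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2008/10/04 12:45:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!"""
```

On an unjoined host "no_machine_password" alone is expected and harmless, since the keytab path still succeeds; "decrypt_failed" together with a keytab failure is the pattern the report's failed excerpt shows after the join.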