samba - Jan 2022 - nsupdate failed: GSSAPI error: A token had an invalid message integrity check

On Fri, 2022-01-28 at 15:03 -0600, Michael Jones via samba
wrote:
> Thank you for the response.
> 
> On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
> 
> > On AD-DC or Member ?
> > 
> 
> AD-DC, phrased as "> As the root user on my domain
controller." in my
> original email, though I know it was a big wall of text, so I
> probably
> would have missed that detail myself.
> 
I waded through all of that info and one thing popped out:
(-system-heimdal) -system-mitkrb5

So which was your DC built with, 'Heimdal' or 'MIT' ?

Also your smb.conf files are borked, you do not use a user.map on a DC
and I would expect each DC smb.conf to look similar to this:

[global]
    server role = active directory domain controller
    allow dns updates = nonsecure
    dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
    idmap_ldb:use rfc2307 = yes
    workgroup = NETWORK-1
    realm = NETWORK-1.NET
    log level = 2 dns:2 auth:2 vfs:2
    ntlm auth = yes
    template shell = /bin/bash
    template homedir = /home/%U

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

[netlogon]
    path = /var/lib/samba/sysvol/network-1.net/scripts
    read only = no

On Fri, Jan 28, 2022 at 3:29 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 2022-01-28 at 15:03 -0600, Michael Jones via samba wrote:
> > Thank you for the response.
> >
> > On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On AD-DC or Member ?
> > >
> >
> > AD-DC, phrased as "> As the root user on my domain
controller." in my
> > original email, though I know it was a big wall of text, so I
> > probably
> > would have missed that detail myself.
> >
>
> I waded through all of that info and one thing popped out:
> (-system-heimdal) -system-mitkrb5
>
> So which was your DC built with, 'Heimdal' or 'MIT' ?
>
Those flags are specifically about overriding the krb5 library that the
samba package carries, to force it to use whatever the system happens to
have.

In this case, I specified neither, so it's using whatever 4.15.3 comes
with. Note that I did not package samba myself, I'm just using the Gentoo
package for it. So if I'm understanding something about how Samba is
distributed and Samba doesn't come with a pre-specified krb5
implementation, then I'm getting whatever the Gentoo packagers use. Given
the release notes say MIT Krb5 is experimental, I assume it's the Heimdal
implementation.

https://www.samba.org/samba/history/samba-4.15.0.html
New minimum version for the experimental MIT KDC
===============================================The build of the AD DC using the
system MIT Kerberos, an
experimental feature, now requires MIT Kerberos 1.19.  An up-to-date
Fedora 34 has this version and has backported fixes for the KDC crash
bugs CVE-2021-37750 and CVE-2021-36222

smbd is linking to

dc1 ~ # ldd /usr/sbin/smbd  | grep krb
libkrb5samba-samba4.so => /usr/lib64/samba/libkrb5samba-samba4.so
(0x00007f3f8bcd0000)
libauthkrb5-samba4.so => /usr/lib64/samba/libauthkrb5-samba4.so
(0x00007f3f8b3c5000)
libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26
(0x00007f3f8ad72000)

I have two packages that depend on the system kerberos implementation,
bind-utils, where nsupdate comes from, and freeradius, and they are
currently using the MIT Krb5, instead of Heimdal.

Now that you've pointed out this discrepancy, I'll adjust the settings
to
see if that does any good.

However, I've been having this problem for several months, and only updated
to 4.15 last night, whereupon the automatic dependency solver decided to
replace the system heimdal with mit-krb5, now that samba is using it's
built in krb5 implementation. (The depsolver solves deps and the depsolver
wills, i suppose).

The TSIG warning line happened before that, when I knew I was using
heimdal. So I'm skeptical that I'll see a behavior difference. But I do
agree that having only one krb implementation is much less likely to have
other problems.


> Also your smb.conf files are borked, you do not use a user.map on a DC
> and I would expect each DC smb.conf to look similar to this:
>
Thank you for the advice.

Originally, I had a single shared smb.conf across all of my samba machines,
with appropriate include = /etc/samba/smb-%L.conf configs for each machine.

This worked great at first, but has subsequently broken more and more as
I've upgraded samba. The config in the email is the result of removing
quite a lot of configuration lines that have solved some problem or another
over the years to try to figure out where things are breaking on my DC.

I've been subscribed to this mailing list for at least 5 years, and quite a
lot of the traffic on it ultimately culminates in someone telling the
person asking for help that their configuration is wrong in some way.

Perhaps samba needs a config checker that has all these rules built in,
instead of wasting time on the mailing list? Or even have samba reject
configuration lines that don't apply to a domain controller, if it's so
sensitive to these settings?