Michael Jones
2022-Jan-28 21:57 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On Fri, Jan 28, 2022 at 3:29 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Fri, 2022-01-28 at 15:03 -0600, Michael Jones via samba wrote: > > Thank you for the response. > > > > On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba < > > samba at lists.samba.org> wrote: > > > > > On AD-DC or Member ? > > > > > > > AD-DC, phrased as "> As the root user on my domain controller." in my > > original email, though I know it was a big wall of text, so I > > probably > > would have missed that detail myself. > > > > I waded through all of that info and one thing popped out: > (-system-heimdal) -system-mitkrb5 > > So which was your DC built with, 'Heimdal' or 'MIT' ? >Those flags are specifically about overriding the krb5 library that the samba package carries, to force it to use whatever the system happens to have. In this case, I specified neither, so it's using whatever 4.15.3 comes with. Note that I did not package samba myself, I'm just using the Gentoo package for it. So if I'm understanding something about how Samba is distributed and Samba doesn't come with a pre-specified krb5 implementation, then I'm getting whatever the Gentoo packagers use. Given the release notes say MIT Krb5 is experimental, I assume it's the Heimdal implementation. https://www.samba.org/samba/history/samba-4.15.0.html New minimum version for the experimental MIT KDC ===============================================The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs CVE-2021-37750 and CVE-2021-36222 smbd is linking to dc1 ~ # ldd /usr/sbin/smbd | grep krb libkrb5samba-samba4.so => /usr/lib64/samba/libkrb5samba-samba4.so (0x00007f3f8bcd0000) libauthkrb5-samba4.so => /usr/lib64/samba/libauthkrb5-samba4.so (0x00007f3f8b3c5000) libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f3f8ad72000) I have two packages that depend on the system kerberos implementation, bind-utils, where nsupdate comes from, and freeradius, and they are currently using the MIT Krb5, instead of Heimdal. Now that you've pointed out this discrepancy, I'll adjust the settings to see if that does any good. However, I've been having this problem for several months, and only updated to 4.15 last night, whereupon the automatic dependency solver decided to replace the system heimdal with mit-krb5, now that samba is using it's built in krb5 implementation. (The depsolver solves deps and the depsolver wills, i suppose). The TSIG warning line happened before that, when I knew I was using heimdal. So I'm skeptical that I'll see a behavior difference. But I do agree that having only one krb implementation is much less likely to have other problems.> Also your smb.conf files are borked, you do not use a user.map on a DC > and I would expect each DC smb.conf to look similar to this: >Thank you for the advice. Originally, I had a single shared smb.conf across all of my samba machines, with appropriate include = /etc/samba/smb-%L.conf configs for each machine. This worked great at first, but has subsequently broken more and more as I've upgraded samba. The config in the email is the result of removing quite a lot of configuration lines that have solved some problem or another over the years to try to figure out where things are breaking on my DC. I've been subscribed to this mailing list for at least 5 years, and quite a lot of the traffic on it ultimately culminates in someone telling the person asking for help that their configuration is wrong in some way. Perhaps samba needs a config checker that has all these rules built in, instead of wasting time on the mailing list? Or even have samba reject configuration lines that don't apply to a domain controller, if it's so sensitive to these settings?
Rowland Penny
2022-Jan-28 22:20 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On Fri, 2022-01-28 at 15:57 -0600, Michael Jones wrote:> > > > > > > So which was your DC built with, 'Heimdal' or 'MIT' ? > > > Those flags are specifically about overriding the krb5 library that > the samba package carries, to force it to use whatever the system > happens to have. > > In this case, I specified neither, so it's using whatever 4.15.3 > comes with. Note that I did not package samba myself, I'm just using > the Gentoo package for it. So if I'm understanding something about > how Samba is distributed and Samba doesn't come with a pre-specified > krb5 implementation, then I'm getting whatever the Gentoo packagers > use. Given the release notes say MIT Krb5 is experimental, I assume > it's the Heimdal implementation.You need to find out which you are using, Heimdal or MIT.> > > > Now that you've pointed out this discrepancy, I'll adjust the > settings to see if that does any good. > > However, I've been having this problem for several months, and only > updated to 4.15 last night, whereupon the automatic dependency solver > decided to replace the system heimdal with mit-krb5, now that samba > is using it's built in krb5 implementation. (The depsolver solves > deps and the depsolver wills, i suppose).Samba has been using the builtin Heimdal since Samba 4 was released, though there is also an experimental version that uses MIT (this version should not be used in production).>The TSIG warning line happened before that, when I knew I was using> heimdal. So I'm skeptical that I'll see a behavior difference. But I > do agree that having only one krb implementation is much less likely > to have other problems.> >Originally, I had a single shared smb.conf across all of my samba > machines, with appropriate include = /etc/samba/smb-%L.conf configs > for each machine.> >This worked great at first, but has subsequently broken more and > more > as I've upgraded samba. The config in the email is the result of > removing quite a lot of configuration lines that have solved some > problem or another over the years to try to figure out where things > are breaking on my DC.> > I've been subscribed to this mailing list for at least 5 years, and > quite a lot of the traffic on it ultimately culminates in someone > telling the person asking for help that their configuration is wrong > in some way.We do not write your smb.conf, all we can do is to point out any errors.> > Perhaps samba needs a config checker that has all these rules built > in, instead of wasting time on the mailing list? Or even have samba > reject configuration lines that don't apply to a domain controller, > if it's so sensitive to these settings?The problem with that idea, is what may be wrong in one smb.conf, is perfectly valid in another. To get something to parse the smb.conf based on what the server role is, would probably have to be extremely large and entail some form of AI and mind reading capabilities :-) Rowland