Hi!

I'm using FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many years, but after updating to version 4.13.14 I have some trouble with issuing kerberos tickets for the ldap service at my DC. When I downgrade samba back, all works fine again.

Some strings from log.samba:

[2021/11/16 09:22:47.366807,  3] ./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SERVER$@SAMDOM.LOCAL from ipv4:10.110.2.4:55018 for LDAP/dc.samdom.local/samdom.local@SAMDOM.LOCAL [renewable, forwardable]
[2021/11/16 09:22:47.367805,  3] ./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch: message2entry failed
[2021/11/16 09:22:47.367864,  3] ./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: LDAP/dc.samdom.local/samdom.local@SAMDOM.LOCAL: no such entry found in hdb
[2021/11/16 09:22:47.367900,  3] ./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.110.2.4:55018
[2021/11/16 09:22:47.368163,  3] ./../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

When I check SPNs for my DC:

# samba-tool spn list dc$
dc$
User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following servicePrincipalName:
         HOST/DC
         HOST/dc.samdom.local
         GC/dc.samdom.local/samdom.local
         E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
         HOST/dc.samdom.local/SAMDOM
         ldap/dc.samdom.local/SAMDOM
         ldap/dc.samdom.local
         HOST/dc.samdom.local/samdom.local
         ldap/dc.samdom.local/samdom.local
         ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
         ldap/DC
         RestrictedKrbHost/DC
         RestrictedKrbHost/dc.samdom.local
         ldap/dc.samdom.local/DomainDnsZones.samdom.local
         ldap/dc.samdom.local/ForestDnsZones.samdom.local

What is wrong in my case? Thanks in advance.
On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> Hi!
>
> I'm using FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
> years, but after updating to version 4.13.14 I have some trouble with
> issuing kerberos tickets for the ldap service at my DC. When I downgrade
> samba back, all works fine again.

Can you try adding 'min domain uid = 0' to the smb.conf

Rowland
Andrew Bartlett
2021-Nov-16 17:36 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> Hi!
>
> I'm using FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
> years, but after updating to version 4.13.14 I have some trouble with
> issuing kerberos tickets for the ldap service at my DC. When I downgrade
> samba back, all works fine again.
>
> Some strings from log.samba:
>
> Kerberos: samba_kdc_fetch: message2entry failed
> [2021/11/16 09:22:47.367864,  3]
> Kerberos: Server not found in database:
> LDAP/dc.samdom.local/samdom.local@SAMDOM.LOCAL: no such entry found
> in hdb
>
> When I check SPNs for my DC:
>
> # samba-tool spn list dc$
> dc$
> User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following
> servicePrincipalName:
>          HOST/DC
>          HOST/dc.samdom.local
>          GC/dc.samdom.local/samdom.local
>          E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
>          HOST/dc.samdom.local/SAMDOM
>          ldap/dc.samdom.local/SAMDOM
>          ldap/dc.samdom.local
>          HOST/dc.samdom.local/samdom.local
>          ldap/dc.samdom.local/samdom.local
>          ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
>          ldap/DC
>          RestrictedKrbHost/DC
>          RestrictedKrbHost/dc.samdom.local
>          ldap/dc.samdom.local/DomainDnsZones.samdom.local
>          ldap/dc.samdom.local/ForestDnsZones.samdom.local
>
> What is wrong in my case?

Thanks for your mail and I'm sorry for this regression.

I should have called out this behaviour change more strongly in our release notes, or at least put a better DEBUG message on it.

In this commit:

commit 4888e198110a811a1815e2fdffc7562fe979f477
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 4 15:18:34 2021 +1300

    CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

We restricted 3-part SPNs to DCs. This is what the rule was always meant to be, but there are codepaths where this wasn't enforced. For various reasons it was simplest to enforce the rule at read time on the KDC.

Can you check:
 - the userAccountControl on your DC
 - your compiler. I'm wondering if this is some FreeBSD-only thing given that the tests passed on linux, perhaps around that boolean logic or 'bool' variable type?

If you do a full developer build, does

make test TESTS="samba.tests.krb5.spn_tests"

fail?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
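To make the rule Andrew describes concrete, here is an added example that is not Samba's code and not from anyone in this thread: a small Python model of "a 3-part SPN ending in our domain/realm is only served for a DC account", run over the SPN list and the userAccountControl values a practitioner would check. Three things in it are assumptions rather than facts from the thread: that "a DC" means an account with UF_SERVER_TRUST_ACCOUNT or UF_PARTIAL_SECRETS_ACCOUNT set, that the suffix test matches only the DNS domain and the Kerberos realm (the NetBIOS form HOST/dc.samdom.local/SAMDOM is deliberately not modelled), and the sam.ldb path in the ldbsearch line, which depends on how the port was built. Samba's real matching lives in the samba_kdc_message2entry path named in the log and should be read for the authoritative rule.

```python
# Added example, not Samba's code: a model of the post-CVE-2020-25722 KDC rule
# ("3-part SPN ending in our domain/realm is only honoured for a DC"), applied
# to the SPN list from the original post.
#
# What to look at on the DC's account (the sam.ldb path is an assumption; it
# depends on the private dir the build was configured with):
#   ldbsearch -H /var/db/samba4/private/sam.ldb '(sAMAccountName=dc$)' \
#       userAccountControl servicePrincipalName

# userAccountControl bits (MS-ADTS; same values as Samba's UF_* constants).
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000   # member server / workstation
UF_SERVER_TRUST_ACCOUNT = 0x00002000        # writable domain controller
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000     # read-only domain controller

UAC_NAMES = {
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    UF_PARTIAL_SECRETS_ACCOUNT: "PARTIAL_SECRETS_ACCOUNT",
}

# Constructed sample values: a healthy writable DC normally carries 0x82000
# (532480); a plain domain member carries 0x1000.
UAC_HEALTHY_DC = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION
UAC_MEMBER_SERVER = UF_WORKSTATION_TRUST_ACCOUNT

DNS_DOMAIN = "samdom.local"
REALM = "SAMDOM.LOCAL"

# The SPN list from the original post (samba-tool spn list dc$).
DC_SPNS = [
    "HOST/DC",
    "HOST/dc.samdom.local",
    "GC/dc.samdom.local/samdom.local",
    "E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local",
    "HOST/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local",
    "HOST/dc.samdom.local/samdom.local",
    "ldap/dc.samdom.local/samdom.local",
    "ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local",
    "ldap/DC",
    "RestrictedKrbHost/DC",
    "RestrictedKrbHost/dc.samdom.local",
    "ldap/dc.samdom.local/DomainDnsZones.samdom.local",
    "ldap/dc.samdom.local/ForestDnsZones.samdom.local",
]


def decode_uac(uac):
    """Names of the known userAccountControl bits set in a value."""
    return [name for bit, name in UAC_NAMES.items() if uac & bit]


def is_dc_account(uac):
    """Assumption: the KDC treats writable DCs and RODCs as 'a DC'."""
    return bool(uac & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT))


def is_restricted_spn(spn, dns_domain=DNS_DOMAIN, realm=REALM):
    """Three-part SPN whose last component is our DNS domain or realm.

    Accepts a bare SPN or a principal with a trailing @REALM, as printed in
    the TGS-REQ log line.  Matching the NetBIOS domain name is not modelled.
    """
    parts = spn.split("@", 1)[0].split("/")
    if len(parts) != 3:
        return False
    return parts[2].lower() in (dns_domain.lower(), realm.lower())


def kdc_would_honour(spn, uac, dns_domain=DNS_DOMAIN, realm=REALM):
    """Model of the rule: restricted SPNs are served only for DC accounts."""
    if is_restricted_spn(spn, dns_domain, realm) and not is_dc_account(uac):
        return False   # what the log reports as 'Server not found in database'
    return True


def refused_spns(spns, uac, dns_domain=DNS_DOMAIN, realm=REALM):
    """Which of an account's SPNs the post-fix KDC would refuse to serve."""
    return [s for s in spns if not kdc_would_honour(s, uac, dns_domain, realm)]


if __name__ == "__main__":
    request = "LDAP/dc.samdom.local/samdom.local@SAMDOM.LOCAL"   # from the log
    for label, uac in (("healthy DC", UAC_HEALTHY_DC),
                       ("member-server flags", UAC_MEMBER_SERVER)):
        print(f"{label}: userAccountControl=0x{uac:x} {decode_uac(uac)}")
        verdict = "served" if kdc_would_honour(request, uac) else "refused"
        print(f"  TGS-REQ for {request}: {verdict}")
        for spn in refused_spns(DC_SPNS, uac):
            print(f"  would refuse: {spn}")
```

Run against the values from the post, the model serves every SPN when the account carries SERVER_TRUST_ACCOUNT and refuses exactly the four three-part names that end in samdom.local when it does not, which is the pattern to compare with the real DC: if ldbsearch shows a userAccountControl without 0x2000 (or 0x4000000 for an RODC), the account itself is the problem; if the flag is present and the KDC still refuses, the suspicion about the FreeBSD build of the boolean check is the next thing to follow up, as Andrew suggests.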