Nikita Druba
2021-Nov-17 07:36 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
16.11.2021 18:36, Andrew Bartlett wrote:
> On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
>> Hi!
>>
>> I use FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
>> years, but after the update to version 4.13.14, I have some troubles
>> with issuing kerberos tickets for the ldap service at my DC. When I
>> downgrade samba back, all works fine again.
>>
>> Some strings from log.samba:
>>
>> Kerberos: samba_kdc_fetch: message2entry failed
>> [2021/11/16 09:22:47.367864, 3]
>> Kerberos: Server not found in database: LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found in hdb
>>
>> When I check SPNs for my DC:
>>
>> # samba-tool spn list dc$
>> dc$
>> User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following servicePrincipalName:
>> HOST/DC
>> HOST/dc.samdom.local
>> GC/dc.samdom.local/samdom.local
>> E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
>> HOST/dc.samdom.local/SAMDOM
>> ldap/dc.samdom.local/SAMDOM
>> ldap/dc.samdom.local
>> HOST/dc.samdom.local/samdom.local
>> ldap/dc.samdom.local/samdom.local
>> ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
>> ldap/DC
>> RestrictedKrbHost/DC
>> RestrictedKrbHost/dc.samdom.local
>> ldap/dc.samdom.local/DomainDnsZones.samdom.local
>> ldap/dc.samdom.local/ForestDnsZones.samdom.local
>>
>> What is wrong in my case?
>
> Thanks for your mail and I'm sorry for this regression. I should have
> called out this behaviour change more strongly in our release notes, or
> at least put a better DEBUG message on it.
>
> In this commit:
>
> commit 4888e198110a811a1815e2fdffc7562fe979f477
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Oct 4 15:18:34 2021 +1300
>
>     CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
>     (ending in our domain/realm) unless a DC
>
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
>
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>
> We restricted 3-part SPNs to DCs. This is what the rule was always
> meant to be, but there are codepaths where this wasn't enforced. For
> various reasons it was simplest to enforce the rule at read time on the
> KDC.
>
> Can you check:
>  - the userAccountControl on your DC
>  - your compiler. I'm wondering if this is some FreeBSD-only thing
> given that the tests passed on linux, perhaps around that boolean logic
> or 'bool' variable type?
>
> If you do a full developer build, does make test
> TESTS="samba.tests.krb5.spn_tests" fail?
>
> Thanks,
>
> Andrew Bartlett

Ok.

I checked the ldap base and for my DC$ account
userAccountControl=69632

After the update I don't see any changes here.

I use samba built from sources at my server and use the latest versions
of all other software from the FreeBSD ports tree.
I see that for samba 4.13.14 I have built the spn_tests.py file. How
should I run this script?

I have not tried the suggestion from the other reply about "min domain uid"
this time, but I can do it next.

Also I have the full build log and some working logs of samba 4.13.14.

Thanks,
Nikita Druba
Andrew Bartlett
2021-Nov-17 09:27 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
> 16.11.2021 18:36, Andrew Bartlett wrote:
> > On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> > > Hi!
> > >
> > > I use FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
> > > years, but after the update to version 4.13.14, I have some troubles
> > > with issuing kerberos tickets for the ldap service at my DC. When I
> > > downgrade samba back, all works fine again.
> > >
> > > Some strings from log.samba:
> > >
> > > Kerberos: samba_kdc_fetch: message2entry failed
> > > [2021/11/16 09:22:47.367864, 3]
> > > Kerberos: Server not found in database: LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found in hdb
> > >
> > > When I check SPNs for my DC:
> > >
> > > # samba-tool spn list dc$
> > > dc$
> > > User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following servicePrincipalName:
> > > HOST/DC
> > > HOST/dc.samdom.local
> > > GC/dc.samdom.local/samdom.local
> > > E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
> > > HOST/dc.samdom.local/SAMDOM
> > > ldap/dc.samdom.local/SAMDOM
> > > ldap/dc.samdom.local
> > > HOST/dc.samdom.local/samdom.local
> > > ldap/dc.samdom.local/samdom.local
> > > ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
> > > ldap/DC
> > > RestrictedKrbHost/DC
> > > RestrictedKrbHost/dc.samdom.local
> > > ldap/dc.samdom.local/DomainDnsZones.samdom.local
> > > ldap/dc.samdom.local/ForestDnsZones.samdom.local
> > >
> > > What is wrong in my case?
> >
> > Thanks for your mail and I'm sorry for this regression. I should have
> > called out this behaviour change more strongly in our release notes, or
> > at least put a better DEBUG message on it.
> >
> > In this commit:
> >
> > commit 4888e198110a811a1815e2fdffc7562fe979f477
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Mon Oct 4 15:18:34 2021 +1300
> >
> >     CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
> >     (ending in our domain/realm) unless a DC
> >
> >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
> >
> >     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> >     Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
> >
> > We restricted 3-part SPNs to DCs. This is what the rule was always
> > meant to be, but there are codepaths where this wasn't enforced. For
> > various reasons it was simplest to enforce the rule at read time on the
> > KDC.
> >
> > Can you check:
> >  - the userAccountControl on your DC
> >  - your compiler. I'm wondering if this is some FreeBSD-only thing
> > given that the tests passed on linux, perhaps around that boolean logic
> > or 'bool' variable type?
> >
> > If you do a full developer build, does make test
> > TESTS="samba.tests.krb5.spn_tests" fail?
> >
> > Thanks,
> >
> > Andrew Bartlett
>
> Ok.
>
> I checked the ldap base and for my DC$ account
> userAccountControl=69632

This is your issue. Have you perhaps joined a FreeNAS server to your DC
at some point? It had a very confusing GUI that encouraged you to wipe
out the DC account.

This userAccountControl is UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD
and is therefore not a real Domain Controller.

> After the update I don't see any changes here.
>
> I use samba built from sources at my server and use the latest versions
> of all other software from the FreeBSD ports tree.
> I see that for samba 4.13.14 I have built the spn_tests.py file. How
> should I run this script?

./configure.developer
make -j
make test TESTS="samba.tests.krb5.spn_tests"

> I have not tried the suggestion from the other reply about "min domain uid"
> this time, but I can do it next.

This isn't relevant. This is a totally different part of the codebase.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
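The diagnosis above, as an added example that is not Samba's own code: it decodes the posted userAccountControl value with the standard AD flag bits and applies the rule from the quoted commit (a 3-part SPN ending in our domain/realm is honoured only for an account with UF_SERVER_TRUST_ACCOUNT) to the SPN list posted in the thread. Which third components count as "our domain/realm" (here the DNS domain and the Kerberos realm) is an assumption of this example, not taken from Samba's source.

```python
# Added example, not Samba's own code: decode userAccountControl with the
# standard AD flag values and apply the rule from the commit quoted above
# (a 3-part SPN ending in our domain/realm is honoured only for a DC).
# Which names count as "our domain/realm" is an assumption of this example.

UAC_FLAGS = {
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,   # member/workstation account
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,        # domain controller account
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
    "UF_TRUSTED_FOR_DELEGATION": 0x80000,
}

OUR_NAMES = ("samdom.local", "SAMDOM.LOCAL")  # DNS domain and Kerberos realm

def decode_uac(uac):
    """Names of the known userAccountControl bits set in uac (69632 == 0x11000)."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]

def is_dc(uac):
    """Only UF_SERVER_TRUST_ACCOUNT marks a real domain controller."""
    return bool(uac & UAC_FLAGS["UF_SERVER_TRUST_ACCOUNT"])

def spn_allowed(spn, uac, our_names=OUR_NAMES):
    """Read-time check as the commit message describes it: anything but a
    3-part SPN ending in our domain/realm passes; that form needs a DC."""
    parts = spn.split("/")
    if len(parts) != 3:
        return True
    if parts[2].lower() not in {n.lower() for n in our_names}:
        return True
    return is_dc(uac)

def rejected_spns(spns, uac, our_names=OUR_NAMES):
    """SPNs the KDC would report as 'Server not found in database'."""
    return [s for s in spns if not spn_allowed(s, uac, our_names)]

# The servicePrincipalName list from the samba-tool output in the thread
SPN_LIST = [
    "HOST/DC", "HOST/dc.samdom.local", "GC/dc.samdom.local/samdom.local",
    "E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local",
    "HOST/dc.samdom.local/SAMDOM", "ldap/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local", "HOST/dc.samdom.local/samdom.local",
    "ldap/dc.samdom.local/samdom.local",
    "ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local",
    "ldap/DC", "RestrictedKrbHost/DC", "RestrictedKrbHost/dc.samdom.local",
    "ldap/dc.samdom.local/DomainDnsZones.samdom.local",
    "ldap/dc.samdom.local/ForestDnsZones.samdom.local",
]
```

With the posted value 69632 the four SPNs ending in samdom.local (including the ldap one from the log) are rejected, while a value carrying UF_SERVER_TRUST_ACCOUNT, e.g. 0x82000, accepts the whole list.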