Dear list,

I'm having trouble with refreshing Kerberos tickets with winbind. Our clients are openSUSE Leap 15.4 clients with a separately built Samba 4.16.2, and they are domain members of an AD domain named ilrw.ing.dom.tu-dresden.de. This domain is a subdomain (two-way, transitive trusts) of ing.dom.tu-dresden.de, which again is a subdomain of dom.tu-dresden.de. User accounts are administered centrally in the root domain dom.tu-dresden.de. If I log on to a client with a user account I'm getting a TGT and service tickets and everything works fine, as seen in the klist output:

    Ticketzwischenspeicher: FILE:/tmp/krb5cc_103321
    Standard-Principal: account@DOM.TU-DRESDEN.DE

    Valid starting       Expires              Service principal
    23.06.2022 17:34:16  24.06.2022 03:34:16  krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE
            erneuern bis 30.06.2022 17:34:16
    23.06.2022 17:34:16  24.06.2022 03:34:16  LFTWORKLI06$@ILRW.ING.DOM.TU-DRESDEN.DE
            erneuern bis 30.06.2022 17:34:16

But after a while or overnight the ticket cache is deleted by winbind. The logs say that winbind was trying to refresh the ticket. But winbind tries to refresh krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE, which is not in the cache, since krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE is cached. This results in destroying the ticket cache. My question is whether this is a configuration error and what I have to change to avoid destroying the ticket cache.
    [2022/06/23 16:24:06.069415, 10, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:123(krb5_ticket_refresh_handler)
      krb5_ticket_refresh_handler: event called for: FILE:/tmp/krb5cc_103321, DOM+account
    [2022/06/23 16:24:06.069772, 10, pid=11448, effective(103321, 0), real(103321, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)
      smb_krb5_trace_cb: [11448] 1655994246.069600: Retrieving account@DOM.TU-DRESDEN.DE -> krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE from FILE:/tmp/krb5cc_103321 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_103321)
    [2022/06/23 16:24:06.069819,  3, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:227(krb5_ticket_refresh_handler)
      krb5_ticket_refresh_handler: could not renew tickets: Matching credential not found
    [2022/06/23 16:24:06.069908, 10, pid=11448, effective(0, 0), real(0, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)
      smb_krb5_trace_cb: [11448] 1655994246.069602: Destroying ccache FILE:/tmp/krb5cc_103321

smb.conf

    [global]
            bind interfaces only = Yes
            dedicated keytab file = /etc/krb5.keytab
            interfaces = lo eth0
            kerberos method = secrets and keytab
            realm = ILRW.ING.DOM.TU-DRESDEN.DE
            security = ADS
            template homedir = /home/home_ilrw/%U
            template shell = /bin/bash
            winbind refresh tickets = yes
            winbind separator = +
            workgroup = ILRW
            idmap config dom : range = 10000-9999999 # UID from RID for DOM
            idmap config dom : backend = rid
            idmap config ilrw : range = 3000-9999 # UID from RID for ILRW
            idmap config ilrw : backend = rid
            idmap config * : range = 2000-2999
            idmap config * : backend = tdb

krb5.conf

    [libdefaults]
            default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
            dns_lookup_realm = false
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            renew_lifetime = 7d
            forwardable = true

    [realms]
      ILRW.ING.DOM.TU-DRESDEN.DE = {
            auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
            auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
            auth_to_local = DEFAULT
      }

Regards,

--
Andreas Hauffe
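To check what the auth_to_local rules in this krb5.conf actually produce, here is a small evaluator, added as an example and not code from the original post, from Samba or from any Kerberos library. It implements the RULE:[n:string](regexp)s/pattern/replacement/ form as documented for MIT krb5 (the format string is built from $0 = realm and $1..$n = components, the regexp must match the whole string, then the sed-style substitution is applied, and rules are tried in order until one succeeds), plus DEFAULT; that reading of the semantics is an assumption, and a Heimdal-based build may behave differently. The rules and default realm are copied from the configuration above; the principals fed in are constructed.

```python
import re

# Values copied from the krb5.conf posted in the thread.
DEFAULT_REALM = "ILRW.ING.DOM.TU-DRESDEN.DE"
AUTH_TO_LOCAL = [
    r"RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/",
    r"RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/",
    "DEFAULT",
]

# Only the full RULE form used in this krb5.conf is parsed:
# RULE:[n:format](regexp)s/pattern/replacement/[g]
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def split_principal(principal):
    """'host/box@REALM' -> (['host', 'box'], 'REALM'); no escape handling."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name this one rule yields, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        if len(comps) == 1 and realm == default_realm:
            return comps[0]
        return None
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local rule: {rule}")
    ncomp, fmt, regexp, pattern, replacement, flag = m.groups()
    if len(comps) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the principal components.
    selected = re.sub(
        r"\$(\d+)",
        lambda g: realm if g.group(1) == "0" else comps[int(g.group(1)) - 1],
        fmt,
    )
    if re.fullmatch(regexp, selected) is None:
        return None
    return re.sub(pattern, replacement, selected, count=0 if flag == "g" else 1)


def map_principal(principal, rules=AUTH_TO_LOCAL):
    """First rule that applies wins, as MIT krb5 does; None if no rule applies."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("account@DOM.TU-DRESDEN.DE",            # user from the root domain
              "user@ILRW.ING.DOM.TU-DRESDEN.DE",      # user from the member's own domain
              "host/lftworkli06@ILRW.ING.DOM.TU-DRESDEN.DE",  # two components
              "someone@OTHER.EXAMPLE"):                # realm no rule covers
        print(f"{p:50} -> {map_principal(p)}")
```

For the root-domain user the rules yield DOM+account, which is the name winbind logs in the refresh event above ("event called for: ..., DOM+account") and matches winbind separator = +; the name mapping side of the configuration is therefore consistent, which narrows the problem to the renewal step itself.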
On Mon, 2022-06-27 at 12:45 +0200, Andreas Hauffe via samba wrote:
> Dear list,
>
> I'm having trouble with refreshing kerberos tickets with winbind. Our
> clients are openSUSE Leap 15.4 clients with a separately built samba
> 4.16.2 and they are domain members of an AD domain named
> ilrw.ing.dom.tu-dresden.de. This domain is a subdomain (two-way,
> transitive trusts) of ing.dom.tu-dresden.de, which again is a subdomain
> of dom.tu-dresden.de. User accounts are administered centrally in the
> root domain dom.tu-dresden.de. If I log on to a client with a user account
> I'm getting a tgt and service tickets and everything works fine, as seen
> in the klist output:

I wonder if this is a 'trusts' problem? Stefan Kania probably knows more about them than anyone else; he gave a talk about them at SambaXP, see here for the pdf:

https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial-en.pdf

Reading that may give you help.

Rowland
I think it's not a configuration error; it must have something to do with winbind itself. I would say that winbind is trying to get a new ticket from the domain the machine is a member of. The parameter Rowland was posting, 'winbind scan trusted domains = yes', should fix this problem (it did in 4.12 and 4.13); that was the last time I've configured a trust with more than two domains. I would open a bug report.

On 27.06.22 at 12:45, Andreas Hauffe via samba wrote:
> [...]

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
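To recognise the failure pattern Stefan describes (winbind renewing against the krbtgt of the machine's own realm rather than the user's) in a level-10 winbind log before the cache is gone, here is a small log checker, added as an example and not code from Samba or from anyone in the thread. It reads the smb_krb5_trace_cb lines, derives the TGT a user's cache is expected to hold (krbtgt/REALM@REALM for the principal's own realm, an assumption stated in the code), flags every failed retrieval that asked for a different krbtgt, and marks whether that cache was destroyed afterwards. The sample lines are reconstructed from the log in Andreas's original post, plus one constructed successful retrieval for a second cache to show a clean case.

```python
import re
from dataclasses import dataclass

# Sample input: the log lines from the original post, reconstructed, plus one
# constructed clean retrieval for a second cache (/tmp/krb5cc_200000).
SAMPLE_LOG = [
    "[2022/06/23 16:24:06.069415, 10, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:123(krb5_ticket_refresh_handler)",
    "  krb5_ticket_refresh_handler: event called for: FILE:/tmp/krb5cc_103321, DOM+account",
    "[2022/06/23 16:24:06.069772, 10, pid=11448, effective(103321, 0), real(103321, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)",
    "  smb_krb5_trace_cb: [11448] 1655994246.069600: Retrieving account@DOM.TU-DRESDEN.DE -> krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE from FILE:/tmp/krb5cc_103321 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_103321)",
    "[2022/06/23 16:24:06.069819,  3, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:227(krb5_ticket_refresh_handler)",
    "  krb5_ticket_refresh_handler: could not renew tickets: Matching credential not found",
    "[2022/06/23 16:24:06.069908, 10, pid=11448, effective(0, 0), real(0, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)",
    "  smb_krb5_trace_cb: [11448] 1655994246.069602: Destroying ccache FILE:/tmp/krb5cc_103321",
    # constructed clean case: the renewal looks up the user's own realm's TGT and succeeds
    "  smb_krb5_trace_cb: [11448] 1655994300.000000: Retrieving other@DOM.TU-DRESDEN.DE -> krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE from FILE:/tmp/krb5cc_200000 with result: 0/Success",
]

RETRIEVE_RE = re.compile(
    r"Retrieving (\S+) -> (\S+) from (\S+) with result: (-?\d+)/([^(]+?)\s*(?:\(filename: [^)]*\))?$"
)
DESTROY_RE = re.compile(r"Destroying ccache (\S+)\s*$")


@dataclass
class RenewalFinding:
    ccache: str
    client: str
    requested_tgt: str
    expected_tgt: str
    reason: str
    destroyed: bool = False


def expected_tgt_for(client_principal):
    """Assumption: a user's cache holds the TGT of the user's own realm, krbtgt/REALM@REALM."""
    realm = client_principal.rsplit("@", 1)[1]
    return f"krbtgt/{realm}@{realm}"


def analyze(lines):
    """Return one finding per cache whose TGT renewal failed, noting if the cache was then destroyed."""
    findings = {}
    for line in lines:
        m = RETRIEVE_RE.search(line)
        if m:
            client, server, ccache, code, msg = m.groups()
            # Only failed lookups of a TGT are interesting here.
            if int(code) == 0 or not server.startswith("krbtgt/"):
                continue
            expected = expected_tgt_for(client)
            if server != expected:
                reason = "renewal asked for another realm's krbtgt"
            else:
                reason = msg  # right TGT, but the library still failed (e.g. renew lifetime exceeded)
            findings[ccache] = RenewalFinding(ccache, client, server, expected, reason)
            continue
        m = DESTROY_RE.search(line)
        if m and m.group(1) in findings:
            findings[m.group(1)].destroyed = True
    return list(findings.values())


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ccache}: {f.client} renewal requested {f.requested_tgt}, "
              f"expected {f.expected_tgt}; {f.reason}; cache destroyed: {f.destroyed}")
```

Run against a real log (log level 10 for the winbind and kerberos classes, as in the post), the checker separates the realm mismatch from ordinary renewal failures such as an expired renew_lifetime, so an administrator can tell which caches were lost because winbind looked for krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE instead of the cached krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE.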