Daniel Lakeland
2023-Apr-13 22:55 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Ok after installing libpam-winbind etc I had someone try to connect from a MacOS and they got:

[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

So it looks like her mac tried to use her Kerberos identity but the Samba daemon didn't like that because "in standalone mode"

the samba settings during this test were:

security = user
realm = OURREALM.REALM
kerberos method = system keytab

server role = standalone server
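The log lines above, as an added example that is not part of the original post: a small Python parser for Samba's debug-log layout (a `[timestamp, level] file:line(function)` header followed by indented message lines) that groups each header with its message, tallies the NT_STATUS codes seen, and flags the "Unexpected PAC ... in standalone mode" rejection together with the principal it names. The sample log text is constructed from the shape of the lines in the post; the function and pattern names are assumptions of this example, not Samba's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

# Header line: "[YYYY/MM/DD HH:MM:SS.uuuuuu, level] path:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# The message smbd emits when a PAC-bearing ticket hits a standalone server.
STANDALONE_PAC_RE = re.compile(r"Unexpected PAC for \[(?P<principal>[^\]]+)\] in standalone mode")
STATUS_RE = re.compile(r"NT_STATUS_[A-Z0-9_]+")


@dataclass
class LogRecord:
    timestamp: str
    level: int
    source: str      # "file:line" from the header
    function: str
    message: str     # indented continuation lines, joined with spaces


def parse_samba_log(text: str) -> List[LogRecord]:
    """Group every header line with the indented message lines that follow it."""
    records: List[LogRecord] = []
    header = None
    body: List[str] = []

    def flush() -> None:
        if header is not None:
            records.append(LogRecord(
                timestamp=header["ts"], level=int(header["level"]),
                source=f"{header['file']}:{header['line']}",
                function=header["func"], message=" ".join(body)))

    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            flush()
            header, body = m.groupdict(), []
        elif header is not None and raw.strip():
            body.append(raw.strip())
    flush()
    return records


def find_standalone_pac_rejections(text: str) -> List[Tuple[str, str]]:
    """(timestamp, principal) for each session setup refused because a
    Kerberos ticket carrying a PAC reached a server in standalone mode."""
    hits: List[Tuple[str, str]] = []
    for rec in parse_samba_log(text):
        m = STANDALONE_PAC_RE.search(rec.message)
        if m:
            hits.append((rec.timestamp, m.group("principal")))
    return hits


def status_counts(text: str) -> Dict[str, int]:
    """How often each NT_STATUS code appears in the messages."""
    counts: Dict[str, int] = {}
    for rec in parse_samba_log(text):
        for status in STATUS_RE.findall(rec.message):
            counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, principal in find_standalone_pac_rejections(SAMPLE_LOG):
        print(f"{ts}: PAC-bearing ticket for {principal} rejected in standalone mode")
    print(status_counts(SAMPLE_LOG))
```

Run against a real `log.smbd` at debug level 1 or higher, a non-empty result from `find_standalone_pac_rejections` is the quick way to confirm that the failing clients are the ones presenting Kerberos tickets rather than, say, an enctype mismatch.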
Robert Schetterer
2023-Apr-14 06:17 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14.04.23 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from
> a MacOS and they got:
>
> [2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her mac tried to use her Kerberos identity but the
> Samba daemon didn't like that because "in standalone mode"
>
> the samba settings during this test were:
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
>
> server role = standalone server

Speculation: check your kerberos setup /etc/krb5.keytab

default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

While Windows Server had an update a few months ago, Red Hat had a warning:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index

When it comes to shares with cifs, mostly it's broken in the kernel.

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Kees van Vloten
2023-Apr-14 09:03 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14-04-2023 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect
> from a MacOS and they got:
>
> [2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her mac tried to use her Kerberos identity but the
> Samba daemon didn't like that because "in standalone mode"
>
> the samba settings during this test were:
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
>
> server role = standalone server

You could try what Rowland suggests: set up AD and add the users in it. There is no (strict) need to join the client machines; the AD-DC provides a KDC and an LDAP server. You can still use kinit on the clients to authenticate and get a ticket.

With an AD-DC and a fileserver (joined to the domain) (on separate machines) your scenario will work pretty much as it always did, but with a recent Samba version.

Do you see any obstacles, Rowland?

- Kees.
Christian Naumer
2023-Apr-14 09:47 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
We are only talking about joining your server to your REALM, not the clients. It is possible to do this. See this example for FreeIPA:

https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview

But as you can see it is more complicated than just joining a Windows domain. I think you should be able to do this with pam_krb and the nss IDMAP backend. But you will have to set up the keytab of your server etc.

Regards

Christian

On 14.04.23 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from
> a MacOS and they got:
>
> [2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her mac tried to use her Kerberos identity but the
> Samba daemon didn't like that because "in standalone mode"
>
> the samba settings during this test were:
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
>
> server role = standalone server
Andrew Bartlett
2023-Apr-25 23:43 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On Thu, 2023-04-13 at 15:55 -0700, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from
> a MacOS and they got:
>
> [2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE

So I knew this would happen, sorry about that.

When we did the big 2021 security fixes, we strictly set a line between 'AD has a PAC' and 'MIT Krb5 (traditional) does not'. This was meant to ensure that folks would not connect Samba as a 'standalone' server in an AD domain, bypassing the security mitigation we put in place against the 'dollar ticket attack' where users could create an account called 'root$' but print it as 'root'.

The problem is that subsequent to that, I saw that the MIT folks decided to always issue a PAC, just without the LOGON_INFO component. Samba doesn't do well with that, and a fix is needed both in this code and in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
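The distinction Andrew draws between 'has a PAC' and 'has a PAC with LOGON_INFO', as an added example that is not Samba's code: a minimal walker over the PAC buffer table (the PACTYPE header and PAC_INFO_BUFFER entries from MS-PAC, where ulType 1 is the LOGON_INFO buffer) plus a model of the standalone-server gate in its 2021 form, which refuses any PAC, and in the proposed form, which refuses only a PAC that actually carries LOGON_INFO. The two sample PACs are constructed with placeholder bodies; `build_pac`, the `test` parameter and the status strings returned are assumptions of this example, not Samba identifiers (NT_STATUS_BAD_TOKEN_TYPE is the code from the log above).

```python
import struct
from typing import Dict, List, Optional

# PAC buffer types (ulType) from MS-PAC; only LOGON_INFO matters for the check below.
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_KDC_CHECKSUM = 0x07
PAC_CLIENT_INFO = 0x0A


def build_pac(buffers: Dict[int, bytes]) -> bytes:
    """Hypothetical helper used only to construct test data. Serialises a
    PACTYPE blob: ULONG cBuffers, ULONG Version (0), then one PAC_INFO_BUFFER
    (ULONG ulType, ULONG cbBufferSize, ULONG64 Offset) per buffer, followed by
    the buffer bodies, each padded to 8 bytes. All fields are little-endian."""
    count = len(buffers)
    offset = 8 + 16 * count          # bodies start right after the table
    table, bodies = b"", b""
    for ul_type, data in buffers.items():
        table += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        bodies += padded
        offset += len(padded)
    return struct.pack("<II", count, 0) + table + bodies


def pac_buffer_types(pac: bytes) -> List[int]:
    """Walk the PAC_INFO_BUFFER table and return each ulType, refusing blobs
    whose table or buffer extents run past the end of the data."""
    if len(pac) < 8:
        raise ValueError("PAC shorter than the PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    if 8 + 16 * count > len(pac):
        raise ValueError("PAC buffer table runs past the end of the blob")
    types: List[int] = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ul_type:#x} extends past the end of the blob")
        types.append(ul_type)
    return types


def pac_has_logon_info(pac: bytes) -> bool:
    return PAC_LOGON_INFO in pac_buffer_types(pac)


def standalone_session_decision(pac: Optional[bytes], test: str = "has-pac-with-logon-info") -> str:
    """Model (not Samba's code) of the standalone-server gate described in the
    thread. test="has-pac" is the 2021 rule: any ticket carrying a PAC is
    rejected. test="has-pac-with-logon-info" is the proposed rule: only a PAC
    that carries LOGON_INFO (AD-style authorization data) is rejected, so an
    MIT ticket whose PAC lacks LOGON_INFO is treated like a PAC-less one."""
    if pac is None:
        return "NT_STATUS_OK"
    if test == "has-pac":
        return "NT_STATUS_BAD_TOKEN_TYPE"
    if test == "has-pac-with-logon-info":
        return "NT_STATUS_BAD_TOKEN_TYPE" if pac_has_logon_info(pac) else "NT_STATUS_OK"
    raise ValueError(f"unknown test {test!r}")


# Constructed sample PACs: bodies are placeholder bytes, only the table matters here.
AD_STYLE_PAC = build_pac({PAC_LOGON_INFO: b"\x01" * 40, PAC_CLIENT_INFO: b"\x02" * 12,
                          PAC_SERVER_CHECKSUM: b"\x03" * 16, PAC_KDC_CHECKSUM: b"\x04" * 16})
MIT_STYLE_PAC = build_pac({PAC_CLIENT_INFO: b"\x02" * 12,
                           PAC_SERVER_CHECKSUM: b"\x03" * 16, PAC_KDC_CHECKSUM: b"\x04" * 16})

if __name__ == "__main__":
    for name, pac in (("no PAC", None), ("MIT-style PAC", MIT_STYLE_PAC), ("AD-style PAC", AD_STYLE_PAC)):
        print(f"{name:14s} has-pac -> {standalone_session_decision(pac, 'has-pac'):25s} "
              f"has-pac-with-logon-info -> {standalone_session_decision(pac)}")
```

The real LOGON_INFO body is an NDR-encoded KERB_VALIDATION_INFO and the checksum buffers must be verified before anything in the PAC is trusted; the walker above deliberately stops at the table, because the presence test Andrew describes only needs to know whether a LOGON_INFO entry exists, and a bounds-checked table walk is the part that has to be robust against malformed input.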