Denis Cardon
2015-Feb-16 10:33 UTC
[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub resources
Hi Garming,

> As far I know, all this should work as you would expect. Quite recently,
> Andrew Bartlett and I went about testing some of the behaviour of the
> KDC and confirming behaviour such as RODC ticket forwarding.

Thanks for the input. It gives me hope to dig deeper! I have some more time to spend on this issue today, I am going to try some more scenarios.

> The one thing to check would be whether or not Samba is being linked
> against system Heimdal. As it stands, there is no real testing of Samba
> using system Heimdal and from the testing we've done, there are almost
> certainly oddities and unexpected failures with this setup - this included.

I didn't think that I had some Kerberos dev libraries on my Debian wheezy compilation server where I run my build script. But after double-checking, I realized that libcups2-dev brings in libkrb5-dev and krb5-multidev (I use the same package build for both DC and member servers). However those packages are for MIT Kerberos libraries I think and there should be no Heimdal inside.

I'm going to check that kind of setup with sernet packages and see if it gets any better.

By the way, the issue can be reproduced on the command line on the rodc (in the excerpt below, rodc-nantes is the rodc, srvads is the rwdc and everything works fine except this issue):

    [root@rodc-nantes.tranq ~]# shorewall start

    [root@rodc-nantes.tranq ~]# kinit dcardon
    Password for dcardon@TRANQUILIT.LOCAL:

    [root@rodc-nantes.tranq ~]# shorewall clear

    [root@rodc-nantes.tranq ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: dcardon@TRANQUILIT.LOCAL

    Valid starting       Expires              Service principal
    16/02/2015 11:22:47  16/02/2015 21:22:47  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
            renew until 17/02/2015 11:22:45

    [root@rodc-nantes.tranq ~]# smbclient -k -L rodc-nantes
    Domain=[TRANQUILIT] OS=[Unix] Server=[Samba 4.1.16]

            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service (Samba 4.1.16)
    Domain=[TRANQUILIT] OS=[Unix] Server=[Samba 4.1.16]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------

    [root@rodc-nantes.tranq ~]# smbclient -k -L srvads
    ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/srvads@TRANQUILIT.LOCAL (Generic error (see e-text))
    cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Generic error (see e-text)
    session setup failed: NT_STATUS_UNSUCCESSFUL

Thanks for your input Garming. I'll keep you informed of our progress.

Denis

> Cheers,
>
> Garming Sam
>
> On 11/02/15 09:54, Denis Cardon wrote:
>> Hi everyone,
>>
>> I would like to have some input on resources access from a
>> workstation logged on a RODC server that has to connect on hub site
>> servers.
>>
>> After login in the remote windows workstation, I have LOGONSERVER
>> environment variable set to the local RODC server (workstation and
>> user credentials have been preloaded). Everything works fine on local
>> server. However if I want to connect to central office resources,
>> kerberos auth does not work for central servers.
>>
>> According to MS docs [1], the RODC should forward the KRB_TGS_REQ to
>> the hub RWDC so that it can compute the corresponding service ticket
>> and send it back to the RODC which forwards it to the workstation.
>>
>> However it does not seem to happen in my case. I wanted to know if
>> someone had succeeded to make it work in such a scenario, and what I
>> may have done wrong.
>>
>> Samba 4.1.16 on both sites with rodc preload patches and no firewall
>> in between (except temporarily when I want to force login on the rodc,
>> then iptables clear).
>>
>> Thanks,
>>
>> Denis
>>
>>
>> [1]
>> https://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_AuthRODC
>>
>> paragraph "BobKelly accesses a resource on a server in a different site"
>>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
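An added toy model, written for this page and not taken from the thread or from Samba, of the KDC decision the quoted TechNet paragraph describes: a KDC that holds the target service's key issues the service ticket itself; a read-only KDC that does not hold it forwards the TGS-REQ to the hub RWDC, which can validate the RODC-issued TGT because it holds every krbtgt key (in AD the RODC uses a separate krbtgt_NNNNN account). The names rodc-nantes, srvads and dcardon mirror the thread; the keys and the dict/HMAC "ticket" format are constructed stand-ins for real Kerberos encryption, and demo(hub_reachable=False) replays the situation where the link to the hub is blocked.

```python
import hashlib, hmac, json

def seal(key: bytes, claims: dict) -> dict:  # stand-in for encrypting a ticket
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key: bytes, ticket: dict) -> dict:  # only the key holder can read it
    mac = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, ticket["mac"]):
        raise PermissionError("wrong key for this ticket")
    return json.loads(ticket["body"])

class KDC:
    def __init__(self, name, krbtgt_keys, service_keys, upstream=None):
        self.name = name
        self.krbtgt_keys = krbtgt_keys    # RODC: only its own krbtgt; RWDC: every krbtgt
        self.service_keys = service_keys  # service secrets this DC is allowed to hold
        self.upstream = upstream          # RODC -> hub RWDC; None for the RWDC itself
        self.log = []

    def as_req(self, user: str) -> dict:
        """AS exchange (kinit): a TGT sealed with this KDC's own krbtgt key."""
        return {"issuer": self.name, "enc": seal(self.krbtgt_keys[self.name], {"user": user})}

    def tgs_req(self, tgt: dict, service: str) -> dict:
        """TGS exchange: issue locally if we hold the service key, else forward."""
        if tgt["issuer"] not in self.krbtgt_keys:
            raise PermissionError(f"{self.name}: cannot validate TGT issued by {tgt['issuer']}")
        user = unseal(self.krbtgt_keys[tgt["issuer"]], tgt["enc"])["user"]
        if service in self.service_keys:
            self.log.append(f"{self.name}: issued {service} locally")
            return seal(self.service_keys[service], {"user": user, "service": service, "issuer": self.name})
        if self.upstream is None:
            raise LookupError(f"{self.name}: no key for {service} and no RWDC reachable")
        self.log.append(f"{self.name}: forwarding TGS-REQ for {service} to {self.upstream.name}")
        return self.upstream.tgs_req(tgt, service)

def demo(hub_reachable: bool = True) -> dict:
    # Constructed keys and names; they mirror the thread's rodc-nantes / srvads setup.
    svc = {"cifs/srvads": b"hub-cifs-key", "cifs/rodc-nantes": b"branch-cifs-key"}
    krbtgt = {"srvads": b"hub-krbtgt-key", "rodc-nantes": b"branch-krbtgt-key"}
    rwdc = KDC("srvads", krbtgt, svc)
    rodc = KDC("rodc-nantes", {"rodc-nantes": krbtgt["rodc-nantes"]},
               {"cifs/rodc-nantes": svc["cifs/rodc-nantes"]}, rwdc if hub_reachable else None)
    tgt = rodc.as_req("dcardon")
    local = unseal(svc["cifs/rodc-nantes"], rodc.tgs_req(tgt, "cifs/rodc-nantes"))["issuer"]
    try:
        remote = unseal(svc["cifs/srvads"], rodc.tgs_req(tgt, "cifs/srvads"))["issuer"]
    except LookupError:
        remote = None  # the branch KDC cannot mint a ticket for a key it never holds
    return {"local_issuer": local, "remote_issuer": remote, "log": rodc.log}
```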
Garming Sam
2015-Feb-16 21:13 UTC
[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub resources
Hi,

If you don't make much progress on your own, one thing you could do is turn up the logging level and send in some logs and network traces (and the steps you took). This is usually the easiest way to diagnose any obvious issues and gives a much better sense of what is actually happening.

One other thing is that we generally recommend against .LOCAL domains although I would have no idea if this was actually causing any issues (at least without any further evidence). There are certainly many other things that could have gone wrong.

Cheers,

Garming Sam

On 16/02/15 23:33, Denis Cardon wrote:
> Hi Garming,
>
>> As far I know, all this should work as you would expect. Quite recently,
>> Andrew Bartlett and I went about testing some of the behaviour of the
>> KDC and confirming behaviour such as RODC ticket forwarding.
>
> Thanks for the input. It gives me hope to dig deeper! I have some more
> time to spend on this issue today, I am going to try some more scenarios.
>
>> The one thing to check would be whether or not Samba is being linked
>> against system Heimdal. As it stands, there is no real testing of Samba
>> using system Heimdal and from the testing we've done, there are almost
>> certainly oddities and unexpected failures with this setup - this
>> included.
>
> I didn't think that I had some Kerberos dev libraries on my Debian
> wheezy compilation server where I run my build script. But after
> double-checking, I realized that libcups2-dev brings in libkrb5-dev
> and krb5-multidev (I use the same package build for both DC and member
> servers). However those packages are for MIT Kerberos libraries I
> think and there should be no Heimdal inside.
>
> I'm going to check that kind of setup with sernet packages and see if
> it gets any better.
Denis Cardon
2015-Feb-22 23:10 UTC
[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub resources
Hi Garming,

> If you don't make much progress on your own, one thing you could do is
> turn up the logging level and send in some logs and network traces
> (and the steps you took). This is usually the easiest way to diagnose
> any obvious issues and gives a much better sense of what is actually
> happening.

Sorry to come back to you so late... It seems indeed to be some kind of compilation issue like you suggested: I tried the pre-compiled sernet package (adding the python patch for user/machine preloading). Then my previous scenario (blocked_fw / kinit / smbclient -k -L rodc / clear_fw / smbclient -k -L srvads) worked like a charm.

However on the windows side, I still couldn't log on the rodc and I had the same windows error message as Michael Brown in his post [1] (even though the AS_REQ/AS_REP was going fine, checked with log level = 9). Having no clue at all, I started to set up a clean testbed with sernet packages on a dedicated LAN to reproduce the issue and hire the sernet guys to have a developer look at it. But I couldn't reproduce the issue in the testbed, everything was working as it was supposed to... Very frustrating.

I didn't have time to dig more into this issue last week. Just trying a wild guess: I have a few DCs with the same samba name on my test LAN (but in different domains of course), so there might have been some NetBIOS name collision issues arising. Anyway, this week I will have plenty of time to spend on that subject, so I hope I may come back with more information.

> One other thing is that we generally recommend against .LOCAL domains
> although I would have no idea if this was actually causing any issues
> (at least without any further evidence). There are certainly many
> other things that could have gone wrong.

Yes I know the .local suffix is not good. It was there for quite some time before Apple and their Bonjour protocol declared a hijacking on that suffix.
I disabled mdns on all the linux machines, and there is a ban on Apple hardware, so everything is working fine.

Thanks for your input,

Denis

[1] https://lists.samba.org/archive/samba/2013-November/176986.html

> Cheers,
>
> Garming Sam
>
> On 16/02/15 23:33, Denis Cardon wrote:
>> Hi Garming,
>>
>>> As far I know, all this should work as you would expect. Quite
>>> recently,
>>> Andrew Bartlett and I went about testing some of the behaviour of the
>>> KDC and confirming behaviour such as RODC ticket forwarding.
>>
>> Thanks for the input. It gives me hope to dig deeper! I have some
>> more time to spend on this issue today, I am going to try some more scenarios.
>>
>>> The one thing to check would be whether or not Samba is being linked
>>> against system Heimdal. As it stands, there is no real testing of Samba
>>> using system Heimdal and from the testing we've done, there are almost
>>> certainly oddities and unexpected failures with this setup - this
>>> included.
>>
>> I didn't think that I had some Kerberos dev libraries on my Debian
>> wheezy compilation server where I run my build script. But after
>> double-checking, I realized that libcups2-dev brings in libkrb5-dev
>> and krb5-multidev (I use the same package build for both DC and
>> member servers). However those packages are for MIT Kerberos
>> libraries I think and there should be no Heimdal inside.
>>
>> I'm going to check that kind of setup with sernet packages and see if
>> it gets any better.