samba - Mar 2015 - Oracle 11 nts authentication againts samba4 AD DC

On 03/03/15 09:56, Izan D?ez S?nchez wrote:
> Hi again. I apologize for my vague previous question. After some 
> investigation I can be much more precise in my consult. Furthermore, I 
> think I found a bug...
>
> Context:
> -Samba4 AD DC working fine with many user and machine accouns.
> -Windows7 client trying to connect via sqlplus to an oracle database 
> residing in a Windows2008 server. Both machines are in the domain.
> -Server database is using Operating System Authentication, i.e. it 
> relies on the client to authenticate the user connecting to the 
> database. The user is a Domain User, therefore eventually 
> authentication falls to the domain controller and kerberos.
>
> Error:
> -ORA-12638: Credential retrieval failed.
>
> Samba logs:
> -log level = 10
> -User name -> ids
> -Domain -> domain.ad
> -Server account name -> DATABASE_SERVER
> -Client IP -> 192.168.0.100
>
--------------------------------------------------------------------------------------------------
>
> [2015/03/02 19:57:03.794542,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276 
> for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
> [2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: SEARCH
>    dn: DC=domain,DC=ad
>    scope: sub
>    expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
>    attr: objectClass
>    attr: sAMAccountName
>    attr: userPrincipalName
>    attr: servicePrincipalName
>    attr: msDS-KeyVersionNumber
>    attr: msDS-SecondaryKrbTgtNumber
>    attr: msDS-SupportedEncryptionTypes
>    attr: supplementalCredentials
>    attr: msDS-AllowedToDelegateTo
>    attr: dBCSPwd
>    attr: unicodePwd
>    attr: userAccountControl
>    attr: objectSid
>    attr: pwdLastSet
>    attr: accountExpires
>    control: 1.3.6.1.4.1.7165.4.3.17  crit:0  data:no
>    control: 1.2.840.113556.1.4.529  crit:1  data:yes
>
> [2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: (resolve_oids)->search
> [2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rootdse)->search
> [2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (schema_load)->search
> [2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (lazy_commit)->search
> [2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (dirsync)->search
> [2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (paged_results)->search
> [2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (ranged_results)->search
> [2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (anr)->search
> [2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (server_sort)->search
> [2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (asq)->search
> [2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_in)->search
> [2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (descriptor)->search
> [2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (acl)->search
> [2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (aclread)->search
> [2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (operational)->search
> [2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rdn_name)->search
> [2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
> [2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (show_deleted)->search
> [2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (partition)->search
> [2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: partition_request() -> (metadata partition)
> [2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (tdb)->search
> [2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: REFERRAL
>   ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
>
> [2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: DONE
>   error: 0
>
> [2015/03/02 19:57:03.797497,  3, pid=6266, effective(0, 0), real(0, 
> 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
> *Failed to find an entry for DATABASE_SERVER*
> [2015/03/02 19:57:03.797542,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Searching referral for DATABASE_SERVER
> [2015/03/02 19:57:03.797595,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: 
> No such entry in the database
> [2015/03/02 19:57:03.797637,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
> [2015/03/02 19:57:03.797891,  3, pid=6266, effective(0, 0), real(0, 
> 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: 
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>
--------------------------------------------------------------------------------------------------
>
>
> User "ids" is requesting a ticket to connect to the
"DATABASE_SERVER".
> In the process samba makes an ldbsearch looking for the server but 
> does not find it. Why? Because the sAMAccountName that is searching 
> lacks the trailing dollar "$" that every machine account has.
>
> Is this a bug? Any idea on how can I workaround this issue?
> We have a production environment with Windows DC working and planned 
> to migrate to samba4 but need everything working flawlessly.
>
>
>
No, I don't think this is a bug, I think it is a mis-configuration of 
*oracle*.

If authentication works by removing the '$' sign from the computers 
samacountname, then there is your problem, oracle doesn't expect the
'$'
sign but it should because *every* AD computer samaccountname ends with 
a '$' sign.

So, to put it another way, this is not a samba problem, it is an oracle 
problem, try searching the internet with something like 'oracle windows 
authentication nts'

Rowland

> On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
> 
> On 03/03/15 09:56, Izan D?ez S?nchez wrote:
>> Hi again. I apologize for my vague previous question. After some
investigation I can be much more precise in my consult. Furthermore, I think I
found a bug?
>> ...
>> 
>> User "ids" is requesting a ticket to connect to the
"DATABASE_SERVER". In the process samba makes an ldbsearch looking for
the server but does not find it. Why? Because the sAMAccountName that is
searching lacks the trailing dollar "$" that every machine account
has.
>> 
>> Is this a bug? Any idea on how can I workaround this issue?
>> We have a production environment with Windows DC working and planned to
migrate to samba4 but need everything working flawlessly.
>> 
>> 
>> 
> 
> No, I don't think this is a bug, I think it is a mis-configuration of
*oracle*.
> 
> If authentication works by removing the '$' sign from the computers
samacountname, then there is your problem, oracle doesn't expect the
'$' sign but it should because *every* AD computer samaccountname ends
with a '$' sign.
> 
> So, to put it another way, this is not a samba problem, it is an oracle
problem, try searching the internet with something like 'oracle windows
authentication nts?
> 
Yes, you are right. It?s not a samba problem if the oracle client tries to
authenticate with a machine account name and stripping the $-sign. My fault. I?m
gonna try some metawork searches. Maybe there will be any hints...

BTW: we use a win 8.1pro with a local oracle server installation, not win7 and a
remote oracle on a win 2008 server

schnaggy:-)
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Carsten Wagner

schnaggy at schnaggy.de

schnaggy <schnaggy <at> schnaggy.de> writes:
> 
> 
> > On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny <at> 
googlemail.com> wrote:
> > 
> > On 03/03/15 09:56, Izan D?ez S?nchez wrote:
> >> Hi again. I apologize for my vague previous question. After some 
investigation I can be much more precise
> in my consult. Furthermore, I think I found a bug?
> >> ...
> >> 
> >> User "ids" is requesting a ticket to connect to the 
"DATABASE_SERVER". In the process samba makes
an
> ldbsearch looking for the server but does not find it. Why? Because 
the sAMAccountName that is searching
> lacks the trailing dollar "$" that every machine account has.
> >> 
> >> Is this a bug? Any idea on how can I workaround this issue?
> >> We have a production environment with Windows DC working and 
planned to migrate to samba4 but need
> everything working flawlessly.
> >> 
> >> 
> >> 
> > 
> > No, I don't think this is a bug, I think it is a mis-configuration
of *oracle*.
> > 
> > If authentication works by removing the '$' sign from the
computers
samacountname, then there is your
> problem, oracle doesn't expect the '$' sign but it should
because
*every* AD computer samaccountname
> ends with a '$' sign.
> > 
> > So, to put it another way, this is not a samba problem, it is an 
oracle problem, try searching the internet
> with something like 'oracle windows authentication nts?
> > 
> 
> Yes, you are right. It?s not a samba problem if the oracle client 
tries to authenticate with a machine
> account name and stripping the $-sign. My fault. I?m gonna try some 
metawork searches. Maybe there will
> be any hints...
> 
> BTW: we use a win 8.1pro with a local oracle server installation, not 
win7 and a remote oracle on a win 2008 server
> 
> schnaggy
> 
> > Rowland
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> Carsten Wagner
> 
> schnaggy <at> schnaggy.de
> 
Thanks schnaggy ;) I had also tested the local setup and your 
workaround, but breaking another thing to fix this is not a solution.

Rowland, how is it an oracle client problem if it works out of the box 
in a Windows Active Directory? 

I finally dug a bit into the code and found the line in which the 
unsuccessful query is performed:

If in the samba_kdc_lookup_server function of the db-glue.c change the 
following piece of code:
----------------------------------------------

		lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
				       *realm_dn, LDB_SCOPE_SUBTREE,
				       attrs,
				       DSDB_SEARCH_SHOW_EXTENDED_DN | 
DSDB_SEARCH_NO_GLOBAL_CATALOG,
				       "(&(objectClass=user)
(samAccountName=%s))",
				       ldb_binary_encode_string(mem_ctx, 
short_princ));
----------------------------------------------
by
----------------------------------------------
		lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
				       *realm_dn, LDB_SCOPE_SUBTREE,
				       attrs,
				       DSDB_SEARCH_SHOW_EXTENDED_DN | 
DSDB_SEARCH_NO_GLOBAL_CATALOG,
				       "(&(objectClass=user)
(samAccountName=%s$))",
				       ldb_binary_encode_string(mem_ctx, 
short_princ));
----------------------------------------------
Note the dollar sign. Recompiled and get it working as expected. 

Problem here: I don't know how it will impact the normal functioning of 
kerberos. However, so far, I have not been able to notice any error. In 
any case I am not willing to trust this hack for a production 
environment and I need some help of people with understanding of why 
that line of code is written in that way and not the other.

I hope we can reach a solution. Thank you for your time,

\\Izan