Rowland Penny
2015-Mar-05 09:45 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
On 03/03/15 09:56, Izan Díez Sánchez wrote:
> Hi again. I apologize for my vague previous question. After some
> investigation I can be much more precise in my consult. Furthermore, I
> think I found a bug...
>
> Context:
> - Samba4 AD DC working fine with many user and machine accounts.
> - Windows7 client trying to connect via sqlplus to an oracle database
>   residing in a Windows2008 server. Both machines are in the domain.
> - Server database is using Operating System Authentication, i.e. it
>   relies on the client to authenticate the user connecting to the
>   database. The user is a Domain User, therefore eventually
>   authentication falls to the domain controller and kerberos.
>
> Error:
> - ORA-12638: Credential retrieval failed.
>
> Samba logs:
> - log level = 10
> - User name -> ids
> - Domain -> domain.ad
> - Server account name -> DATABASE_SERVER
> - Client IP -> 192.168.0.100
> --------------------------------------------------------------------------------------------------
>
> [2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276 for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
> [2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: SEARCH
>    dn: DC=domain,DC=ad
>    scope: sub
>    expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
>    attr: objectClass
>    attr: sAMAccountName
>    attr: userPrincipalName
>    attr: servicePrincipalName
>    attr: msDS-KeyVersionNumber
>    attr: msDS-SecondaryKrbTgtNumber
>    attr: msDS-SupportedEncryptionTypes
>    attr: supplementalCredentials
>    attr: msDS-AllowedToDelegateTo
>    attr: dBCSPwd
>    attr: unicodePwd
>    attr: userAccountControl
>    attr: objectSid
>    attr: pwdLastSet
>    attr: accountExpires
>    control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
>    control: 1.2.840.113556.1.4.529 crit:1 data:yes
>
> [2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: (resolve_oids)->search
> [2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rootdse)->search
> [2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (schema_load)->search
> [2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (lazy_commit)->search
> [2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (dirsync)->search
> [2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (paged_results)->search
> [2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (ranged_results)->search
> [2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (anr)->search
> [2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (server_sort)->search
> [2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (asq)->search
> [2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_in)->search
> [2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (descriptor)->search
> [2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (acl)->search
> [2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (aclread)->search
> [2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (operational)->search
> [2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rdn_name)->search
> [2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
> [2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (show_deleted)->search
> [2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (partition)->search
> [2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: partition_request() -> (metadata partition)
> [2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (tdb)->search
> [2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: REFERRAL
>    ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
>
> [2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: DONE
>    error: 0
>
> [2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
>   *Failed to find an entry for DATABASE_SERVER*
> [2015/03/02 19:57:03.797542, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Searching referral for DATABASE_SERVER
> [2015/03/02 19:57:03.797595, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
> [2015/03/02 19:57:03.797637, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
> [2015/03/02 19:57:03.797891, 3, pid=6266, effective(0, 0), real(0, 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> --------------------------------------------------------------------------------------------------
>
>
> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER".
> In the process samba makes an ldbsearch looking for the server but
> does not find it. Why? Because the sAMAccountName that is searching
> lacks the trailing dollar "$" that every machine account has.
>
> Is this a bug? Any idea on how can I workaround this issue?
> We have a production environment with Windows DC working and planned
> to migrate to samba4 but need everything working flawlessly.
>
>

No, I don't think this is a bug, I think it is a mis-configuration of *oracle*.

If authentication works by removing the '$' sign from the computer's samaccountname, then there is your problem, oracle doesn't expect the '$' sign but it should because *every* AD computer samaccountname ends with a '$' sign.

So, to put it another way, this is not a samba problem, it is an oracle problem, try searching the internet with something like 'oracle windows authentication nts'

Rowland
> On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> On 03/03/15 09:56, Izan Díez Sánchez wrote:
>> Hi again. I apologize for my vague previous question. After some investigation I can be much more precise in my consult. Furthermore, I think I found a bug...
>> ...
>>
>> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". In the process samba makes an ldbsearch looking for the server but does not find it. Why? Because the sAMAccountName that is searching lacks the trailing dollar "$" that every machine account has.
>>
>> Is this a bug? Any idea on how can I workaround this issue?
>> We have a production environment with Windows DC working and planned to migrate to samba4 but need everything working flawlessly.
>>
>>
>>
>
> No, I don't think this is a bug, I think it is a mis-configuration of *oracle*.
>
> If authentication works by removing the '$' sign from the computer's samaccountname, then there is your problem, oracle doesn't expect the '$' sign but it should because *every* AD computer samaccountname ends with a '$' sign.
>
> So, to put it another way, this is not a samba problem, it is an oracle problem, try searching the internet with something like 'oracle windows authentication nts'

Yes, you are right. It's not a samba problem if the oracle client tries to authenticate with a machine account name and stripping the $-sign. My fault. I'm gonna try some metawork searches. Maybe there will be any hints...

BTW: we use a win 8.1pro with a local oracle server installation, not win7 and a remote oracle on a win 2008 server

schnaggy :-)

> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Carsten Wagner
schnaggy at schnaggy.de
Izan Díez Sánchez
2015-Mar-05 15:23 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
schnaggy <schnaggy <at> schnaggy.de> writes:

>
>> On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny <at> googlemail.com> wrote:
>>
>> On 03/03/15 09:56, Izan Díez Sánchez wrote:
>>> Hi again. I apologize for my vague previous question. After some investigation I can be much more precise in my consult. Furthermore, I think I found a bug...
>>> ...
>>>
>>> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". In the process samba makes an ldbsearch looking for the server but does not find it. Why? Because the sAMAccountName that is searching lacks the trailing dollar "$" that every machine account has.
>>>
>>> Is this a bug? Any idea on how can I workaround this issue?
>>> We have a production environment with Windows DC working and planned to migrate to samba4 but need everything working flawlessly.
>>>
>>>
>>>
>>
>> No, I don't think this is a bug, I think it is a mis-configuration of *oracle*.
>>
>> If authentication works by removing the '$' sign from the computer's samaccountname, then there is your problem, oracle doesn't expect the '$' sign but it should because *every* AD computer samaccountname ends with a '$' sign.
>>
>> So, to put it another way, this is not a samba problem, it is an oracle problem, try searching the internet with something like 'oracle windows authentication nts'
>
> Yes, you are right. It's not a samba problem if the oracle client tries to authenticate with a machine account name and stripping the $-sign. My fault. I'm gonna try some metawork searches. Maybe there will be any hints...
>
> BTW: we use a win 8.1pro with a local oracle server installation, not win7 and a remote oracle on a win 2008 server
>
> schnaggy
>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> Carsten Wagner
> schnaggy <at> schnaggy.de

Thanks schnaggy ;)

I had also tested the local setup and your workaround, but breaking another thing to fix this is not a solution.

Rowland, how is it an oracle client problem if it works out of the box in a Windows Active Directory?

I finally dug a bit into the code and found the line in which the unsuccessful query is performed. If in the samba_kdc_lookup_server function of db-glue.c I change the following piece of code:

----------------------------------------------
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg, *realm_dn,
                       LDB_SCOPE_SUBTREE, attrs,
                       DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
                       "(&(objectClass=user)(samAccountName=%s))",
                       ldb_binary_encode_string(mem_ctx, short_princ));
----------------------------------------------

by

----------------------------------------------
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg, *realm_dn,
                       LDB_SCOPE_SUBTREE, attrs,
                       DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
                       "(&(objectClass=user)(samAccountName=%s$))",
                       ldb_binary_encode_string(mem_ctx, short_princ));
----------------------------------------------

Note the dollar sign. Recompiled and got it working as expected.

Problem here: I don't know how it will impact the normal functioning of kerberos. However, so far, I have not been able to notice any error. In any case I am not willing to trust this hack for a production environment and I need some help from people with an understanding of why that line of code is written in that way and not the other.

I hope we can reach a solution.

Thank you for your time,
\\Izan
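An added example (not code from the thread or from Samba): a small Python model of the one-component server lookup that the quoted db-glue.c line performs, run over a constructed in-memory directory holding the user "ids" and the machine account "DATABASE_SERVER$". It shows why the exact-match filter misses the machine account (the log's "Failed to find an entry"), why appending '$' unconditionally would in turn stop matching any one-component name that belongs to a user or service account (assumed here to also go through this branch), and what role ldb_binary_encode_string() plays given that the short principal arrives straight from the client's TGS-REQ. The "fallback" policy is an assumed illustration of a non-breaking variant, not Samba's behaviour.

```python
import re

# Constructed sample of two AD accounts (only the attribute the lookup needs;
# objectClass=user is assumed for both); not taken from any real domain.
DIRECTORY = [
    {"dn": "CN=ids,CN=Users,DC=domain,DC=ad", "sAMAccountName": "ids"},
    {"dn": "CN=DATABASE_SERVER,CN=Computers,DC=domain,DC=ad",
     "sAMAccountName": "DATABASE_SERVER$"},   # machine account: trailing '$'
]

def ldap_encode(value):
    """RFC 4515 escaping, the job ldb_binary_encode_string() does in the quoted
    C: the short principal is client-controlled input from the TGS-REQ, so
    filter metacharacters in it must not reach the search expression."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def server_filter(short_princ, policy="exact"):
    """Filter for a one-component server principal.
    'exact'  : the original db-glue.c behaviour.
    'dollar' : the hack from the thread, '$' appended unconditionally."""
    name = ldap_encode(short_princ)
    if policy == "dollar":
        name += "$"
    return "(&(objectClass=user)(sAMAccountName=%s))" % name

def search_one(directory, flt):
    """Evaluate the equality filter built above (no wildcards, so an escaped
    '*' matches nothing) case-insensitively, as AD does; like
    dsdb_search_one() this yields an entry only for exactly one hit."""
    m = re.fullmatch(r"\(&\(objectClass=user\)\(sAMAccountName=(.*)\)\)", flt)
    wanted = re.sub(r"\\([0-9a-f]{2})",
                    lambda x: chr(int(x.group(1), 16)), m.group(1))
    hits = [e for e in directory if e["sAMAccountName"].lower() == wanted.lower()]
    return hits[0] if len(hits) == 1 else None

def lookup_server(short_princ, policy="exact"):
    """DN of the matched account, or None (the log's 'Failed to find an entry').
    'fallback' (an assumed illustration, not Samba code) tries the exact name
    first and only then the '$'-suffixed machine-account form."""
    tries = ["exact", "dollar"] if policy == "fallback" else [policy]
    for p in tries:
        hit = search_one(DIRECTORY, server_filter(short_princ, p))
        if hit:
            return hit["dn"]
    return None

if __name__ == "__main__":
    for princ in ("DATABASE_SERVER", "ids", "*"):
        for pol in ("exact", "dollar", "fallback"):
            print("%-16s %-9s -> %s" % (princ, pol, lookup_server(princ, pol)))
```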