Izan Díez Sánchez
2015-Mar-05 15:23 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
schnaggy <schnaggy <at> schnaggy.de> writes:

> On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny <at> googlemail.com> wrote:
>
>> On 03/03/15 09:56, Izan Díez Sánchez wrote:
>>
>>> Hi again. I apologize for my vague previous question. After some investigation I can be much more precise in my consult. Furthermore, I think I found a bug?
>>>
>>> ...
>>>
>>> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". In the process samba makes an ldbsearch looking for the server but does not find it. Why? Because the sAMAccountName that is searching lacks the trailing dollar "$" that every machine account has.
>>>
>>> Is this a bug? Any idea on how can I work around this issue? We have a production environment with Windows DC working and planned to migrate to samba4 but need everything working flawlessly.
>>
>> No, I don't think this is a bug, I think it is a mis-configuration of *oracle*.
>>
>> If authentication works by removing the '$' sign from the computers samaccountname, then there is your problem, oracle doesn't expect the '$' sign but it should because *every* AD computer samaccountname ends with a '$' sign.
>>
>> So, to put it another way, this is not a samba problem, it is an oracle problem, try searching the internet with something like 'oracle windows authentication nts'
>
> Yes, you are right. It's not a samba problem if the oracle client tries to authenticate with a machine account name and stripping the $-sign. My fault. I'm gonna try some metawork searches. Maybe there will be any hints...
>
> BTW: we use a win 8.1pro with a local oracle server installation, not win7 and a remote oracle on a win 2008 server
>
> schnaggy
>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> Carsten Wagner
> schnaggy <at> schnaggy.de

Thanks schnaggy ;) I had also tested the local setup and your workaround, but breaking another thing to fix this is not a solution.

Rowland, how is it an oracle client problem if it works out of the box in a Windows Active Directory?

I finally dug a bit into the code and found the line in which the unsuccessful query is performed. If in the samba_kdc_lookup_server function of db-glue.c you change the following piece of code:

----------------------------------------------
    lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
                           *realm_dn, LDB_SCOPE_SUBTREE,
                           attrs,
                           DSDB_SEARCH_SHOW_EXTENDED_DN |
                           DSDB_SEARCH_NO_GLOBAL_CATALOG,
                           "(&(objectClass=user)(samAccountName=%s))",
                           ldb_binary_encode_string(mem_ctx, short_princ));
----------------------------------------------
by
----------------------------------------------
    lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
                           *realm_dn, LDB_SCOPE_SUBTREE,
                           attrs,
                           DSDB_SEARCH_SHOW_EXTENDED_DN |
                           DSDB_SEARCH_NO_GLOBAL_CATALOG,
                           "(&(objectClass=user)(samAccountName=%s$))",
                           ldb_binary_encode_string(mem_ctx, short_princ));
----------------------------------------------

Note the dollar sign. Recompiled and got it working as expected.

Problem here: I don't know how it will impact the normal functioning of kerberos. However, so far, I have not been able to notice any error. In any case I am not willing to trust this hack for a production environment and I need some help of people with understanding of why that line of code is written in that way and not the other.

I hope we can reach a solution. Thank you for your time,

\\Izan
Rowland Penny
2015-Mar-05 16:15 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
On 05/03/15 15:23, Izan Díez Sánchez wrote:

> schnaggy <schnaggy <at> schnaggy.de> writes:
>
>> On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny <at> googlemail.com> wrote:
>>
>>> On 03/03/15 09:56, Izan Díez Sánchez wrote:
>>>
>>>> Hi again. I apologize for my vague previous question. After some investigation I can be much more precise in my consult. Furthermore, I think I found a bug?
>>>>
>>>> ...
>>>>
>>>> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". In the process samba makes an ldbsearch looking for the server but does not find it. Why? Because the sAMAccountName that is searching lacks the trailing dollar "$" that every machine account has.
>>>>
>>>> Is this a bug? Any idea on how can I work around this issue? We have a production environment with Windows DC working and planned to migrate to samba4 but need everything working flawlessly.
>>>
>>> No, I don't think this is a bug, I think it is a mis-configuration of *oracle*.
>>>
>>> If authentication works by removing the '$' sign from the computers samaccountname, then there is your problem, oracle doesn't expect the '$' sign but it should because *every* AD computer samaccountname ends with a '$' sign.
>>>
>>> So, to put it another way, this is not a samba problem, it is an oracle problem, try searching the internet with something like 'oracle windows authentication nts'
>>
>> Yes, you are right. It's not a samba problem if the oracle client tries to authenticate with a machine account name and stripping the $-sign. My fault. I'm gonna try some metawork searches. Maybe there will be any hints...
>>
>> BTW: we use a win 8.1pro with a local oracle server installation, not win7 and a remote oracle on a win 2008 server
>>
>> schnaggy
>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> Carsten Wagner
>> schnaggy <at> schnaggy.de
>
> Thanks schnaggy ;) I had also tested the local setup and your workaround, but breaking another thing to fix this is not a solution.
>
> Rowland, how is it an oracle client problem if it works out of the box in a Windows Active Directory?

Nobody said it worked against a windows AD DC and as someone else posted a work around, it was too easy to say it wasn't a bug, but now that you say it works with windows, then yes it does sound like a bug and your best course would be to file a bug report.

> I finally dug a bit into the code and found the line in which the unsuccessful query is performed. If in the samba_kdc_lookup_server function of db-glue.c you change the following piece of code:
>
> ----------------------------------------------
>     lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
>                            *realm_dn, LDB_SCOPE_SUBTREE,
>                            attrs,
>                            DSDB_SEARCH_SHOW_EXTENDED_DN |
>                            DSDB_SEARCH_NO_GLOBAL_CATALOG,
>                            "(&(objectClass=user)(samAccountName=%s))",
>                            ldb_binary_encode_string(mem_ctx, short_princ));
> ----------------------------------------------
> by
> ----------------------------------------------
>     lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
>                            *realm_dn, LDB_SCOPE_SUBTREE,
>                            attrs,
>                            DSDB_SEARCH_SHOW_EXTENDED_DN |
>                            DSDB_SEARCH_NO_GLOBAL_CATALOG,
>                            "(&(objectClass=user)(samAccountName=%s$))",
>                            ldb_binary_encode_string(mem_ctx, short_princ));
> ----------------------------------------------
>
> Note the dollar sign. Recompiled and got it working as expected.
>
> Problem here: I don't know how it will impact the normal functioning of kerberos. However, so far, I have not been able to notice any error. In any case I am not willing to trust this hack for a production environment and I need some help of people with understanding of why that line of code is written in that way and not the other.

I personally would have changed the search filter to this:

"(&(objectClass=user)(|(samAccountName=%s)(cn=%s)))",

With this filter, you would get the same result as previously, but it would also find machines if 'cn' is matched.

However, I am no expert in kerberos and there are probably valid reasons why the search filter is the way it is, so I would urge you to file a bug report on this.

Rowland

> I hope we can reach a solution. Thank you for your time,
>
> \\Izan
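As an added example that is not part of the thread or of Samba's source, the following Python models the three lookup filters under discussion (the original one, the '$' hack, and the OR variant) and evaluates them against two constructed directory entries, showing that the '$' hack stops finding a plain user principal while the OR variant finds both the user and the machine account. The DNs, the sample entries, the toy filter evaluator and the escaping helper are assumptions standing in for ldb.

```python
def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value (the job Samba gives
    ldb_binary_encode_string): a principal name must not inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

# Filters are tuples: ("eq", attr, value), ("and", [subfilters]), ("or", [subfilters]).
def eq(attr, value):
    return ("eq", attr, value)

def render(f) -> str:
    """Render a filter tuple as an RFC 4515 string, escaping every value."""
    if f[0] == "eq":
        return "(%s=%s)" % (f[1], escape_ldap_value(f[2]))
    return "(%s%s)" % ("&" if f[0] == "and" else "|", "".join(render(x) for x in f[1]))

def matches(f, entry) -> bool:
    """Toy evaluator over an entry (attr -> list of values); AD compares
    sAMAccountName and cn case-insensitively, so this does too."""
    if f[0] == "eq":
        return any(v.lower() == f[2].lower() for v in entry.get(f[1], []))
    results = [matches(x, entry) for x in f[1]]
    return all(results) if f[0] == "and" else any(results)

# The filter samba_kdc_lookup_server uses, the '$' hack from the thread, and the OR variant.
def original_filter(short_princ):
    return ("and", [eq("objectClass", "user"), eq("samAccountName", short_princ)])

def dollar_hack_filter(short_princ):
    return ("and", [eq("objectClass", "user"), eq("samAccountName", short_princ + "$")])

def cn_or_filter(short_princ):
    return ("and", [eq("objectClass", "user"),
                    ("or", [eq("samAccountName", short_princ), eq("cn", short_princ)])])

# Constructed directory (assumed DNs): a user and a computer object. AD computer
# objects also carry objectClass user, and their cn lacks the trailing '$'.
ENTRIES = [
    {"dn": "CN=ids,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user"], "samAccountName": ["ids"], "cn": ["ids"]},
    {"dn": "CN=DATABASE_SERVER,CN=Computers,DC=example,DC=com",
     "objectClass": ["top", "person", "user", "computer"],
     "samAccountName": ["DATABASE_SERVER$"], "cn": ["DATABASE_SERVER"]},
]

def lookup(build, short_princ, entries=ENTRIES):
    """DNs matched by the filter `build` produces for short_princ."""
    return [e["dn"] for e in entries if matches(build(short_princ), e)]
```

Running lookup(dollar_hack_filter, "ids") returns nothing, which is the regression the hack would introduce for ordinary user principals; lookup(cn_or_filter, ...) finds "ids" and "DATABASE_SERVER" alike.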
Izan Díez Sánchez
2015-Mar-05 16:30 UTC
[Samba] Oracle 11 nts authentication against samba4 AD DC
Rowland Penny <rowlandpenny <at> googlemail.com> writes:

> I personally would have changed the search filter to this:
>
> "(&(objectClass=user)(|(samAccountName=%s)(cn=%s)))",
>
> With this filter, you would get the same result as previously, but it would also find machines if 'cn' is matched.
>
> However, I am no expert in kerberos and there are probably valid reasons why the search filter is the way it is, so I would urge you to file a bug report on this.
>
> Rowland

That definitely seems a neat solution! I already reported a bug https://bugzilla.samba.org/show_bug.cgi?id=11130 but I don't know if I posted it in the right section and it's assigned to the correct person. Who is in charge of the kerberos implementation here?

Thanks again for your answers,

\\Izan