samba - Oct 2017 - Opensolaris-ish joins but does not seem to be valid

On Thu, 12 Oct 2017 13:28:40 -0500 (CDT)
Mike Ray <mray at xes-inc.com> wrote:
> ----- On Oct 11, 2017, at 5:56 PM, samba samba at lists.samba.org wrote:
> 
> > ----- On Oct 10, 2017, at 12:02 PM, samba samba at lists.samba.org
> > wrote:
> > 
> >> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> >> Andrew Martin <amartin at xes-inc.com> wrote:
> >> 
> >> 
> > 
> > Rowland-
> > 
> > I've been poking at this more and think the root of the problem is
> > a Kerberos problem.
> > 
> 
> 
> I threw the log level up to 10 in /etc/smb.conf on the domain
> controller and poked around more.
> 
> Below are some pieces of the log:
> 
> 
> 
> 
> 
>   Kerberos: AS-REQ root/hostname.example.com at EXAMPLE.COM from
> ipv4:192.168.0.115:41751 for krbtgt/EXAMPLE.COM at EXAMPLE.COM expr:
> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
> expr:
> (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
> servicePrincipalName: host/hostname.example.com servicePrincipalName:
> nfs/hostname.example.com servicePrincipalName:
> HTTP/hostname.example.com servicePrincipalName:
> root/hostname.example.com servicePrincipalName:
> cifs/hostname.example.com servicePrincipalName: host/hostname
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> root/hostname.example.com at EXAMPLE.COM Kerberos: AS-REQ
> root/hostname.example.com at EXAMPLE.COM from ipv4:192.168.0.115:40299
> for krbtgt/EXAMPLE.COM at EXAMPLE.COM expr:
> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
> expr:
> (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
> servicePrincipalName: host/hostname.example.com servicePrincipalName:
> nfs/hostname.example.com servicePrincipalName:
> HTTP/hostname.example.com servicePrincipalName:
> root/hostname.example.com servicePrincipalName:
> cifs/hostname.example.com servicePrincipalName: host/hostname
> Kerberos: Looking for PKINIT pa-data --
> root/hostname.example.com at EXAMPLE.COM Kerberos: Looking for ENC-TS
> pa-data -- root/hostname.example.com at EXAMPLE.COM Kerberos: ENC-TS
> Pre-authentication succeeded -- root/hostname.example.com at EXAMPLE.COM
> using arcfour-hmac-md5 Auth: [Kerberos KDC,ENC-TS Pre-authentication]
> user [(null)]\[root/hostname.example.com at EXAMPLE.COM] at [Thu, 12 Oct
> 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status
> [NT_STATUS_OK] workstation [(null)] remote host
> [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$]
> [S-1-5-21-3036147387 -4093410917-1991690103-378605]. local host
> [NULL] authsam_account_ok: Checking SMB password for user
> root/hostname.example.com at EXAMPLE.COM logon_hours_ok: No hours
> restrictions for user root/hostname.example.com at EXAMPLE.COM Kerberos:
> TGS-REQ root/hostname.example.com at EXAMPLE.COM from
> ipv4:192.168.0.115:47146 for ldap/dc9.example.com at EXAMPLE.COM
> [canonicalize] expr:
> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
> Kerberos: Client no longer in database:
> root/hostname.example.com at EXAMPLE.COM
> 
> 
> 
> 
> 
> 
> As you can see, during the AS-REQ, the DC makes 3 queries for
> specific SPNs and returns positively after finding that last SPN.
> However, on the TGS-REQ, it only searches for 2 of those SPNs. It is
> a mystery to me why "expr:
> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))"
> does not return -- it is not explicitly listed in the
> "servicePrinicipalName" attribute, but since
> "root/hostname.example.com" is and "@EXAMPLE.COM" is
the realm, I
> would think it could figure it out. I'll keep looking into that;
> however, the lack of the last SPN search seems to me to be a bug.
> 
> Any thoughts?
Yes, you shouldn't have a user called 'root' in AD.
'root' is a Unix user and the AD user 'Administrator' should be
mapped
to 'root'

Rowland

----- On Oct 12, 2017, at 1:52 PM, samba samba at lists.samba.org wrote:
> On Thu, 12 Oct 2017 13:28:40 -0500 (CDT)
> Mike Ray <mray at xes-inc.com> wrote:
> 
>> ----- On Oct 11, 2017, at 5:56 PM, samba samba at lists.samba.org
wrote:
>> 
>> > ----- On Oct 10, 2017, at 12:02 PM, samba samba at lists.samba.org
>> > wrote:
>> > 
>> >> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
>> >> Andrew Martin <amartin at xes-inc.com> wrote:
>> >> 
>> >> 
>> > 
>> > Rowland-
>> > 
>> > I've been poking at this more and think the root of the
problem is
>> > a Kerberos problem.
>> > 
>> 
>> 
>> I threw the log level up to 10 in /etc/smb.conf on the domain
>> controller and poked around more.
>> 
>> Below are some pieces of the log:
>> 
>> 
>> 
>> 
>> 
>>   Kerberos: AS-REQ root/hostname.example.com at EXAMPLE.COM from
>> ipv4:192.168.0.115:41751 for krbtgt/EXAMPLE.COM at EXAMPLE.COM expr:
>> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>> expr:
>>
(&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
>> servicePrincipalName: host/hostname.example.com servicePrincipalName:
>> nfs/hostname.example.com servicePrincipalName:
>> HTTP/hostname.example.com servicePrincipalName:
>> root/hostname.example.com servicePrincipalName:
>> cifs/hostname.example.com servicePrincipalName: host/hostname
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>> root/hostname.example.com at EXAMPLE.COM Kerberos: AS-REQ
>> root/hostname.example.com at EXAMPLE.COM from ipv4:192.168.0.115:40299
>> for krbtgt/EXAMPLE.COM at EXAMPLE.COM expr:
>> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>> expr:
>>
(&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
>> servicePrincipalName: host/hostname.example.com servicePrincipalName:
>> nfs/hostname.example.com servicePrincipalName:
>> HTTP/hostname.example.com servicePrincipalName:
>> root/hostname.example.com servicePrincipalName:
>> cifs/hostname.example.com servicePrincipalName: host/hostname
>> Kerberos: Looking for PKINIT pa-data --
>> root/hostname.example.com at EXAMPLE.COM Kerberos: Looking for ENC-TS
>> pa-data -- root/hostname.example.com at EXAMPLE.COM Kerberos: ENC-TS
>> Pre-authentication succeeded -- root/hostname.example.com at
EXAMPLE.COM
>> using arcfour-hmac-md5 Auth: [Kerberos KDC,ENC-TS Pre-authentication]
>> user [(null)]\[root/hostname.example.com at EXAMPLE.COM] at [Thu, 12
Oct
>> 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status
>> [NT_STATUS_OK] workstation [(null)] remote host
>> [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$]
>> [S-1-5-21-3036147387 -4093410917-1991690103-378605]. local host
>> [NULL] authsam_account_ok: Checking SMB password for user
>> root/hostname.example.com at EXAMPLE.COM logon_hours_ok: No hours
>> restrictions for user root/hostname.example.com at EXAMPLE.COM
Kerberos:
>> TGS-REQ root/hostname.example.com at EXAMPLE.COM from
>> ipv4:192.168.0.115:47146 for ldap/dc9.example.com at EXAMPLE.COM
>> [canonicalize] expr:
>> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>> Kerberos: Client no longer in database:
>> root/hostname.example.com at EXAMPLE.COM
>> 
>> 
>> 
>> 
>> 
>> 
>> As you can see, during the AS-REQ, the DC makes 3 queries for
>> specific SPNs and returns positively after finding that last SPN.
>> However, on the TGS-REQ, it only searches for 2 of those SPNs. It is
>> a mystery to me why "expr:
>> (&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))"
>> does not return -- it is not explicitly listed in the
>> "servicePrinicipalName" attribute, but since
>> "root/hostname.example.com" is and "@EXAMPLE.COM"
is the realm, I
>> would think it could figure it out. I'll keep looking into that;
>> however, the lack of the last SPN search seems to me to be a bug.
>> 
>> Any thoughts?
> 
> Yes, you shouldn't have a user called 'root' in AD.
> 'root' is a Unix user and the AD user 'Administrator'
should be mapped
> to 'root'

That makes sense. When I posted earlier, I overlooked that it was searching for
that as a userPrinicpalName, not a servicePrincipalName. I do not have a
"root"
account in AD.


What I don't understand is why that last SPN isn't getting checked in
TGS-REQ
but is in the AS-REQ.

Hi,

This thread has not been alive for a while...

I'm stuck at the same point: joining the Solaris 11.3 system works but 
using Samba-AD for Solaris-idmap does not work, failing during kerberos 
authentication.

Did you ever find a solution?

regards,

Norbert


On 12.10.2017 21:14, Mike Ray via samba wrote:
> ----- On Oct 12, 2017, at 1:52 PM, samba samba at lists.samba.org wrote:
>
>> On Thu, 12 Oct 2017 13:28:40 -0500 (CDT)
>> Mike Ray <mray at xes-inc.com> wrote:
>>
>>> ----- On Oct 11, 2017, at 5:56 PM, samba samba at lists.samba.org
wrote:
>>>
>>>> ----- On Oct 10, 2017, at 12:02 PM, samba samba at
lists.samba.org
>>>> wrote:
>>>>
>>>>> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
>>>>> Andrew Martin <amartin at xes-inc.com> wrote:
>>>>>
>>>>>
>>>> Rowland-
>>>>
>>>> I've been poking at this more and think the root of the
problem is
>>>> a Kerberos problem.
>>>>
>>>
>>> I threw the log level up to 10 in /etc/smb.conf on the domain
>>> controller and poked around more.
>>>
>>> Below are some pieces of the log:
>>>
>>>
>>>
>>>
>>>
>>>    Kerberos: AS-REQ root/hostname.example.com at EXAMPLE.COM from
>>> ipv4:192.168.0.115:41751 for krbtgt/EXAMPLE.COM at EXAMPLE.COM
expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>>> expr:
>>>
(&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>>> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
>>> servicePrincipalName: host/hostname.example.com
servicePrincipalName:
>>> nfs/hostname.example.com servicePrincipalName:
>>> HTTP/hostname.example.com servicePrincipalName:
>>> root/hostname.example.com servicePrincipalName:
>>> cifs/hostname.example.com servicePrincipalName: host/hostname
>>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>>> root/hostname.example.com at EXAMPLE.COM Kerberos: AS-REQ
>>> root/hostname.example.com at EXAMPLE.COM from
ipv4:192.168.0.115:40299
>>> for krbtgt/EXAMPLE.COM at EXAMPLE.COM expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>>> expr:
>>>
(&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>>> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
>>> servicePrincipalName: host/hostname.example.com
servicePrincipalName:
>>> nfs/hostname.example.com servicePrincipalName:
>>> HTTP/hostname.example.com servicePrincipalName:
>>> root/hostname.example.com servicePrincipalName:
>>> cifs/hostname.example.com servicePrincipalName: host/hostname
>>> Kerberos: Looking for PKINIT pa-data --
>>> root/hostname.example.com at EXAMPLE.COM Kerberos: Looking for
ENC-TS
>>> pa-data -- root/hostname.example.com at EXAMPLE.COM Kerberos:
ENC-TS
>>> Pre-authentication succeeded -- root/hostname.example.com at
EXAMPLE.COM
>>> using arcfour-hmac-md5 Auth: [Kerberos KDC,ENC-TS
Pre-authentication]
>>> user [(null)]\[root/hostname.example.com at EXAMPLE.COM] at [Thu,
12 Oct
>>> 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status
>>> [NT_STATUS_OK] workstation [(null)] remote host
>>> [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$]
>>> [S-1-5-21-3036147387 -4093410917-1991690103-378605]. local host
>>> [NULL] authsam_account_ok: Checking SMB password for user
>>> root/hostname.example.com at EXAMPLE.COM logon_hours_ok: No hours
>>> restrictions for user root/hostname.example.com at EXAMPLE.COM
Kerberos:
>>> TGS-REQ root/hostname.example.com at EXAMPLE.COM from
>>> ipv4:192.168.0.115:47146 for ldap/dc9.example.com at EXAMPLE.COM
>>> [canonicalize] expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>>> Kerberos: Client no longer in database:
>>> root/hostname.example.com at EXAMPLE.COM
>>>
>>>
>>>
>>>
>>>
>>>
>>> As you can see, during the AS-REQ, the DC makes 3 queries for
>>> specific SPNs and returns positively after finding that last SPN.
>>> However, on the TGS-REQ, it only searches for 2 of those SPNs. It
is
>>> a mystery to me why "expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))"
>>> does not return -- it is not explicitly listed in the
>>> "servicePrinicipalName" attribute, but since
>>> "root/hostname.example.com" is and
"@EXAMPLE.COM" is the realm, I
>>> would think it could figure it out. I'll keep looking into
that;
>>> however, the lack of the last SPN search seems to me to be a bug.
>>>
>>> Any thoughts?
>> Yes, you shouldn't have a user called 'root' in AD.
>> 'root' is a Unix user and the AD user 'Administrator'
should be mapped
>> to 'root'
>
> That makes sense. When I posted earlier, I overlooked that it was searching
for
> that as a userPrinicpalName, not a servicePrincipalName. I do not have a
"root"
> account in AD.
>
>
> What I don't understand is why that last SPN isn't getting checked
in TGS-REQ
> but is in the AS-REQ.
>

On 12.10.2017 21:14, Mike Ray via samba wrote:
> ----- On Oct 12, 2017, at 1:52 PM, samba samba at lists.samba.org wrote:
>
>> On Thu, 12 Oct 2017 13:28:40 -0500 (CDT)
>> Mike Ray <mray at xes-inc.com> wrote:
>>
>>> ----- On Oct 11, 2017, at 5:56 PM, samba samba at lists.samba.org
wrote:
>>>
>>>> ----- On Oct 10, 2017, at 12:02 PM, samba samba at
lists.samba.org
>>>> wrote:
>>>>
>>>>> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
>>>>> Andrew Martin <amartin at xes-inc.com> wrote:
>>>>>
>>>>>
>>>> Rowland-
>>>>
>>>> I've been poking at this more and think the root of the
problem is
>>>> a Kerberos problem.
>>>>
>>>
>>> I threw the log level up to 10 in /etc/smb.conf on the domain
>>> controller and poked around more.
>>>
>>> Below are some pieces of the log:
>>>
>>>
>>>
>>>
>>>
>>>    Kerberos: AS-REQ root/hostname.example.com at EXAMPLE.COM from
>>> ipv4:192.168.0.115:41751 for krbtgt/EXAMPLE.COM at EXAMPLE.COM
expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>>> expr:
>>>
(&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>>> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
>>> servicePrincipalName: host/hostname.example.com
servicePrincipalName:
>>> nfs/hostname.example.com servicePrincipalName:
>>> HTTP/hostname.example.com servicePrincipalName:
>>> root/hostname.example.com servicePrincipalName:
>>> cifs/hostname.example.com servicePrincipalName: host/hostname
>>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>>> root/hostname.example.com at EXAMPLE.COM Kerberos: AS-REQ
>>> root/hostname.example.com at EXAMPLE.COM from
ipv4:192.168.0.115:40299
>>> for krbtgt/EXAMPLE.COM at EXAMPLE.COM expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>>> expr:
>>>
(&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>>> userPrincipalName: host/hostname.example.com at EXAMPLE.COM
>>> servicePrincipalName: host/hostname.example.com
servicePrincipalName:
>>> nfs/hostname.example.com servicePrincipalName:
>>> HTTP/hostname.example.com servicePrincipalName:
>>> root/hostname.example.com servicePrincipalName:
>>> cifs/hostname.example.com servicePrincipalName: host/hostname
>>> Kerberos: Looking for PKINIT pa-data --
>>> root/hostname.example.com at EXAMPLE.COM Kerberos: Looking for
ENC-TS
>>> pa-data -- root/hostname.example.com at EXAMPLE.COM Kerberos:
ENC-TS
>>> Pre-authentication succeeded -- root/hostname.example.com at
EXAMPLE.COM
>>> using arcfour-hmac-md5 Auth: [Kerberos KDC,ENC-TS
Pre-authentication]
>>> user [(null)]\[root/hostname.example.com at EXAMPLE.COM] at [Thu,
12 Oct
>>> 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status
>>> [NT_STATUS_OK] workstation [(null)] remote host
>>> [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$]
>>> [S-1-5-21-3036147387 -4093410917-1991690103-378605]. local host
>>> [NULL] authsam_account_ok: Checking SMB password for user
>>> root/hostname.example.com at EXAMPLE.COM logon_hours_ok: No hours
>>> restrictions for user root/hostname.example.com at EXAMPLE.COM
Kerberos:
>>> TGS-REQ root/hostname.example.com at EXAMPLE.COM from
>>> ipv4:192.168.0.115:47146 for ldap/dc9.example.com at EXAMPLE.COM
>>> [canonicalize] expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))
>>> expr:
(&(objectClass=user)(samAccountName=root/hostname.example.com))
>>> Kerberos: Client no longer in database:
>>> root/hostname.example.com at EXAMPLE.COM
>>>
>>>
>>>
>>>
>>>
>>>
>>> As you can see, during the AS-REQ, the DC makes 3 queries for
>>> specific SPNs and returns positively after finding that last SPN.
>>> However, on the TGS-REQ, it only searches for 2 of those SPNs. It
is
>>> a mystery to me why "expr:
>>>
(&(objectClass=user)(userPrincipalName=root/hostname.example.com at
EXAMPLE.COM))"
>>> does not return -- it is not explicitly listed in the
>>> "servicePrinicipalName" attribute, but since
>>> "root/hostname.example.com" is and
"@EXAMPLE.COM" is the realm, I
>>> would think it could figure it out. I'll keep looking into
that;
>>> however, the lack of the last SPN search seems to me to be a bug.
>>>
>>> Any thoughts?
>> Yes, you shouldn't have a user called 'root' in AD.
>> 'root' is a Unix user and the AD user 'Administrator'
should be mapped
>> to 'root'
>
> That makes sense. When I posted earlier, I overlooked that it was searching
for
> that as a userPrinicpalName, not a servicePrincipalName. I do not have a
"root"
> account in AD.
>
>
> What I don't understand is why that last SPN isn't getting checked
in TGS-REQ
> but is in the AS-REQ.
>
With an AD DC based on Samba with the MIT KDC this use case works, 
tested with Samba 4.7.5 on Fedora 27.

The KDC complains a bit:
Mar 11 11:50:54 dc3 krb5kdc[962](info): TGS_REQ (4 etypes {18 17 16 23}) 
192.168.1.5: HANDLE_AUTHDATA: authtime 
1520765454,root/client.ad.domain.ch at AD.DOMAIN.CH for 
ldap/dc3.ad.domain.ch at AD.DOMAIN.CH, Wrong principal in request

but issues the ticket nonetheless.

The same with the Heimdahl compiled-in KDC fails:
[2018/03/11 10:26:19.068905,3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ root/client.ad.domain.ch at AD.DOMAIN.CH from 
ipv4:192.168.1.5:43766 for ldap/dc2.ad.domain.ch at AD.DOMAIN.CH [canonicalize]
[2018/03/11 10:26:19.089188,3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client no longer in database: 
root/client.ad.domain.ch at AD.DOMAIN.CH
[2018/03/11 10:26:19.089676,3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:192.168.1.5:43766

Finally, I got it to work with built-in Heimdahl by renaming the UPN of 
the Computer account from
host/client.ad.domain.ch at AD.DOMAIN.CH
to
root/client.ad.domain.ch at AD.DOMAIN.CH
**
Maybe not really nice, but so far this works.

regards,
Norbert