L.P.H. van Belle
2019-Nov-20 08:26 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Your config looks ok, as far as I can tell.

This: "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
As it should be, spn/hostname.fqdn@REALM, nothing wrong with that.

But if I understand it right:

Your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL ( NTDOM:TC83 )
But you get TC84 back?

On the problem server run the following:

dig a kvm7246-vm022.maas.local @IP_of_AD-DC
Gives a Returned_IP
dig -x Returned_IP @IP_of_AD-DC
hostname -s
hostname -f
hostname -I
hostname -A
cat /etc/resolv.conf
route -n | grep default
cat /etc/krb5.conf

Do you have 2 servers with the same hostname but in different DNS domains?
Like this one: vm7246-vm022 <<

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Nathaniel W. Turner via samba
> Sent: Tuesday, 19 November 2019 23:11
> To: banda bassotti
> CC: sambalist
> Subject: Re: [Samba] Why is smbd looking for Kerberos
> principal cifs/host@DOMB when it is a member of DOMA?
>
> Is it expected that samba will be looking for a principal of the form
> "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?
>
> My guess is no, since the keytab (as I'd expect) only contains keys for
> principals in the server's domain, TC83.LOCAL. Is this a bug, or have I
> configured something incorrectly?
>
> On Tue, Nov 19, 2019 at 2:51 PM Nathaniel W. Turner <nathanielwyliet at gmail.com> wrote:
>
> > In case you missed the link in the original email, here's the smb.conf:
> >
> > [global]
> >         kerberos method = secrets and keytab
> >         logging = systemd
> >         realm = TC83.LOCAL
> >         security = ADS
> >         template homedir = /home/%U@%D
> >         template shell = /bin/bash
> >         winbind offline logon = Yes
> >         winbind refresh tickets = Yes
> >         workgroup = TC83
> >         idmap config * : range = 1000000-19999999
> >         idmap config * : backend = autorid
> >
> > [test]
> >         path = /srv/test
> >         valid users = "@tc83.local\domain users" "@tc84.local\domain users"
> >
> > On Fri, Nov 15, 2019 at 3:02 PM Nathaniel W. Turner <nathanielwyliet at gmail.com> wrote:
> >
> >> Here's the keytab info:
> >>
> >> ubuntu@kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
> >>   12 host/KVM7246-VM022@TC83.LOCAL (etype 1)
> >>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
> >>   12 host/KVM7246-VM022@TC83.LOCAL (etype 3)
> >>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 host/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
> >>   12 host/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
> >>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
> >>   12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 1)
> >>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
> >>   12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 3)
> >>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 exagrid/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 exagrid/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
> >>   12 exagrid/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
> >>   12 KVM7246-VM022$@TC83.LOCAL (etype 1)
> >>   12 KVM7246-VM022$@TC83.LOCAL (etype 3)
> >>   12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)
> >>
> >> The client is a Windows box, and I'm running this command:
> >>
> >> net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator
> >>
> >> I see the same behavior when I use smbclient:
> >>
> >> smbclient //kvm7246-vm022.maas.local/test -U administrator@tc84.local
> >>
> >> On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com> wrote:
> >>
> >>> Hi, please run the command:
> >>>
> >>> klist -ek /etc/krb5.keytab and post the output along with the file
> >>> smb.conf.
> >>> How do you access your share?
> >>>
> >>> "\\kvm7246-vm022.maas.local\sharename"
> >>>
> >>> or something like that?
> >>>
> >>> bb.
> >>>
> >>> On Fri, 15 Nov 2019 at 18:24 Nathaniel W. Turner via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi all. I'm trying to understand a weird authentication failure:
> >>>>
> >>>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different
> >>>> forest, with a bidirectional forest trust.
> >>>> The samba server kvm7246-vm022.maas.local is a domain member of TC83
> >>>> and is running a recent build from git master (f38077ea5ee).
> >>>>
> >>>> When I test authentication of users in each domain by running ntlm_auth
> >>>> on the samba server, it is successful for users in either domain.
> >>>>
> >>>> When I try to connect from a Windows client in TC84 using SMB, it is
> >>>> only successful for users in the TC83 domain. For users in the TC84
> >>>> domain, smbd seems to go off the rails looking for a Kerberos machine
> >>>> principal in the TC84 domain, even though it is not a member of that
> >>>> domain (it's a member of TC83, which trusts TC84):
> >>>>
> >>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> >>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> >>>>
> >>>> Why is smbd looking for a principal of the form
> >>>> "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?
> >>>>
> >>>> n
> >>>>
> >>>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
> >>>> for full logs and smb.conf]
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Nov-20 09:02 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
On 20/11/2019 08:26, L.P.H. van Belle via samba wrote:
> Your config looks ok, as far as I can tell.
>
> This: "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
> As it should be, spn/hostname.fqdn@REALM, nothing wrong with that.
>
> But if I understand it right.
>
> Your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL ( NTDOM:TC83 )

I have been looking at this thinking 'should I reply' and after that I think I must ;-)

The server with the FQDN of kvm7246-vm022.maas.local cannot be in the REALM TC84.LOCAL, it would have to be kvm7246-vm022.tc84.local

I think you have a configuration error somewhere, I would start with your smb.conf:

[global]
        kerberos method = secrets and keytab
        logging = systemd
        realm = TC83.LOCAL
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = TC83
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid

[test]
        path = /srv/test
        valid users = "@tc83.local\domain users" "@tc84.local\domain users"

I wouldn't use 'valid users', but if you must it should be like this:

valid users = '@TC83\domain users' 'TC84\domain users'

Rowland
L.P.H. van Belle
2019-Nov-20 09:27 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Good Morning Rowland.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday, 20 November 2019 10:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Why is smbd looking for Kerberos
> principal cifs/host@DOMB when it is a member of DOMA?
>
> On 20/11/2019 08:26, L.P.H. van Belle via samba wrote:
> > Your config looks ok, as far as I can tell.
> >
> > This: "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
> > As it should be, spn/hostname.fqdn@REALM, nothing wrong with that.
> >
> > But if I understand it right.
> >
> > Your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL ( NTDOM:TC83 )
>
> I have been looking at this thinking 'should I reply' and
> after that I think I must ;-)

If you think "should I reply" then yes please, always.. :-)

> The server with the FQDN of kvm7246-vm022.maas.local cannot be in the
> REALM TC84.LOCAL, it would have to be kvm7246-vm022.tc84.local

Not entirely.. Or at least, it's not obligated to have the DNS domain in the REALM.

You can have
kvm7246-vm022.maas.local while the REALM can be: @LETS.DONT.CARE.ABOUT.REALM

You can also have
kvm7246-vm022.maas.local
and
kvm7246-vm022.maas.local

Where (by example) kvm7246-vm022.maas.local is 192.168.0.1
AND kvm7246-vm022.maas.local is 10.1.2.3

Here kvm7246-vm022.maas.local 192.168.0.1 is in REALM: @LETS.DONT.CARE.ABOUT.REALM
And the other 10.1.2.3 is in @LETS.CARE.ABOUT.REALM

This is resolving, that needs to be verified first before we can change/advise samba changes.
That group change is not that big, so that should be ok, but I suspect a routing/resolving problem in this case.

And just asking..
'@TC83\domain users' 'TC84\domain users' <<
On purpose that the TC84 is not having the @ ?

Greetz,

Louis
Nathaniel W. Turner
2019-Nov-20 17:54 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi Louis,

On Wed, Nov 20, 2019 at 3:27 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Your config looks ok, as far as I can tell.
>
> This: "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
> As it should be, spn/hostname.fqdn@REALM, nothing wrong with that.
>
> But if I understand it right.
>
> Your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL ( NTDOM:TC83 )
> But you get TC84 back?
>
> On the problem server run the following:
>
> dig a kvm7246-vm022.maas.local @IP_of_AD-DC
> Gives a Returned_IP
>

ubuntu@kvm7246-vm022:~/samba$ host -t srv _ldap._tcp.tc83.local
_ldap._tcp.tc83.local has SRV record 0 100 389 tc83dc2.tc83.local.
_ldap._tcp.tc83.local has SRV record 0 100 389 tc83dc.tc83.local.
ubuntu@kvm7246-vm022:~/samba$ host tc83dc2.tc83.local.
tc83dc2.tc83.local has address 172.21.83.6
ubuntu@kvm7246-vm022:~/samba$ host tc83dc.tc83.local.
tc83dc.tc83.local has address 172.21.83.4
ubuntu@kvm7246-vm022:~/samba$ dig a kvm7246-vm022.maas.local @172.21.83.4

; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> a kvm7246-vm022.maas.local @172.21.83.4
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46573
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;kvm7246-vm022.maas.local.      IN      A

;; ANSWER SECTION:
kvm7246-vm022.maas.local. 26    IN      A       172.23.4.52

;; Query time: 1 msec
;; SERVER: 172.21.83.4#53(172.21.83.4)
;; WHEN: Wed Nov 20 17:45:41 UTC 2019
;; MSG SIZE  rcvd: 69

(The other DC gives the same answer.)

> dig -x Returned_IP @IP_of_AD-DC
>

ubuntu@kvm7246-vm022:~/samba$ dig -x 172.23.4.52 @172.21.83.4

; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> -x 172.23.4.52 @172.21.83.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;52.4.23.172.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
52.4.23.172.in-addr.arpa. 25    IN      PTR     kvm7246-vm022.maas.local.

;; Query time: 2 msec
;; SERVER: 172.21.83.4#53(172.21.83.4)
;; WHEN: Wed Nov 20 17:46:07 UTC 2019
;; MSG SIZE  rcvd: 91

(The other DC gives the same answer.)

> hostname -s
> hostname -f
> hostname -I
> hostname -A
>

ubuntu@kvm7246-vm022:~/samba$ hostname -s
kvm7246-vm022
ubuntu@kvm7246-vm022:~/samba$ hostname -f
kvm7246-vm022.maas.local
ubuntu@kvm7246-vm022:~/samba$ hostname -I
172.23.4.52
ubuntu@kvm7246-vm022:~/samba$ hostname -A
kvm7246-vm022.maas.local

> cat /etc/resolv.conf
>

ubuntu@kvm7246-vm022:~/samba$ grep -v ^# /etc/resolv.conf
nameserver 172.23.4.4
options edns0
search maas.local tc82.local local

(DNS is in sync between this nameserver and the DC, and it gives the same answers to the queries above.)

> route -n|grep default
>

I don't have the legacy route command installed, but I think this is what you want:

ubuntu@kvm7246-vm022:~/samba$ ip route
default via 172.23.4.1 dev ens6 proto static
172.23.4.0/24 dev ens6 proto kernel scope link src 172.23.4.52

> cat /etc/krb5.conf
>

ubuntu@kvm7246-vm022:~/samba$ cat /etc/krb5.conf
[libdefaults]
        default_realm = TC83.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

> Do you have 2 servers with the same hostname but in different DNS domains?
> Like this one vm7246-vm022 <<
>

No.
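The keytab listing and the smbd error posted earlier in this thread can be cross-checked mechanically rather than by eye. The script below is an added example written for this page; it is not Samba code and nobody in the thread ran it. Its input is a constructed sample: the thread's "klist -ek" output reduced to one line per distinct principal (plus one "(etype 1)" line to show the parser accepts the older etype-number form) and the "gse_get_server_auth_token" log line verbatim. It parses both and reports, from most to least fundamental cause, why the requested key cannot be found: realm absent from the keytab, host instance absent, service absent, or only the kvno/etype differing. Against the thread's data it finds that the file keytab holds only TC83.LOCAL keys and only the kvm7246-vm022.tc83.local instance, so no kvno or encryption type could make cifs/kvm7246-vm022.maas.local@TC84.LOCAL resolvable from this host's keys; the ticket the client presented was issued for a service principal in the other realm.

```python
"""Cross-check a keytab listing against the principal a GSSAPI acceptor failed to find.

Added example for this thread (not Samba code). Sample data: the thread's
`klist -ek` output reduced to distinct principals, and its smbd gse error line.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's keytab listing, one line per distinct principal.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""

# The gse_get_server_auth_token failure from the thread's smbd log.
SMBD_LOG_LINE = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab "
    "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]"
)

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
FAILURE_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")


def parse_klist(text):
    """Return (kvno, principal, etype) tuples from `klist -ek` output; header lines are skipped."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (KLIST_RE.match(line) for line in text.splitlines()) if m]


def split_principal(principal):
    """Split 'service/instance@REALM' (or 'NAME$@REALM') into (service, instance, realm)."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def parse_failure(line):
    """Extract (principal, kvno, keytab, etype) from a 'Failed to find ... in keytab' message."""
    m = FAILURE_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3), m.group(4)) if m else None


def diagnose(klist_text, log_line):
    """Explain why the requested key is absent, checking the most fundamental cause first."""
    failure = parse_failure(log_line)
    if failure is None:
        raise ValueError("log line is not a 'Failed to find ... in keytab' error")
    wanted, wanted_kvno, keytab, wanted_etype = failure
    service, instance, realm = split_principal(wanted)

    realms, instances, keys = set(), set(), defaultdict(set)  # keys: principal -> {(kvno, etype)}
    for kvno, principal, etype in parse_klist(klist_text):
        _svc, inst, rlm = split_principal(principal)
        realms.add(rlm)
        instances.add(inst.lower())          # host names are case-insensitive
        keys[principal].add((kvno, etype))

    report = {
        "wanted": wanted,
        "keytab": keytab,
        "keytab_realms": sorted(realms),
        "realm_present": realm in realms,
        "instance_present": instance.lower() in instances,
        "exact_match": wanted in keys,
        "kvno_etype_match": (wanted_kvno, wanted_etype) in keys.get(wanted, set()),
    }
    if not report["realm_present"]:
        report["finding"] = "realm_not_in_keytab"
        report["verdict"] = (f"keytab holds keys only for {report['keytab_realms']}; a principal in "
                             f"{realm} can never be found there. The client presented a ticket issued "
                             f"for a service in {realm}: check which realm the client maps the host "
                             f"name to and where the SPN is registered.")
    elif not report["instance_present"]:
        report["finding"] = "instance_not_in_keytab"
        report["verdict"] = f"realm {realm} is present but no principal for instance '{instance}' is (FQDN/SPN mismatch)."
    elif not report["exact_match"]:
        report["finding"] = "service_not_in_keytab"
        report["verdict"] = f"no {service}/ key for '{instance}' in {realm}; that SPN is not in the keytab."
    elif not report["kvno_etype_match"]:
        report["finding"] = "kvno_or_etype_mismatch"
        report["verdict"] = f"principal present but not with kvno {wanted_kvno} and {wanted_etype}; the keytab is stale."
    else:
        report["finding"] = "key_present"
        report["verdict"] = "the requested key is in the keytab; the failure is elsewhere."
    return report


if __name__ == "__main__":
    for key, value in diagnose(KLIST_OUTPUT, SMBD_LOG_LINE).items():
        print(f"{key:18} {value}")
```

Run with a real listing by piping "klist -ek /etc/krb5.keytab" into KLIST_OUTPUT and pasting the smbd line; the ordering of the checks matters, because a wrong realm makes any kvno or etype comparison meaningless, which is why the thread's "kvno 10" versus the keytab's kvno 12 is a red herring here.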
Nathaniel W. Turner
2019-Nov-22 21:07 UTC
[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
So to me this doesn't look like a DNS issue. (Maybe I'm missing something.)

Should I file a bug?