Hiroo Ono (小野寛生)
2020-May-17 00:09 UTC
[Samba] GSSAPI authentication issue with samba as AD DC.
Hello,

I am running samba 4.11.8 as Active Directory DC and a member server.

I wanted to authenticate cyrus-imapd by GSSAPI, and found this mail:
https://lists.samba.org/archive/samba-technical/2013-April/091429.html

I tried to run the cyrus-imap server on a member server, which has successfully 'net ads join'ed and authenticates users with winbindd without problems. I followed the method written in the above mail, but the samba DC (KDC?) does not respond to the TGS request.

I created a user and an SPN as in the mail above,

# samba-tool user create --random-password imap-nowhere
# samba-tool spn add imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere

Using samba-tool, I could verify the SPN exists.

# samba-tool spn list imap-nowhere

I generated a keytab on the domain member machine (which I want to make the imap server) as below:

# KRB5_KTNAME=/var/imap/krb5.keytab net ads keytab add imap -U administrator

This is from the Samba Wiki:
https://wiki.samba.org/index.php/Generating_Keytabs

Checking with ktutil, I verified that the key imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET was in the keytab.

# ktutil -k /var/imap/krb5.keytab list

I verified that cyrus-imap reads the keytab and accepts GSSAPI authentication. But when I try to authenticate with GSSAPI, it fails.

I captured the Kerberos5 communication between member and DC with wireshark. Part of the dump of the TGS-REQ packets from member to DC was:

 * req-body
   realm: OIKUMENE.UKEHI.NET
 * sname
   name-type: KRB5-NT-PRINCIPAL
 * sname-string
   SNameString: imap
   SNameString: nowhere.oikumene.ukehi.net

The authentication step from member to DC seems OK. But the DC returns:

KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

where a valid TGS-REP is expected.

Here I am stuck. What can I do to make the DC return a TGS-REP and make GSSAPI authentication succeed?
Andrew Bartlett
2020-May-17 04:38 UTC
[Samba] GSSAPI authentication issue with samba as AD DC.
On Sun, 2020-05-17 at 09:09 +0900, Hiroo Ono (小野寛生) via samba wrote:
> Hello,
>
> I am running samba 4.11.8 as Active Directory DC and a member server.
>
> I wanted to authenticate cyrus-imapd by GSSAPI, and found this
> mail
> https://lists.samba.org/archive/samba-technical/2013-April/091429.html
>
> I tried to run the cyrus-imap server on a member server, which has
> successfuly 'net ads join'ed and authenticate user with winbindd
> without problems.
> I followed the method written in the above mail, but the samba DC
> (KDC?)
> does not respond to TGS request.
>
> I created a user and an SPN as in the mail above,
>
> # samba-tool user create --random-password imap-nowhere
> # samba-tool spn add
> imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere

Don't use the @REALM part. An SPN in Samba doesn't have the realm.

> The authentication step from member to DC seems OK.
> But, DC returns:
>
> KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>
> where valid TGS-REP is expected.

Yeah, that will be because it is looking for it without the realm.

A patch to the client tool to reject this would be a very good idea.

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
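The failure Andrew describes comes down to two different name forms: the directory attribute servicePrincipalName stores bare "service/host" (the realm is implied by the domain), while a keytab entry for the same service is the full Kerberos principal "service/host@REALM". When the KDC receives the TGS-REQ sname captured above (imap, nowhere.oikumene.ukehi.net), it joins the components with "/" and searches servicePrincipalName for that exact value; an attribute value that still carries "@OIKUMENE.UKEHI.NET" never matches, hence KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The Python below is an added model of that lookup plus the input check Andrew suggests for the client tool; it is not Samba code, the directory contents are constructed from the thread, and the case-insensitive match mirrors how the AD attribute compares.

```python
"""Model of the SPN lookup behind KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

Added example, not Samba code. Two constructed directories hold the same
imap-nowhere account: one registered with the realm suffix (as in the
original 'samba-tool spn add' command) and one registered correctly.
"""
from typing import Dict, List, Optional, Sequence

REALM = "OIKUMENE.UKEHI.NET"

# Constructed: servicePrincipalName values as the thread's two commands would store them.
DIRECTORY_WRONG: Dict[str, List[str]] = {
    "imap-nowhere": ["imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET"],
}
DIRECTORY_RIGHT: Dict[str, List[str]] = {
    "imap-nowhere": ["imap/nowhere.oikumene.ukehi.net"],
}

# sname components from the Wireshark capture quoted in the thread.
SNAME: Sequence[str] = ("imap", "nowhere.oikumene.ukehi.net")


def validate_spn(spn: str) -> str:
    """Accept an AD-style SPN ('service/host' or 'service/host:port').

    Rejects the @REALM suffix that broke the lookup in the thread, and
    rejects empty components. Returns the SPN unchanged when it is valid.
    """
    if "@" in spn:
        raise ValueError(
            f"SPN {spn!r} must not carry an @REALM part; "
            "servicePrincipalName holds service/host only"
        )
    parts = spn.split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"SPN {spn!r} must have the form service/host[:port]")
    return spn


def keytab_principal(spn: str, realm: str = REALM) -> str:
    """Full Kerberos principal as it appears in a keytab (ktutil list output)."""
    return f"{validate_spn(spn)}@{realm}"


def tgs_lookup(sname: Sequence[str], directory: Dict[str, List[str]]) -> Optional[str]:
    """Map a TGS-REQ sname to the owning account, or None if no SPN matches.

    The KDC joins the sname components with '/' and searches
    servicePrincipalName for that value; the realm from req-body is not
    part of the search key. None corresponds to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
    """
    wanted = "/".join(sname).casefold()
    for account, spns in directory.items():
        if any(spn.casefold() == wanted for spn in spns):
            return account
    return None


def explain(sname: Sequence[str], directory: Dict[str, List[str]]) -> str:
    """Human-readable verdict for one directory state."""
    account = tgs_lookup(sname, directory)
    if account is None:
        return "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"
    return f"TGS-REP issued for account {account}"


if __name__ == "__main__":
    print("with @REALM in SPN :", explain(SNAME, DIRECTORY_WRONG))
    print("without @REALM     :", explain(SNAME, DIRECTORY_RIGHT))
    print("keytab entry       :", keytab_principal("imap/nowhere.oikumene.ukehi.net"))
    try:
        validate_spn("imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET")
    except ValueError as err:
        print("client-side check  :", err)
```

Run it as-is to see the mismatch reproduced; pass your own SPN strings through validate_spn before handing them to samba-tool spn add if you want the rejection Andrew asks for without waiting on a patched tool.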
Hiroo Ono (小野寛生)
2020-May-17 05:30 UTC
[Samba] GSSAPI authentication issue with samba as AD DC.
Thank you. I deleted the SPN and re-added it without the realm part. Now imtest succeeds. All seems to work well.

Sun, 2020-05-17 13:38 Andrew Bartlett <abartlet@samba.org>:
> On Sun, 2020-05-17 at 09:09 +0900, Hiroo Ono (小野寛生) via samba wrote:
>
> > I created a user and an SPN as in the mail above,
> >
> > # samba-tool user create --random-password imap-nowhere
> > # samba-tool spn add
> > imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere
>
> Don't use the @REALM part. An SPN in Samba doesn't have the realm.
>
> > The authentication step from member to DC seems OK.
> > But, DC returns:
> >
> > KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
> >
> > where valid TGS-REP is expected.
>
> Yeah, that will be because it is looking for it without the realm.
>
> A patch to the client tool to reject this would be a very good idea.
>