Andrew Bartlett
2021-Nov-16 17:36 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> Hi!
>
> I use FreeBSD 12.2 and Samba 4.13.8 as a DC. Everything worked fine for
> many years, but after updating to version 4.13.14 I have some trouble
> issuing Kerberos tickets for the ldap service at my DC. When I downgrade
> Samba again, everything works fine.
>
> Some lines from log.samba:
>
> Kerberos: samba_kdc_fetch: message2entry failed
> [2021/11/16 09:22:47.367864, 3]
> Kerberos: Server not found in database:
> LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found
> in hdb
>
> When I check the SPNs for my DC:
>
> # samba-tool spn list dc$
> dc$
> User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following
> servicePrincipalName:
> HOST/DC
> HOST/dc.samdom.local
> GC/dc.samdom.local/samdom.local
> E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
> HOST/dc.samdom.local/SAMDOM
> ldap/dc.samdom.local/SAMDOM
> ldap/dc.samdom.local
> HOST/dc.samdom.local/samdom.local
> ldap/dc.samdom.local/samdom.local
> ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
> ldap/DC
> RestrictedKrbHost/DC
> RestrictedKrbHost/dc.samdom.local
> ldap/dc.samdom.local/DomainDnsZones.samdom.local
> ldap/dc.samdom.local/ForestDnsZones.samdom.local
>
> What is wrong in my case?

Thanks for your mail, and I'm sorry for this regression. I should have
called out this behaviour change more strongly in our release notes, or
at least put a better DEBUG message on it.

In this commit:

commit 4888e198110a811a1815e2fdffc7562fe979f477
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 4 15:18:34 2021 +1300

    CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
    (ending in our domain/realm) unless a DC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

we restricted 3-part SPNs to DCs. This is what the rule was always
meant to be, but there are codepaths where this wasn't enforced. For
various reasons it was simplest to enforce the rule at read time on the
KDC.

Can you check:
- the userAccountControl on your DC
- your compiler. I'm wondering if this is some FreeBSD-only thing,
  given that the tests passed on Linux, perhaps around that boolean logic
  or 'bool' variable type?

If you do a full developer build, does make test
TESTS="samba.tests.krb5.spn_tests" fail?

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Nikita Druba
2021-Nov-17 07:36 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
16.11.2021 18:36, Andrew Bartlett wrote:
> On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
>> Hi!
>>
>> I use FreeBSD 12.2 and Samba 4.13.8 as a DC. Everything worked fine for
>> many years, but after updating to version 4.13.14 I have some trouble
>> issuing Kerberos tickets for the ldap service at my DC. When I downgrade
>> Samba again, everything works fine.
>>
>> Some lines from log.samba:
>>
>> Kerberos: samba_kdc_fetch: message2entry failed
>> [2021/11/16 09:22:47.367864, 3]
>> Kerberos: Server not found in database:
>> LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found
>> in hdb
>>
>> When I check the SPNs for my DC:
>>
>> # samba-tool spn list dc$
>> dc$
>> User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following
>> servicePrincipalName:
>> HOST/DC
>> HOST/dc.samdom.local
>> GC/dc.samdom.local/samdom.local
>> E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
>> HOST/dc.samdom.local/SAMDOM
>> ldap/dc.samdom.local/SAMDOM
>> ldap/dc.samdom.local
>> HOST/dc.samdom.local/samdom.local
>> ldap/dc.samdom.local/samdom.local
>> ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
>> ldap/DC
>> RestrictedKrbHost/DC
>> RestrictedKrbHost/dc.samdom.local
>> ldap/dc.samdom.local/DomainDnsZones.samdom.local
>> ldap/dc.samdom.local/ForestDnsZones.samdom.local
>>
>> What is wrong in my case?
>
> Thanks for your mail, and I'm sorry for this regression. I should have
> called out this behaviour change more strongly in our release notes, or
> at least put a better DEBUG message on it.
>
> In this commit:
>
> commit 4888e198110a811a1815e2fdffc7562fe979f477
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Oct 4 15:18:34 2021 +1300
>
>     CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
>     (ending in our domain/realm) unless a DC
>
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
>
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>
> we restricted 3-part SPNs to DCs. This is what the rule was always
> meant to be, but there are codepaths where this wasn't enforced. For
> various reasons it was simplest to enforce the rule at read time on the
> KDC.
>
> Can you check:
> - the userAccountControl on your DC
> - your compiler. I'm wondering if this is some FreeBSD-only thing,
>   given that the tests passed on Linux, perhaps around that boolean logic
>   or 'bool' variable type?
>
> If you do a full developer build, does make test
> TESTS="samba.tests.krb5.spn_tests" fail?
>
> Thanks,
>
> Andrew Bartlett

OK. I checked the LDAP base, and for my DC$ account userAccountControl=69632.
After the update I don't see any changes here.

I use Samba built from source on my server, and the latest versions of all
other software from the FreeBSD ports tree. I see that for Samba 4.13.14 I
have a built spn_tests.py file. How should I run this script?

I have not tried the suggestion from the other reply about "min domain uid"
this time, but I can do it next. I also have the full build log and some
working logs of Samba 4.13.14.

Thanks,
Nikita Druba
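As an added example (not Samba's code) of the two checks raised in this thread, the script below decodes a userAccountControl value into its documented Active Directory flag bits and lists which of an account's SPNs fall under the 3-part rule from commit 4888e19 (service/host/<our domain or realm>, honoured only for a DC). The constructed sample reuses the SPN list and the value 69632 quoted above; treating SERVER_TRUST_ACCOUNT as the "is a DC" test and matching the third component case-insensitively against the DNS domain and realm are this example's assumptions about the Samba check, not a reading of its source.

```python
"""Audit a machine account against the 3-part SPN rule (added example)."""

# Documented Active Directory userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
UF_SERVER_TRUST_ACCOUNT = 0x2000


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_dc_account(value):
    """Assumption: a writable DC's machine account carries SERVER_TRUST_ACCOUNT."""
    return bool(value & UF_SERVER_TRUST_ACCOUNT)


def three_part_spns_in_realm(spns, domain, realm):
    """SPNs shaped service/host/<domain-or-realm>, compared case-insensitively."""
    suffixes = {domain.lower(), realm.lower()}
    parts = [(s, s.split("/")) for s in spns]
    return [s for s, p in parts if len(p) == 3 and p[2].lower() in suffixes]


def audit(uac, spns, domain, realm):
    """SPNs the KDC would answer 'not found in database' for this account
    under the 3-part rule; empty when the account is a DC."""
    if is_dc_account(uac):
        return []
    return three_part_spns_in_realm(spns, domain, realm)


# Constructed sample: the value and (part of) the SPN list quoted in this thread.
SAMPLE_UAC = 69632
SAMPLE_SPNS = [
    "HOST/DC", "HOST/dc.samdom.local", "GC/dc.samdom.local/samdom.local",
    "HOST/dc.samdom.local/SAMDOM", "ldap/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local", "HOST/dc.samdom.local/samdom.local",
    "ldap/dc.samdom.local/samdom.local", "ldap/DC",
    "RestrictedKrbHost/dc.samdom.local",
    "ldap/dc.samdom.local/DomainDnsZones.samdom.local",
]

if __name__ == "__main__":
    print("userAccountControl", SAMPLE_UAC, "=", decode_uac(SAMPLE_UAC))
    for spn in audit(SAMPLE_UAC, SAMPLE_SPNS, "samdom.local", "SAMDOM.LOCAL"):
        print("would be refused by the 4.13.14 KDC:", spn)
```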