Andrew Bartlett
2021-Nov-17 09:27 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
> 16.11.2021 18:36, Andrew Bartlett wrote:
> > On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> > > Hi!
> > > 
> > > I use FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
> > > years, but after the update to version 4.13.14 I have some troubles with
> > > issuing kerberos tickets for the ldap service at my DC. When I downgrade
> > > samba back, all works fine again.
> > > 
> > > Some strings from log.samba:
> > > 
> > > Kerberos: samba_kdc_fetch: message2entry failed
> > > [2021/11/16 09:22:47.367864, 3]
> > >   Kerberos: Server not found in database:
> > >   LDAP/dc.samdom.local/samdom.local@SAMDOM.LOCAL: no such entry found in hdb
> > > 
> > > When I check SPNs for my DC:
> > > 
> > > # samba-tool spn list dc$
> > > dc$
> > > User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following
> > > servicePrincipalName:
> > >   HOST/DC
> > >   HOST/dc.samdom.local
> > >   GC/dc.samdom.local/samdom.local
> > >   E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
> > >   HOST/dc.samdom.local/SAMDOM
> > >   ldap/dc.samdom.local/SAMDOM
> > >   ldap/dc.samdom.local
> > >   HOST/dc.samdom.local/samdom.local
> > >   ldap/dc.samdom.local/samdom.local
> > >   ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
> > >   ldap/DC
> > >   RestrictedKrbHost/DC
> > >   RestrictedKrbHost/dc.samdom.local
> > >   ldap/dc.samdom.local/DomainDnsZones.samdom.local
> > >   ldap/dc.samdom.local/ForestDnsZones.samdom.local
> > > 
> > > What is wrong in my case?
> > 
> > Thanks for your mail and I'm sorry for this regression. I should have
> > called out this behaviour change more strongly in our release notes, or
> > at least put a better DEBUG message on it.
> > 
> > In this commit:
> > 
> > commit 4888e198110a811a1815e2fdffc7562fe979f477
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Mon Oct 4 15:18:34 2021 +1300
> > 
> >     CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
> >     (ending in our domain/realm) unless a DC
> > 
> >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
> > 
> >     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> >     Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
> > 
> > We restricted 3-part SPNs to DCs. This is what the rule was always
> > meant to be, but there are codepaths where this wasn't enforced. For
> > various reasons it was simplest to enforce the rule at read time on the
> > KDC.
> > 
> > Can you check:
> >  - the userAccountControl on your DC
> >  - your compiler. I'm wondering if this is some FreeBSD-only thing
> >    given that the tests passed on linux, perhaps around that boolean
> >    logic or 'bool' variable type?
> > 
> > If you do a full developer build, does make test
> > TESTS="samba.tests.krb5.spn_tests" fail?
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> 
> Ok.
> 
> I checked the ldap base and for my DC$ account
> 
> userAccountControl=69632

This is your issue. Have you perhaps joined a FreeNAS server to your
DC at some point? It had a very confusing GUI that encouraged you to
wipe out the DC account.

This userAccountControl is
UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD and is therefore not
a real Domain Controller.

> After the update I don't see any changes here.
> 
> I use samba, built from sources on my server, and use the latest versions
> of any other software from the FreeBSD ports tree.
> I see that for samba 4.13.14 I have a built spn_tests.py file. How
> should I run this script?

./configure.developer
make -j
make test TESTS="samba.tests.krb5.spn_tests"

> I have not tried the decision from the other reply about "min domain uid"
> this time, but I can do it next.

This isn't relevant. This is a totally different part of the codebase.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Nikita Druba
2021-Nov-17 15:28 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
17.11.2021 10:27, Andrew Bartlett via samba wrote:
> On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
>> 16.11.2021 18:36, Andrew Bartlett wrote:
>> 
>> I checked the ldap base and for my DC$ account
>> 
>> userAccountControl=69632
> This is your issue. Have you perhaps joined a FreeNAS server to your
> DC at some point? It had a very confusing GUI that encouraged you to
> wipe out the DC account.
> 
> This userAccountControl is
> UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD and is therefore not
> a real Domain Controller.

This domain was started from samba 4.0 and the DC was moved several times
from one server to another by adding a new DC and removing the old one.
Maybe somewhere in these migration procedures there were some failures.

I see in one of my new domains that there userAccountControl=532480.

Do I just need to set userAccountControl to this value? Or is this task not
so easy?

I will try to run the tests tonight.
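The two userAccountControl values discussed in this thread (69632 on the broken DC, 532480 on a healthy one) are bitmasks, and the commit quoted above ties the KDC's willingness to serve a 3-part SPN to whether the account is a DC. The script below is an added example, not code from the thread or from Samba: it decodes a userAccountControl value into the standard Active Directory UF_* flag names and models the quoted rule ("3-part SPN ending in our domain/realm requires a DC") as a simplified check. The flag constants are the documented AD values; the SPN check is an assumption drawn from the commit message, not Samba's own KDC code, and the realm/domain names are the example values from the thread.

```python
# Added example (not from the thread, not Samba code): decode
# userAccountControl and model the 3-part SPN rule from the quoted commit.

# Standard Active Directory userAccountControl bits (documented UF_* values).
UF_FLAGS = {
    0x00000001: "UF_SCRIPT",
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000008: "UF_HOMEDIR_REQUIRED",
    0x00000010: "UF_LOCKOUT",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000040: "UF_PASSWD_CANT_CHANGE",
    0x00000080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00020000: "UF_MNS_LOGON_ACCOUNT",
    0x00040000: "UF_SMARTCARD_REQUIRED",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "UF_NOT_DELEGATED",
    0x00200000: "UF_USE_DES_KEY_ONLY",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "UF_PASSWORD_EXPIRED",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x02000000: "UF_NO_AUTH_DATA_REQUIRED",
    0x04000000: "UF_PARTIAL_SECRETS_ACCOUNT",
}

UF_SERVER_TRUST_ACCOUNT = 0x00002000


def decode_uac(value):
    """Return the UF_* names set in a userAccountControl value, lowest bit first.
    Any bits not in the table are reported as one UNKNOWN_0x... entry."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def is_dc_account(value):
    """A writable DC account carries UF_SERVER_TRUST_ACCOUNT (0x2000).
    A workstation trust account (0x1000) is not a DC."""
    return bool(value & UF_SERVER_TRUST_ACCOUNT)


def is_three_part_spn_in_realm(spn, names):
    """True for SPNs of the form class/host/suffix whose suffix is one of the
    given domain or realm names (compared case-insensitively)."""
    parts = spn.split("/")
    if len(parts) != 3:
        return False
    return parts[2].lower() in {n.lower() for n in names}


def kdc_would_serve(spn, names, uac):
    """Simplified model (assumption) of the rule in the quoted commit: a
    3-part SPN ending in our domain/realm is only honoured for a DC account;
    every other SPN shape is unaffected by this check."""
    if is_three_part_spn_in_realm(spn, names) and not is_dc_account(uac):
        return False
    return True


if __name__ == "__main__":
    # Values and names taken from the thread; samdom.local is the example domain.
    our_names = ["samdom.local", "SAMDOM.LOCAL"]
    for uac in (69632, 532480):
        print("%d = %s (DC: %s)" % (uac, "|".join(decode_uac(uac)), is_dc_account(uac)))
        for spn in ("LDAP/dc.samdom.local/samdom.local", "ldap/dc.samdom.local"):
            print("  %-36s served: %s" % (spn, kdc_would_serve(spn, our_names, uac)))
```

Run on the thread's values, 69632 decodes to UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD, exactly what Andrew names, and the 3-part LDAP/dc.samdom.local/samdom.local SPN is refused while the 2-part ldap/dc.samdom.local is still served, which matches the "Server not found in database" log line. 532480 decodes to UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION, the usual pair on a DC computer object, and passes the check. Decoding the bitmask this way is a quick defender's sanity check on a DC object before trusting any SPN-related KDC error message.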