AW: Kerberos PAC verification fails (patch included)
Marcel Ritter
Marcel.Ritter at rrze.uni-erlangen.de
Mon Jun 27 01:10:28 MDT 2011
Hi again,
a short update on this topic. After deleting all objects via LDAP and
recreating them using msktutil (without --no-pac option) everything
started to work again.
Looks like I got an odd combination of principal credentials
and userAccountControl attributes causing samba to complain
:-(
BTW: msktutil seems to set the userAccountControl attribute only
while creating objects, not during updates.
Bye,
Marcel
-----Original Message-----
From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On behalf of Marcel Ritter
Sent: Tuesday, 21 June 2011 08:55
To: 'mat at samba.org'; 'samba-technical at lists.samba.org'
Subject: AW: Kerberos PAC verification fails (patch included)
Hi Matthieu,
I did some LDB searches for the accounts involved:
# test2-nfs (Host: NFS Server):
dn: CN=test2-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528
# test1-nfs (Host: NFS Client)
dn: CN=test1-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528
# User Account:
dn: CN=testuser1,CN=Users,DC=mydomain,DC=de
userAccountControl: 66048
The host accounts were created with msktutil-0.4 and I tried to get rid of the mentioned flag by using the "--no-pac" option.
However, msktutil did not reset this bit on update (it seems this is only supported during creation of principals).
So I removed the two host objects and recreated them (now with correct userAccountControl(s)) ... but at the same time the whole setup collapsed:
The mount command itself does no longer work, all I get on the samba side are error messages like:
"Kerberos: UNKNOWN --- nfs/test1.mydomain.de at MYDOMAIN.DE: no such entry in hdb"
I'll have to figure out what went wrong before I can continue testing...
Bye,
Marcel
________________________________________
From: samba-technical-bounces at lists.samba.org [samba-technical-bounces at lists.samba.org] on behalf of Matthieu Patou [mat at samba.org]
Sent: Saturday, 18 June 2011 14:11
To: samba-technical at lists.samba.org
Subject: Re: Kerberos PAC verification fails (patch included)
On 18/06/2011 13:13, Marcel Ritter wrote:
> Hi,
>
> I'm trying to use Samba 4 as KDC for NFS authentication.
>
> After solving some general problems concerning nfs-utils, I was able
> to mount the filesystem (using nfs4 and sec=krb5), however file access
> was denied for users (with valid ticket).
>
> When attempting to access files Samba4 reported:
>
> [2011/06/18 10:06:54, 3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> Kerberos: Verify PAC failed for nfs/test2.mydomain.de at MYDOMAIN.DE
> (user1 at MYDOMAIN.DE) from ipv4:192.168.1.199:57245 with<unknown error:
> 22>
>
> Digging the source code showed:
>
> Function check_PAC (source4/heimdal/kdc/krb5tgs.c) returns EINVAL:
> _kdc_pac_verify() = 22 (EINVAL)
>
> Looks like checking an unneeded PAC results in an error instead of
> just being skipped:
>
> _kdc_pac_verify (source4/heimdal/kdc/windc.c) calls samba_wdc_reget_pac (source4/kdc/wdc-samba4.c):
>
> <...>
>     /* The user account may be set not to want the PAC */
>     if (!samba_princ_needs_pac(server)) {
>         talloc_free(mem_ctx);
>         return EINVAL;
>     }
> <...>
Well, this part of the code isn't wrong; it's more the handling of _kdc_pac_verify that is a problem.
Can you extract the userAccountControl field for this particular user (I guess it's the account associated with your NFS server)? For instance like this:
./bin/ldbsearch -H <path_to_samba_provision>/private/sam.ldb
'(cn=<myuser>)' userAccountControl
You should get something like:
# record 1
dn: CN=Administrator,CN=Users,DC=home,DC=matws,DC=net
userAccountControl: 640
Also, I suggest trying to remove the bit that says that this account doesn't need AUTH_DATA; this flag has the value 0x2000000 (33554432).
Matthieu
>
>
> My trivial patch just returns "0" instead of "EINVAL" - and suddenly
> file access is granted as expected.
>
> There may be better places to fix this, however I hope the patch helps
> to diagnose and fix the issue.
>
> Bye,
> Marcel
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
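As an added illustration (not code from the thread or from Samba or msktutil), a small Python helper that parses ldbsearch output like the records quoted above, decodes userAccountControl into flag names, and lists the accounts carrying the NO_AUTH_DATA_REQUIRED bit (0x2000000) that Matthieu points to. The sample records are constructed from the values in the thread, and the flag table is a subset of the documented userAccountControl bits.

```python
# Subset of userAccountControl bits (MS-ADTS / MS-SAMR); extend as needed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x2000000: "NO_AUTH_DATA_REQUIRED",  # KDC issues no PAC for this principal
}
NO_AUTH_DATA_REQUIRED = 0x2000000

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldbsearch(text):
    """Map dn -> userAccountControl from LDIF-style ldbsearch output."""
    records, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userAccountControl:") and dn is not None:
            records[dn] = int(line.split(":", 1)[1])
    return records

def pac_not_required(text):
    """DNs whose account has NO_AUTH_DATA_REQUIRED set, i.e. gets no PAC."""
    return sorted(dn for dn, v in parse_ldbsearch(text).items()
                  if v & NO_AUTH_DATA_REQUIRED)

def clear_no_auth_data(value):
    """userAccountControl to write back once the bit is removed."""
    return value & ~NO_AUTH_DATA_REQUIRED

# Constructed sample, built from the three records quoted in the thread.
SAMPLE = """\
dn: CN=test2-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528

dn: CN=test1-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528

dn: CN=testuser1,CN=Users,DC=mydomain,DC=de
userAccountControl: 66048
"""
```

Running pac_not_required(SAMPLE) reports both host accounts, which matches the thread: 33558528 is WORKSTATION_TRUST_ACCOUNT plus the no-PAC bit, while the user's 66048 has no such bit.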