[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?

Paul Sobey buddha at the-annexe.net
Fri Nov 14 10:09:33 GMT 2008



On Wed, 12 Nov 2008, Paul Sobey wrote:

> On Wed, 5 Nov 2008, Paul Sobey wrote:
>
>> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to 
>> a Windows 2008 domain works perfectly, having pre-created the servername in 
>> the appropriate OU.
>> 
>> In my winbind logs, I see the following (domain name obfuscated):
>> [2008/11/05 11:28:06,  2] 
>> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>  Doing kerberos session setup
>> 
>> [2008/11/05 11:28:06,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot 
>> resolve network address for KDC in requested realm)
>> 
>> [2008/11/05 11:28:06,  1] 
>> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve 
>> network address for KDC in requested realm
>> 
>> The realm is guessed wrongly - only the short name of the domain, rather 
>> than the fully qualified realm name, as specified in krb5.conf.
>> 
>> My AD full name is foo.bar.com, short name FOO. My question is - when 
>> guessing the principal for the target DC, why does Samba guess 'FOO', 
>> rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain 
>> running 3.0.28 which correctly guesses the realm.
>
> Not sure whether this helps diagnose, but I just upgraded my Linux desktop to 
> Samba 3.2.4 and now get exactly the same error - winbind is refusing to 
> authenticate me at all. In my pam.conf I have krb5_auth set to try and make 
> winbind authenticate me via kerberos.
>
> How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm 
> wrong when authenticating against Windows 2008. I thought it was a Solaris 
> issue before but it seems to be OS independent. Is anybody else seeing it?

Not sure whether this helps anybody, but by patching the source of 
libsmb/cliconnect.c with the following, i.e. hard-coding the proper name of 
the Kerberos realm, the error goes away.

893a894
>                               DEBUG(3,("cli_session_setup_spnego: 
dest_realm is %s\n", dest_realm));
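Review bot: the string literal in `DEBUG(3,("cli_session_setup_spnego: dest_realm is %s\n", dest_realm));` is shown broken across two lines; pasted as-is it will not compile, so make sure the format string is a single literal (or two adjacent literals) in the real patch.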
895a897,900
>                               DEBUG(3,("cli_session_setup_spnego: 
hacking realm!\n", dest_realm));
>                               realm = SMB_STRDUP("FOO.BAR.COM");
>                               strupper_m(realm);
>                               DEBUG(3,("cli_session_setup_spnego: realm 
is now %s\n", realm));
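Review bot: the realm is hard-coded (`realm = SMB_STRDUP("FOO.BAR.COM");`), which makes the change site-specific, and because the assignment is unconditional it replaces whatever `realm` held on every path through here, leaking the earlier allocation if there was one. Take the value from the configured realm (lp_realm(), the smb.conf `realm` setting) or from the krb5 domain-to-realm mapping instead, and only do so when `dest_realm` is the short name, i.e. contains no dot. Separately, `DEBUG(3,("cli_session_setup_spnego: hacking realm!\n", dest_realm));` passes `dest_realm` although the format string has no `%s`; drop the extra argument.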
896a902
>                               DEBUG(3,("cli_session_setup_spnego: 
getting realm from cache\n", realm));
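Review bot: `DEBUG(3,("cli_session_setup_spnego: getting realm from cache\n", realm));` passes `realm` but the format string has no conversion specifier, so the value is never printed; either add a `%s` (the cached value is what you want to see at this point) or drop the argument.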

To reiterate - under 3.2.4 code, 'realm' gets set to 'FOO', rather than 
'FOO.BAR.COM'.

Difference in winbind logs:

Bad version:

[2008/11/12 15:49:17,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(839)
   got principal=not_defined_in_RFC4178 at please_ignore

[2008/11/12 15:49:17,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(880)
   cli_session_setup_spnego: got a bad server principal, trying to guess 
...

[2008/11/12 15:49:17,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(908)
   cli_session_setup_spnego: guessed server 
principal=domaincontroller$@FOO

[2008/11/12 15:49:17,  2] 
libsmb/cliconnect.c:cli_session_setup_kerberos(619)
   Doing kerberos session setup

[2008/11/12 15:49:17,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for domaincontroller$@FOO
   (Cannot resolve network address for KDC in requested realm)

[2008/11/12 15:49:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot 
resolve network address for KDC in requested realm

[2008/11/12 15:49:17, 4] winbindd/winbindd_cm.c:cm_prepare_connection(843)
   failed kerberos session setup with Cannot resolve network address for 
KDC in requested realm

[2008/11/12 15:49:17,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(804)
   Doing spnego session setup (blob length=124)

Hacked version:

[2008/11/12 18:23:55,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(839)
   got principal=not_defined_in_RFC4178 at please_ignore
[2008/11/12 18:23:55,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(880)
   cli_session_setup_spnego: got a bad server principal, trying to guess 
...
[2008/11/12 18:23:55,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(894)
   cli_session_setup_spnego: dest_realm is FOO
[2008/11/12 18:23:55,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(897)
   cli_session_setup_spnego: hacking realm!
[2008/11/12 18:23:55,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(900)
   cli_session_setup_spnego: realm is now FOO.BAR.COM
[2008/11/12 18:23:55,  3] 
libsmb/cliconnect.c:cli_session_setup_spnego(914)
   cli_session_setup_spnego: guessed server 
principal=domaincontroller$@FOO.BAR.COM
[2008/11/12 18:23:55,  2] 
libsmb/cliconnect.c:cli_session_setup_kerberos(619)
   Doing kerberos session setup
[2008/11/12 18:23:55,  3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
expiration Thu, 13 Nov 2008 04:23:55 GMT
[2008/11/12 18:23:55,  3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
   ads_krb5_mk_req: server marked as OK to delegate to, building 
forwardable TGT
[2008/11/12 18:23:55,  5] 
libsmb/smb_signing.c:set_smb_signing_real_common(144)
   SMB signing enabled!


Hope this is useful for somebody.

Paul
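The symptom in the thread is visible in the winbind log before any patching: the guessed server principal carries the short domain name (FOO) as its realm, and krb5 then has no KDC address for it. The check below is an added example, not code from this thread or from Samba; it scans winbind debug output for principals, flags realms that are short names, not upper case, or missing from the [realms] section of krb5.conf, and runs over a constructed log excerpt and krb5.conf fragment that reuse the thread's obfuscated FOO / FOO.BAR.COM names (the KDC hostname dc1.foo.bar.com is likewise made up).

```python
import re

# Constructed sample: winbind debug lines in the shape quoted in the thread,
# two with the bad short-name realm and one with the fully qualified realm.
SAMPLE_LOG = """\
[2008/11/12 15:49:17,  3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
   cli_session_setup_spnego: guessed server principal=domaincontroller$@FOO
[2008/11/12 15:49:17,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for domaincontroller$@FOO (Cannot resolve network address for KDC in requested realm)
[2008/11/12 18:23:55,  3] libsmb/cliconnect.c:cli_session_setup_spnego(914)
   cli_session_setup_spnego: guessed server principal=domaincontroller$@FOO.BAR.COM
"""

# Constructed krb5.conf fragment: only the fully qualified realm has a stanza,
# so a principal in realm FOO can never be resolved to a KDC.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FOO.BAR.COM

[realms]
    FOO.BAR.COM = {
        kdc = dc1.foo.bar.com
        admin_server = dc1.foo.bar.com
    }

[domain_realm]
    .foo.bar.com = FOO.BAR.COM
    foo.bar.com = FOO.BAR.COM
"""

# Matches "principal=name@REALM" and "krb5_get_credentials failed for name@REALM".
PRINCIPAL_RE = re.compile(
    r"(?:principal=|krb5_get_credentials failed for )(?P<name>[^@\s]+)@(?P<realm>[A-Za-z0-9.\-]+)"
)
# Matches a realm stanza opener inside [realms], e.g. "FOO.BAR.COM = {".
REALM_DEF_RE = re.compile(r"^\s*(?P<realm>[A-Za-z0-9.\-]+)\s*=\s*\{")


def configured_realms(krb5_conf_text):
    """Return the set of realm names that have a stanza in the [realms] section."""
    realms = set()
    in_realms = False
    for line in krb5_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_realms = stripped == "[realms]"
            continue
        if in_realms:
            m = REALM_DEF_RE.match(line)
            if m:
                realms.add(m.group("realm"))
    return realms


def guessed_principals(log_text):
    """Return (line_no, name, realm) for every principal winbind logged."""
    found = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = PRINCIPAL_RE.search(line)
        if m:
            found.append((line_no, m.group("name"), m.group("realm")))
    return found


def check_realms(log_text, krb5_conf_text):
    """Return (line_no, realm, reason) for each principal whose realm looks wrong.

    A realm without a dot is almost always the NetBIOS short name of the domain
    (the thread's symptom); a realm that is not upper case or has no [realms]
    stanza leaves krb5 with no KDC address, which is the error winbind reported.
    """
    known = configured_realms(krb5_conf_text)
    findings = []
    for line_no, _name, realm in guessed_principals(log_text):
        if "." not in realm:
            findings.append((line_no, realm, "short domain name used as realm"))
        elif realm != realm.upper():
            findings.append((line_no, realm, "realm is not upper case"))
        elif realm not in known:
            findings.append((line_no, realm, "realm has no [realms] stanza in krb5.conf"))
    return findings


if __name__ == "__main__":
    for line_no, realm, reason in check_realms(SAMPLE_LOG, SAMPLE_KRB5_CONF):
        print("line %d: realm %r: %s" % (line_no, realm, reason))
```

Run against a real `log.winbindd` at debug level 3 or higher and the machine's /etc/krb5.conf, the only findings on a healthy member server should be none; a "short domain name used as realm" hit on the guessed principal line points at the realm-guessing path the thread discusses rather than at krb5.conf.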
