[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?

Jelmer Jaarsma jelmer.jaarsma at sara.nl
Wed Nov 19 10:45:53 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

I just wanted to state that I am seeing this issue as well. Haven't
tried your hack yet but I plan to if a better solution won't be
provided. Thanks for reporting this to the list!

Jelmer Jaarsma

Paul Sobey wrote:
> 
> On Wed, 12 Nov 2008, Paul Sobey wrote:
> 
>> On Wed, 5 Nov 2008, Paul Sobey wrote:
>>
>>> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to
>>> a Windows 2008 domain works perfectly, having pre-created the servername in
>>> the appropriate OU.
>>>
>>> In my winbind logs, I see the following (domain name obfuscated):
>>> [2008/11/05 11:28:06,  2]
>>> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>>  Doing kerberos session setup
>>>
>>> [2008/11/05 11:28:06,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>>  ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot
>>> resolve network address for KDC in requested realm)
>>>
>>> [2008/11/05 11:28:06,  1]
>>> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>>  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
>>> network address for KDC in requested realm
>>>
>>> The realm is guessed wrongly - only the short name of the domain, rather
>>> than the fully qualified realm name, as specified in krb5.conf.
>>>
>>> My AD full name is foo.bar.com, short name FOO. My question is - when
>>> guessing the principal for the target DC, why does Samba guess 'FOO',
>>> rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain
>>> running 3.0.28 which correctly guesses the realm.
>> Not sure whether this helps diagnose, but I just upgraded my Linux desktop to
>> Samba 3.2.4 and now get exactly the same error - winbind is refusing to
>> authenticate me at all. In my pam.conf I have krb5_auth set to try and make
>> winbind authenticate me via kerberos.
>>
>> How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm
>> wrong when authenticating against Windows 2008. I thought it was a Solaris
>> issue before but it seems to be OS independent. Is anybody else seeing it?
> 
> Not sure whether this helps anybody, but by patching the source of
> libsmb/cliconnect.c with the following, ie hard coding the proper name of
> the Kerberos realm, the error goes away.
> 
> 893a894
>>                               DEBUG(3,("cli_session_setup_spnego:
> dest_realm is %s\n", dest_realm));
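Review bot: the single DEBUG line added at 893a894 has been wrapped by the mailer into two lines, with the `>` diff marker missing on the `dest_realm is %s\n", dest_realm));` continuation, so this ed-style diff will not apply with `patch` as pasted; the same wrapping affects the two hunks below. Send it as a unified diff (`diff -u`) attached rather than inline. The format/argument pairing in this hunk is correct (one `%s`, one `dest_realm`), which is not the case for the DEBUG calls further down.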
> 895a897,900
>>                               DEBUG(3,("cli_session_setup_spnego:
> hacking realm!\n", dest_realm));
>>                               realm = SMB_STRDUP("FOO.BAR.COM");
>>                               strupper_m(realm);
>>                               DEBUG(3,("cli_session_setup_spnego: realm
> is now %s\n", realm));
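Review bot: `realm = SMB_STRDUP("FOO.BAR.COM");` at 895a897,900 hard-codes one site's realm into libsmb/cliconnect.c, which confirms the diagnosis (the short name FOO is what reaches krb5_get_credentials) but cannot be merged; the value should come from the configured `realm =` in smb.conf, or from krb5.conf, not from a literal. Two further points in the same hunk: `DEBUG(3,("cli_session_setup_spnego: hacking realm!\n", dest_realm));` passes `dest_realm` to a format string with no conversion specifier, so either add `%s` or drop the argument; and if `realm` already held an allocated string when the pointer is overwritten, that string is leaked, since the hunk shows no free of the old value before the SMB_STRDUP.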
> 896a902
>>                               DEBUG(3,("cli_session_setup_spnego:
> getting realm from cache\n", realm));
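Review bot: `DEBUG(3,("cli_session_setup_spnego: getting realm from cache\n", realm));` at 896a902 again passes `realm` with no `%s` in the format string, so the cached value is never actually logged; add `%s` (which is what the message seems to intend) or remove the argument.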
> 
> To reiterate - under 3.2.4 code, 'realm' gets set to 'FOO', rather than
> 'FOO.BAR.COM'.
> 
> Difference in winbind logs:
> 
> Bad version:
> 
> [2008/11/12 15:49:17,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(839)
>    got principal=not_defined_in_RFC4178@please_ignore
> 
> [2008/11/12 15:49:17,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(880)
>    cli_session_setup_spnego: got a bad server principal, trying to guess
> ...
> 
> [2008/11/12 15:49:17,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(908)
>    cli_session_setup_spnego: guessed server
> principal=domaincontroller$@FOO
> 
> [2008/11/12 15:49:17,  2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>    Doing kerberos session setup
> 
> [2008/11/12 15:49:17,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>    ads_krb5_mk_req: krb5_get_credentials failed for domaincontroller$@FOO
>    (Cannot resolve network address for KDC in requested realm)
> 
> [2008/11/12 15:49:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>    cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> resolve network address for KDC in requested realm
> 
> [2008/11/12 15:49:17, 4] winbindd/winbindd_cm.c:cm_prepare_connection(843)
>    failed kerberos session setup with Cannot resolve network address for
> KDC in requested realm
> 
> [2008/11/12 15:49:17,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(804)
>    Doing spnego session setup (blob length=124)
> 
> Hacked version:
> 
> [2008/11/12 18:23:55,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(839)
>    got principal=not_defined_in_RFC4178@please_ignore
> [2008/11/12 18:23:55,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(880)
>    cli_session_setup_spnego: got a bad server principal, trying to guess
> ...
> [2008/11/12 18:23:55,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(894)
>    cli_session_setup_spnego: dest_realm is FOO
> [2008/11/12 18:23:55,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(897)
>    cli_session_setup_spnego: hacking realm!
> [2008/11/12 18:23:55,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(900)
>    cli_session_setup_spnego: realm is now FOO.BAR.COM
> [2008/11/12 18:23:55,  3]
> libsmb/cliconnect.c:cli_session_setup_spnego(914)
>    cli_session_setup_spnego: guessed server
> principal=domaincontroller$@FOO.BAR.COM
> [2008/11/12 18:23:55,  2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>    Doing kerberos session setup
> [2008/11/12 18:23:55,  3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
>    ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Thu, 13 Nov 2008 04:23:55 GMT
> [2008/11/12 18:23:55,  3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
>    ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> [2008/11/12 18:23:55,  5]
> libsmb/smb_signing.c:set_smb_signing_real_common(144)
>    SMB signing enabled!
> 
> 
> Hope this is useful for somebody.
> 
> Paul
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkj7mEACgkQ3bV1+S5veEjvJQCfV3ANhyqTHwtYgaQnmKMSHiRZ
GZYAn3FsZ/v+YnP7AL2/U+8lUw8OSRSl
=Y4pG
-----END PGP SIGNATURE-----
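The logs above show the step that goes wrong: Windows 2008 returns the placeholder principal not_defined_in_RFC4178@please_ignore in the SPNEGO negotiation, Samba then has to guess a server principal itself, and in 3.2.4 the realm half of that guess is the NetBIOS short name (FOO), for which krb5 has no KDC. The following Python model is an added example, not code from the thread or from Samba, and it makes no claim about how Samba itself later fixed this. It parses a constructed krb5.conf for the obfuscated domain, resolves the short name to a realm that has a configured KDC, and shows the failing 3.2.4-style guess beside the corrected one. The preference order in resolve_realm (the smb.conf `realm =` value, then an exact [realms] entry, then default_realm) is this example's own assumption, and all host names and the krb5.conf contents are constructed.

```python
import re

# Placeholder principal the DC hands back, as seen in the winbind logs above.
PLACEHOLDER_PRINCIPAL = "not_defined_in_RFC4178@please_ignore"
KDC_ERROR = "Cannot resolve network address for KDC in requested realm"

# Constructed krb5.conf for the obfuscated domain in the thread (assumption).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = FOO.BAR.COM

[realms]
    FOO.BAR.COM = {
        kdc = domaincontroller.foo.bar.com
    }

[domain_realm]
    .foo.bar.com = FOO.BAR.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and one level of
    REALM = { ... } blocks. Repeated keys (several kdc lines) become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = key
            conf[section].setdefault(block, {})
            continue
        target = conf[section][block] if block else conf[section]
        if key in target:
            if not isinstance(target[key], list):
                target[key] = [target[key]]
            target[key].append(value)
        else:
            target[key] = value
    return conf


def resolve_realm(dest_realm, krb5, smb_realm=None):
    """Map the NetBIOS short name the SMB layer knows (FOO) onto a realm that
    krb5.conf has a KDC for. The order is this example's choice, not Samba's:
    smb.conf 'realm =', an exact [realms] entry, default_realm, and only
    then the bare short name (which is what 3.2.4 ended up with)."""
    if smb_realm:
        return smb_realm.upper()
    if dest_realm and dest_realm.upper() in krb5.get("realms", {}):
        return dest_realm.upper()
    default = krb5.get("libdefaults", {}).get("default_realm")
    return default.upper() if default else (dest_realm or "").upper()


def guess_server_principal(spnego_principal, dest_host, dest_realm, krb5,
                           smb_realm=None, fix_realm=True):
    """If the server sent the RFC 4178 placeholder, build host$@REALM ourselves.
    fix_realm=False reproduces the broken guess from the thread (realm == FOO)."""
    if spnego_principal and spnego_principal != PLACEHOLDER_PRINCIPAL:
        return spnego_principal
    realm = resolve_realm(dest_realm, krb5, smb_realm) if fix_realm else dest_realm.upper()
    return f"{dest_host}$@{realm}"


def kdcs_for_principal(principal, krb5):
    """KDC list for the principal's realm, or the failure text from the logs."""
    realm = principal.rsplit("@", 1)[-1]
    entry = krb5.get("realms", {}).get(realm)
    if not entry or "kdc" not in entry:
        raise LookupError(f"krb5_get_credentials failed for {principal} ({KDC_ERROR})")
    kdc = entry["kdc"]
    return kdc if isinstance(kdc, list) else [kdc]


def principal_resolves(principal, krb5):
    """True when a KDC is configured for the principal's realm."""
    try:
        kdcs_for_principal(principal, krb5)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    krb5 = parse_krb5_conf(SAMPLE_KRB5_CONF)
    bad = guess_server_principal(PLACEHOLDER_PRINCIPAL, "domaincontroller", "FOO", krb5, fix_realm=False)
    good = guess_server_principal(PLACEHOLDER_PRINCIPAL, "domaincontroller", "FOO", krb5, smb_realm="foo.bar.com")
    for p in (bad, good):
        print(p, "->", kdcs_for_principal(p, krb5) if principal_resolves(p, krb5) else KDC_ERROR)
```

Running it prints domaincontroller$@FOO with the "Cannot resolve network address for KDC" text, then domaincontroller$@FOO.BAR.COM with its KDC, which is the same before/after pair the two winbind logs show. The check worth keeping from this is principal_resolves: a guessed principal whose realm has no [realms] entry and no DNS SRV lookup is going to fail exactly as in the thread, so validating the realm before handing the principal to krb5 gives a clearer log line than the generic krb5 error.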

