[PATCH] heimdal fixes for the new keytab code

Guenther Deschner gd at sernet.de
Wed Jul 7 09:33:14 GMT 2004


Hi Jeremy & Jerry,

sorry for being a bit imprecise. I'll do my best to clarify things now.

On Tue, Jul 06, 2004 at 09:19:37PM -0500, Gerald (Jerry) Carter wrote:
> On Tue, 6 Jul 2004, Jeremy Allison wrote:
>
> > > * why do we let samba now kinit with HOST/fqdn@REALM, instead of
> > >   HOST/machine@REALM in security=ads ? the current code does not
> > >   even create HOST/fqdn@REALM-principals but HOST/fqdn-principals.
> > >
> > >   AFAIK, this will break all existing security=ads installations
> > >   prior to current svn. We should at least provide an internal
> > >   upgrade path or describe the to-be-expected-effect in WHATSNEW.TXT.
> > >   Or am I completely wrong here ?
> >
> > Can you explain this more clearly. I'm not understanding you here.
> > Please explain *exactly* what the problem is.
>
> I'm not sure I see it either.  Guenther, can you provide a test case ?
> service principals in the keytab have to be fully qualified I thought.
> While the principal name in the kdc store does not (the realm is
> implicitly defined).

* Joining ADS (w2k3 in my case) with current 3_0 svn with security = ads (no unix keytab involved)

mthelena:~ # net ads join -U administrator%secret -d0
Using short domain name -- W2K3TEST
Joined 'MTHELENA' to realm 'W2K3TEST.SERNET.DE'

* let's see what principals were created

-----8<------------------snip--------------8<--------------
mthelena: # net ads status -U administrator%secret | egrep -i -e '(princ|dnshost|samaccountn)'
sAMAccountName: mthelena$
dNSHostName: mthelena.W2K3TEST.SERNET.DE
userPrincipalName: HOST/mthelena@W2K3TEST.SERNET.DE
servicePrincipalName: CIFS/mthelena.w2k3test.sernet.de
servicePrincipalName: CIFS/mthelena
servicePrincipalName: HOST/mthelena.w2k3test.sernet.de
servicePrincipalName: HOST/mthelena
----->8------------------snap-------------->8--------------

* now try to start winbindd

-----8<------------------snip--------------8<--------------
mthelena: # winbindd -i -d 3
...
got ldap server name w2k3ts@W2K3TEST.SERNET.DE, using bind path: dc=W2K3TEST,dc=SERNET,dc=DE
IPC$ connections done anonymously
Connecting to host=W2K3TS
Connecting to 172.16.200.5 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=w2k3ts$@W2K3TEST.SERNET.DE
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 07 Jul 2004 09:31:01 GMT
lsa_io_sec_qos: length c does not match size 8
ads: alternate_name
Connected to LDAP server 172.16.200.5
got ldap server name w2k3ts@W2K3TEST.SERNET.DE, using bind path: dc=W2K3TEST,dc=SERNET,dc=DE
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=w2k3ts$@W2K3TEST.SERNET.DE
krb5_cc_get_principal failed (No such file or directory)
kerberos_kinit_password host/mthelena.w2k3test.sernet.de@W2K3TEST.SERNET.DE failed: Client not found in Kerberos database
ads_connect for domain W2K3TEST failed: Client not found in Kerberos database
----->8------------------snap-------------->8--------------

* sure, we cannot kinit to host/fqdn@realm because we have not created
  such a principal. we can't kinit and we broke backward-compatibility, AFAIK.

Hopefully you are seeing this as well. There are several ways to solve
that problem.

> > > * The cleanup in libads might be a good chance to apply the
> > >   remaining parts of the fix for #1208 (fix existing one-direction
> > >   clock-skew-correction that can lead to infinite loops wherever
> > >   libsmb/clikrb5.c's cli_krb5_get_ticket is used) :)
> >
> > Is there a patch in that bug report ? I'll take a look if so.
>
> What's left to be done on bug 1208 ?  Is the clock skew issue the last
> bug?  It's unclear to me if that is a real world example or just a loop
> error in the code.

The last remaining patch is:
https://bugzilla.samba.org/attachment.cgi?id=484&action=view

There are real world examples (and some complaints on samba at samba.org that
might be related to that, too). Volker was hit by this at a customer site
a while ago.

The easiest way to reproduce:

mthelena:~ # net time -S w2k3ts
Wed Jul  7 10:24:32 2004

* ADS KDC time is 10:24, service ticket lifetime is set to 10 minutes via
  Group Policy for Domains

mthelena:~ # date -s 10:35
Wed Jul  7 10:35:00 CEST 2004

* Clocks are not synchronized, our time is KDC's time + 11 minutes (thus
  any acquired tickets are immediately expired). Although this clock skew is
  now forced and somewhat artificial, non-synchronized clocks are very
  common, unfortunately.

-----8<------------------snip--------------8<--------------
mthelena:~ net ads search cn=administrator -U administrator%secret -d 3
...
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2004/07/07 10:35:07.247847, 3, pid=7847] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 172.16.200.5
[2004/07/07 10:35:07.250643, 3, pid=7847] libads/ldap.c:ads_server_info(2329)
  got ldap server name w2k3ts@W2K3TEST.SERNET.DE, using bind path: dc=W2K3TEST,dc=SERNET,dc=DE
[2004/07/07 10:35:07.253107, 3, pid=7847] libads/sasl.c:ads_sasl_spnego_bind(204)
  got OID=1 2 840 48018 1 2 2
[2004/07/07 10:35:07.253697, 3, pid=7847] libads/sasl.c:ads_sasl_spnego_bind(204)
  got OID=1 2 840 113554 1 2 2
[2004/07/07 10:35:07.254270, 3, pid=7847] libads/sasl.c:ads_sasl_spnego_bind(204)
  got OID=1 2 840 113554 1 2 2 3
[2004/07/07 10:35:07.254779, 3, pid=7847] libads/sasl.c:ads_sasl_spnego_bind(204)
  got OID=1 3 6 1 4 1 311 2 2 10
[2004/07/07 10:35:07.255347, 3, pid=7847] libads/sasl.c:ads_sasl_spnego_bind(211)
  got principal=w2k3ts$@W2K3TEST.SERNET.DE
[2004/07/07 10:35:07.256779, 1, pid=7847] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/07/07 10:35:08.007227, 3, pid=7847] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 07 Jul 2004 10:34:42 GMT
[2004/07/07 10:35:08.299137, 3, pid=7847] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 07 Jul 2004 10:34:42 GMT
[2004/07/07 10:35:08.590169, 3, pid=7847] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 07 Jul 2004 10:34:43 GMT
[2004/07/07 10:35:08.883670, 3, pid=7847] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[MEMORY:net_ads] expiration Wed, 07 Jul 2004 10:34:43 GMT
...
----->8------------------snap-------------->8--------------

* cli_krb5_get_ticket loops forever until aborted with ctrl-c (and this function
  is used a lot), even worse when called without a debug level:

-----8<------------------snip--------------8<--------------
mthelena:~ net ads join -U Administrator%secret
----->8------------------snap-------------->8--------------


* you'll see nothing but the "hanging" join

If you need any more information, I'll be happy to send it to you.

Thank you,
Guenther
-- 
Guenther Deschner,  SerNet Service Network GmbH
Phone: +49-(0)551-370000-0,  Fax: +49-(0)551-370000-9
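An added helper for the first problem in the mail (the join creates HOST/mthelena@REALM but winbindd kinits as host/fqdn@REALM); it is not part of the mail or of Samba. It parses the attribute lines from the `net ads status` excerpt (embedded as constructed sample input) and reports whether a given client principal can be accepted by the KDC for this machine account, assuming the KDC matches AS-REQ client names against the userPrincipalName and sAMAccountName@REALM case-insensitively and treats servicePrincipalName values as service names only.

```python
import re

# Constructed from the `net ads status` excerpt in the mail (attribute lines only).
SAMPLE_STATUS = """\
sAMAccountName: mthelena$
dNSHostName: mthelena.W2K3TEST.SERNET.DE
userPrincipalName: HOST/mthelena@W2K3TEST.SERNET.DE
servicePrincipalName: CIFS/mthelena.w2k3test.sernet.de
servicePrincipalName: CIFS/mthelena
servicePrincipalName: HOST/mthelena.w2k3test.sernet.de
servicePrincipalName: HOST/mthelena
"""

def parse_attrs(text: str) -> dict:
    """Collect 'name: value' lines into name -> [values] (multi-valued safe)."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.+?)\s*$", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def client_principals(attrs: dict, realm: str) -> set:
    """Names the KDC accepts as the *client* of an AS-REQ for this account:
    the UPN and sAMAccountName@REALM (assumption stated in the lead-in).
    SPNs are excluded on purpose: they name the service, not the client,
    which is why the mail's kinit ends in 'Client not found'."""
    names = {u.lower() for u in attrs.get("userPrincipalName", [])}
    names |= {f"{s}@{realm}".lower() for s in attrs.get("sAMAccountName", [])}
    return names

def can_kinit_as(principal: str, attrs: dict, realm: str) -> bool:
    """True if a kinit with this client principal can succeed (case-insensitive match)."""
    return principal.lower() in client_principals(attrs, realm)

def report(principal: str, status_text: str, realm: str) -> str:
    attrs = parse_attrs(status_text)
    if can_kinit_as(principal, attrs, realm):
        return f"OK: {principal} is a client principal of this account"
    return (f"MISMATCH: {principal} is not a client principal; usable names: "
            + ", ".join(sorted(client_principals(attrs, realm))))
```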
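An added simulation of the retry loop behind bug #1208, using the clock values from the reproduction in the mail; it is a constructed model, not Samba's clikrb5.c. A fake KDC issues tickets from its own clock; the naive loop judges expiry against the local clock and keeps re-requesting when the local clock is ahead, while the bounded variant estimates the skew in either direction from the KDC-stamped starttime and gives up after a few attempts. All names are assumptions.

```python
from dataclasses import dataclass

TICKET_LIFETIME = 10 * 60   # seconds: the 10-minute Group Policy value from the mail

def hms(s: str) -> int:
    """'10:24:32' -> seconds since midnight (constructed helper)."""
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec

@dataclass(frozen=True)
class Ticket:
    starttime: int   # stamped by the KDC with the KDC's clock
    endtime: int     # likewise KDC time

class FakeKdc:
    """Constructed stand-in for the w2k3 KDC: issues from its own clock and
    counts requests so a retry loop becomes visible."""
    def __init__(self, now: int):
        self.now, self.requests = now, 0
    def get_credentials(self) -> Ticket:
        self.requests += 1
        return Ticket(self.now, self.now + TICKET_LIFETIME)

def get_ticket_naive(kdc: FakeKdc, local_now: int, give_up_after: int = 100):
    """Models the loop from bug #1208: a ticket counts as expired when its
    endtime lies before the LOCAL clock, so a local clock more than one
    lifetime ahead of the KDC discards every fresh ticket and asks again.
    give_up_after exists only so this simulation terminates."""
    while kdc.requests < give_up_after:
        t = kdc.get_credentials()
        if t.endtime >= local_now:
            return t
    return None   # the real loop never gets here; it spins until ctrl-c

def ticket_valid(t: Ticket, local_now: int, offset: int) -> bool:
    """Expiry judged in KDC time: offset converts our clock to the KDC's."""
    return t.endtime > local_now + offset

def get_ticket_skew_aware(kdc: FakeKdc, local_now: int, max_attempts: int = 3):
    """Bounded variant correcting skew in BOTH directions: a freshly issued
    ticket's starttime is the KDC's 'now', so starttime - local_now is the
    offset (negative when we run ahead, positive when we lag behind)."""
    for _ in range(max_attempts):
        t = kdc.get_credentials()
        offset = t.starttime - local_now
        if ticket_valid(t, local_now, offset):
            return t, offset
    return None, None   # give up instead of hanging the caller
```

With the local clock at 10:35 and the KDC at 10:24:32, the naive loop exhausts its request budget without ever returning a ticket, which is the hang the join shows; the skew-aware loop returns the first ticket with a measured offset of -628 seconds and later correctly reports it expired once the KDC-time lifetime is over.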