Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Love Hörnquist Åstrand lha@kth.se
Fri Sep 24 12:57:51 MDT 2010


Joshua,

It depends on your code path: if you use the "normal" krb5_ APIs, that is true; if you use gss_ it will have different behavior?

What API are you using?

Love

24 sep 2010 kl. 10.48 skrev Joshua Hawkinson:

> hmmm, I took a look at Heimdal 1.4 -- I think it's the latest -- and they had the name-type set to PRINCIPAL like samba4 Heimdal.  It is however certainly worth a test to verify.
>  
> Thank you both for your responses.  I’ll be back after installing a new test client with Heimdal, and compiling samba.
>  
> --Joshua
>  
> From: Love Hörnquist Åstrand [mailto:lha@kth.se]
> Sent: Thursday, September 23, 2010 11:03 PM
> To: Joshua Hawkinson
> Cc: samba-technical@lists.samba.org
> Subject: Re: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?
>  
> Modern Heimdal sets name-type to KRB5_NT_SRV_HST when going through GSS-API with service-based names.
> 
> That doesn't work?
> 
> 
> Love
> 
> Sent from my iPhone
> 
> 23 sep 2010 kl. 15:06 skrev Joshua Hawkinson <jhawkinson@overlandstorage.com>:
> 
> Ugh!  So we've reviewed both Heimdal and MIT krb5 and it seems that the problem persists everywhere.  After reading the krb5 RFC it seems that Microsoft should not be so touchy about the NAME-TYPE, but the Linux Kerberos implementations should also set the correct NAME-TYPE.  We're thinking that perhaps we should modify the krb libs on the system to inspect the principal as it is building it, and if it is krbtgt@REALM we'll just set the NAME-TYPE to NT-SRV-INST.  This approach seems to be consistent with a) what works in this situation, b) the krb5 RFC.  I realize this is super hacky but I'd like to know your thoughts on the matter.
> 
> Have you guys integrated Heimdal into samba 4 so you can customize it to work with windows servers in cases like this? 
> 
> --Josh
> 
> -----Original Message-----
> From: Joshua Hawkinson 
> Sent: Tuesday, September 21, 2010 12:46 PM
> To: Joshua Hawkinson; samba-technical@lists.samba.org
> Subject: RE: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?
> 
> Hello everyone,
> 
> Well, here is a quick update -- setting the Microsoft-recommended value ((2) service and instance, or KRB5_NT_SRV_INST as defined in the krb5 code) in the Kerberos libs on the system seems to have worked.  Unfortunately it seems that the current krb5 code, both Heimdal and MIT, has this value statically assigned to name-type (1) and (0) respectively (principal and unknown).  Microsoft seems to be a bit slicker about setting the name-type in different situations.  At any rate, other than specifying a "password server" parameter in the smb.conf pointing to the writable DC, there does not seem to be a good workaround.  We're testing the static (2) setting to see what -- if anything -- it breaks in our environment...
> 
> Samba folks,
> As this seems to be a more generic krb5 issue; should I enter a defect into bugzilla? 
> 
> --Josh
> 
> -----Original Message-----
> From: samba-technical-bounces@lists.samba.org [mailto:samba-technical-bounces@lists.samba.org] On Behalf Of Joshua Hawkinson
> Sent: Thursday, September 16, 2010 5:12 PM
> To: samba-technical@lists.samba.org
> Subject: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?
> 
> Hi guys,
> 
> I seem to have uncovered a defect in the latest stable version of Samba (3.5.5) where I'm unable to authenticate through Kerberos to a 2008 R2 read-only domain controller (RODC).  I've been digging into this issue for a couple of days and I've found that the problem only seems to occur during the TGS-REQ to the RODC.  The RODC seems to reject this request (with error 31, decrypt integrity check failed) without forwarding it on to the writable DC.  If I replace the 2008 R2 RODC with a standard 2008 RODC the problem does not occur.  Also, if I set the Samba server to directly authenticate to the writable DC no problems occur (obviously).  I've received word from an engineer at Microsoft that the problem is due to.... well, I'll paste in his message:
> 
> From M$ support...
> 
> "I have received an update from my SME on the data which has been provided to us. The problem is the name-type used for the TGT request is set to Unknown:
> 
> 133  2010-08-26 17:15:17.284157  x.x.x.x  x.x.x.x  KRB5  AS-REQ
>   Server Name (Unknown): krbtgt/EXAMPLE.COM
>     Name-type: Unknown (0)
>     Name: krbtgt
>     Name: EXAMPLE.COM
> 
> The name-type needs to be Service and Instance.  The reason why it works against the Writable DCs is because those DCs don't need to proxy the authentication, RODCs do.  In W2K8R2 there were additional checks in the Kerberos decryption code path which now exposes this problem."
> 
> As I'm still a bit skeptical about this analysis of the problem -- I'm working on verifying the problem and performing further isolation.  I was also wondering if such a problem was uncovered in your testing as well.
> 
> I've attached the following to the mail:
> Interactive winbindd debug 100 log
> net ads status -machine-pass debug 10
> a network capture from the samba server during the net ads status
> 
> Thanks for reading
> Joshua Hawkinson
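Added example, not part of this thread and not code from Samba, Heimdal or MIT krb5: a small pure-Python DER codec for the Kerberos PrincipalName structure (RFC 4120 section 5.2.2), so the name-type a client put into the sname of an AS-REQ or TGS-REQ can be read straight out of a capture, and a krbtgt/REALM name can be re-encoded with NT-SRV-INST (2), the value RFC 4120 section 6.2 assigns to krbtgt and the change Joshua proposes to make in the client libraries. The sample bytes are constructed by hand from the sname quoted in the Microsoft message above (encoded the way the capture shows it, name-type 0); they are not taken from the attached pcap, and all function names are the example's own.

```python
"""Inspect and patch the name-type of a DER-encoded Kerberos PrincipalName.

PrincipalName ::= SEQUENCE {
    name-type   [0] Int32,
    name-string [1] SEQUENCE OF KerberosString   -- GeneralString on the wire
}
"""
from typing import List, Optional, Tuple

# RFC 4120 section 6.2 name-type values relevant to the thread
KRB5_NT_UNKNOWN = 0     # what MIT krb5 sent in the capture
KRB5_NT_PRINCIPAL = 1   # what Heimdal sends by default
KRB5_NT_SRV_INST = 2    # "Service and other unique instance (krbtgt)"
KRB5_NT_SRV_HST = 3     # service with host name as instance

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_GENERALSTRING = 0x1B
TAG_CTX0 = 0xA0   # [0] name-type
TAG_CTX1 = 0xA1   # [1] name-string


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at buf[pos]; return (tag, value, next pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _encode_int32(v: int) -> bytes:
    """Minimal two's-complement DER INTEGER content octets."""
    if v == 0:
        return b"\x00"
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def encode_principal_name(name_type: int, components: List[str]) -> bytes:
    name_string = b"".join(_tlv(TAG_GENERALSTRING, c.encode("ascii")) for c in components)
    body = (_tlv(TAG_CTX0, _tlv(TAG_INTEGER, _encode_int32(name_type)))
            + _tlv(TAG_CTX1, _tlv(TAG_SEQUENCE, name_string)))
    return _tlv(TAG_SEQUENCE, body)


def decode_principal_name(der: bytes) -> Tuple[int, List[str]]:
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single PrincipalName SEQUENCE")
    tag, ctx0, pos = _read_tlv(body, 0)
    if tag != TAG_CTX0:
        raise ValueError("expected [0] name-type")
    tag, nt_bytes, _ = _read_tlv(ctx0, 0)
    if tag != TAG_INTEGER:
        raise ValueError("name-type is not an INTEGER")
    name_type = int.from_bytes(nt_bytes, "big", signed=True)
    tag, ctx1, _ = _read_tlv(body, pos)
    if tag != TAG_CTX1:
        raise ValueError("expected [1] name-string")
    tag, seq, _ = _read_tlv(ctx1, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("name-string is not a SEQUENCE OF")
    components, p = [], 0
    while p < len(seq):
        tag, s, p = _read_tlv(seq, p)
        if tag != TAG_GENERALSTRING:
            raise ValueError("name-string component is not a GeneralString")
        components.append(s.decode("ascii"))
    return name_type, components


def krbtgt_name_type_problem(name_type: int, components: List[str]) -> Optional[str]:
    """Describe the mismatch the thread is about, or return None if fine."""
    if len(components) == 2 and components[0] == "krbtgt" and name_type != KRB5_NT_SRV_INST:
        return (f"krbtgt/{components[1]} sent with name-type {name_type}; "
                f"RFC 4120 6.2 (and the 2008 R2 RODC) expect NT-SRV-INST ({KRB5_NT_SRV_INST})")
    return None


def fix_krbtgt_name_type(der: bytes) -> bytes:
    """Re-encode with NT-SRV-INST only when the name is krbtgt/REALM (Joshua's hack, on the wire form)."""
    name_type, components = decode_principal_name(der)
    if krbtgt_name_type_problem(name_type, components) is None:
        return der
    return encode_principal_name(KRB5_NT_SRV_INST, components)


# Constructed sample (not the real capture): the sname from the quoted AS-REQ
# as MIT krb5 would encode it, name-type 0 = NT-UNKNOWN.
SAMPLE_SNAME_NT_UNKNOWN = bytes.fromhex(
    "301e"                        # PrincipalName SEQUENCE, 30 bytes
    "a003020100"                  # [0] name-type INTEGER 0
    "a1173015"                    # [1] name-string SEQUENCE OF, 21 bytes
    "1b066b7262746774"            # GeneralString "krbtgt"
    "1b0b4558414d504c452e434f4d"  # GeneralString "EXAMPLE.COM"
)

if __name__ == "__main__":
    nt, comps = decode_principal_name(SAMPLE_SNAME_NT_UNKNOWN)
    print("sname:", "/".join(comps), "name-type:", nt)
    print(krbtgt_name_type_problem(nt, comps))
    print(decode_principal_name(fix_krbtgt_name_type(SAMPLE_SNAME_NT_UNKNOWN)))
```

The check keys on the two-component krbtgt/REALM shape rather than on every principal, because the thread only needs NT-SRV-INST for the TGT service; changing the name-type of host/ or cifs/ names as well would be a different experiment. Working on the DER form makes this usable against a pcap or a proxy; inside the client libraries the equivalent knob is Heimdal's krb5_principal_set_type() or, in MIT krb5, the krb5_princ_type() accessor on the built principal.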
