Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Joshua Hawkinson jhawkinson at overlandstorage.com
Fri Sep 24 17:04:05 MDT 2010


Oops!

s/LDAP signing/sasl signing/g

--Josh

And here is the struct as dumped from winbindd in the same failure case

Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
kerberos_kinit_password: as TIBERIUS$@CLASSICAL.SNAPQA using [MEMORY:winbind_ccache] as ccache and config [/var/lock/samba/smb_krb5/krb5.conf.CLASSICAL]
ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/aphrodite.classical.snapqa at CLASSICAL.SNAPQA (Decrypt integrity check failed)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt integrity check failed
ads_connect: leaving with: Decrypt integrity check failed
    ads: struct ads_struct
        is_mine                  : true
        ads: struct server
            realm                    : 'classical.snapqa'
            workgroup                : 'CLASSICAL'
            ldap_server              : NULL
            foreign                  : false
        ads: struct auth
            realm                    : 'CLASSICAL.SNAPQA'
            password                 : '(PASSWORD ommited)'
            user_name                : 'TIBERIUS$'
            kdc_server               : '192.168.193.52'
            flags                    : 0x00000000 (0)
                   0: ADS_AUTH_DISABLE_KERBEROS
                   0: ADS_AUTH_NO_BIND
                   0: ADS_AUTH_ANON_BIND
                   0: ADS_AUTH_SIMPLE_BIND
                   0: ADS_AUTH_ALLOW_NTLMSSP
                   0: ADS_AUTH_SASL_SIGN
                   0: ADS_AUTH_SASL_SEAL
                   0: ADS_AUTH_SASL_FORCE
            time_offset              : 0x00000001 (1)
            tgt_expire               : Fri 17 Sep 2010 02:05:43 AM PDT PDT
            tgs_expire               : (time_t)0
            renewable                : Fri 30 Jan 1970 04:00:00 PM PST PST
        ads: struct config
            flags                    : 0x000028fc (10492)
                   0: DS_SERVER_PDC
                   1: DS_SERVER_GC
                   1: DS_SERVER_LDAP
                   1: DS_SERVER_DS
                   1: DS_SERVER_KDC
                   1: DS_SERVER_TIMESERV
                   1: DS_SERVER_CLOSEST
                   0: DS_SERVER_WRITABLE
                   0: DS_SERVER_GOOD_TIMESERV
                   0: DS_SERVER_NDNC
                   1: DS_SERVER_SELECT_SECRET_DOMAIN_6
                   0: DS_SERVER_FULL_SECRET_DOMAIN_6
                   0: DS_DNS_CONTROLLER
                   0: DS_DNS_DOMAIN
                   0: DS_DNS_FOREST
            realm                    : 'CLASSICAL.SNAPQA'
            bind_path                : 'dc=CLASSICAL,dc=SNAPQA'
            ldap_server_name         : 'APHRODITE.classical.snapqa'
            server_site_name         : 'Default-First-Site-Name'
            client_site_name         : 'Default-First-Site-Name'
            current_time             : Thu 16 Sep 2010 04:05:43 PM PDT PDT
            schema_path              : NULL
            config_path              : NULL
        ads: struct ldap
            ld                       : *
            ss                       : 192.168.193.52
            last_attempt             : Thu 16 Sep 2010 04:05:42 PM PDT PDT
            port                     : 0x00000185 (389)
            wrap_type                : 0x0001 (1)
            mem_ctx                  : *
            wrap_ops                 : NULL
            wrap_private_data        : NULL
            ads: struct in
                ofs                      : 0x00000000 (0)
                needed                   : 0x00000000 (0)
                left                     : 0x00000000 (0)
                max_wrapped              : 0x00000000 (0)
                min_wrapped              : 0x00000000 (0)
                size                     : 0x00000000 (0)
                buf: ARRAY(0)
            ads: struct out
                ofs                      : 0x00000000 (0)
                left                     : 0x00000000 (0)
                max_unwrapped            : 0x00000000 (0)
                sig_size                 : 0x00000000 (0)
                size                     : 0x00000000 (0)
                buf: ARRAY(0)

ads_connect for domain CLASSICAL failed: Decrypt integrity check failed
refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
wcache_store_seqnum: success [CLASSICAL][4294967295 @ 1284678343]
refresh_sequence_number: CLASSICAL seq number is now -1
     wbint_QueryUserList: struct wbint_QueryUserList
        out: struct wbint_QueryUserList
            users                    : *
                users: struct wbint_userinfos
                    num_userinfos            : 0x00000000 (0)
                    userinfos: ARRAY(0)
            result                   : NT_STATUS_UNSUCCESSFUL
-----Original Message-----
From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Joshua Hawkinson
Sent: Friday, September 24, 2010 2:24 PM
To: Love Hörnquist Åstrand
Cc: Bill Fellows; samba-technical at lists.samba.org; Andrew Bartlett
Subject: RE: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Hello Love,

I've briefly reviewed the debug output of the net ads status command that I've attached to the first message then compared it with the code in libads/sasl.c, and it appears that in this test we are using the "normal" krb5_apis.  I have not yet traced back through the code completely to verify that, but at first glance (using the comments in the code) that seems to be the case.  It seems that with the detected mechanism that samba will only use the GSS style Princ if LDAP signing is enabled?!? That in mind all of our testing to this point has been with MIT krb5.  We have only reviewed Heimdal code thus far.  At any rate this gives us something to look at, so we'll give it a go. If nothing else perhaps the section of code you're referring to can give us some ideas *shrug

Perhaps you, or samba team wouldn't mind taking a look output here to verify?
[2010/09/16 16:02:41.724000, 10] libsmb/namequery.c:83(saf_store)
  saf_store: domain = [CLASSICAL], server = [APHRODITE.classical.snapqa], expire = [1284679061]
[2010/09/16 16:02:41.724000, 10] lib/gencache.c:180(gencache_set_data_blob)
  Adding cache entry with key = SAF/DOMAIN/CLASSICAL and timeout = Thu Sep 16 16:17:41 2010
   (900 seconds ahead)
[2010/09/16 16:02:41.724000, 10] libsmb/namequery.c:83(saf_store)
  saf_store: domain = [CLASSICAL.SNAPQA], server = [APHRODITE.classical.snapqa], expire = [1284679061]
[2010/09/16 16:02:41.724000, 10] lib/gencache.c:180(gencache_set_data_blob)
  Adding cache entry with key = SAF/DOMAIN/CLASSICAL.SNAPQA and timeout = Thu Sep 16 16:17:41 2010
   (900 seconds ahead)
[2010/09/16 16:02:41.724000,  4] libads/ldap.c:2852(ads_current_time)
  time offset is 0 seconds
[2010/09/16 16:02:41.728000,  4] libads/sasl.c:1113(ads_sasl_bind)
  Found SASL mechanism GSS-SPNEGO
[2010/09/16 16:02:41.732000,  3] libads/sasl.c:781(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2010/09/16 16:02:41.732000,  3] libads/sasl.c:781(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2010/09/16 16:02:41.732000,  3] libads/sasl.c:781(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2010/09/16 16:02:41.732000,  3] libads/sasl.c:781(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2010/09/16 16:02:41.732000,  3] libads/sasl.c:781(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2010/09/16 16:02:41.732000,  3] libads/sasl.c:790(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
[2010/09/16 16:02:41.736000,  1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/aphrodite.classical.snapqa at CLASSICAL.SNAPQA (Decrypt integrity check failed)
[2010/09/16 16:02:41.736000, 10] libads/sasl.c:811(ads_sasl_spnego_bind)
  ads_sasl_spnego_krb5_bind failed with: Decrypt integrity check failed, calling kinit
[2010/09/16 16:02:41.736000, 10] libads/kerberos.c:188(kerberos_kinit_password_ext)
  kerberos_kinit_password: as TIBERIUS$@CLASSICAL.SNAPQA using [MEMORY:net_ads] as ccache and config [/var/lock/samba/smb_krb5/krb5.conf.CLASSICAL]
[2010/09/16 16:02:41.740000,  0] libads/kerberos.c:338(ads_kinit_password)
  kerberos_kinit_password TIBERIUS$@CLASSICAL.SNAPQA failed: KRB5 error code 29
[2010/09/16 16:02:41.740000, 10] lib/gencache.c:345(gencache_get_data_blob)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/CLASSICAL.SNAPQA, value = Default-First-Site-Name, timeout = Mon Jan 18 19:14:07 2038
[2010/09/16 16:02:41.740000,  5] libads/dns.c:810(sitename_fetch)
  sitename_fetch: Returning sitename for CLASSICAL.SNAPQA: "Default-First-Site-Name"
[2010/09/16 16:02:41.740000, 10] libsmb/namequery.c:1400(internal_resolve_name)

Thank you very much
Joshua

From: Love Hörnquist Åstrand [mailto:lha at kth.se]
Sent: Friday, September 24, 2010 11:58 AM
To: Joshua Hawkinson
Cc: samba-technical at lists.samba.org; Andrew Bartlett
Subject: Re: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Joshua,

It depends on your codepath, if you use the "normal" krb5_ apis, that true, if you use gss_ it will have different behavior ?

What api are you using ?

Love

24 sep 2010 kl. 10.48 skrev Joshua Hawkinson:


hmmm, I took a look at Heimdal 1.4 -- I think it's the latest -- and they had the name-type set to PRINCIPAL like samba4 Heimdal.  It is however certainly worth a test to verify.

Thank you both for your responses.  I'll be back after installing a new test client with Heimdal, and compiling samba.

--Joshua

From: Love Hörnquist Åstrand [mailto:lha at kth.se]
Sent: Thursday, September 23, 2010 11:03 PM
To: Joshua Hawkinson
Cc: samba-technical at lists.samba.org<mailto:samba-technical at lists.samba.org>
Subject: Re: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Modern Heimdal sets name-type to KRB5_NT_SRV_HST when going though gss-api with serviced based names.



That doesn't work ?



Love

Skickat från min iPhone

23 sep 2010 kl. 15:06 skrev Joshua Hawkinson <jhawkinson at overlandstorage.com<mailto:jhawkinson at overlandstorage.com>>:
Ugh!  So we've reviewed both Heimdal and MIT krb5 and it seems that the problem persists everywhere. After reading the krb5 RFC it seems that Microsoft should not be so touchy about the NAME-TYPE, but the linux Kerberos implementations should also set the correct NAME-TYPE.  We're thinking that perhaps we should modify the krb libs on the system to inspect the principal as it is building it and if it is krbtgt at REALM we'll just set the NAME-TYPE to NT-SRV-INST.  This approach seems to be consistent with a) what works in this situation, b) the krb5 rfc.  I realize this is super hacky but I'd like to know your thoughts on the matter.

Have you guys integrated Heimdal into samba 4 so you can customize it to work with windows servers in cases like this?

--Josh

-----Original Message-----
From: Joshua Hawkinson
Sent: Tuesday, September 21, 2010 12:46 PM
To: Joshua Hawkinson; samba-technical at lists.samba.org<mailto:samba-technical at lists.samba.org>
Subject: RE: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Hello everyone,

Well here is a quick update -- By setting the Microsoft recommended setting ((2) service and instance, or KRB5_NT_SRV_INST (as defined in the krb5 code)) into the Kerberos libs on system seems to have worked.  Unfortunately it seems that the current krb5 code both Heimdal and MIT have this value statically assigned to name-type (1) and (0) respectively (or principal and unknown).  Microsoft seems to be a bit slicker about setting the name-type in different situations.  At any rate other than specifying a "password server" parameter in the smb.conf to the writable DC there does not seem to be a good work around.  We're testing the static (2) setting to see what -- if anything -- it breaks in our environment...

Samba folks,
As this seems to be a more generic krb5 issue; should I enter a defect into bugzilla?

--Josh

-----Original Message-----
From: samba-technical-bounces at lists.samba.org<mailto:samba-technical-bounces at lists.samba.org> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Joshua Hawkinson
Sent: Thursday, September 16, 2010 5:12 PM
To: samba-technical at lists.samba.org<mailto:samba-technical at lists.samba.org>
Subject: Modifications in Windows 2k8 R2 that prevent krb5 referal in RODC setup?

Hi guys,

I seem to have uncovered a defect in the latest stable version of samba (3.5.5) where I'm unable to authenticate through Kerberos to a 2008 R2 read only domain controller (RODC).  I've been digging in on this issue for about a couple of days and I've found that the problem only seems to occur during TGS-REQ to the RODC.  The RODC seems to reject this request (with error 31 decrypt integrity check failed) without forwarding it on to the writeable DC. If I replace the 2008 R2 RODC with a standard 2008 RODC the problem does not occur.  Also if I set the samba server to directly authenticate to the writeable DC no problems occur (obviously).  I've received word from an engineer at Microsoft that the problem is due to.... Well I'll paste in his message



More information about the samba-technical mailing list