Samba 3.5.6 against Samba 4 authentication woes

Pekka L.J. Jalkanen pekka.jalkanen@vihreat.fi
Fri Nov 23 12:14:15 MST 2012


I boasted on this list some time in October that my Samba 4 (now
4.0.0 RC5) installation works and that I'm no longer having any
authentication problems. Unfortunately, it turned out that this was not
so... but I didn't find the time to build a test (client) box and properly
dig into this until now.

Specifically, I noticed that the Samba shipped with Debian Squeeze
(version 3.5.6) always fails to connect to my Samba 4 installation. So I
built a test box using that specific version, because
a) having Samba on client side makes testing easier,
b) I'd like to be able to use the Debian-shipped "stock" Samba on the
client side, and
c) on Linux I can easily use iptables to force the box to communicate
only with a specific DC.

Symptoms are that if the DC is Windows 2003 R2, the Samba client will
successfully obtain a TGT, but if it is Samba 4, it will fail with an
error "Server not found in Kerberos database".

I've now used iptables to force the client to communicate with my DCs
one at a time, first with the Windows DC, then with the Samba DC,
restarting Winbind on the client in between, trying to dump the user list
each time with "wbinfo -u" and logging Winbind with "-d6".


The following is what gets logged by the client, when the server is Windows:

[2012/11/23 20:06:18.791668,  4] libsmb/namequery_dc.c:145(ads_dc_name)
  ads_dc_name: using server='W2K3R2DC.MYDOMAIN.SITE' IP=10.10.100.1
[2012/11/23 20:06:18.791697,  5] libads/dns.c:810(sitename_fetch)
  sitename_fetch: Returning sitename for MYDOMAIN.SITE:
"Default-First-Site-Name"
[2012/11/23 20:06:18.791721,  5] libsmb/namecache.c:192(namecache_fetch)
  name w2k3r2dc.mydomain.site#20 found.
[2012/11/23 20:06:18.791770,  5] libads/ldap.c:226(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.10.100.1 (realm:
mydomain.site)
[2012/11/23 20:06:18.792549,  3] libads/ldap.c:634(ads_connect)
  Successfully contacted LDAP server 10.10.100.1
[2012/11/23 20:06:18.794237,  3] libads/ldap.c:688(ads_connect)
  Connected to LDAP server w2k3r2dc.mydomain.site
[2012/11/23 20:06:18.794850,  4] libads/ldap.c:2852(ads_current_time)
  time offset is 2 seconds
[2012/11/23 20:06:18.795344,  4] libads/sasl.c:1114(ads_sasl_bind)
  Found SASL mechanism GSS-SPNEGO
[2012/11/23 20:06:18.795960,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2012/11/23 20:06:18.795996,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2012/11/23 20:06:18.796012,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2012/11/23 20:06:18.796061,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2012/11/23 20:06:18.796083,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = w2k3r2dc$@MYDOMAIN.SITE
[2012/11/23 20:06:18.796187,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2012/11/23 20:06:18.803355,  4] libsmb/clikrb5.c:807(ads_krb5_mk_req)
  ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
[2012/11/23 20:06:18.803392,  3]
libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
expiration Sat, 24 Nov 2012 06:06:20 EET
[2012/11/23 20:06:18.803416,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
  ads_krb5_mk_req: server marked as OK to delegate to, building
forwardable TGT

And the following will end up into the log if the server is Samba 4:

[2012/11/23 20:13:02.180863,  4] libsmb/namequery_dc.c:145(ads_dc_name)
  ads_dc_name: using server='SAMBA4DC.MYDOMAIN.SITE' IP=10.10.100.2
[2012/11/23 20:13:02.180880,  5] libads/dns.c:810(sitename_fetch)
  sitename_fetch: Returning sitename for MYDOMAIN.SITE:
"Default-First-Site-Name"
[2012/11/23 20:13:02.180903,  5] libsmb/namecache.c:192(namecache_fetch)
  name SAMBA4DC.MYDOMAIN.SITE#20 found.
[2012/11/23 20:13:02.180944,  5] libads/ldap.c:226(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.10.100.2 (realm:
mydomain.site)
[2012/11/23 20:13:02.305750,  3] libads/ldap.c:634(ads_connect)
  Successfully contacted LDAP server 10.10.100.2
[2012/11/23 20:13:02.308816,  3] libads/ldap.c:688(ads_connect)
  Connected to LDAP server samba4dc.mydomain.site
[2012/11/23 20:13:02.321147,  4] libads/ldap.c:2852(ads_current_time)
  time offset is 1 seconds
[2012/11/23 20:13:02.322344,  4] libads/sasl.c:1114(ads_sasl_bind)
  Found SASL mechanism GSS-SPNEGO
[2012/11/23 20:13:02.323762,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2012/11/23 20:13:02.323815,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2012/11/23 20:13:02.323831,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2012/11/23 20:13:02.323844,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
[2012/11/23 20:13:02.324064,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2012/11/23 20:13:02.347555,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for
ldap/samba4dc.mydomain.site@MYDOMAIN.SITE (Server not found in Kerberos
database)
[2012/11/23 20:13:02.347599,  0] libads/sasl.c:821(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found
in Kerberos database
[2012/11/23 20:13:02.347686,  1]
winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain MYDOMAIN failed: Server not found in Kerberos
database


I wonder if this is because Samba 3.5.6 lacks the "client use spnego
principal" option, and Samba 4 behaves like Windows 2008 in this regard,
no longer having the "send spnego principal" option. But is it really
the case that Samba 3.5.6 is totally incompatible with Samba 4?

Or should there be some way to make this work?

Thanks for any help!

Pekka L.J. Jalkanen
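The two winbind excerpts in the post differ in exactly two places: the server principal hint the DC puts in its SPNEGO NegTokenInit (a real `w2k3r2dc$@MYDOMAIN.SITE` from Windows 2003 R2, the literal `not_defined_in_RFC4178@please_ignore` placeholder from Samba 4) and the SPN the client then asks the KDC for (`ldap/samba4dc.mydomain.site@MYDOMAIN.SITE`, which the KDC does not know). That hint travels before any authentication has happened, so a client that derives the SPN itself rather than trusting the hint is doing the right thing; the question is then only whether the KDC has that SPN. The following Python script is an added example, not part of the original post and not Samba code: it joins the wrapped `winbindd -d6` entries back into single records and extracts those fields so the two cases can be compared mechanically. The sample logs are abridged from the two excerpts above; the OID-to-name table, the `SpnegoTriage` type and the verdict wording are mine.

```python
"""Triage a winbindd -d6 log for the GSS-SPNEGO bind failure shown in the
post: which DC was used, which mechanisms it offered, whether it sent a real
server principal or Samba's RFC 4178 placeholder, and which SPN the client
then requested from the KDC.  Added example; not Samba's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Literal placeholder Samba's SPNEGO server sends instead of a principal hint
# (it appears verbatim in the Samba 4 excerpt in the post).
RFC4178_PLACEHOLDER = "not_defined_in_RFC4178@please_ignore"

# Names for the mechanism OIDs that appear in the post's logs (my table).
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.113554.1.2.2.3": "KRB5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

RECORD_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
SERVER_RE = re.compile(r"using server='([^']+)'")
OID_RE = re.compile(r"got OID=(\S+)")
PRINCIPAL_RE = re.compile(r"got server principal name =\s*(\S+)")
GETCREDS_RE = re.compile(r"smb_krb5_get_credentials failed for\s+(\S+)\s+\((.+?)\)")


def split_records(log_text: str) -> List[str]:
    """Re-join wrapped log entries: each entry starts with a '[date time, level]'
    header line and any following non-header lines belong to it."""
    records, current = [], []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


@dataclass
class SpnegoTriage:
    server: Optional[str] = None
    mechs: List[str] = field(default_factory=list)
    advertised_principal: Optional[str] = None
    requested_spn: Optional[str] = None
    krb5_error: Optional[str] = None

    @property
    def placeholder_hint(self) -> bool:
        return self.advertised_principal == RFC4178_PLACEHOLDER

    def verdict(self) -> str:
        if self.krb5_error:
            return (f"KDC {self.server} rejected {self.requested_spn}: {self.krb5_error}; "
                    "verify this SPN is registered on the DC's machine account "
                    "(on a Samba DC: samba-tool spn list <account>)")
        if self.placeholder_hint:
            return "placeholder hint received; client derived the SPN itself and the KDC accepted it"
        return f"server advertised principal {self.advertised_principal}; bind proceeded"


def triage(log_text: str) -> SpnegoTriage:
    """Scan every record once and fill in the fields a practitioner compares."""
    t = SpnegoTriage()
    for rec in split_records(log_text):
        if m := SERVER_RE.search(rec):
            t.server = m.group(1)
        elif m := OID_RE.search(rec):
            t.mechs.append(MECH_NAMES.get(m.group(1), m.group(1)))
        elif m := PRINCIPAL_RE.search(rec):
            t.advertised_principal = m.group(1)
        elif m := GETCREDS_RE.search(rec):
            t.requested_spn, t.krb5_error = m.group(1), m.group(2)
    return t


# Sample input, abridged from the post's two log excerpts (wrapping kept).
WINDOWS_LOG = """
[2012/11/23 20:06:18.791668,  4] libsmb/namequery_dc.c:145(ads_dc_name)
  ads_dc_name: using server='W2K3R2DC.MYDOMAIN.SITE' IP=10.10.100.1
[2012/11/23 20:06:18.796061,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2012/11/23 20:06:18.796083,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = w2k3r2dc$@MYDOMAIN.SITE
[2012/11/23 20:06:18.803416,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
  ads_krb5_mk_req: server marked as OK to delegate to, building
forwardable TGT
"""

SAMBA4_LOG = """
[2012/11/23 20:13:02.180863,  4] libsmb/namequery_dc.c:145(ads_dc_name)
  ads_dc_name: using server='SAMBA4DC.MYDOMAIN.SITE' IP=10.10.100.2
[2012/11/23 20:13:02.323762,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2012/11/23 20:13:02.323815,  3] libads/sasl.c:782(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2012/11/23 20:13:02.323844,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
[2012/11/23 20:13:02.347555,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for
ldap/samba4dc.mydomain.site@MYDOMAIN.SITE (Server not found in Kerberos
database)
"""

if __name__ == "__main__":
    for name, log in (("Windows 2003 R2", WINDOWS_LOG), ("Samba 4", SAMBA4_LOG)):
        print(f"{name}: {triage(log).verdict()}")
```

To use it on a real capture, run `triage(open("log.winbindd").read())` and look at `requested_spn` and `krb5_error` first: "Server not found in Kerberos database" is the KDC saying it has no principal of that name, so the next step is on the DC, checking whether the SPN the client asked for is registered for the DC's machine account, rather than on the client. The mechanism list is recorded because a DC that offers NTLMSSP still gives the client a fallback even when the Kerberos leg fails.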

