Samba 3.5.6 against Samba 4 authentication woes

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Wed Nov 28 10:57:28 MST 2012


On 23.11.2012 21:14, Pekka L.J. Jalkanen wrote:
> Specifically, I noticed that the Samba shipped with Debian Squeeze
> (version 3.5.6) always fails to connect to my Samba 4 installation.
> 
> Symptoms are that if the DC is Windows 2003 R2, the Samba client will
> successfully obtain a TGT, but if it is Samba 4, it will fail with an
> error "Server not found in Kerberos database".

OK, I think that I've finally got forward with this. Since I got no
answers here, I started to search for more information about SPNs.

I finally found the setspn utility for Windows. (Documentation for W2k3 at
http://technet.microsoft.com/en-us/library/cc773257%28v=ws.10%29.aspx
and for W2k8 at
http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx)

Note that the "samba-tool spn" command can't be used to list SPNs for
computer objects, so it didn't help me here.

Back to my original Winbind error:

> [2012/11/23 20:13:02.347555,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
>   ads_krb5_mk_req: smb_krb5_get_credentials failed for
> ldap/samba4dc.mydomain.site at MYDOMAIN.SITE (Server not found in Kerberos
> database)
> [2012/11/23 20:13:02.347599,  0] libads/sasl.c:821(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found
> in Kerberos database
> [2012/11/23 20:13:02.347686,  1]
> winbindd/winbindd_ads.c:126(ads_cached_connection)
>   ads_connect for domain MYDOMAIN failed: Server not found in Kerberos
> database

I first used setspn to list the SPNs for my DCs. Below are the results
for my Windows DC:

PS C:\> setspn -l w2k3r2dc
Registered ServicePrincipalNames for CN=W2K3R2DC,OU=Domain
Controllers,DC=mydomain,DC=site:
    WSMAN/w2k3r2dc.mydomain.site
    WSMAN/w2k3r2dc
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/w2k3r2dc.mydomain.site
    GC/w2k3r2dc.mydomain.site/mydomain.site
    HOST/w2k3r2dc.mydomain.site/MYDOMAIN
    HOST/MYDOMAIN
    HOST/w2k3r2dc.mydomain.site
    HOST/w2k3r2dc.mydomain.site/mydomain.site
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/b3157fd4-db4b-429d-9609-f18d7dba64fc/mydomain.site
    ldap/b3157fd4-db4b-429d-9609-f18d7dba64fc._msdcs.mydomain.site
    ldap/w2k3r2dc.mydomain.site/MYDOMAIN
    ldap/MYDOMAIN
    ldap/w2k3r2dc.mydomain.site
    ldap/w2k3r2dc.mydomain.site/mydomain.site

But the same command for my Samba 4 DC gave me only this:

PS C:\> setspn -l ganymede
Registered ServicePrincipalNames for CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site:
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
    GC/SAMBA4DC.mydomain.site/mydomain.site
    HOST/SAMBA4DC.mydomain.site
    HOST/SAMBA4DC

While the WSMANs are clearly unrelated and NtFrs is something that Samba
simply doesn't support just yet, the rest of the missing entries are
more suspicious.

Now, as soon as I ran "setspn -a ldap/samba4dc.mydomain.site samba4dc",
and restarted wbinfo on my test client (where I'd set iptables rules so
that it only communicates with my Samba 4 DC and not with my Windows
DC), winbind got a TGT:

[2012/11/28 18:07:53.579887,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
[2012/11/28 18:07:53.580111,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2012/11/28 18:07:53.607052,  4] libsmb/clikrb5.c:807(ads_krb5_mk_req)
  ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
[2012/11/28 18:07:53.607089,  3]
libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
expiration Thu, 29 Nov 2012 04:07:55 EET
[2012/11/28 18:07:53.607114,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
  ads_krb5_mk_req: server marked as OK to delegate to, building
forwardable TGT

This, however, while fixing my initial problem, raises a number of
questions:

1. Why are all the ldap-SPNs and two of the four HOST-SPNs missing from
my Samba 4 DC? Are there any likely reasons?

2. Should I add similar HOST and ldap SPNs for my Samba 4 DC as already
exist on my Windows DC, where they don't yet exist (I'm assuming yes)?

3. Are there any adverse effects in adding new SPNs manually (provided
that I'm not creating duplicates)?

4. How could I add, remove and edit SPNs of computer objects if I had no
Windows DCs (and thus couldn't run setspn) but only Samba 4 DCs
(samba-tool spn only works with user objects)?

5. If I provisioned new Samba 4 DCs in the future, is it likely that
they'd also have missing SPNs?

6. In the log.samba on my Samba 4 DC (-d2) the following error is
repeated every ten minutes (or so):

[2012/11/28 18:59:09,  0]
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate: Traceback (most recent call last):
[2012/11/28 18:59:09,  0]
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate:   File
"/usr/local/samba/sbin/samba_spnupdate", line 252, in <module>
[2012/11/28 18:59:09,  0]
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate:     local_update(add_list)
[2012/11/28 18:59:09,  0]
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate:   File
"/usr/local/samba/sbin/samba_spnupdate", line 198, in local_update
[2012/11/28 18:59:09,  0]
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate:     res = samdb.modify(msg)
[2012/11/28 18:59:09,  0]
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate: _ldb.LdbError: (53, 'cannot
change replicated attribute on partial replica at
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1402')

How likely is it that this is related to this problem?

7. If I run "samba-tool dbcheck --cross-ncs --fix" I get a lot of
messages akin to the following:

Checking 3352 objects
ERROR: wrong instanceType 4 on CN=NTDS
Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site,
should be 0
Change instanceType from 4 to 0 on CN=NTDS
Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site?
[y/N/all/none]

But if I press "y", they won't get fixed. Instead a "not found" error is
given:

Failed to correct missing instanceType on CN=NTDS
Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site
by setting instanceType=0 : (32, "Base-DN
'<GUID=35a8e35d-2a28-4e20-8bb6-ece963ca0ae5>;CN=NTDS
Settings\\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=GANYMEDE\\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site'
not found")

There are over 80 of those instanceType failures printed every time the
command "samba-tool dbcheck --cross-ncs --fix" is run. I think that most
of those are referring to objects that no longer exist, but some are
referring to the DC itself, though even those could be related to an
earlier provision.

How likely is it that those errors are related to my SPN problems?

8. Last but not least: could any of the above refer to a heretofore
unreported bug? Or are these related to some already-addressed bug? (The
DC was provisioned around b4, even though it is rc5 now).

Thanks in advance for any answers... I hope I can get this to work on my
own now, but I'm still grateful for any answers that could help me to
understand things better!


Pekka L.J. Jalkanen
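As an added example (not part of the post, and not Samba or Windows tooling), the script below parses the "setspn -l" output quoted in the post for both DCs, rewrites the Windows DC's HOST/ldap/GC SPNs onto the Samba 4 DC's host name, and lists the ones the Samba 4 DC lacks. The choice of service classes to check and the two host names passed in are assumptions of the example.

```python
import re

# setspn -l output for both DCs, copied from the post (sample input; WSMAN dropped).
WINDOWS_DC = """Registered ServicePrincipalNames for CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site:
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/w2k3r2dc.mydomain.site
    GC/w2k3r2dc.mydomain.site/mydomain.site
    HOST/w2k3r2dc.mydomain.site/MYDOMAIN
    HOST/MYDOMAIN
    HOST/w2k3r2dc.mydomain.site
    HOST/w2k3r2dc.mydomain.site/mydomain.site
    ldap/b3157fd4-db4b-429d-9609-f18d7dba64fc._msdcs.mydomain.site
    ldap/w2k3r2dc.mydomain.site/MYDOMAIN
    ldap/MYDOMAIN
    ldap/w2k3r2dc.mydomain.site
    ldap/w2k3r2dc.mydomain.site/mydomain.site
"""
SAMBA_DC = """Registered ServicePrincipalNames for CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site:
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
    GC/SAMBA4DC.mydomain.site/mydomain.site
    HOST/SAMBA4DC.mydomain.site
    HOST/SAMBA4DC
"""

# Service classes a Kerberos client such as winbind asks the KDC for (assumption).
CHECKED = {"host", "ldap", "gc"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
def parse_setspn(text):
    return {l.strip() for l in text.splitlines()
            if "/" in l and not l.lstrip().startswith("Registered")}

def expected_spns(reference, ref_host, target_host):
    """Rewrite the reference DC's HOST/ldap/GC SPNs onto the target DC's name."""
    ref_short, tgt_short = ref_host.split(".")[0], target_host.split(".")[0]
    expected = set()
    for spn in reference:
        service, _, rest = spn.partition("/")
        host, _, suffix = rest.partition("/")
        if service.lower() not in CHECKED or GUID_RE.match(host):
            continue  # other service class, or a per-DC DSA-GUID host name
        if host.lower() == ref_host.lower():
            host = target_host
        elif host.lower() == ref_short.lower():
            host = tgt_short
        expected.add(service + "/" + host + (f"/{suffix}" if suffix else ""))
    return expected

def missing_spns(ref_text, ref_host, tgt_text, tgt_host):
    have = {s.lower() for s in parse_setspn(tgt_text)}  # AD compares SPNs case-insensitively
    want = expected_spns(parse_setspn(ref_text), ref_host, tgt_host)
    return sorted(s for s in want if s.lower() not in have)
```

Calling missing_spns(WINDOWS_DC, "w2k3r2dc.mydomain.site", SAMBA_DC, "samba4dc.mydomain.site") returns the ldap/samba4dc.mydomain.site SPN that setspn -a added in the post, together with the other ldap and HOST entries that are still absent.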

