Security problem? ads_sasl_spnego_gensec_bind(KRB5) failed

Thomas Schulz schulz at adi.com
Wed Apr 20 17:36:39 UTC 2016


> I wonder if the following indicates a reduction in security with
> Samba 4.4.2, or is it just an unimportant warning.
> 
>> Testing Samba 4.4.2 as a file server running on Solaris 10 i386
>> with a Windows Server 2000 computer as the DC.
>> 
>> Upon startup the smb.log contains the following:
>> 
>> [2016/04/15 10:08:09.738117,  0] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
>>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
>> [2016/04/15 10:08:09.738732,  0] ../source3/printing/nt_printing.c:187(nt_printing_init)
>>   nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
>> 
>> 
>> These messages do not show up with 4.4.0.

A section of a debug level 10 log:

[2016/04/20 13:13:56.743529,  3, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2016/04/20 13:13:56.743943,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/04/20 13:13:56.744019,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2016/04/20 13:13:56.779593,  5, pid=27195, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:265(gse_init_client)
  gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/04/20 13:13:56.779738,  4, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:687(gensec_start_mech)
  Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/04/20 13:13:56.780824,  1, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2016/04/20 13:13:56.780925, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:752(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
[2016/04/20 13:13:56.788411, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:217(kerberos_kinit_password_ext)
  kerberos_kinit_password: as MACKEREL$@ADI.COM using [MEMORY:prtpub_cache] as ccache and config [/var/samba/locks/%h/smb_krb5/krb5.conf.ADI]
[2016/04/20 13:13:56.796453,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/04/20 13:13:56.796506,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2016/04/20 13:13:56.806980,  2, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:1179(gensec_spnego_update)
  GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
[2016/04/20 13:13:56.807283,  0, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
[2016/04/20 13:13:56.811445,  3, pid=27195, effective(0, 0), real(0, 0)] ../source3/printing/nt_printing_ads.c:648(check_published_printers)
  ads_connect failed: Unexpected information received


>> The output of testparm is:
>> 
>> # Global parameters
>> [global]
>>         realm = ADI.COM
>>         server string = 
>>         workgroup = ADI
>>         client ldap sasl wrapping = plain
>>         log file = /opt/local/samba4/var/logs/%h/log.%m
>>         max log size = 1500
>>         lock directory = /var/samba/locks/%h
>>         pid directory = /var/samba/locks/%h
>>         load printers = No
>>         printcap name = /etc/printers.samba
>>         name resolve order = bcast host
>>         unix extensions = No
>>         client NTLMv2 auth = No
>>         client signing = if_required
>>         guest account = nobody2
>>         security = ADS
>>         require strong key = No
>>         winbind sealed pipes = No
>>         dns proxy = No
>>         idmap config * : backend = tdb
>>         delete readonly = Yes
>>         dos filemode = Yes
>>         include = /opt/local/samba4/etc/smb.conf.mackerel
>>         wide links = Yes
>>         printing = sysv
>>         msdfs root = Yes
> 
> Just for testing I added the following parameters to see if they had
> any effect on the above messages. There was no change.
> 
>         ldap server require strong auth = No
>         client use spnego = No
>         use spnego = No
>         client ipc signing = No
>         client lanman auth = Yes
>         lanman auth = Yes
>         raw NTLMv2 auth = Yes
>         server signing = if_required
>         tls verify peer = no_check


Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
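As an added example (not part of the post above, and not Samba code), a parser for the debug-log format quoted in the message that reconstructs the bind sequence visible in it: gss_acquire_creds failing for lack of credentials, the retry via kinit, the mechListMIC verification failure, and the level 0 "kinit succeeded but ... failed" line. The stage names, the `trace_spnego_bind` and `bind_failed_after_kinit` helpers and the sample string are this example's own; the sample is a copy of five entries from the log in the post.

```python
"""Parse Samba debug-log entries and reconstruct the Kerberos/SPNEGO LDAP bind
sequence quoted in the post.  Added example; not Samba code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: five entries copied from the debug level 10 log in the post.
SAMPLE_LOG = """\
[2016/04/20 13:13:56.779593,  5, pid=27195, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:265(gse_init_client)
  gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/04/20 13:13:56.780925, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:752(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
[2016/04/20 13:13:56.788411, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:217(kerberos_kinit_password_ext)
  kerberos_kinit_password: as MACKEREL$@ADI.COM using [MEMORY:prtpub_cache] as ccache and config [/var/samba/locks/%h/smb_krb5/krb5.conf.ADI]
[2016/04/20 13:13:56.806980,  2, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:1179(gensec_spnego_update)
  GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
[2016/04/20 13:13:56.807283,  0, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
"""

# Entry header.  The "pid=..., effective(...), real(...)" block is absent in the
# lower-level log at the top of the post, so it is optional here.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)"
    r"(?:, pid=(?P<pid>\d+), effective\(\d+, \d+\), real\(\d+, \d+\))?\]"
    r" (?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)


@dataclass
class LogEntry:
    ts: str
    level: int
    pid: Optional[int]
    file: str
    line: int
    func: str
    message: str = ""


def parse_log(text: str) -> List[LogEntry]:
    """Pair each header line with the indented message line(s) that follow it."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            entries.append(LogEntry(m.group("ts"), int(m.group("level")), pid,
                                    m.group("file"), int(m.group("line")), m.group("func")))
        elif entries and raw.startswith("  "):
            # Continuation line: message text belonging to the last header.
            e = entries[-1]
            e.message = (e.message + " " + raw.strip()).strip()
        # Blank lines and non-Samba text are ignored.
    return entries


# (stage name, emitting function, substring that identifies the stage).
# Stage names are this example's own labels, not Samba terminology.
STAGES: List[Tuple[str, str, str]] = [
    ("no_gss_creds",       "gse_init_client",             "gss_acquire_creds failed"),
    ("kinit_retry",        "ads_sasl_spnego_bind",        "calling kinit"),
    ("kinit",              "kerberos_kinit_password_ext", "kerberos_kinit_password: as"),
    ("mechlistmic_failed", "gensec_spnego_update",        "failed to verify mechListMIC"),
    ("bind_failed",        "ads_sasl_spnego_bind",        "kinit succeeded but"),
]
NT_STATUS_RE = re.compile(r"NT_STATUS_\w+")
KINIT_RE = re.compile(r"kerberos_kinit_password: as (\S+) using \[([^\]]+)\] as ccache")


def trace_spnego_bind(entries: List[LogEntry]) -> List[Tuple[str, str, int, Dict[str, str]]]:
    """Return the stages seen, in log order, as (stage, timestamp, level, detail)."""
    trace = []
    for e in entries:
        for name, func, needle in STAGES:
            if e.func == func and needle in e.message:
                if name == "kinit":
                    km = KINIT_RE.search(e.message)
                    detail = {"principal": km.group(1), "ccache": km.group(2)} if km else {}
                else:
                    st = NT_STATUS_RE.search(e.message)
                    detail = {"status": st.group(0)} if st else {}
                trace.append((name, e.ts, e.level, detail))
                break
    return trace


def bind_failed_after_kinit(entries: List[LogEntry]) -> bool:
    """True when a kinit stage is followed by the level 0 bind failure, i.e. the
    server obtained Kerberos credentials but the SASL/GSSAPI bind to the DC still
    failed, which is the situation the post asks about."""
    names = [s[0] for s in trace_spnego_bind(entries)]
    return "kinit" in names and "bind_failed" in names[names.index("kinit"):]


if __name__ == "__main__":
    for stage, ts, level, detail in trace_spnego_bind(parse_log(SAMPLE_LOG)):
        print(f"{ts} level={level:>2} {stage:<20} {detail}")
```

Feed it a real log file instead of `SAMPLE_LOG` to get the same trace per smbd process; the `pid` field is parsed so a multi-process log can be grouped before tracing.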
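A second added example, again not from the post or from Samba: an audit of the testparm output quoted above, with the parameters the poster added for testing folded in, that reports every value in it which switches a protection off. The rule table, the explanations (which follow the smb.conf(5) descriptions of each parameter) and the hardened counterpart configuration are this example's own; the audit says what each value disables, not whether any of them caused the log messages.

```python
"""Flag protection-disabling parameter values in smb.conf / testparm output.
Added example; not Samba code."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: the [global] section from the post, plus the parameters the
# poster added for testing, so that every rule below fires once.
SAMPLE_TESTPARM = """\
# Global parameters
[global]
        realm = ADI.COM
        server string =
        workgroup = ADI
        client ldap sasl wrapping = plain
        name resolve order = bcast host
        client NTLMv2 auth = No
        client signing = if_required
        security = ADS
        require strong key = No
        winbind sealed pipes = No
        idmap config * : backend = tdb
        include = /opt/local/samba4/etc/smb.conf.mackerel
        ldap server require strong auth = No
        client use spnego = No
        use spnego = No
        client ipc signing = No
        client lanman auth = Yes
        lanman auth = Yes
        raw NTLMv2 auth = Yes
        server signing = if_required
        tls verify peer = no_check
"""

# Constructed counterpart with each of the flagged parameters set to the value
# that keeps the protection on.
HARDENED_TESTPARM = """\
[global]
        realm = ADI.COM
        workgroup = ADI
        security = ADS
        client ldap sasl wrapping = seal
        client NTLMv2 auth = Yes
        client lanman auth = No
        lanman auth = No
        client signing = mandatory
        server signing = mandatory
        client ipc signing = mandatory
        require strong key = Yes
        winbind sealed pipes = Yes
        use spnego = Yes
        client use spnego = Yes
        ldap server require strong auth = Yes
        tls verify peer = as_strict_as_possible
"""


def normalize(name: str) -> str:
    # Samba matches parameter names case-insensitively and ignores embedded
    # whitespace; do the same so "Client NTLMv2 Auth" and "clientntlmv2auth" collide.
    return re.sub(r"\s+", "", name).lower()


def parse_testparm(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalized parameter: raw value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][normalize(key)] = value.strip()
    return sections


def as_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


# Values that make signing mandatory; anything else leaves it negotiable or off.
SIGNING_REQUIRED = {"mandatory", "required", "yes", "true", "1", "on", "enabled", "forced", "force"}

# (parameter, predicate true when the value disables a protection, finding text)
RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("client ldap sasl wrapping", lambda v: v.lower() == "plain", "LDAP SASL traffic to the DC is neither signed nor sealed"),
    ("client ntlmv2 auth", lambda v: not as_bool(v), "client may answer with NTLMv1/LM responses"),
    ("client lanman auth", as_bool, "client may answer with LANMAN responses"),
    ("lanman auth", as_bool, "server accepts LANMAN password hashes"),
    ("client signing", lambda v: v.lower() not in SIGNING_REQUIRED, "SMB signing not enforced on outgoing connections"),
    ("server signing", lambda v: v.lower() not in SIGNING_REQUIRED, "SMB signing not enforced on incoming connections"),
    ("client ipc signing", lambda v: v.lower() not in SIGNING_REQUIRED, "SMB signing not enforced on IPC$ (RPC) client connections"),
    ("require strong key", lambda v: not as_bool(v), "NETLOGON secure channel may use a weak session key"),
    ("winbind sealed pipes", lambda v: not as_bool(v), "winbindd RPC pipes to the DC are not sealed"),
    ("use spnego", lambda v: not as_bool(v), "SPNEGO disabled server-side, so Kerberos cannot be negotiated"),
    ("client use spnego", lambda v: not as_bool(v), "SPNEGO disabled client-side, so Kerberos cannot be negotiated"),
    ("ldap server require strong auth", lambda v: not as_bool(v), "(AD DC role only) LDAP server accepts unsigned simple binds"),
    ("tls verify peer", lambda v: v.lower() == "no_check", "peer TLS certificates are not verified"),
]


def audit(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (parameter, value, finding) for each [global] value that disables a protection."""
    g = sections.get("global", {})
    findings = []
    for param, weak, why in RULES:
        value = g.get(normalize(param))
        if value is None:
            continue
        try:
            hit = weak(value)
        except ValueError:
            hit, why = True, f"value {value!r} not understood; check manually"
        if hit:
            findings.append((param, value, why))
    return findings


if __name__ == "__main__":
    for param, value, why in audit(parse_testparm(SAMPLE_TESTPARM)):
        print(f"{param} = {value}: {why}")
```

Run it against `testparm -s` output rather than the raw smb.conf, since testparm already resolves `include =` files and prints the effective values.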



More information about the samba-technical mailing list