Security problem? ads_sasl_spnego_gensec_bind(KRB5) failed

Stefan Metzmacher metze at samba.org
Wed Apr 20 20:43:31 UTC 2016


Hi Thomas,

can you please file a bug report?

I need level 10 log together with a network capture,
See https://wiki.samba.org/index.php/Capture_Packets
(we need all traffic from all ports)

Thanks!
metze

On 20.04.2016 at 19:36, Thomas Schulz wrote:
>> I wonder if the following indicates a reduction in security with
>> Samba 4.4.2, or is it just an unimportant warning.
>>
>>> Testing Samba 4.4.2 as a file server running on Solaris 10 i386
>>> with a Windows Server 2000 computer as the DC.
>>>
>>> Upon startup the smb.log contains the following:
>>>
>>> [2016/04/15 10:08:09.738117,  0] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
>>>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
>>> [2016/04/15 10:08:09.738732,  0] ../source3/printing/nt_printing.c:187(nt_printing_init)
>>>   nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
>>>
>>>
>>> These messages do not show up with 4.4.0.
> 
> A section of a debug level 10 log:
> 
> [2016/04/20 13:13:56.743529,  3, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:907(gensec_register)
>   GENSEC backend 'fake_gssapi_krb5' registered
> [2016/04/20 13:13:56.743943,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
>   Starting GENSEC mechanism spnego
> [2016/04/20 13:13:56.744019,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
>   Starting GENSEC submechanism gse_krb5
> [2016/04/20 13:13:56.779593,  5, pid=27195, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:265(gse_init_client)
>   gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
> [2016/04/20 13:13:56.779738,  4, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:687(gensec_start_mech)
>   Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> [2016/04/20 13:13:56.780824,  1, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
>   Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> [2016/04/20 13:13:56.780925, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:752(ads_sasl_spnego_bind)
>   ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
> [2016/04/20 13:13:56.788411, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:217(kerberos_kinit_password_ext)
>   kerberos_kinit_password: as MACKEREL$@ADI.COM using [MEMORY:prtpub_cache] as ccache and config [/var/samba/locks/%h/smb_krb5/krb5.conf.ADI]
> [2016/04/20 13:13:56.796453,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
>   Starting GENSEC mechanism spnego
> [2016/04/20 13:13:56.796506,  5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
>   Starting GENSEC submechanism gse_krb5
> [2016/04/20 13:13:56.806980,  2, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:1179(gensec_spnego_update)
>   GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
> [2016/04/20 13:13:56.807283,  0, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
> [2016/04/20 13:13:56.811445,  3, pid=27195, effective(0, 0), real(0, 0)] ../source3/printing/nt_printing_ads.c:648(check_published_printers)
>   ads_connect failed: Unexpected information received
> 
> 
>>> The output to testparm is:
>>>
>>> # Global parameters
>>> [global]
>>>         realm = ADI.COM
>>>         server string = 
>>>         workgroup = ADI
>>>         client ldap sasl wrapping = plain
>>>         log file = /opt/local/samba4/var/logs/%h/log.%m
>>>         max log size = 1500
>>>         lock directory = /var/samba/locks/%h
>>>         pid directory = /var/samba/locks/%h
>>>         load printers = No
>>>         printcap name = /etc/printers.samba
>>>         name resolve order = bcast host
>>>         unix extensions = No
>>>         client NTLMv2 auth = No
>>>         client signing = if_required
>>>         guest account = nobody2
>>>         security = ADS
>>>         require strong key = No
>>>         winbind sealed pipes = No
>>>         dns proxy = No
>>>         idmap config * : backend = tdb
>>>         delete readonly = Yes
>>>         dos filemode = Yes
>>>         include = /opt/local/samba4/etc/smb.conf.mackerel
>>>         wide links = Yes
>>>         printing = sysv
>>>         msdfs root = Yes
>>
>> Just for testing I added the following parameters to see if they had
>> any effect on the above messages. There was no change.
>>
>>         ldap server require strong auth = No
>>         client use spnego = No
>>         use spnego = No
>>         client ipc signing = No
>>         client lanman auth = Yes
>>         lanman auth = Yes
>>         raw NTLMv2 auth = Yes
>>         server signing = if_required
>>         tls verify peer = no_check
> 
> 
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
> 
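As an added example (not from this thread and not Samba's own code), a small Python check that reads testparm-style output and flags the parameters in the posted configuration, plus the extra ones Thomas tried, whose values weaken authentication or transport protection. The WEAK table is my own list of weakening/preferred values, and the SAMPLE text is constructed from the quoted config.

```python
"""Audit a testparm-style smb.conf dump for settings that weaken
authentication or transport security.  Added example; the sample below
is constructed from the poster's [global] section plus the parameters
he added while testing."""
import re

# (weakening value, preferred value) per parameter; names and values are
# compared case-insensitively.  My own selection, not a Samba table.
WEAK = {
    "client ntlmv2 auth":        ("no", "yes"),          # permits NTLMv1 client auth
    "client lanman auth":        ("yes", "no"),          # LM challenge/response
    "lanman auth":               ("yes", "no"),          # LM hashes accepted server side
    "require strong key":        ("no", "yes"),          # allows weak session keys
    "client ldap sasl wrapping": ("plain", "seal"),      # LDAP traffic unsigned/unsealed
    "client signing":            ("if_required", "mandatory"),
    "server signing":            ("if_required", "mandatory"),
    "client ipc signing":        ("no", "mandatory"),    # unsigned RPC pipes
    "tls verify peer":           ("no_check", "as_strict_as_possible"),
    "ldap server require strong auth": ("no", "yes"),
}

SAMPLE = """\
# Global parameters
[global]
        realm = ADI.COM
        workgroup = ADI
        client ldap sasl wrapping = plain
        client NTLMv2 auth = No
        client signing = if_required
        security = ADS
        require strong key = No
        ldap server require strong auth = No
        client lanman auth = Yes
        lanman auth = Yes
        client ipc signing = No
        server signing = if_required
        tls verify peer = no_check
"""

def parse_global(conf_text):
    """Return {param: value} for the [global] section; names lower-cased and
    whitespace-normalised so 'client NTLMv2 auth' equals 'client ntlmv2 auth'."""
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip().lower()
    return params

def audit(conf_text):
    """Return [(param, current, preferred)] for each weakening value found."""
    params = parse_global(conf_text)
    return [(p, v, WEAK[p][1]) for p, v in params.items()
            if p in WEAK and v == WEAK[p][0]]

if __name__ == "__main__":
    for param, current, preferred in audit(SAMPLE):
        print(f"{param:34} = {current:12} -> consider: {preferred}")
```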
