SPNEGO failure with spnego:simulate_w2k=yes after MIT patches

Andrew Bartlett abartlet at samba.org
Sat Jun 10 10:15:28 UTC 2017


G'Day Andreas,

While working on the ldb locking patches, I noticed that this test
fails on master:

make test 'TESTS=schema.*2000'

(samba4.drs.repl_schema.python(vampire_2000_dc)(vampire_2000_dc))

In debugging this, I noticed that removing:

spnego:simulate_w2k=yes

allows the test to pass.

I've bisected the failure back to 

3781eb250173981a8890b82d1ff9358f144034cd is the first bad commit
commit 3781eb250173981a8890b82d1ff9358f144034cd
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Mar 8 11:03:17 2017 +0100

    s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname()
    
    With credentials for administrator@FOREST1.EXAMPLE.COM
    this patch changes the target_principal for
    the ldap service of host dc2.forest2.example.com
    from
    
      ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
    
    to
    
      ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
    
    Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
    should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
    to generate a referral ticket for
    krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
    
    The problem is that KDCs only return such referral tickets
    if there's a forest trust between FOREST1.EXAMPLE.COM
    and FOREST2.EXAMPLE.COM. If there's only an external domain
    trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
    the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
    when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
    
    In the case of an external trust the client can still ask
    explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
    and the KDC of FOREST1.EXAMPLE.COM will generate it.
    
    From there the client can use the
    krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
    ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
    service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
    
    With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
    when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
    target principal, as _krb5_get_cred_kdc_any() first calls
    get_cred_kdc_referral() (which always starts with the client realm)
    and falls back to get_cred_kdc_capath() (which starts with the given realm).
    
    MIT krb5 only tries the given realm of the target principal,
    if we want to autodetect support for transitive forest trusts,
    we'll have to do the fallback ourself.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>


The failure is a server-side DCE/RPC fault because the client attempts
to continue sending packets after a failed authentication.  I think it
is trying NTLMSSP after a krb5 failure (see below). 

The test output is:

ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
vampire2000dc failed - drsException: DRS connection to vampire2000dc
failed: (-1073610723, 'An RPC protocol error occurred.')
  File "bin/python/samba/netcmd/drs.py", line 44, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "bin/python/samba/drs_utils.py", line 56, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
Failed to replicate
SOCKET_WRAPPER_DEFAULT_IFACE="39" RESOLV_WRAPPER_HOSTS="/data/samba/git/samba-push/st/dns_host_file"  KRB5_CONFIG="/data/samba/git/samba-push/st/vampire_2000_dc/etc/krb5.conf"KRB5CCNAME="/data/samba/git/samba-push/st/vampire_2000_dc/krb5_ccache"  ./bin/samba-tool drs replicate vampire2000dc dc5 --configfile=/data/samba/git/samba-push/st/fl2000dc/etc/smb.conf -UAdministrator%locDCpass5 "CN=Configuration,DC=SAMBA2000,DC=EXAMPLE,DC=COM" at /data/samba/git/samba-push/selftest/target/Samba4.pm line 2308.
failed to start up environment 'vampire_2000_dc' at /data/samba/git/samba-push/selftest/target/Samba.pm line 49.
samba can't start up known environment 'vampire_2000_dc' at /data/samba/git/samba-push/selftest/selftest.pl line 917.
teardown_env(fl2000dc)
samba: EOF on stdin - PID 6210 terminating

What I don't understand is why this passes as part of a full make test,
but fails when only running the test on its own.

The level 4 logs give this clue:

kerberos_get_realm_from_hostname VAMPIRE2000DC: failed Cannot determine
realm for host
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/VAMPIRE2000DC
failed (next[ntlmssp]): NT_STATUS_NO_MEMORY

Could you (and presumably metze) please have a look at this for me?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
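The cross-realm lookup the quoted commit message describes, written out as an added model (not Samba's, Heimdal's or MIT's code): a client in FOREST1 asking for ldap/dc2.forest2.example.com under a forest trust versus an external trust, plus the hostname-to-realm mapping whose failure shows up in the level 4 log above. The toy KDC and its reply strings are constructed for this example; the realm and principal names are the commit's own.

```python
# Added model (not Samba's or MIT's code) of the cross-realm lookup the commit
# message describes: a client in FOREST1 wants ldap/dc2.forest2.example.com.
# Realm names are the commit's examples; the toy KDC is constructed here.

def realm_from_hostname(host):
    """Map a host to its realm by its DNS suffix; a dotless name has no realm
    (the situation behind 'Cannot determine realm for host VAMPIRE2000DC')."""
    parts = host.split(".", 1)
    return parts[1].upper() if len(parts) == 2 else None

class ToyKDC:
    """One realm's KDC with a single trust ('forest' or 'external') to 'other'."""
    def __init__(self, realm, other, trust):
        self.realm, self.other, self.trust = realm, other, trust

    def tgs_req(self, principal):
        name, realm = principal.rsplit("@", 1)
        if realm != self.realm:
            raise ValueError("request addressed to the wrong realm's KDC")
        if name == f"krbtgt/{self.other}":
            return "krbtgt-ticket"       # explicit cross-realm TGT is always issued
        host_realm = realm_from_hostname(name.split("/", 1)[1])
        if host_realm == self.realm:
            return "service-ticket"      # a service in our own realm
        if host_realm == self.other and self.trust == "forest":
            return "krbtgt-ticket"       # referral: only with a forest trust
        return "S_PRINCIPAL_UNKNOWN"     # external trust: no referral, client must fall back

def get_service_ticket(kdcs, client_realm, service, target_realm):
    """Return the (kdc realm, principal asked for, reply) steps a client takes."""
    steps = []
    # 1. Start in the client realm, as Heimdal's get_cred_kdc_referral() does.
    p = f"{service}@{client_realm}"
    r = kdcs[client_realm].tgs_req(p)
    steps.append((client_realm, p, r))
    if r == "S_PRINCIPAL_UNKNOWN":
        # 2. The fallback MIT krb5 leaves to the caller: ask for the
        #    cross-realm TGT explicitly instead of relying on a referral.
        p = f"krbtgt/{target_realm}@{client_realm}"
        r = kdcs[client_realm].tgs_req(p)
        steps.append((client_realm, p, r))
    if r != "krbtgt-ticket":
        return steps                     # no path into the target realm
    # 3. Present the cross-realm TGT to the target realm's KDC.
    p = f"{service}@{target_realm}"
    steps.append((target_realm, p, kdcs[target_realm].tgs_req(p)))
    return steps
```

With a forest trust the first request already yields the referral ticket; with an external trust it fails with S_PRINCIPAL_UNKNOWN and the explicit krbtgt request is what gets the client into FOREST2.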
