SPNEGO failure with spnego:simulate_w2k=yes after MIT patches

Stefan Metzmacher metze at samba.org
Sun Jun 11 21:00:24 UTC 2017


On 10.06.2017 at 12:15, Andrew Bartlett wrote:
> G'Day Andreas,
> 
> While working on the ldb locking patches, I noticed that this test
> fails on master:
> 
> make test 'TESTS=schema.*2000'
> 
> (samba4.drs.repl_schema.python(vampire_2000_dc)(vampire_2000_dc))
> 
> In debugging this, I noticed that removing:
> 
> spnego:simulate_w2k=yes
> 
> allows the test to pass.
> 
> I've bisected the failure back to 
> 
> 3781eb250173981a8890b82d1ff9358f144034cd is the first bad commit
> commit 3781eb250173981a8890b82d1ff9358f144034cd
> Author: Andreas Schneider <asn at samba.org>
> Date:   Wed Mar 8 11:03:17 2017 +0100
> 
>     s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname()
>     
>     With credentials for administrator at FOREST1.EXAMPLE.COM
>     this patch changes the target_principal for
>     the ldap service of host dc2.forest2.example.com
>     from
>     
>       ldap/dc2.forest2.example.com at FOREST1.EXAMPLE.COM
>     
>     to
>     
>       ldap/dc2.forest2.example.com at FOREST2.EXAMPLE.COM
>     
>     Typically ldap/dc2.forest2.example.com at FOREST1.EXAMPLE.COM
>     should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
>     to generate a referral ticket for
>     krbtgt/FOREST2.EXAMPLE.COM at FOREST1.EXAMPLE.COM.
>     
>     The problem is that KDCs only return such referral tickets
>     if there's a forest trust between FOREST1.EXAMPLE.COM
>     and FOREST2.EXAMPLE.COM. If there's only an external domain
>     trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
>     the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
>     when being asked for ldap/dc2.forest2.example.com at FOREST1.EXAMPLE.COM.
>     
>     In the case of an external trust the client can still ask
>     explicitly for krbtgt/FOREST2.EXAMPLE.COM at FOREST1.EXAMPLE.COM
>     and the KDC of FOREST1.EXAMPLE.COM will generate it.
>     
>     From there the client can use the
>     krbtgt/FOREST2.EXAMPLE.COM at FOREST1.EXAMPLE.COM
>     ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
>     service ticket for ldap/dc2.forest2.example.com at FOREST2.EXAMPLE.COM.
>     
>     With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
>     when we pass ldap/dc2.forest2.example.com at FOREST2.EXAMPLE.COM as
>     target principal. As _krb5_get_cred_kdc_any() first calls
>     get_cred_kdc_referral() (which always starts with the client realm)
>     and falls back to get_cred_kdc_capath() (which starts with the
>     given realm).
>     
>     MIT krb5 only tries the given realm of the target principal,
>     if we want to autodetect support for transitive forest trusts,
>     we'll have to do the fallback ourself.
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
>     
>     Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
>     
>     Signed-off-by: Andreas Schneider <asn at samba.org>
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> 
> The failure is a server-side DCE/RPC fault because the client attempts
> to continue sending packets after a failed authentication.  I think it
> is trying NTLMSSP after a krb5 failure (see below). 
> 
> The test output is:
> 
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
> vampire2000dc failed - drsException: DRS connection to vampire2000dc
> failed: (-1073610723, 'An RPC protocol error occurred.')
>   File "bin/python/samba/netcmd/drs.py", line 44, in drsuapi_connect
>     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
> drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>   File "bin/python/samba/drs_utils.py", line 56, in drsuapi_connect
>     raise drsException("DRS connection to %s failed: %s" % (server, e))
> Failed to replicate
> SOCKET_WRAPPER_DEFAULT_IFACE="39"
> RESOLV_WRAPPER_HOSTS="/data/samba/git/samba-
> push/st/dns_host_file"  KRB5_CONFIG="/data/samba/git/samba-
> push/st/vampire_2000_dc/etc/krb5.conf"KRB5CCNAME="/data/samba/git/samba
> -push/st/vampire_2000_dc/krb5_ccache"  ./bin/samba-tool drs replicate
> vampire2000dc dc5 --configfile=/data/samba/git/samba-
> push/st/fl2000dc/etc/smb.conf -UAdministrator%locDCpass5
> "CN=Configuration,DC=SAMBA2000,DC=EXAMPLE,DC=COM" at
> /data/samba/git/samba-push/selftest/target/Samba4.pm line 2308.
> failed to start up environment 'vampire_2000_dc' at
> /data/samba/git/samba-push/selftest/target/Samba.pm line 49.
> samba can't start up known environment 'vampire_2000_dc' at
> /data/samba/git/samba-push/selftest/selftest.pl line 917.
> teardown_env(fl2000dc)
> samba: EOF on stdin - PID 6210 terminating
> 
> What I don't understand is why this passes as part of a full make test,
> but fails when only running the test on its own.
> 
> The level 4 logs give this clue:
> 
> kerberos_get_realm_from_hostname VAMPIRE2000DC: failed Cannot determine
> realm for host
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/VAMPIRE2000DC
> failed (next[ntlmssp]): NT_STATUS_NO_MEMORY
> 
> Could you (and presumably metze) please have a look at this for me
> please?

I can't reproduce this, but I had a patch with
'ntlmssp_client:force_old_spnego=yes' in my tree.

But I'll have a closer look at the capture tomorrow.

In some other situations, e.g. adding a trust
between 'samba.example.com' and 'addom.samba.example.com'
I found that the heimdal libraries send the referral ticket
to the smb server instead of following the referral to
get the correct ticket. This also happened with some s4u2self
tests over trusts. So there are a lot of things to fix in future.

metze
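A toy model of the cross-realm fallback the quoted commit message describes, added here as an example and not Samba, Heimdal or MIT krb5 code: two constructed KDCs for FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM joined by either a forest or an external trust, and a client that obtains the ldap/dc2.forest2.example.com ticket the way the commit says an MIT-based client has to (ask the client realm first, fall back to an explicit krbtgt/FOREST2@FOREST1 request on S_PRINCIPAL_UNKNOWN, then ask FOREST2's KDC). Kdc, get_service_ticket and build_realms are assumed helper names; the trust types and ticket strings are constructed.

```python
from dataclasses import dataclass, field

S_PRINCIPAL_UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"


@dataclass
class Kdc:
    realm: str
    trusts: dict = field(default_factory=dict)  # realm -> "forest" | "external"
    services: set = field(default_factory=set)  # service principals it owns

    def tgs_req(self, sname):
        """Answer a TGS-REQ for sname; returns a ticket string or the error."""
        svc, realm = sname.rsplit("@", 1)
        if realm != self.realm:
            return S_PRINCIPAL_UNKNOWN
        if svc in self.services:
            return f"TICKET({sname})"
        # An explicitly requested cross-realm TGT is issued for any trust type.
        if svc.startswith("krbtgt/") and svc[7:] in self.trusts:
            return f"TICKET({sname})"
        # A referral TGT for a foreign host is only issued over a forest trust.
        for other, kind in self.trusts.items():
            if kind == "forest" and svc.lower().endswith("." + other.lower()):
                return f"TICKET(krbtgt/{other}@{self.realm})"
        return S_PRINCIPAL_UNKNOWN


def get_service_ticket(kdcs, client_realm, service, target_realm):
    """MIT-style client doing the fallback by hand. Returns (ticket, steps)."""
    steps = []
    home = kdcs[client_realm]
    # 1. Ask the client's own KDC, naming the service in the client realm.
    r = home.tgs_req(f"{service}@{client_realm}")
    steps.append(r)
    if r == S_PRINCIPAL_UNKNOWN:
        # 2. External trust: ask explicitly for krbtgt/TARGET@CLIENT.
        r = home.tgs_req(f"krbtgt/{target_realm}@{client_realm}")
        steps.append(r)
        if r == S_PRINCIPAL_UNKNOWN:
            return None, steps
    # 3. Present the cross-realm TGT to the target realm's KDC.
    r = kdcs[target_realm].tgs_req(f"{service}@{target_realm}")
    steps.append(r)
    return (None if r == S_PRINCIPAL_UNKNOWN else r), steps


def build_realms(trust_kind):
    """Constructed two-realm setup (assumed names) with the given trust type."""
    f1, f2 = "FOREST1.EXAMPLE.COM", "FOREST2.EXAMPLE.COM"
    return {f1: Kdc(f1, {f2: trust_kind}),
            f2: Kdc(f2, {f1: trust_kind}, {"ldap/dc2.forest2.example.com"})}
```

With a forest trust the first request already yields the referral TGT (two exchanges); with an external trust the first request fails with S_PRINCIPAL_UNKNOWN and the explicit krbtgt request is needed (three exchanges).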
