[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub resources

Denis Cardon denis.cardon at tranquil-it-systems.fr
Mon Feb 16 03:33:30 MST 2015

Hi Garming,

> As far as I know, all this should work as you would expect. Quite recently,
> Andrew Bartlett and I went about testing some of the behaviour of the
> KDC and confirming behaviour such as RODC ticket forwarding.

thanks for the input. It gives me hope to dig deeper! I have some more 
time to spend on this issue today; I'm going to try some more scenarios.

> The one thing to check would be whether or not Samba is being linked
> against system Heimdal. As it stands, there is no real testing of Samba
> using system Heimdal and from the testing we've done, there are almost
> certainly oddities and unexpected failures with this setup - this included.

I didn't think that I had any Kerberos dev libraries on my Debian 
wheezy compilation server where I run my build script. But after 
double-checking, I realized that libcups2-dev brings in libkrb5-dev and 
krb5-multidev (I use the same package build for both DC and member 
servers). However, those packages are for the MIT Kerberos libraries, I think, 
and there should be no Heimdal inside.

I'm going to check that kind of setup with the SerNet packages and see if it 
gets any better. By the way, the issue can be reproduced on the command line 
on the RODC (in the excerpt below, rodc-nantes is the RODC, srvads is 
the RWDC, and everything works fine except this issue):

[root@rodc-nantes.tranq ~]# shorewall start

[root@rodc-nantes.tranq ~]# kinit dcardon
Password for dcardon@TRANQUILIT.LOCAL:

[root@rodc-nantes.tranq ~]# shorewall  clear

[root@rodc-nantes.tranq ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dcardon@TRANQUILIT.LOCAL

Valid starting       Expires              Service principal
16/02/2015 11:22:47  16/02/2015 21:22:47 
	renew until 17/02/2015 11:22:45

[root@rodc-nantes.tranq ~]# smbclient -k -L rodc-nantes
Domain=[TRANQUILIT] OS=[Unix] Server=[Samba 4.1.16]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.1.16)
Domain=[TRANQUILIT] OS=[Unix] Server=[Samba 4.1.16]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

[root@rodc-nantes.tranq ~]# smbclient -k -L srvads
ads_krb5_mk_req: smb_krb5_get_credentials failed for 
cifs/srvads@TRANQUILIT.LOCAL (Generic error (see e-text))
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Generic 
error (see e-text)
session setup failed: NT_STATUS_UNSUCCESSFUL

Thanks for your input, Garming. I'll keep you informed of our progress.


> Cheers,
> Garming Sam
> On 11/02/15 09:54, Denis Cardon wrote:
>> Hi everyone,
>> I would like to have some input on resource access from a
>> workstation logged on to a RODC server that has to connect to hub site
>> servers.
>> After logging in on the remote Windows workstation, I have the LOGONSERVER
>> environment variable set to the local RODC server (workstation and
>> user credentials have been preloaded). Everything works fine on the local
>> server. However, if I want to connect to central office resources,
>> Kerberos auth does not work for the central servers.
>> According to MS docs [1], the RODC should forward the KRB_TGS_REQ to
>> the hub RWDC so that it can compute the corresponding service ticket
>> and send it back to the RODC which forwards it to the workstation.
>> However, it does not seem to happen in my case. I wanted to know if
>> someone had succeeded in making it work in such a scenario, and what I
>> may have done wrong.
>> Samba 4.1.16 on both sites with RODC preload patches and no firewall
>> in between (except temporarily when I want to force login on the RODC,
>> then iptables cleared).
>> Thanks,
>> Denis
>> [1]
>> https://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_AuthRODC
>> paragraph "BobKelly accesses a resource on a server in a different site"

