[Samba] Oracle 11 NTS authentication against samba4 AD DC

Izan Díez Sánchez ids at empre.es
Tue Mar 3 02:56:36 MST 2015


Hi again. I apologize for my vague previous question. After some 
investigation I can be much more precise in my query. Furthermore, I 
think I found a bug...

Context:
-Samba4 AD DC working fine with many user and machine accounts.
-Windows 7 client trying to connect via sqlplus to an Oracle database 
residing in a Windows 2008 server. Both machines are in the domain.
-The database server is using Operating System Authentication, i.e. it 
relies on the client to authenticate the user connecting to the 
database. The user is a Domain User, therefore eventually authentication 
falls to the domain controller and Kerberos.

Error:
-ORA-12638: Credential retrieval failed.

Samba logs:
-log level = 10
-User name -> ids
-Domain -> domain.ad
-Server account name -> DATABASE_SERVER
-Client IP -> 192.168.0.100
--------------------------------------------------------------------------------------------------
[2015/03/02 19:57:03.794542,  3, pid=6266, effective(0, 0), real(0, 0)] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276 
for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_request: SEARCH
    dn: DC=domain,DC=ad
    scope: sub
    expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
    attr: objectClass
    attr: sAMAccountName
    attr: userPrincipalName
    attr: servicePrincipalName
    attr: msDS-KeyVersionNumber
    attr: msDS-SecondaryKrbTgtNumber
    attr: msDS-SupportedEncryptionTypes
    attr: supplementalCredentials
    attr: msDS-AllowedToDelegateTo
    attr: dBCSPwd
    attr: unicodePwd
    attr: userAccountControl
    attr: objectSid
    attr: pwdLastSet
    attr: accountExpires
    control: 1.3.6.1.4.1.7165.4.3.17  crit:0  data:no
    control: 1.2.840.113556.1.4.529  crit:1  data:yes

[2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_request: (resolve_oids)->search
[2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (rootdse)->search
[2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (schema_load)->search
[2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (lazy_commit)->search
[2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (dirsync)->search
[2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (paged_results)->search
[2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (ranged_results)->search
[2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (anr)->search
[2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (server_sort)->search
[2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (asq)->search
[2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (extended_dn_in)->search
[2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (descriptor)->search
[2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (acl)->search
[2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (aclread)->search
[2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (operational)->search
[2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (rdn_name)->search
[2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
[2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (show_deleted)->search
[2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (partition)->search
[2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: partition_request() -> (metadata partition)
[2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_next_request: (tdb)->search
[2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_response: REFERRAL
   ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad

[2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
   ldb: ldb_trace_response: DONE
   error: 0

[2015/03/02 19:57:03.797497,  3, pid=6266, effective(0, 0), real(0, 0)] 
../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
*Failed to find an entry for DATABASE_SERVER*
[2015/03/02 19:57:03.797542,  3, pid=6266, effective(0, 0), real(0, 0)] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Searching referral for DATABASE_SERVER
[2015/03/02 19:57:03.797595,  3, pid=6266, effective(0, 0), real(0, 0)] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No 
such entry in the database
[2015/03/02 19:57:03.797637,  3, pid=6266, effective(0, 0), real(0, 0)] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
[2015/03/02 19:57:03.797891,  3, pid=6266, effective(0, 0), real(0, 0)] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
--------------------------------------------------------------------------------------------------

User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". 
In the process samba makes an ldbsearch looking for the server but does 
not find it. Why? Because the sAMAccountName it is searching for lacks the 
trailing dollar "$" that every machine account has.

Is this a bug? Any idea how I can work around this issue?
We have a production environment with a Windows DC working and plan to 
migrate to samba4, but we need everything working flawlessly.

-- 
Izan Díez Sánchez
Empresarios Agrupados
Magallanes 3
28015 Madrid
Tel. +34 91 309 80 00 (ext: 8813)
ids at empre.es
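As an added example (not part of the original post and not Samba code), the small correlator below runs over the KDC debug lines quoted above and reports a TGS-REQ whose server lookup failed because the requested name is a machine name without the trailing "$". The log text is the one from the post, with the e-mail emphasis markers (*...*) removed and the wrapped lines re-joined; KNOWN_COMPUTERS is a constructed stand-in for the domain's computer-account inventory (on a real DC you would feed it the sAMAccountNames of the computer objects from sam.ldb). The sam.ldb path in the suggested check is the default Samba private directory and is an assumption.

```python
"""Correlate Samba AD DC KDC debug output (log level 3 and above) to find
TGS-REQs that fail because the client asked for a bare machine name
without '$'.  Added example for this thread; not Samba code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Log lines from the post, emphasis markers removed, wrapped lines re-joined.
SAMPLE_LOG = """\
[2015/03/02 19:57:03.794542,  3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49276 for DATABASE_SERVER@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=domain,DC=ad
   scope: sub
   expr: (&(objectClass=user)(samAccountName=DATABASE_SERVER))
[2015/03/02 19:57:03.797497,  3, pid=6266, effective(0, 0), real(0, 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
  Failed to find an entry for DATABASE_SERVER
[2015/03/02 19:57:03.797595,  3, pid=6266, effective(0, 0), real(0, 0)] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
"""

# Constructed inventory of computer-account sAMAccountNames (assumption:
# on a real DC this comes from the computer objects in sam.ldb).
KNOWN_COMPUTERS = {"DATABASE_SERVER$", "WS-IDS$"}

TGS_REQ = re.compile(
    r"Kerberos: TGS-REQ (?P<client>[^@\s]+)@(?P<crealm>\S+) from (?P<src>\S+) "
    r"for (?P<server>[^@\s]+)@(?P<srealm>\S+)")
LDB_EXPR = re.compile(
    r"expr: \(&\(objectClass=user\)\(samAccountName=(?P<name>[^)]+)\)\)")
NOT_FOUND = re.compile(r"Failed to find an entry for (?P<name>\S+)")


@dataclass
class Finding:
    client: str                 # requesting principal, e.g. ids@DOMAIN.AD
    src: str                    # client transport address as logged
    requested: str              # server name in the TGS-REQ
    lookup_name: Optional[str]  # sAMAccountName the KDC searched for
    found: bool                 # False once "Failed to find an entry" is seen
    machine_name_without_dollar: bool  # lookup_name + "$" is a known computer


def analyse_kdc_log(text: str, known_computers: Set[str]) -> List[Finding]:
    """Walk the log once; each TGS-REQ opens a finding that later ldb and
    db-glue lines refine.  Returns one Finding per TGS-REQ seen."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for line in text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            current = Finding(f"{m['client']}@{m['crealm']}", m["src"],
                              m["server"], None, True, False)
            findings.append(current)
            continue
        if current is None:
            continue
        m = LDB_EXPR.search(line)
        if m:
            current.lookup_name = m["name"]
            continue
        m = NOT_FOUND.search(line)
        if m and m["name"] == current.requested:
            current.found = False
            name = current.lookup_name or current.requested
            current.machine_name_without_dollar = (
                not name.endswith("$") and name + "$" in known_computers)
    return findings


def suggested_check(f: Finding) -> str:
    """ldbsearch command to confirm the '$' account exists and see its SPNs.
    Path assumption: default Samba private directory."""
    name = (f.lookup_name or f.requested) + "$"
    return ('ldbsearch -H /var/lib/samba/private/sam.ldb '
            f'"(sAMAccountName={name})" sAMAccountName servicePrincipalName')


def report(findings: List[Finding]) -> List[str]:
    out = []
    for f in findings:
        if f.found:
            continue
        msg = (f"{f.client} from {f.src} asked for {f.requested}; "
               f"KDC searched sAMAccountName={f.lookup_name} and found nothing")
        if f.machine_name_without_dollar:
            msg += (f"; a computer account {f.lookup_name}$ exists, so the "
                    "request lacks the trailing $")
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in report(analyse_kdc_log(SAMPLE_LOG, KNOWN_COMPUTERS)):
        print(line)
    print(suggested_check(analyse_kdc_log(SAMPLE_LOG, KNOWN_COMPUTERS)[0]))
```

The correlation key is the TGS-REQ server name matched against the "Failed to find an entry" line, so unrelated level-10 ldb noise between them is ignored; if the inventory lookup flags the name, the next step is the ldbsearch it prints, which shows whether the "$" account exists and which SPNs the client could have requested instead.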


---------------------------------------------------------------------
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the 
addressee, you must not use, copy, disclose or take any action based 
on this message or any information herein. If you have received this 
message by mistake, please advise the sender immediately by reply 
e-mail and delete this message. Thank you for your cooperation.
Visit our web page: www.empre.es

---------------------------------------------------------------------

Please, Do not print this message unless it is necessary. 
Our environment is in our hands.

