[Samba] Oracle 11 nts authentication against samba4 AD DC
Izan Díez Sánchez
ids at empre.es
Tue Mar 3 02:56:36 MST 2015
Hi again. I apologize for my vague previous question. After some
investigation I can be much more precise in my query. Furthermore, I
think I found a bug...
Context:
-Samba4 AD DC working fine with many user and machine accounts.
-Windows7 client trying to connect via sqlplus to an oracle database
residing in a Windows2008 server. Both machines are in the domain.
-Server database is using Operating System Authentication, i.e. it
relies on the client to authenticate the user connecting to the
database. The user is a Domain User, therefore eventually authentication
falls to the domain controller and kerberos.
Error:
-ORA-12638: Credential retrieval failed.
Samba logs:
-log level = 10
-User name -> ids
-Domain -> domain.ad
-Server account name -> DATABASE_SERVER
-Client IP -> 192.168.0.100
--------------------------------------------------------------------------------------------------
[2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0, 0)]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276
for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_request: SEARCH
dn: DC=domain,DC=ad
scope: sub
expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
attr: objectClass
attr: sAMAccountName
attr: userPrincipalName
attr: servicePrincipalName
attr: msDS-KeyVersionNumber
attr: msDS-SecondaryKrbTgtNumber
attr: msDS-SupportedEncryptionTypes
attr: supplementalCredentials
attr: msDS-AllowedToDelegateTo
attr: dBCSPwd
attr: unicodePwd
attr: userAccountControl
attr: objectSid
attr: pwdLastSet
attr: accountExpires
control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
control: 1.2.840.113556.1.4.529 crit:1 data:yes
[2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_request: (resolve_oids)->search
[2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (rootdse)->search
[2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (schema_load)->search
[2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (lazy_commit)->search
[2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (dirsync)->search
[2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (paged_results)->search
[2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (ranged_results)->search
[2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (anr)->search
[2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (server_sort)->search
[2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (asq)->search
[2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (extended_dn_in)->search
[2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (descriptor)->search
[2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (acl)->search
[2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (aclread)->search
[2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (operational)->search
[2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (rdn_name)->search
[2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
[2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (show_deleted)->search
[2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (partition)->search
[2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: partition_request() -> (metadata partition)
[2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_next_request: (tdb)->search
[2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_response: REFERRAL
ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
[2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
ldb: ldb_trace_response: DONE
error: 0
[2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0, 0)]
../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
*Failed to find an entry for DATABASE_SERVER*
[2015/03/02 19:57:03.797542, 3, pid=6266, effective(0, 0), real(0, 0)]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Searching referral for DATABASE_SERVER
[2015/03/02 19:57:03.797595, 3, pid=6266, effective(0, 0), real(0, 0)]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No
such entry in the database
[2015/03/02 19:57:03.797637, 3, pid=6266, effective(0, 0), real(0, 0)]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
[2015/03/02 19:57:03.797891, 3, pid=6266, effective(0, 0), real(0, 0)]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
--------------------------------------------------------------------------------------------------
User "ids" is requesting a ticket to connect to the "DATABASE_SERVER".
In the process samba makes an ldbsearch looking for the server but does
not find it. Why? Because the sAMAccountName that it is searching for
lacks the trailing dollar "$" that every machine account has.
Is this a bug? Any idea how I can work around this issue?
We have a production environment with Windows DC working and planned to
migrate to samba4 but need everything working flawlessly.
--
Izan Díez Sánchez
Empresarios Agrupados
Magallanes 3
28015 Madrid
Tel. +34 91 309 80 00 (ext: 8813)
ids at empre.es
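
The pattern described in the message above (a TGS-REQ for a bare machine name, followed by a failed server lookup) can be searched for across a whole KDC log. The following is an added example, not part of the original message and not Samba code; the function names and the sample log are constructed for illustration and rely only on the two level-3 message formats quoted in the post.

```python
import re

# Constructed sample, wrapped the way the log lines in the post are wrapped.
SAMPLE_LOG = """\
[2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0, 0)]
Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49276
for DATABASE_SERVER@DOMAIN.AD [canonicalize, renewable, forwardable]
[2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0, 0)]
Failed to find an entry for DATABASE_SERVER
[2015/03/02 19:58:10.100000, 3, pid=6266, effective(0, 0), real(0, 0)]
Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49301
for cifs/fileserver.domain.ad@DOMAIN.AD [canonicalize, renewable, forwardable]
"""

TGS_REQ = re.compile(r"Kerberos: TGS-REQ (\S+) from (\S+)\s+for (\S+)@(\S+)")
LOOKUP_FAIL = re.compile(r"Failed to find an entry for (\S+)")


def classify_target(name):
    """Classify the server name a client requested a ticket for."""
    if "/" in name:
        return "spn"      # service/host form
    if name.endswith("$"):
        return "machine"  # carries the trailing $ of a machine account
    return "bare"         # plain name, searched as samAccountName=<name>


def find_bare_name_failures(log_text):
    """Return TGS-REQs for a bare name that the KDC then failed to look up."""
    text = log_text.replace("*", "")  # drop emphasis markers added by mail archives
    events = sorted(
        [(m.start(), "req", m) for m in TGS_REQ.finditer(text)]
        + [(m.start(), "fail", m) for m in LOOKUP_FAIL.finditer(text)],
        key=lambda e: e[0],
    )
    pending, findings = {}, []
    for _, kind, m in events:
        if kind == "req":
            client, source, target, realm = m.groups()
            pending[target] = {"client": client, "source": source,
                               "target": target, "realm": realm}
        elif m.group(1) in pending:
            req = pending.pop(m.group(1))
            if classify_target(req["target"]) == "bare":
                req["account_to_check"] = req["target"] + "$"
                findings.append(req)
    return findings
```

Each finding's account_to_check is the requested name with the trailing "$" appended, which can then be compared against the machine accounts in the directory.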