[Samba] Oracle 11 nts authentication against samba4 AD DC
Rowland Penny
rowlandpenny at googlemail.com
Thu Mar 5 02:45:26 MST 2015
On 03/03/15 09:56, Izan Díez Sánchez wrote:
> Hi again. I apologize for my vague previous question. After some
> investigation I can be much more precise in my query. Furthermore, I
> think I found a bug...
>
> Context:
> -Samba4 AD DC working fine with many user and machine accounts.
> -Windows7 client trying to connect via sqlplus to an oracle database
> residing in a Windows2008 server. Both machines are in the domain.
> -Server database is using Operating System Authentication, i.e. it
> relies on the client to authenticate the user connecting to the
> database. The user is a Domain User, therefore eventually
> authentication falls to the domain controller and kerberos.
>
> Error:
> -ORA-12638: Credential retrieval failed.
>
> Samba logs:
> -log level = 10
> -User name -> ids
> -Domain -> domain.ad
> -Server account name -> DATABASE_SERVER
> -Client IP -> 192.168.0.100
> --------------------------------------------------------------------------------------------------
>
> [2015/03/02 19:57:03.794542, 3, pid=6266, effective(0, 0), real(0,
> 0)]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276
> for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
> [2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_request: SEARCH
> dn: DC=domain,DC=ad
> scope: sub
> expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
> attr: objectClass
> attr: sAMAccountName
> attr: userPrincipalName
> attr: servicePrincipalName
> attr: msDS-KeyVersionNumber
> attr: msDS-SecondaryKrbTgtNumber
> attr: msDS-SupportedEncryptionTypes
> attr: supplementalCredentials
> attr: msDS-AllowedToDelegateTo
> attr: dBCSPwd
> attr: unicodePwd
> attr: userAccountControl
> attr: objectSid
> attr: pwdLastSet
> attr: accountExpires
> control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
> control: 1.2.840.113556.1.4.529 crit:1 data:yes
>
> [2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_request: (resolve_oids)->search
> [2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (rootdse)->search
> [2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (schema_load)->search
> [2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (lazy_commit)->search
> [2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (dirsync)->search
> [2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (paged_results)->search
> [2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (ranged_results)->search
> [2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (anr)->search
> [2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (server_sort)->search
> [2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (asq)->search
> [2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (extended_dn_in)->search
> [2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (descriptor)->search
> [2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (acl)->search
> [2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (aclread)->search
> [2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (operational)->search
> [2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (rdn_name)->search
> [2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
> [2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (show_deleted)->search
> [2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (partition)->search
> [2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: partition_request() -> (metadata partition)
> [2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_next_request: (tdb)->search
> [2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_response: REFERRAL
> ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
>
> [2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
> ldb: ldb_trace_response: DONE
> error: 0
>
> [2015/03/02 19:57:03.797497, 3, pid=6266, effective(0, 0), real(0,
> 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
> *Failed to find an entry for DATABASE_SERVER*
> [2015/03/02 19:57:03.797542, 3, pid=6266, effective(0, 0), real(0,
> 0)]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Searching referral for DATABASE_SERVER
> [2015/03/02 19:57:03.797595, 3, pid=6266, effective(0, 0), real(0,
> 0)]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD:
> No such entry in the database
> [2015/03/02 19:57:03.797637, 3, pid=6266, effective(0, 0), real(0,
> 0)]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
> [2015/03/02 19:57:03.797891, 3, pid=6266, effective(0, 0), real(0,
> 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> --------------------------------------------------------------------------------------------------
>
>
> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER".
> In the process samba makes an ldbsearch looking for the server but
> does not find it. Why? Because the sAMAccountName it is searching for
> lacks the trailing dollar "$" that every machine account has.
>
> Is this a bug? Any idea on how I can work around this issue?
> We have a production environment with a Windows DC working and plan
> to migrate to samba4, but we need everything working flawlessly.
>
>
>
No, I don't think this is a bug, I think it is a mis-configuration of
*oracle*.
If authentication works by removing the '$' sign from the computer's
sAMAccountName, then there is your problem: oracle doesn't expect the '$'
sign, but it should, because *every* AD computer sAMAccountName ends with
a '$' sign.
So, to put it another way, this is not a samba problem, it is an oracle
problem. Try searching the internet with something like 'oracle windows
authentication nts'.
Rowland
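As an added diagnostic (not part of the thread or of Samba itself): a small Python scanner that correlates Samba KDC "Server not found in database" lines with the TGS-REQ that triggered them and flags requests for a '$'-less host-style service name, which is the pattern in the log quoted above. The sample log lines are constructed from the quoted output with the timestamp prefixes trimmed; the regexes assume that line layout.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the Samba KDC lines quoted in the thread.
SAMPLE_LOG = """\
Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49276 for DATABASE_SERVER@DOMAIN.AD [canonicalize, renewable, forwardable]
Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49300 for cifs/fileserver.domain.ad@DOMAIN.AD [renewable]
Kerberos: TGS-REQ bob@DOMAIN.AD from ipv4:192.168.0.102:50010 for WORKSTATION7$@DOMAIN.AD [renewable]
"""

TGS_REQ = re.compile(
    r"TGS-REQ (?P<client>[^@\s]+)@\S+ from ipv4:(?P<ip>[\d.]+):\d+ "
    r"for (?P<service>[^@\s]+)@(?P<realm>\S+)")
NOT_FOUND = re.compile(
    r"Server not found in database: (?P<service>[^@\s]+) at (?P<realm>[^:\s]+):")


def classify(service: str) -> str:
    """Return which name form the client asked the KDC for."""
    if "/" in service:
        return "spn"            # service/host form, e.g. cifs/fileserver.domain.ad
    if service.endswith("$"):
        return "computer"       # AD computer account: sAMAccountName always ends in '$'
    return "bare_hostname"      # neither form: typical of a client that dropped the '$'


def scan(log_text: str) -> List[Dict[str, str]]:
    """Pair each 'Server not found' event with the most recent TGS-REQ for that name."""
    last_req: Dict[str, Dict[str, str]] = {}   # service name -> most recent request fields
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            last_req[m["service"]] = m.groupdict()
            continue
        m = NOT_FOUND.search(line)
        if not m:
            continue
        req = last_req.get(m["service"], {"client": "?", "ip": "?"})
        kind = classify(m["service"])
        if kind == "bare_hostname":
            hint = "host-style name without trailing '$'; check whether the directory holds '%s$'" % m["service"]
        else:
            hint = "principal absent from the directory"
        findings.append({"service": m["service"], "realm": m["realm"], "kind": kind,
                         "client": req["client"], "ip": req["ip"], "hint": hint})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```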