[Samba] Oracle 11 nts authentication against samba4 AD DC

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 5 02:45:26 MST 2015


On 03/03/15 09:56, Izan Díez Sánchez wrote:
> Hi again. I apologize for my vague previous question. After some 
> investigation I can be much more precise in my consult. Furthermore, I 
> think I found a bug...
>
> Context:
> -Samba4 AD DC working fine with many user and machine accounts.
> -Windows7 client trying to connect via sqlplus to an oracle database 
> residing in a Windows2008 server. Both machines are in the domain.
> -Server database is using Operating System Authentication, i.e. it 
> relies on the client to authenticate the user connecting to the 
> database. The user is a Domain User, therefore eventually 
> authentication falls to the domain controller and kerberos.
>
> Error:
> -ORA-12638: Credential retrieval failed.
>
> Samba logs:
> -log level = 10
> -User name -> ids
> -Domain -> domain.ad
> -Server account name -> DATABASE_SERVER
> -Client IP -> 192.168.0.100
> -------------------------------------------------------------------------------------------------- 
>
> [2015/03/02 19:57:03.794542,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ *ids*@*DOMAIN.AD* from ipv4:*192.168.0.100*:49276 
> for *DATABASE_SERVER*@DOMAIN.AD [canonicalize, renewable, forwardable]
> [2015/03/02 19:57:03.794633, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: SEARCH
>    dn: DC=domain,DC=ad
>    scope: sub
>    expr: (&(objectClass=user)(*samAccountName=DATABASE_SERVER*))
>    attr: objectClass
>    attr: sAMAccountName
>    attr: userPrincipalName
>    attr: servicePrincipalName
>    attr: msDS-KeyVersionNumber
>    attr: msDS-SecondaryKrbTgtNumber
>    attr: msDS-SupportedEncryptionTypes
>    attr: supplementalCredentials
>    attr: msDS-AllowedToDelegateTo
>    attr: dBCSPwd
>    attr: unicodePwd
>    attr: userAccountControl
>    attr: objectSid
>    attr: pwdLastSet
>    attr: accountExpires
>    control: 1.3.6.1.4.1.7165.4.3.17  crit:0  data:no
>    control: 1.2.840.113556.1.4.529  crit:1  data:yes
>
> [2015/03/02 19:57:03.794895, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_request: (resolve_oids)->search
> [2015/03/02 19:57:03.794938, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rootdse)->search
> [2015/03/02 19:57:03.794993, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (schema_load)->search
> [2015/03/02 19:57:03.795032, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (lazy_commit)->search
> [2015/03/02 19:57:03.795068, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (dirsync)->search
> [2015/03/02 19:57:03.795110, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (paged_results)->search
> [2015/03/02 19:57:03.795145, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (ranged_results)->search
> [2015/03/02 19:57:03.795184, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (anr)->search
> [2015/03/02 19:57:03.795220, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (server_sort)->search
> [2015/03/02 19:57:03.795255, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (asq)->search
> [2015/03/02 19:57:03.795289, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_in)->search
> [2015/03/02 19:57:03.795332, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (descriptor)->search
> [2015/03/02 19:57:03.795370, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (acl)->search
> [2015/03/02 19:57:03.795415, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (aclread)->search
> [2015/03/02 19:57:03.795452, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (operational)->search
> [2015/03/02 19:57:03.795503, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (rdn_name)->search
> [2015/03/02 19:57:03.795540, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (extended_dn_out_ldb)->search
> [2015/03/02 19:57:03.795589, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (show_deleted)->search
> [2015/03/02 19:57:03.795629, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (partition)->search
> [2015/03/02 19:57:03.795679, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: partition_request() -> (metadata partition)
> [2015/03/02 19:57:03.795716, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_next_request: (tdb)->search
> [2015/03/02 19:57:03.797351, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: REFERRAL
>   ref: ldap://domain.ad/CN=Configuration,DC=domain,DC=ad
>
> [2015/03/02 19:57:03.797428, 10, pid=6266, effective(0, 0), real(0, 
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:71(ldb_wrap_debug)
>   ldb: ldb_trace_response: DONE
>   error: 0
>
> [2015/03/02 19:57:03.797497,  3, pid=6266, effective(0, 0), real(0, 
> 0)] ../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
> *Failed to find an entry for DATABASE_SERVER*
> [2015/03/02 19:57:03.797542,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Searching referral for DATABASE_SERVER
> [2015/03/02 19:57:03.797595,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: 
> No such entry in the database
> [2015/03/02 19:57:03.797637,  3, pid=6266, effective(0, 0), real(0, 
> 0)] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed building TGS-REP to ipv4:172.31.0.122:49276
> [2015/03/02 19:57:03.797891,  3, pid=6266, effective(0, 0), real(0, 
> 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: 
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> -------------------------------------------------------------------------------------------------- 
>
>
> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". 
> In the process samba makes an ldbsearch looking for the server but 
> does not find it. Why? Because the sAMAccountName that is searching 
> lacks the trailing dollar "$" that every machine account has.
>
> Is this a bug? Any idea on how can I workaround this issue?
> We have a production environment with Windows DC working and planned 
> to migrate to samba4 but need everything working flawlessly.
>
>
>

No, I don't think this is a bug, I think it is a misconfiguration of 
*oracle*.

If authentication works by removing the '$' sign from the computer's 
sAMAccountName, then there is your problem, oracle doesn't expect the '$' 
sign but it should because *every* AD computer sAMAccountName ends with 
a '$' sign.

So, to put it another way, this is not a samba problem, it is an oracle 
problem, try searching the internet with something like 'oracle windows 
authentication nts'

Rowland
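A triage check for the failure pattern in the quoted log, added here as an example (not code from the thread or from Samba): it scans condensed Samba KDC debug lines, pairs each TGS-REQ with a later "Server not found" for the same service name, and flags single-component names without the trailing '$', mirroring the sAMAccountName lookup visible in the quoted ldb trace. The sample lines are constructed from the ones quoted above; treating a two-component name (svc/host) as a servicePrincipalName lookup is an assumption beyond the one-component case the log shows.

```python
import re

# Constructed sample, condensed from the Samba KDC debug output quoted in this
# thread (log prefixes removed, wrapped lines rejoined, two extra requests added).
SAMPLE_LOG = """\
  Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49276 for DATABASE_SERVER@DOMAIN.AD [canonicalize, renewable, forwardable]
../source4/kdc/db-glue.c:1389(samba_kdc_lookup_server)
  Failed to find an entry for DATABASE_SERVER
  Kerberos: Server not found in database: DATABASE_SERVER at DOMAIN.AD: No such entry in the database
  Kerberos: TGS-REQ ids@DOMAIN.AD from ipv4:192.168.0.100:49301 for cifs/fileserver.domain.ad@DOMAIN.AD [canonicalize]
  Kerberos: TGS-REQ alice@DOMAIN.AD from ipv4:192.168.0.101:50011 for DATABASE_SERVER$@DOMAIN.AD [renewable]
"""

TGS_REQ = re.compile(r"TGS-REQ (?P<client>\S+) from (?P<src>ipv4:\S+) for (?P<server>\S+?)@(?P<realm>\S+) \[")
NOT_FOUND = re.compile(r"Server not found in database: (?P<server>\S+) at (?P<realm>\S+):")


def service_lookup_key(server: str):
    """Which AD attribute the KDC lookup is keyed on for a requested service name.
    A one-component name is searched verbatim as sAMAccountName (as in the quoted
    ldb filter); a svc/host name is assumed to be a servicePrincipalName search."""
    if "/" in server:
        return ("servicePrincipalName", server)
    return ("sAMAccountName", server)


def triage(log_text: str):
    """Pair each TGS-REQ with a later 'Server not found' for the same name and
    classify the likely cause of the failed lookup."""
    requests = {}   # server name -> details of the most recent TGS-REQ for it
    findings = []
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            requests[m["server"]] = m.groupdict()
            continue
        m = NOT_FOUND.search(line)
        if not m:
            continue
        req = requests.get(m["server"], {"client": "?", "src": "?"})
        attr, value = service_lookup_key(m["server"])
        if attr == "sAMAccountName" and not value.endswith("$"):
            # Machine accounts always carry the '$'; a bare name means the client
            # built the wrong service principal, not that the KDC lost the account.
            reason = "bare name without trailing '$': client-side service name, check the client"
        elif attr == "servicePrincipalName":
            reason = "SPN not registered on any account"
        else:
            reason = "account does not exist"
        findings.append({"client": req["client"], "src": req["src"],
                         "server": m["server"], "lookup": attr, "reason": reason})
    return findings
```

Run against a full `log level = 10` log, the findings list gives the client principal and source address for each failed service lookup, so the misbehaving client can be identified without reading the ldb trace by hand.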

