[Samba] Oracle 11 nts authentication against samba4 AD DC
Izan Díez Sánchez
ids at empre.es
Thu Mar 5 08:23:28 MST 2015
schnaggy <schnaggy <at> schnaggy.de> writes:
>
> > On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny <at> googlemail.com> wrote:
> >
> > On 03/03/15 09:56, Izan Díez Sánchez wrote:
> >> Hi again. I apologize for my vague previous question. After some
> >> investigation I can be much more precise in my consult. Furthermore,
> >> I think I found a bug…
> >> ...
> >>
> >> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER".
> >> In the process samba makes an ldbsearch looking for the server but does
> >> not find it. Why? Because the sAMAccountName that is searching lacks
> >> the trailing dollar "$" that every machine account has.
> >>
> >> Is this a bug? Any idea on how I can work around this issue?
> >> We have a production environment with Windows DC working and planned
> >> to migrate to samba4 but need everything working flawlessly.
> >>
> > No, I don't think this is a bug, I think it is a mis-configuration of
> > *oracle*.
> >
> > If authentication works by removing the '$' sign from the computer's
> > samaccountname, then there is your problem, oracle doesn't expect the
> > '$' sign but it should because *every* AD computer samaccountname ends
> > with a '$' sign.
> >
> > So, to put it another way, this is not a samba problem, it is an oracle
> > problem, try searching the internet with something like 'oracle windows
> > authentication nts'
> >
>
> Yes, you are right. It's not a samba problem if the oracle client tries
> to authenticate with a machine account name and stripping the $-sign.
> My fault. I'm gonna try some metawork searches. Maybe there will be any
> hints...
>
> BTW: we use a win 8.1pro with a local oracle server installation, not
> win7 and a remote oracle on a win 2008 server
>
> schnaggy
>
> > Rowland
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> Carsten Wagner
>
> schnaggy <at> schnaggy.de
>
Thanks schnaggy ;) I had also tested the local setup and your
workaround, but breaking another thing to fix this is not a solution.
Rowland, how is it an oracle client problem if it works out of the box
in a Windows Active Directory?
I finally dug a bit into the code and found the line in which the
unsuccessful query is performed:
If, in the samba_kdc_lookup_server function of db-glue.c, you change the
following piece of code:
----------------------------------------------
    /* short_princ is the requested principal name without the realm */
    lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
                           *realm_dn, LDB_SCOPE_SUBTREE,
                           attrs,
                           DSDB_SEARCH_SHOW_EXTENDED_DN |
                           DSDB_SEARCH_NO_GLOBAL_CATALOG,
                           "(&(objectClass=user)(samAccountName=%s))",
                           ldb_binary_encode_string(mem_ctx,
                                                    short_princ));
----------------------------------------------
to
----------------------------------------------
    /* same search, but with a '$' appended to the sAMAccountName */
    lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
                           *realm_dn, LDB_SCOPE_SUBTREE,
                           attrs,
                           DSDB_SEARCH_SHOW_EXTENDED_DN |
                           DSDB_SEARCH_NO_GLOBAL_CATALOG,
                           "(&(objectClass=user)(samAccountName=%s$))",
                           ldb_binary_encode_string(mem_ctx,
                                                    short_princ));
----------------------------------------------
Note the dollar sign. I recompiled and got it working as expected.
Problem here: I don't know how it will impact the normal functioning of
kerberos. However, so far, I have not been able to notice any error. In
any case I am not willing to trust this hack for a production
environment and I need some help from people who understand why
that line of code is written that way and not the other.
I hope we can reach a solution. Thank you for your time,
\\Izan
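As an added illustration (not code from this thread or from Samba itself), the following C model shows why unconditionally appending '$' to that filter is risky: it finds the machine account, but a service principal that belongs to a user account (a constructed "svc_oracle" below) would no longer be found. An exact match first, with a '$' fallback restricted to computer objects, keeps both cases working. The in-memory directory and both lookup functions are constructed here and are not Samba APIs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the entries the KDC would find in sam.ldb:
 * a machine account (always "NAME$") and a user running a service. */
struct sam_entry { const char *sam_account_name; bool is_computer; };

static const struct sam_entry directory[] = {
    { "DATABASE_SERVER$", true  },   /* machine account, trailing '$' */
    { "svc_oracle",       false },   /* service running as a user     */
    { "ids",              false },   /* the requesting user           */
};
#define DIR_LEN (sizeof(directory) / sizeof(directory[0]))

/* Case-insensitive exact match on sAMAccountName (as in AD), optionally
 * restricted to computer objects. Returns NULL when nothing matches. */
static const struct sam_entry *find_entry(const char *name, bool computer_only)
{
    for (size_t i = 0; i < DIR_LEN; i++) {
        if (computer_only && !directory[i].is_computer) continue;
        if (strcasecmp(directory[i].sam_account_name, name) == 0)
            return &directory[i];
    }
    return NULL;
}

/* Models the hack from the thread: always search for "<short_princ>$". */
const char *lookup_server_hack(const char *short_princ)
{
    char buf[256];
    snprintf(buf, sizeof(buf), "%s$", short_princ);
    const struct sam_entry *e = find_entry(buf, false);
    return e ? e->sam_account_name : NULL;
}

/* Safer alternative: exact match first; only if that fails, and the name
 * does not already end in '$', retry with '$' limited to computer objects. */
const char *lookup_server_fallback(const char *short_princ)
{
    const struct sam_entry *e = find_entry(short_princ, false);
    size_t len = strlen(short_princ);
    if (e == NULL && len > 0 && short_princ[len - 1] != '$') {
        char buf[256];
        snprintf(buf, sizeof(buf), "%s$", short_princ);
        e = find_entry(buf, true);
    }
    return e ? e->sam_account_name : NULL;
}
```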