[Samba] Oracle 11 nts authentication against samba4 AD DC

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 5 09:15:41 MST 2015


On 05/03/15 15:23, Izan DíezSánchez wrote:
>
>
> schnaggy <schnaggy <at> schnaggy.de> writes:
>
>>
>>> On 05 Mar 2015, at 10:45, Rowland Penny <rowlandpenny <at> googlemail.com> wrote:
>>> On 03/03/15 09:56, Izan Díez Sánchez wrote:
>>>> Hi again. I apologize for my vague previous question. After some investigation I can be much more precise in my consult. Furthermore, I think I found a bug…
>>>> ...
>>>>
>>>> User "ids" is requesting a ticket to connect to the "DATABASE_SERVER". In the process samba makes an ldbsearch looking for the server but does not find it. Why? Because the sAMAccountName that is searching lacks the trailing dollar "$" that every machine account has.
>>>> Is this a bug? Any idea on how can I workaround this issue?
>>>> We have a production environment with Windows DC working and planned to migrate to samba4 but need everything working flawlessly.
>>>>
>>>>
>>> No, I don't think this is a bug, I think it is a mis-configuration of *oracle*.
>>> If authentication works by removing the '$' sign from the computers samaccountname, then there is your problem, oracle doesn't expect the '$' sign but it should because *every* AD computer samaccountname ends with a '$' sign.
>>> So, to put it another way, this is not a samba problem, it is an oracle problem, try searching the internet with something like 'oracle windows authentication nts'
>> Yes, you are right. It's not a samba problem if the oracle client tries to authenticate with a machine account name and stripping the $-sign. My fault. I'm gonna try some metawork searches. Maybe there will be any hints...
>>
>> BTW: we use a win 8.1pro with a local oracle server installation, not win7 and a remote oracle on a win 2008 server
>> schnaggy
>>
>>> Rowland
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> Carsten Wagner
>>
>> schnaggy <at> schnaggy.de
>>
> Thanks schnaggy ;) I had also tested the local setup and your
> workaround, but breaking another thing to fix this is not a solution.
>
> Rowland, how is it an oracle client problem if it works out of the box
> in a Windows Active Directory?

Nobody said it worked against a Windows AD DC and as someone else 
posted a workaround, it was too easy to say it wasn't a bug, but now 
that you say it works with Windows, then yes it does sound like a bug 
and your best course would be to file a bug report.

> I finally dug a bit into the code and found the line in which the
> unsuccessful query is performed:
>
> If in the samba_kdc_lookup_server function of the db-glue.c change the
> following piece of code:
> ----------------------------------------------
>
> 		lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
> 				       *realm_dn, LDB_SCOPE_SUBTREE,
> 				       attrs,
> 				       DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
> 				       "(&(objectClass=user)(samAccountName=%s))",
> 				       ldb_binary_encode_string(mem_ctx, short_princ));
> ----------------------------------------------
> by
> ----------------------------------------------
> 		lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
> 				       *realm_dn, LDB_SCOPE_SUBTREE,
> 				       attrs,
> 				       DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
> 				       "(&(objectClass=user)(samAccountName=%s$))",
> 				       ldb_binary_encode_string(mem_ctx, short_princ));
> ----------------------------------------------
> Note the dollar sign. Recompiled and get it working as expected.
>
> Problem here: I don't know how it will impact the normal functioning of
> kerberos. However, so far, I have not been able to notice any error. In
> any case I am not willing to trust this hack for a production
> environment and I need some help of people with understanding of why
> that line of code is written in that way and not the other.

I personally would have changed the search filter to this:

"(&(objectClass=user)(|(samAccountName=%s)(cn=%s)))",

With this filter, you would get the same result as previously, but it 
would also find machines if 'cn' is matched.

However, I am no expert in kerberos and there are probably valid reasons 
why the search filter is the way it is, so I would urge you to file a 
bug report on this.

Rowland

> I hope we can reach a solution. Thank you for your time,
>
> \\Izan
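
The following is an added illustration, not Samba code and not part of this thread: a tiny in-memory LDAP filter matcher run over a constructed sample directory (one user, one computer account, one group) so the three filter variants discussed above can be compared side by side. `ldap_escape` stands in for `ldb_binary_encode_string` (an assumption about its role, RFC 4515 value escaping); the entries and the `lookup` helper are constructed for this example.

```python
import re

# RFC 4515 escaping of an assertion value. Stands in for Samba's
# ldb_binary_encode_string() in this toy (assumption, not Samba code).
def ldap_escape(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _value_regex(raw: str) -> "re.Pattern":
    """Compile a filter assertion value: an unescaped '*' is a wildcard,
    '\\xx' sequences are literal characters.  Matching is case-insensitive,
    as AD's sAMAccountName and cn matching rules are."""
    parts = []
    for segment in raw.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), segment)
        parts.append(re.escape(literal))
    return re.compile(".*".join(parts), re.IGNORECASE)


def parse_filter(filt: str, i: int = 0):
    """Minimal recursive-descent parser for the filter subset used here:
    (&...), (|...) and (attr=value).  Returns (node, next_index)."""
    if filt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if filt[i] in "&|":
        op, i, kids = filt[i], i + 1, []
        while filt[i] == "(":
            node, i = parse_filter(filt, i)
            kids.append(node)
        if filt[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = filt.index(")", i)
    attr, _, raw = filt[i:end].partition("=")
    return ("=", attr.lower(), _value_regex(raw)), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, rx = node
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(rx.fullmatch(v) for v in values)


# Constructed sample directory, not real data.  A computer object in AD
# carries objectClass "user" as well as "computer"; its sAMAccountName ends
# in "$" while its cn is the bare host name.
DIRECTORY = [
    {"objectclass": ["top", "person", "user"],
     "samaccountname": "ids", "cn": "ids"},
    {"objectclass": ["top", "person", "user", "computer"],
     "samaccountname": "DATABASE_SERVER$", "cn": "DATABASE_SERVER"},
    {"objectclass": ["top", "group"],
     "samaccountname": "DBAdmins", "cn": "DBAdmins"},
]

# The three filters from the thread, in the same %s template form.
ORIGINAL = "(&(objectClass=user)(samAccountName=%s))"
DOLLAR_HACK = "(&(objectClass=user)(samAccountName=%s$))"
CN_FALLBACK = "(&(objectClass=user)(|(samAccountName=%s)(cn=%s)))"


def lookup(template: str, short_princ: str, escape: bool = True) -> list:
    """Substitute the short principal into the template and return the
    sAMAccountNames of matching entries.  escape=False shows what happens
    without the ldb_binary_encode_string() step."""
    value = ldap_escape(short_princ) if escape else short_princ
    tree, _ = parse_filter(template.replace("%s", value))
    return [e["samaccountname"] for e in DIRECTORY if matches(tree, e)]


if __name__ == "__main__":
    for name, tpl in (("original", ORIGINAL), ("dollar hack", DOLLAR_HACK),
                      ("cn fallback", CN_FALLBACK)):
        print(name, "ids ->", lookup(tpl, "ids"),
              "DATABASE_SERVER ->", lookup(tpl, "DATABASE_SERVER"))
    print("unescaped '*' ->", lookup(ORIGINAL, "*", escape=False))
    print("escaped '*'   ->", lookup(ORIGINAL, "*"))
```

In this toy directory the original filter resolves the user but not the machine (the failure reported above), appending `$` flips that around so a plain user sAMAccountName no longer matches, and the `cn` alternative finds both. The last two lines show why the escaping call around `short_princ` is there: an unescaped `*` would turn the lookup into a match on every user object.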
