[Samba] Domain trust and browsing users and groups problem
Tino Müller
tmu at spreadshirt.net
Fri Jun 22 09:00:37 UTC 2018
Hi list,
we have a forest trust of two domains. One domain in US (us.root.prv)
running exclusively on Windows 2012 R2 and one in EU
(spreadshirt.private) running exclusively Sernet Samba 4.8.2-11. Both
domains run functional level "2008 R2". The trust validates successful
using "samba-tool domain trust validate" and in "Domains and trusts".
My problem is: I can't browse users and groups of the EU domain on a
domain member of the US domain, when I try to give EU users permissions
on resources in the US domain. The other way does work.
For example:
At a server in the US domain (actually the DC with all FSMO roles of the
US domain), I right-click a folder on disk -> Properties -> Security ->
"Add..." -> "Locations..." -> select forest "spreadshirt.private" -> OK
-> "Advanced..." -> "Find now".
Search results below show "Searching..." for a short time and then the
message: "The following error prevented the display of any items: The
system cannot contact a domain controller to service the authentication
request. Please try again later."
Doing the same in the EU domain to find users and groups in the US
domain, lists all users and groups as expected.
To track down, what happens, I do a tcpdump at one of the DCs in EU
(ad07), which get the requests from the US server. This is, what I find
(as I think the relevant part):
The krb5 req packet:
US -> EU - KRB5 TGS-REQ
Kerberos
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
req-body
kdc-options: 40810000 (forwardable, renewable, canonicalize)
realm: SPREADSHIRT.PRIVATE
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 3 items
SNameString: ldap
SNameString: ad07.spreadshirt.private
SNameString: spreadshirt.private
etype: 5 items
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
enc-authorization-data
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
cipher: f1cab9899b2402be5267e58829e2573f875f03e4fc1fc04b...
The answer:
EU -> US - KRB5 KRB Error: KRB5KRB_ERR_GENERIC
Kerberos
krb-error
pvno: 5
msg-type: krb-error (30)
ctime: 2018-06-22 07:49:57 (UTC)
cusec: 4986
stime: 2018-06-22 07:49:57 (UTC)
susec: 828326
error-code: eRR-GENERIC (60)
realm: <unspecified realm>
sname
name-type: kRB5-NT-UNKNOWN (0)
sname-string: 0 items
e-text: No next enctype 18 for hdb-entry
This "No next enctype 18 for hdb-entry" seems to be the problem. AFAIK
is enctype 18 the encryption type AES256-CTS-HMAC-SHA1-96 as seen in the
request packet. After this packet, the connection is ended by the US server.
What does this error mean and how do I solve this?
Without this, we can't add permissions to EU users in US domain.
---
Additional info:
ad07 is the DC with all FSMO roles in EU. It was used to establish the
trust to the US domain by "samba-tool domain trust create" command.
Exactly:
# kinit -c ./cache administrator at US.ROOT.PRV
# samba-tool domain trust create US.ROOT.PRV --type=forest
--direction=both -k yes --krb5-ccache=./cache --create-location=both
smb.conf of ad07:
# Global parameters
[global]
netbios name = AD07
realm = SPREADSHIRT.PRIVATE
server role = active directory domain controller
workgroup = SPREADSHIRT
log level = 2 auth_audit:2 auth_json_audit:2
idmap_ldb:use rfc2307 = yes
ntlm auth = yes
ldap server require strong auth = allow_sasl_over_tls
[netlogon]
path = /var/lib/samba/sysvol/spreadshirt.private/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
"ntlm auth = yes" and "ldap server require strong auth =
allow_sasl_over_tls" are needed for freeradius and third-party software.
Removing them and restarting samba services didn't help.
secrets.keytab entries at ad07:
# ktutil -k /var/lib/samba/private/secrets.keytab list
/var/lib/samba/private/secrets.keytab:
Vno Type Principal
2 des-cbc-crc HOST/ad07 at SPREADSHIRT.PRIVATE
2 des-cbc-crc
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
2 des-cbc-crc AD07$@SPREADSHIRT.PRIVATE
2 des-cbc-md5 HOST/ad07 at SPREADSHIRT.PRIVATE
2 des-cbc-md5
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
2 des-cbc-md5 AD07$@SPREADSHIRT.PRIVATE
2 arcfour-hmac-md5 HOST/ad07 at SPREADSHIRT.PRIVATE
2 arcfour-hmac-md5
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
2 arcfour-hmac-md5 AD07$@SPREADSHIRT.PRIVATE
2 aes128-cts-hmac-sha1-96 HOST/ad07 at SPREADSHIRT.PRIVATE
2 aes128-cts-hmac-sha1-96
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
2 aes128-cts-hmac-sha1-96 AD07$@SPREADSHIRT.PRIVATE
2 aes256-cts-hmac-sha1-96 HOST/ad07 at SPREADSHIRT.PRIVATE
2 aes256-cts-hmac-sha1-96
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
2 aes256-cts-hmac-sha1-96 AD07$@SPREADSHIRT.PRIVATE
Ticket cache at US server (rosen):
C:\Windows\system32>klist
Current LogonId is 0:0x607f290
Cached Tickets: (2)
#0> Client: atmueller @ US.ROOT.PRV
Server: krbtgt/SPREADSHIRT.PRIVATE @ US.ROOT.PRV
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent
ok_as_delegate name_canonicalize
Start Time: 6/22/2018 3:46:44 (local)
End Time: 6/22/2018 13:35:57 (local)
Renew Time: 6/29/2018 3:35:57 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: ROSEN
#1> Client: atmueller @ US.ROOT.PRV
Server: krbtgt/US.ROOT.PRV @ US.ROOT.PRV
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial
pre_authent name_canonicalize
Start Time: 6/22/2018 3:35:57 (local)
End Time: 6/22/2018 13:35:57 (local)
Renew Time: 6/29/2018 3:35:57 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: ROSEN
The whole communication is done for this connection between rosen and
ad07. Full tcpdump trace is available.
In short (US server requests, answered by EU server):
- DNS requests for GC
- CLDAP search for DC capabilities
- LDAP search base <ROOT> at GC port 3268
- Kerberos request as above
- unbind from GC
Any help is appreciated. Thank you.
Tino
More information about the samba
mailing list