[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14

Andrew Bartlett abartlet at samba.org
Tue Nov 16 17:36:35 UTC 2021

On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> Hi!
> I use FreeBSD 12.2 and Samba 4.13.8 as a DC. All worked fine for many
> years, but after updating to version 4.13.14, I have some trouble
> issuing Kerberos tickets for the ldap service at my DC. When I downgrade
> Samba again, all works fine.
> Some lines from log.samba:
>    Kerberos: samba_kdc_fetch: message2entry failed
> [2021/11/16 09:22:47.367864,  3]
>    Kerberos: Server not found in database: LDAP/dc.samdom.local/samdom.local@SAMDOM.LOCAL: no such entry found in hdb
> When I check the SPNs for my DC:
> # samba-tool spn list dc$
> dc$
> User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following
> servicePrincipalName:
>          HOST/DC
>          HOST/dc.samdom.local
>          GC/dc.samdom.local/samdom.local
>          E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
>          HOST/dc.samdom.local/SAMDOM
>          ldap/dc.samdom.local/SAMDOM
>          ldap/dc.samdom.local
>          HOST/dc.samdom.local/samdom.local
>          ldap/dc.samdom.local/samdom.local
>          ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
>          ldap/DC
>          RestrictedKrbHost/DC
>          RestrictedKrbHost/dc.samdom.local
>          ldap/dc.samdom.local/DomainDnsZones.samdom.local
>          ldap/dc.samdom.local/ForestDnsZones.samdom.local
> What is wrong in my case?

Thanks for your mail and I'm sorry for this regression.  I should have
called out this behaviour change more strongly in our release notes, or
at least put a better DEBUG message on it.

In this commit:
commit 4888e198110a811a1815e2fdffc7562fe979f477
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 4 15:18:34 2021 +1300

    CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

We restricted 3-part SPNs to DCs.  This is what the rule was always
meant to be, but there were codepaths where this wasn't enforced.  For
various reasons it was simplest to enforce the rule at read time on the

Can you check:
 - the userAccountControl on your DC
 - your compiler.  I'm wondering if this is some FreeBSD-only thing
given that the tests passed on linux, perhaps around that boolean logic
or 'bool' variable type?

If you do a full developer build, does
make test TESTS="samba.tests.krb5.spn_tests"
fail?


Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
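The two checks asked for above (is the account flagged as a DC in userAccountControl, and which of its SPNs are 3-part names ending in the domain or realm that the 4.13.14 KDC now refuses for non-DCs) can be done offline on the attribute values. The script below is an added example for this thread, not Samba's own code: it does not read sam.ldb or talk to the KDC, it only models the rule as the reply states it, applied to values you paste in. The UF_* bit values are the standard userAccountControl flags; the SPN list is the one posted in the question, and the 0x82000 value is the usual userAccountControl of a DC computer account. Which third components count as "our domain/realm" is a parameter (DNS domain and realm here); whether the NetBIOS short name also counts is not settled by the thread, so the model does not assume it.

```python
"""Check a DC account's userAccountControl and SPNs against the 3-part SPN rule.

Added example for this thread, not Samba code: nothing here reads sam.ldb or
talks to the KDC.  It applies the rule the reply describes (a 3-part SPN whose
third component is our domain/realm is honoured only for a DC) to values you
supply, e.g. from:
  ldbsearch -H /path/to/private/sam.ldb '(sAMAccountName=dc$)' userAccountControl servicePrincipalName
"""

# userAccountControl bits (MS-ADTS; Samba's UF_* names)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000        # the bit that marks a DC
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000

_UAC_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}


def decode_uac(uac):
    """Names of the known bits set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(_UAC_NAMES.items()) if uac & bit]


def is_dc(uac):
    """A domain controller's computer account carries UF_SERVER_TRUST_ACCOUNT."""
    return bool(uac & UF_SERVER_TRUST_ACCOUNT)


def classify_spns(uac, spns, our_names):
    """Split SPNs into those the 4.13.14 KDC would honour and those it rejects.

    our_names: what counts as "our domain/realm" for the third component
    (DNS domain and Kerberos realm; whether the NetBIOS name also counts is
    left to the caller, this model does not assume it).  Case-insensitive.
    """
    ours = {n.lower() for n in our_names}
    honoured, rejected = [], []
    for spn in spns:
        parts = spn.split("/")          # service/host[:port][/third-part]
        three_part_ours = len(parts) == 3 and parts[2].lower() in ours
        if three_part_ours and not is_dc(uac):
            rejected.append(spn)        # KDC: "Server not found in database"
        else:
            honoured.append(spn)
    return {"honoured": honoured, "rejected": rejected}


def report(uac, spns, our_names):
    """Human-readable summary for one account."""
    res = classify_spns(uac, spns, our_names)
    lines = ["userAccountControl = 0x%x (%s)" % (uac, ", ".join(decode_uac(uac)) or "no known bits"),
             "account %s a DC" % ("is" if is_dc(uac) else "is NOT")]
    lines += ["REJECTED 3-part SPN on non-DC: " + s for s in res["rejected"]]
    lines.append("%d honoured, %d rejected" % (len(res["honoured"]), len(res["rejected"])))
    return "\n".join(lines)


# Constructed sample: the SPN list posted in the thread and the usual DC
# userAccountControl (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION = 0x82000).
OUR_NAMES = ("samdom.local", "SAMDOM.LOCAL")      # DNS domain, Kerberos realm
DC_UAC = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION
DC_SPNS = [
    "HOST/DC",
    "HOST/dc.samdom.local",
    "GC/dc.samdom.local/samdom.local",
    "E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local",
    "HOST/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local",
    "HOST/dc.samdom.local/samdom.local",
    "ldap/dc.samdom.local/samdom.local",
    "ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local",
    "ldap/DC",
    "RestrictedKrbHost/DC",
    "RestrictedKrbHost/dc.samdom.local",
    "ldap/dc.samdom.local/DomainDnsZones.samdom.local",
    "ldap/dc.samdom.local/ForestDnsZones.samdom.local",
]

if __name__ == "__main__":
    print(report(DC_UAC, DC_SPNS, OUR_NAMES))                        # all honoured
    print()
    print(report(UF_WORKSTATION_TRUST_ACCOUNT, DC_SPNS, OUR_NAMES))  # 4 rejected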
