[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
Nikita Druba
admin at npo-lencor.ru
Wed Nov 17 07:36:35 UTC 2021
On 16.11.2021 18:36, Andrew Bartlett wrote:
> On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
>> Hi!
>>
>> I use FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
>> years,
>> but after the update to version 4.13.14, I have some troubles with
>> issuing
>> kerberos tickets for the ldap service at my DC. When I downgrade samba
>> back, all works fine again.
>>
>> Some strings from log.samba:
>>
>> Kerberos: samba_kdc_fetch: message2entry failed
>> [2021/11/16 09:22:47.367864, 3]
>> Kerberos: Server not found in database:
>> LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found
>> in hdb
>>
>> When I check SPNs for my DC:
>>
>> # samba-tool spn list dc$
>> dc$
>> User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the
>> following
>> servicePrincipalName:
>> HOST/DC
>> HOST/dc.samdom.local
>> GC/dc.samdom.local/samdom.local
>> E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
>> HOST/dc.samdom.local/SAMDOM
>> ldap/dc.samdom.local/SAMDOM
>> ldap/dc.samdom.local
>> HOST/dc.samdom.local/samdom.local
>> ldap/dc.samdom.local/samdom.local
>> ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
>> ldap/DC
>> RestrictedKrbHost/DC
>> RestrictedKrbHost/dc.samdom.local
>> ldap/dc.samdom.local/DomainDnsZones.samdom.local
>> ldap/dc.samdom.local/ForestDnsZones.samdom.local
>>
>> What is wrong in my case?
> Thanks for your mail and I'm sorry for this regression. I should have
> called out this behaviour change more strongly in our release notes, or
> at least put a better DEBUG message on it.
>
> In this commit:
>
> commit 4888e198110a811a1815e2fdffc7562fe979f477
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Mon Oct 4 15:18:34 2021 +1300
>
> CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
> (ending in our domain/realm) unless a DC
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
>
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>
> We restricted 3-part SPNs to DCs. This is what the rule was always
> meant to be, but there are codepaths where this wasn't enforced. For
> various reasons it was simplest to enforce the rule at read time on the
> KDC.
>
> Can you check:
> - the userAccountControl on your DC
> - your compiler. I'm wondering if this is some FreeBSD-only thing
> given that the tests passed on linux, perhaps around that boolean logic
> or 'bool' variable type?
>
> If you do a full developer build, does make test
> TESTS="samba.tests.krb5.spn_tests" fail?
>
> Thanks,
>
> Andrew Bartlett
>
Ok.
I checked the ldap base, and for my DC$ account
userAccountControl=69632
After the update I don't see any changes here.
I use samba built from sources on my server and use the latest versions
of all other software from the FreeBSD ports tree.
I see that for samba 4.13.14 I have a built spn_tests.py file. How
should I run this script?
I have not tried the solution from the other reply about "min domain uid" this
time, but I can do it next.
Also I have the full build log and some working logs of samba 4.13.14.
Thanks,
Nikita Druba
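As an added example (not code from this thread or from Samba), the following Python script decodes the userAccountControl value reported above and checks each of the DC's listed SPNs against the rule in the quoted commit: a 3-part SPN ending in the domain/realm is honoured only for a DC. The flag bit values are the standard AD userAccountControl flags. Two things are this script's assumptions rather than a reading of Samba's source: that the KDC's "is a DC" test keys on SERVER_TRUST_ACCOUNT (or PARTIAL_SECRETS_ACCOUNT for an RODC), and that "ending in our domain/realm" means the third SPN component equals the DNS realm or the NetBIOS domain name. The SPN list and the value 69632 are copied from the messages above; the realm names samdom.local / SAMDOM are taken from that list.

```python
"""Decode userAccountControl and audit SPNs against the 3-part-SPN rule.

Added example, not code from the thread or from Samba.  The bit values are
the standard AD userAccountControl flags; the DC test and the "ends in our
realm" match are assumptions about the rule described in the quoted commit.
"""
from typing import Dict, List, Optional, Tuple

# Standard Active Directory userAccountControl bits (subset that matters here
# plus the common ones), in ascending bit order.
UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_dc_account(uac: int) -> bool:
    """ASSUMPTION: a DC is a SERVER_TRUST_ACCOUNT (writable DC) or a
    PARTIAL_SECRETS_ACCOUNT (RODC).  A WORKSTATION_TRUST_ACCOUNT is not."""
    dc_bits = UAC_FLAGS["SERVER_TRUST_ACCOUNT"] | UAC_FLAGS["PARTIAL_SECRETS_ACCOUNT"]
    return bool(uac & dc_bits)


def spn_parts(spn: str) -> Tuple[str, str, Optional[str]]:
    """Split 'class/host[/name]'; the third component is None for a 2-part SPN."""
    parts = spn.split("/")
    if len(parts) == 2:
        return parts[0], parts[1], None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"not a 2- or 3-part SPN: {spn!r}")


def ends_in_realm(spn: str, realm: str, netbios: str) -> bool:
    """ASSUMPTION: 'ending in our domain/realm' means the third component equals
    the DNS realm or the NetBIOS domain name, compared case-insensitively."""
    _, _, name = spn_parts(spn)
    return name is not None and name.lower() in (realm.lower(), netbios.lower())


def kdc_would_reject(spn: str, uac: int, realm: str, netbios: str) -> bool:
    """True if, under the assumed rule, the KDC refuses a ticket for this SPN
    because it is a 3-part SPN ending in the realm and the account is not a DC."""
    return ends_in_realm(spn, realm, netbios) and not is_dc_account(uac)


def audit(spns: List[str], uac: int, realm: str, netbios: str) -> List[str]:
    """Return the SPNs of an account that the assumed rule would reject."""
    return [s for s in spns if kdc_would_reject(s, uac, realm, netbios)]


# Copied from the thread: the DC's registered SPNs and its userAccountControl.
DC_SPNS = [
    "HOST/DC",
    "HOST/dc.samdom.local",
    "GC/dc.samdom.local/samdom.local",
    "E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local",
    "HOST/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local",
    "HOST/dc.samdom.local/samdom.local",
    "ldap/dc.samdom.local/samdom.local",
    "ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local",
    "ldap/DC",
    "RestrictedKrbHost/DC",
    "RestrictedKrbHost/dc.samdom.local",
    "ldap/dc.samdom.local/DomainDnsZones.samdom.local",
    "ldap/dc.samdom.local/ForestDnsZones.samdom.local",
]
DC_UAC = 69632

if __name__ == "__main__":
    print(f"userAccountControl={DC_UAC} -> {' | '.join(decode_uac(DC_UAC))}")
    print(f"treated as DC: {is_dc_account(DC_UAC)}")
    for spn in audit(DC_SPNS, DC_UAC, "samdom.local", "SAMDOM"):
        print(f"would be rejected: {spn}")
```

Running it shows that 69632 is 0x11000, i.e. WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD, with no SERVER_TRUST_ACCOUNT bit; a writable DC object normally carries SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (532480). Under the assumed rule, every 3-part SPN ending in the realm, including the LDAP/dc.samdom.local/samdom.local principal named in the quoted log line, is rejected for the first value and accepted for the second, so the userAccountControl check Andrew asks for is the one worth comparing against a known-good DC before chasing the compiler theory.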