[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
Andrew Bartlett
abartlet at samba.org
Wed Nov 17 09:27:51 UTC 2021
On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
> 16.11.2021 18:36, Andrew Bartlett wrote:
> > On Tue, 2021-11-16 at 12:18 +0100, Nikita Druba via samba wrote:
> > > Hi!
> > >
> > > I use FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine for many
> > > years, but after the update to version 4.13.14, I have some trouble
> > > issuing kerberos tickets for the ldap service at my DC. When I
> > > downgrade samba back, all works fine again.
> > >
> > > Some strings from log.samba:
> > >
> > > Kerberos: samba_kdc_fetch: message2entry failed
> > > [2021/11/16 09:22:47.367864, 3]
> > > Kerberos: Server not found in database:
> > > LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found
> > > in hdb
> > >
> > > When I check SPNs for my DC:
> > >
> > > # samba-tool spn list dc$
> > > dc$
> > > User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following
> > > servicePrincipalName:
> > > HOST/DC
> > > HOST/dc.samdom.local
> > > GC/dc.samdom.local/samdom.local
> > > E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
> > > HOST/dc.samdom.local/SAMDOM
> > > ldap/dc.samdom.local/SAMDOM
> > > ldap/dc.samdom.local
> > > HOST/dc.samdom.local/samdom.local
> > > ldap/dc.samdom.local/samdom.local
> > > ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
> > > ldap/DC
> > > RestrictedKrbHost/DC
> > > RestrictedKrbHost/dc.samdom.local
> > > ldap/dc.samdom.local/DomainDnsZones.samdom.local
> > > ldap/dc.samdom.local/ForestDnsZones.samdom.local
> > >
> > > What is wrong in my case?
> > Thanks for your mail and I'm sorry for this regression. I should have
> > called out this behaviour change more strongly in our release notes, or
> > at least put a better DEBUG message on it.
> >
> > In this commit:
> >
> > commit 4888e198110a811a1815e2fdffc7562fe979f477
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date: Mon Oct 4 15:18:34 2021 +1300
> >
> > CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN
> > (ending in our domain/realm) unless a DC
> >
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
> >
> > Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> > Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
> >
> > We restricted 3-part SPNs to DCs. This is what the rule was always
> > meant to be, but there are codepaths where this wasn't enforced. For
> > various reasons it was simplest to enforce the rule at read time on
> > the KDC.
> >
> > Can you check:
> > - the userAccountControl on your DC
> > - your compiler. I'm wondering if this is some FreeBSD-only thing
> >   given that the tests passed on linux, perhaps around that boolean
> >   logic or 'bool' variable type?
> >
> > If you do a full developer build, does
> > make test TESTS="samba.tests.krb5.spn_tests" fail?
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> Ok.
>
> I checked ldap base and for my DC$ account
>
> userAccountControl=69632
This is your issue. Have you perhaps joined a FreeNAS server to your
DC at some point? It had a very confusing GUI that encouraged you to
wipe out the DC account.

This userAccountControl is UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD
and is therefore not a real Domain Controller.
> After the update I don't see any changes here.
>
> I use samba built from source on my server, and the latest versions
> of all other software from the FreeBSD ports tree.
> I see that for samba 4.13.14 I have built the spn_tests.py file. How
> should I run this script?
./configure.developer
make -j
make test TESTS="samba.tests.krb5.spn_tests"
> I have not tried the suggestion from the other reply about "min domain uid"
> this time, but I can do it next time.
This isn't relevant. This is a totally different part of the codebase.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
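To put Andrew's diagnosis in a checkable form, here is an added Python example (written for this page, not taken from the thread or from Samba's source): it decodes the reported userAccountControl value and lists which of the DC's 3-part SPNs the 4.13.14 KDC will refuse when the account is not a DC. The DC test (UF_SERVER_TRUST_ACCOUNT) and the suffix match against the DNS and NetBIOS domain names are assumptions about how the Samba check behaves, not copied from its code.

```python
# Added example (not Samba code): decode userAccountControl and list the
# 3-part SPNs the post-CVE-2020-25722 KDC refuses for a non-DC account.
# Flag values are the standard MS-ADTS userAccountControl bits.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000  # set on a writable DC
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UAC_FLAGS = {
    "UF_WORKSTATION_TRUST_ACCOUNT": UF_WORKSTATION_TRUST_ACCOUNT,
    "UF_SERVER_TRUST_ACCOUNT": UF_SERVER_TRUST_ACCOUNT,
    "UF_DONT_EXPIRE_PASSWD": UF_DONT_EXPIRE_PASSWD,
    "UF_TRUSTED_FOR_DELEGATION": UF_TRUSTED_FOR_DELEGATION,
}
# Constructed from the "samba-tool spn list dc$" output in the thread.
SAMPLE_SPNS = [
    "HOST/DC",
    "HOST/dc.samdom.local",
    "GC/dc.samdom.local/samdom.local",
    "HOST/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local/SAMDOM",
    "ldap/dc.samdom.local",
    "ldap/dc.samdom.local/samdom.local",
    "ldap/dc.samdom.local/DomainDnsZones.samdom.local",
]

def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]

def is_dc(uac):
    """Assumption: the KDC's 'is a DC' test is UF_SERVER_TRUST_ACCOUNT."""
    return bool(uac & UF_SERVER_TRUST_ACCOUNT)

def rejected_spns(uac, spns, dns_domain, netbios_domain):
    """3-part SPNs ending in our domain (DNS or NetBIOS name); a non-DC
    account gets 'Server not found in database' for these."""
    if is_dc(uac):
        return []
    suffixes = {dns_domain.lower(), netbios_domain.lower()}
    return [s for s in spns
            if s.count("/") == 2 and s.rsplit("/", 1)[1].lower() in suffixes]

if __name__ == "__main__":
    uac = 69632  # value reported for dc$ in the thread
    print(uac, "=", " | ".join(decode_uac(uac)), "-> is DC:", is_dc(uac))
    for spn in rejected_spns(uac, SAMPLE_SPNS, "samdom.local", "SAMDOM"):
        print("KDC will refuse:", spn)
```

A healthy writable DC typically carries 0x82000 (UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION), for which the same function returns an empty list.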