Incorrect IDL for supplementalCredentialsBlob (was: Re: [Samba] Samba4 KDC - no such entry found in hdb)

Andrew Bartlett abartlet at samba.org
Mon Oct 1 15:08:52 MDT 2012


On Mon, 2012-10-01 at 11:48 +0400, Dmitry Khromov wrote:
> On Mon, 1 Oct 2012 10:43:59 +0400
> Dmitry Khromov <icechrome at gmail.com> wrote:
> 
> > Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. At least 6 accounts behave like this:
> > Kerberos: AS-REQ techgroup at KLIN.KIFATO-MK.COM from ipv4:192.168.1.31:33822 for krbtgt/KLIN.KIFATO-MK.COM at KLIN.KIFATO-MK.COM
> ...
> > Kerberos: UNKNOWN -- techgroup at KLIN.KIFATO-MK.COM: no such entry found in hdb
> 
> This disappears once you reset the password on Windows DC, however not on Samba DC:
> $ bin/samba-tool user setpassword dummyuser --newpassword=password --URL=ldap://sambadc -U someadminuser%someadminpassword # We hadn't reset password on Windows DC yet
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> ERROR: Failed to set password for user 'dummyuser': (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: setup_supplemental_field: failed to pull old supplementalCredentialsBlob: NT_STATUS_BUFFER_TOO_SMALL> <>')
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/user.py", line 547, in run
>     username=username)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 459, in setpassword
>     self.modify_ldif(setpw)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 235, in modify_ldif
>     self.modify(msg, controls)
> 
> Resetting password on Windows DC enables samba-tool to reset password for this account on Samba DC, too.
> Somewhat broken DB on Windows? Any suggestions on how to fix such accounts in order to be able to reset passwords when Windows DC will be demoted?

Do you have any hints on how the password on these accounts was set in
the first place?

What is clearly happening here is that we cannot parse the
supplementalCredentials attribute, which holds the user's password (in
various forms needed for Kerberos).  That in turn gives this error, and
is almost certainly why the KDC is also failing.

The challenge is that without a copy of this attribute, or a way to
reproduce it, we cannot easily fix the IDL.  If you could send us this
attribute for a user whose password isn't sensitive (i.e., who has changed
it and not used it elsewhere), it would be very helpful.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
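An added example, not Samba's code and not from the thread above: a minimal Python parser for the outer USER_PROPERTIES / USER_PROPERTY framing of the supplementalCredentials attribute (layout as documented in MS-SAMR, which is an assumption here rather than something the thread states), so an administrator can check which accounts carry a blob that does not parse and report only the package names present. The package values, which hold the key material, are skipped, and the blob builder with its dummy values is constructed test data.

```python
import struct

PREFIX_LEN = 96   # 48 UTF-16LE spaces: Reserved4 in MS-SAMR USER_PROPERTIES
SIGNATURE = 0x50  # PropertySignature, the letter 'P'

class BlobTooSmall(ValueError):
    """Blob ends before a declared field: the NT_STATUS_BUFFER_TOO_SMALL case."""

def _take(buf, off, n, what):
    if off + n > len(buf):
        raise BlobTooSmall("need %d bytes for %s at offset %d, have %d"
                           % (n, what, off, len(buf) - off))
    return buf[off:off + n], off + n

def package_names(blob):
    """Walk the USER_PROPERTIES framing and return the package names.
    PropertyValue fields (hex-encoded key material) are skipped, not decoded."""
    hdr, off = _take(blob, 0, 12, "USER_PROPERTIES header")
    _reserved1, sub_len, _reserved23 = struct.unpack("<III", hdr)
    sub, off = _take(blob, off, sub_len, "property sub-blob")
    _take(blob, off, 1, "Reserved5 trailer byte")
    _prefix, pos = _take(sub, 0, PREFIX_LEN, "Reserved4 prefix")
    sig_cnt, pos = _take(sub, pos, 4, "signature/count")
    signature, count = struct.unpack("<HH", sig_cnt)
    if signature != SIGNATURE:
        raise ValueError("bad PropertySignature 0x%04x" % signature)
    names = []
    for i in range(count):
        head, pos = _take(sub, pos, 6, "USER_PROPERTY %d header" % i)
        name_len, value_len, _reserved = struct.unpack("<HHH", head)
        name, pos = _take(sub, pos, name_len, "USER_PROPERTY %d name" % i)
        _value, pos = _take(sub, pos, value_len, "USER_PROPERTY %d value" % i)
        names.append(name.decode("utf-16-le"))
    return names

def check_blob(blob):
    """Diagnostic wrapper: (True, names) if the blob parses, else (False, reason)."""
    try:
        return True, package_names(blob)
    except ValueError as e:  # BlobTooSmall is a ValueError too
        return False, str(e)

def build_blob(packages):
    """Constructed test data in the same layout; values are dummy hex, not real keys."""
    body = b""
    for name, value in packages:
        n, v = name.encode("utf-16-le"), value.encode("ascii")
        body += struct.pack("<HHH", len(n), len(v), 0) + n + v
    sub = " ".encode("utf-16-le") * 48 + struct.pack("<HH", SIGNATURE, len(packages)) + body
    return struct.pack("<III", 0, len(sub), 0) + sub + b"\x00"
```

Feed it the raw bytes of a user's supplementalCredentials attribute read over LDAP; a (False, reason) result names the field at which the blob runs short, which is the same condition the IDL pull in the error above hits.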
