Security problem? ads_sasl_spnego_gensec_bind(KRB5) failed
Stefan Metzmacher
metze at samba.org
Wed Apr 20 20:43:31 UTC 2016
Hi Thomas,
can you please file a bug report?
I need level 10 log together with a network capture,
See https://wiki.samba.org/index.php/Capture_Packets
(we need all traffic from all ports)
Thanks!
metze
On 20.04.2016 at 19:36, Thomas Schulz wrote:
>> I wonder if the following indicates a reduction in security with
>> Samba 4.4.2, or is it just an unimportant warning.
>>
>>> Testing Samba 4.4.2 as a file server running on Solaris 10 i386
>>> with a Windows Server 2000 computer as the DC.
>>>
>>> Upon startup the smb.log contains the following:
>>>
>>> [2016/04/15 10:08:09.738117, 0] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
>>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
>>> [2016/04/15 10:08:09.738732, 0] ../source3/printing/nt_printing.c:187(nt_printing_init)
>>> nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
>>>
>>>
>>> These messages do not show up with 4.4.0.
>
> A section of a debug level 10 log:
>
> [2016/04/20 13:13:56.743529, 3, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:907(gensec_register)
> GENSEC backend 'fake_gssapi_krb5' registered
> [2016/04/20 13:13:56.743943, 5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
> Starting GENSEC mechanism spnego
> [2016/04/20 13:13:56.744019, 5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
> Starting GENSEC submechanism gse_krb5
> [2016/04/20 13:13:56.779593, 5, pid=27195, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:265(gse_init_client)
> gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
> [2016/04/20 13:13:56.779738, 4, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:687(gensec_start_mech)
> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> [2016/04/20 13:13:56.780824, 1, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> [2016/04/20 13:13:56.780925, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:752(ads_sasl_spnego_bind)
> ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
> [2016/04/20 13:13:56.788411, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:217(kerberos_kinit_password_ext)
> kerberos_kinit_password: as MACKEREL$@ADI.COM using [MEMORY:prtpub_cache] as ccache and config [/var/samba/locks/%h/smb_krb5/krb5.conf.ADI]
> [2016/04/20 13:13:56.796453, 5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
> Starting GENSEC mechanism spnego
> [2016/04/20 13:13:56.796506, 5, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
> Starting GENSEC submechanism gse_krb5
> [2016/04/20 13:13:56.806980, 2, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:1179(gensec_spnego_update)
> GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
> [2016/04/20 13:13:56.807283, 0, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
> [2016/04/20 13:13:56.811445, 3, pid=27195, effective(0, 0), real(0, 0)] ../source3/printing/nt_printing_ads.c:648(check_published_printers)
> ads_connect failed: Unexpected information received
>
>
>>> The output to testparm is:
>>>
>>> # Global parameters
>>> [global]
>>> realm = ADI.COM
>>> server string =
>>> workgroup = ADI
>>> client ldap sasl wrapping = plain
>>> log file = /opt/local/samba4/var/logs/%h/log.%m
>>> max log size = 1500
>>> lock directory = /var/samba/locks/%h
>>> pid directory = /var/samba/locks/%h
>>> load printers = No
>>> printcap name = /etc/printers.samba
>>> name resolve order = bcast host
>>> unix extensions = No
>>> client NTLMv2 auth = No
>>> client signing = if_required
>>> guest account = nobody2
>>> security = ADS
>>> require strong key = No
>>> winbind sealed pipes = No
>>> dns proxy = No
>>> idmap config * : backend = tdb
>>> delete readonly = Yes
>>> dos filemode = Yes
>>> include = /opt/local/samba4/etc/smb.conf.mackerel
>>> wide links = Yes
>>> printing = sysv
>>> msdfs root = Yes
>>
>> Just for testing I added the following parameters to see if they had
>> any effect on the above messages. There was no change.
>>
>> ldap server require strong auth = No
>> client use spnego = No
>> use spnego = No
>> client ipc signing = No
>> client lanman auth = Yes
>> lanman auth = Yes
>> raw NTLMv2 auth = Yes
>> server signing = if_required
>> tls verify peer = no_check
>
>
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
>
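The failure chain in the quoted debug log, and the testparm settings that bear on it, as an added example that is not part of this thread or of Samba's own code: a small Python parser for Samba's debug log header format (the `[timestamp, level, pid=..., effective(...), real(...)] file:line(function)` line followed by the message on the next line), a lookup of the GENSEC/SPNEGO failure steps visible in the log above, and an audit of a few smb.conf parameters whose values reduce client-side protection on the LDAP and SMB connections. The sample log and config excerpts are constructed from the lines quoted in the thread; the tag names, the `diagnose_sasl_bind` summary strings and the "stronger value" column are assumptions of this example, not Samba terminology.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the level-10 excerpt from the thread, in the layout
# Samba writes (header line, message indented on the following line).
SAMPLE_LOG = """\
[2016/04/20 13:13:56.779593, 5, pid=27195, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:265(gse_init_client)
  gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/04/20 13:13:56.779738, 4, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:687(gensec_start_mech)
  Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/04/20 13:13:56.780824, 1, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2016/04/20 13:13:56.780925, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:752(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
[2016/04/20 13:13:56.788411, 10, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:217(kerberos_kinit_password_ext)
  kerberos_kinit_password: as MACKEREL$@ADI.COM using [MEMORY:prtpub_cache] as ccache and config [/var/samba/locks/%h/smb_krb5/krb5.conf.ADI]
[2016/04/20 13:13:56.806980, 2, pid=27195, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:1179(gensec_spnego_update)
  GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
[2016/04/20 13:13:56.807283, 0, pid=27195, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
"""

# Constructed sample: a subset of the testparm output quoted in the thread.
SAMPLE_TESTPARM = """\
# Global parameters
[global]
\trealm = ADI.COM
\tclient ldap sasl wrapping = plain
\tclient NTLMv2 auth = No
\tclient signing = if_required
\tsecurity = ADS
\trequire strong key = No
\tidmap config * : backend = tdb
"""

# The pid/effective/real fields are absent in the level-0 lines quoted at the
# top of the thread, so they are optional here.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)"
    r"(?:, pid=(?P<pid>\d+))?"
    r"(?:, effective\(\d+, \d+\))?"
    r"(?:, real\(\d+, \d+\))?"
    r"\] (?P<src>[^\s:]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)


def parse_samba_log(text: str) -> List[Dict[str, object]]:
    """Group a Samba debug log into (header, message) entries."""
    entries: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m.group("ts"), "level": int(m.group("level")),
                       "pid": m.group("pid"), "src": m.group("src"),
                       "func": m.group("func"), "message": ""}
            entries.append(current)
        elif current is not None and line:
            # Continuation lines belong to the most recent header.
            current["message"] = (str(current["message"]) + " " + line).strip()
    return entries


# Steps of the failure chain seen in the thread: (logging function, message
# substring, tag). The tags are this example's names, not Samba's.
CHAIN: List[Tuple[str, str, str]] = [
    ("gse_init_client", "gss_acquire_creds failed", "no_gss_creds"),
    ("gensec_start_mech", "Failed to start GENSEC client mech gse_krb5", "gse_krb5_start_failed"),
    ("gensec_spnego_create_negTokenInit", "Failed to setup SPNEGO negTokenInit", "negtokeninit_failed"),
    ("ads_sasl_spnego_bind", "calling kinit", "kinit_fallback"),
    ("kerberos_kinit_password_ext", "kerberos_kinit_password:", "kinit_attempt"),
    ("gensec_spnego_update", "failed to verify mechListMIC", "mechlistmic_failed"),
    ("ads_sasl_spnego_bind", "kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed", "bind_failed_after_kinit"),
]


def diagnose_sasl_bind(entries: List[Dict[str, object]]) -> Dict[str, str]:
    """Map each chain step found in the log to the timestamp of its first hit."""
    found: Dict[str, str] = {}
    for e in entries:
        for func, needle, tag in CHAIN:
            if e["func"] == func and needle in str(e["message"]) and tag not in found:
                found[tag] = str(e["ts"])
    return found


def summarize(found: Dict[str, str]) -> str:
    """Explain where the bind broke: before credentials existed, or after kinit."""
    if "kinit_attempt" in found and "mechlistmic_failed" in found:
        return "kinit succeeded; SPNEGO mechListMIC verification failed (NT_STATUS_INVALID_PARAMETER)"
    if "gse_krb5_start_failed" in found:
        return "gse_krb5 could not start: no Kerberos credentials in the ccache"
    if "bind_failed_after_kinit" in found:
        return "SASL bind failed after kinit"
    return "no GENSEC failure chain found"


# smb.conf values that weaken client-side protection, with a stronger value.
WEAK_SETTINGS = {
    "client ldap sasl wrapping": ({"plain"}, "sign or seal"),
    "client ntlmv2 auth": ({"no"}, "yes"),
    "require strong key": ({"no"}, "yes"),
    "lanman auth": ({"yes"}, "no"),
    "client lanman auth": ({"yes"}, "no"),
    "client use spnego": ({"no"}, "yes"),
}


def audit_testparm(text: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, value, stronger value) for weak settings in testparm output."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if key in WEAK_SETTINGS and value in WEAK_SETTINGS[key][0]:
            findings.append((key, value, WEAK_SETTINGS[key][1]))
    return findings


if __name__ == "__main__":
    steps = diagnose_sasl_bind(parse_samba_log(SAMPLE_LOG))
    print(summarize(steps))
    for key, value, better in audit_testparm(SAMPLE_TESTPARM):
        print(f"{key} = {value}  (stronger: {better})")
```

Run against a real level-10 log by feeding the file contents to `parse_samba_log`; the quoting prefix (`> `) from a mail client must be stripped first, since the header regex anchors at the start of the line. The audit deliberately lists only parameters whose weaker value is unambiguous; `client signing = if_required` is left for a human to judge against what the DC enforces.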