I wanted to verify whether my users have a PAC, and it seems they don't:

# net ads kerberos pac dump --option='realm = MYDOMAIN.LOC' --option='kerberos method = system keytab' -s /dev/null local_service=host/[email protected] -U me
Enter me's password:
../../source3/libads/authdata.c:300: Type mismatch: name[NULL] expected[struct PAC_DATA_CTR]
PANIC (pid 27062): ../../source3/libads/authdata.c:300: Type mismatch: name[NULL] expected[struct PAC_DATA_CTR]

I ran ipa-adtrust-install in the past, so I expected SIDs (and a PAC) to be present. It seems that's not true?

# grep ipa-adtrust-install /var/log/ipaserver-install.log | grep success
2019-02-08T15:09:08Z INFO The ipa-adtrust-install command was successful

Thu, 30 Dec 2021 at 16:11, Konstantin M. Khankin <[email protected]>:
> Hello!
>
> I have several SMB shares served by Samba using Kerberos accounts managed
> by FreeIPA. I have no AD integration and no AD itself. Windows clients are
> configured using this guide:
> <https://www.freeipa.org/page/Windows_authentication_against_FreeIPA>
> Linux clients use ipa-client and "smbclient -k". Servers and Linux
> clients run CentOS 7.
>
> Today I received updates for the ipa-* (to 4.6.8-5.el7.centos.*10* from
> 4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from
> 4.10.16-*15*.el7_9) packages, and authentication broke: no clients can
> connect to the shares anymore. Here are the logs from a Linux client:
>
> $ klist
> Ticket cache: KEYRING:persistent:1696200001:1696200001
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 12/30/2021 18:04:03  12/31/2021 18:03:46  cifs/[email protected]
> 12/30/2021 18:04:02  12/31/2021 18:03:46  nfs/[email protected]
> 12/30/2021 18:03:49  12/31/2021 18:03:46  krbtgt/[email protected]
>
> $ smbclient -k -L //samba.server.mydomain.loc
> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>
> Server logs:
>
> *log.smbd:*
> [2021/12/30 19:03:23.597495, 2] ../../source3/lib/smbldap.c:847(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> [2021/12/30 19:03:23.695598, 3] ../../source3/lib/smbldap.c:1069(smbldap_connect_system)
>   ldap_connect_system: successful connection to the LDAP server
> [2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam)
>   pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain mydomain.loc
> [2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access)
>   Allowed connection from 192.168.10.1 (192.168.10.1)
>
> *log.192.168.10.1:*
> ...
> [2021/12/30 19:05:22.458992, 3] ../../source3/smbd/negprot.c:776(reply_negprot)
>   Selected protocol SMB 2.???
> [2021/12/30 19:05:22.459495, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
>   Selected protocol SMB3_11
> [2021/12/30 19:05:22.524677, 3] ../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
>   gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> [2021/12/30 19:05:22.524750, 1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>   gensec_generate_session_info_pac: Unable to find PAC in ticket from [email protected], failing to allow access
> [2021/12/30 19:05:22.524784, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at ../../source3/smbd/smb2_sesssetup.c:146
> [2021/12/30 19:05:22.525565, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> Googling, source-digging and "log level = 5" were not helpful. However, I
> find the changelogs somewhat interesting:
>
> $ rpm -q --changelog ipa-server | head
> * Thu Dec 16 2021 CentOS Sources <[email protected]> - 4.6.8-5.el7.centos.10
> - Roll in CentOS Branding
>
> * Thu Dec 02 2021 Florence Blanc-Renaud <[email protected]> - 4.6.8-5.el7_9.10
> - Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup against a RHEL 7.9 IPA server
> - Fix cert_request for KDC cert
> - Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not always rely on the SID and PAC in Kerberos tickets*
> - SMB: switch IPA domain controller role
>
> $ rpm -q --changelog samba | head
> * Mon Nov 15 2021 Andreas Schneider <[email protected]> - 4.10.16-17
> - related: #2019673 - *Add missing checks for IPA DC server role*
>
> * Mon Nov 08 2021 Andreas Schneider <[email protected]> - 4.10.16-16
> - resolves: #2019661 - Fix CVE-2016-2124
> - resolves: #2019673 - Fix CVE-2020-25717
> - resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl*
>
> Unfortunately I don't have access to the mentioned bugs in Bugzilla. Maybe
> someone knows if I need to do something after upgrading these packages?
>
> Rolling back the samba packages is undesirable, given that the Samba
> sources mention this is unsafe.
>
> Thanks!
>
> --
> Konstantin Khankin

--
Konstantin Khankin
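The smbd records quoted in the thread form a fixed chain when a Kerberos session setup fails for lack of a PAC: gssapi_obtain_pac_blob reports that gss_get_name_attribute returned nothing, gensec_generate_session_info_pac logs "Unable to find PAC in ticket from <principal>", and smbd_smb2_request_error_ex then fails the session setup with NT_STATUS_NO_IMPERSONATION_TOKEN. The script below is an added example, not code from the thread or from the Samba or FreeIPA projects. It parses smbd's two-line log record layout (header line with timestamp, level and function, followed by indented message lines), correlates that chain per session setup, and reports which principals were rejected for a missing PAC while ignoring session-setup errors with other causes. The sample log is constructed from the excerpt in the post; the principal alice@MYDOMAIN.LOC is a placeholder.

```python
"""Triage smbd logs for Kerberos session setups rejected because the service
ticket carried no PAC (the gssapi_obtain_pac_blob / gensec_generate_session_info_pac
/ NT_STATUS_NO_IMPERSONATION_TOKEN chain).

Added example; assumes smbd's record layout at "log level" >= 1:
    [YYYY/MM/DD HH:MM:SS.ffffff, N] path/file.c:LINE(function)
      message text (possibly wrapped over several indented lines)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
NO_PAC_RE = re.compile(r"Unable to find PAC in ticket from (?P<principal>\S+?),")
STATUS_RE = re.compile(r"status\[(?P<status>NT_STATUS_[A-Z_]+)\]")


@dataclass
class Record:
    ts: str
    level: int
    func: str
    message: str


@dataclass
class Finding:
    ts: str
    principal: str
    status: str
    gssapi_error: Optional[str]  # text after "failed:" in gssapi_obtain_pac_blob, if seen


def parse_records(text: str) -> list[Record]:
    """Group header + continuation lines into Record objects."""
    records: list[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            current = Record(m["ts"], int(m["level"]), m["func"], "")
            records.append(current)
        elif current is not None and raw.strip():
            # Wrapped message lines are joined with a single space.
            current.message = (current.message + " " + raw.strip()).strip()
    return records


def find_missing_pac(records: list[Record]) -> list[Finding]:
    """Emit one Finding per session setup that failed after a 'no PAC' diagnostic.

    State is reset at every smbd_smb2_request_error_ex so that an error with a
    different cause (no preceding PAC messages) is not reported.
    """
    findings: list[Finding] = []
    gssapi_error: Optional[str] = None
    principal: Optional[str] = None
    principal_ts: Optional[str] = None
    for rec in records:
        if rec.func == "gssapi_obtain_pac_blob" and "failed:" in rec.message:
            gssapi_error = rec.message.split("failed:", 1)[1].strip()
        elif rec.func == "gensec_generate_session_info_pac":
            m = NO_PAC_RE.search(rec.message)
            if m:
                principal, principal_ts = m["principal"], rec.ts
        elif rec.func == "smbd_smb2_request_error_ex":
            m = STATUS_RE.search(rec.message)
            if m and principal is not None and principal_ts is not None:
                findings.append(Finding(principal_ts, principal, m["status"], gssapi_error))
            gssapi_error = principal = principal_ts = None
    return findings


def triage(text: str) -> list[Finding]:
    return find_missing_pac(parse_records(text))


# Constructed sample, modelled on the log.192.168.10.1 excerpt in the thread.
# The second error block has no PAC diagnostics and must not be reported.
SAMPLE_LOG = """\
[2021/12/30 19:05:22.459495, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2021/12/30 19:05:22.524677, 3] ../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such
  file or directory
[2021/12/30 19:05:22.524750, 1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC in ticket from alice@MYDOMAIN.LOC, failing to allow access
[2021/12/30 19:05:22.524784, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/30 19:05:22.525565, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
[2021/12/30 19:07:01.100000, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.principal}: session setup failed with {f.status}; "
              f"PAC lookup error: {f.gssapi_error}")
```

Point it at a real per-client log (`python3 triage.py < /var/log/samba/log.192.168.10.1` after swapping SAMPLE_LOG for `sys.stdin.read()`) to see every principal whose tickets were rejected for a missing PAC, rather than grepping for NT_STATUS_NO_IMPERSONATION_TOKEN alone, which also matches failures unrelated to the PAC.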
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
