Thanks for your help Alexander! Turns out my exact problem was this <https://narkive.com/rCnXSfSy.6>.
> Anyway, the scenario you are running is not supported by FreeIPA team. Could you please educate me which scenario is supported? Or is it not supported only because of RHEL 7 / CentOS 7? Happy New Year! :) чт, 30 дек. 2021 г. в 20:03, Alexander Bokovoy <[email protected]>: > On to, 30 joulu 2021, Konstantin M. Khankin via FreeIPA-users wrote: > >Hello! > > > >I have several SMB shares served by Samba using Kerberos accounts managed > >by FreeIPA. I have no AD integrations and no AD itself. Windows clients > are > >configured using this > ><https://www.freeipa.org/page/Windows_authentication_against_FreeIPA> > >guide, linux clients use ipa-client and "smbclient -k". Servers and linux > >clients use CentOS 7. > > This method is not supported, as stated multiple times on this very > least for the past several years. > > > > >Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from > >4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from > >4.10.16-*15*.el7_9) > >packages and authentication broke, no clients can connect to shares > >anymore. Here are logs from linux client: > > > >$ klist > >Ticket cache: KEYRING:persistent:1696200001:1696200001 > >Default principal: [email protected] > > > >Valid starting Expires Service principal > >12/30/2021 18:04:03 12/31/2021 18:03:46 > > cifs/[email protected] > >12/30/2021 18:04:02 12/31/2021 18:03:46 > > nfs/[email protected] > >12/30/2021 18:03:49 12/31/2021 18:03:46 krbtgt/[email protected] > > > >$ smbclient -k -L //samba.server.mydomain.loc > >session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN > > > >Server logs: > > > >*log.smbd:* > >[2021/12/30 19:03:23.597495, 2] > >../../source3/lib/smbldap.c:847(smbldap_open_connection) > > smbldap_open_connection: connection opened > >[2021/12/30 19:03:23.695598, 3] > >../../source3/lib/smbldap.c:1069(smbldap_connect_system) > > ldap_connect_system: successful connection to the LDAP server > >[2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam) > > pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain > >mydomain.loc > >[2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access) > > Allowed connection from 192.168.10.1 (192.168.10.1) > > > >*log.192.168.10.1:* > >... > >[2021/12/30 19:05:22.458992, 3] > >../../source3/smbd/negprot.c:776(reply_negprot) > > Selected protocol SMB 2.??? > >[2021/12/30 19:05:22.459495, 3] > >../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot) > > Selected protocol SMB3_11 > >[2021/12/30 19:05:22.524677, 3] > >../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob) > > gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute > >failed: The operation or option is not available or unsupported: No such > >file or directory > >[2021/12/30 19:05:22.524750, 1] > >../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac) > > gensec_generate_session_info_pac: Unable to find PAC in ticket from > >[email protected], failing to allow access > >[2021/12/30 19:05:22.524784, 3] > >../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex) > > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] > >status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at > >../../source3/smbd/smb2_sesssetup.c:146 > >[2021/12/30 19:05:22.525565, 3] > >../../source3/smbd/server_exit.c:236(exit_server_common) > > Server exit (NT_STATUS_END_OF_FILE) > > > >Googling, source-digging and "log level = 5" were not helpful. However, I > >find changelogs somewhat interesting: > > > >$ rpm -q --changelog ipa-server | head > >* Thu Dec 16 2021 CentOS Sources <[email protected]> - > 4.6.8-5.el7.centos.10 > >- Roll in CentOS Branding > > > >* Thu Dec 02 2021 Florence Blanc-Renaud <[email protected]> - > >4.6.8-5.el7_9.10 > >- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT > setup > >against a RHEL 7.9 IPA server > > - Fix cert_request for KDC cert > >- Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not > >always rely on the SID and PAC in Kerberos tickets* > > - SMB: switch IPA domain controller role > > > >$ rpm -q --changelog samba | head > >* Mon Nov 15 2021 Andreas Schneider <[email protected]> - 4.10.16-17 > >- related: #2019673 - *Add missing checks for IPA DC server role* > > > >* Mon Nov 08 2021 Andreas Schneider <[email protected]> - 4.10.16-16 > >- resolves: #2019661 - Fix CVE-2016-2124 > >- resolves: #2019673 - Fix CVE-2020-25717 > >- resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl* > > > >I don't have access to the mentioned bugs in Bugzilla unfortunately. Maybe > >someone knows if I need to do something after upgrading these packages? > > You need to make sure IPA has issued proper SIDs to all your users. > This can be achieved with 'ipa-adtrust-install --add-sids' ran on IPA > server owning Trust Controller role. Once SID is present in the user's > entry, its presence will force IPA KDC to issue PAC as a part of a TGT > and it will be copied to a service ticket requested by a client which > presented this TGT, unless the target service object in IPA forbids that > (only NFS so far). > > IPA update on RHEL 7.9 does not have additional logic which went into > security updates IPA on RHEL 8.4+ and Fedora to issue SIDs at install > time (and additional tools to make up for missing SIDs). It also does > not have the code to enforce some of new buffers in PACs as backporting > them was not feasible. > > Regarding what this is all about, I have a blog in works about it but > now is holidays' time. Below I'd give you few references to read to get a > glimpse of what we dealt with: > > --------------------------------------------------------- > On November 9th 2021 Microsoft did their traditional monthly security > update. Four issues among the published security fixes were in the area > of Active Directory and were attributed to Samba Team and its members: > > - CVE-2021-42291: Active Directory Domain Services Elevation of > Privilege Vulnerability, Active Directory permissions updates, > > https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291 > > - CVE-2021-42287: Active Directory Domain Services Elevation of > Privilege Vulnerability, Authentication updates, > > https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287 > > - CVE-2021-42282: Active Directory Domain Services Elevation of > Privilege Vulnerability, Verification of uniqueness for user > principal name, service principal name, and the service principal > name alias, > > https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42282 > > - CVE-2021-42278: Active Directory Domain Services Elevation of > Privilege Vulnerability, Active Directory Security Accounts Manager > hardening changes, > > https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42278 > > A coordinated security release of Samba 4.15.2 by the Samba Team fixes > eight security issues, some of them around the same theme as Microsoft's > ones: > > - CVE-2016-2124: SMB1 client connections can be downgraded to > plaintext authentication, > https://www.samba.org/samba/security/CVE-2016-2124.html (Something > left from the Badlock bugs) > > - CVE-2020-25717: A user on the domain can become root on domain > members, https://www.samba.org/samba/security/CVE-2020-25717.html, > (PLEASE READ! There are important behaviour changes described) > > - CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos > tickets issued by an RODC, > https://www.samba.org/samba/security/CVE-2020-25718.html > > - CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in > Kerberos > tickets,https://www.samba.org/samba/security/CVE-2020-25719.html > > - CVE-2020-25721: Kerberos acceptors need easy access to stable AD > identifiers (eg objectSid), > https://www.samba.org/samba/security/CVE-2020-25721.html > > - CVE-2020-25722: Samba AD DC did not do sufficient access and > conformance checking of data stored, > https://www.samba.org/samba/security/CVE-2020-25722.html > > - CVE-2021-3738: Use after free in Samba AD DC RPC server, > https://www.samba.org/samba/security/CVE-2021-3738.html > > - CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability, > https://www.samba.org/samba/security/CVE-2021-23192.html > > The scope of changes is enormous. Just on the Samba side there are 220 > patches between 4.15.2 and the previous minor release, 4.15.1. However, > Samba 4.15.1 release was a preparation -- it also merged some 3000 > patches, establishing a ground for testing Kerberos protocol behavior. > These tests helped to reduce behavior differences between Samba AD and > Windows-based Active Directory deployments and made the security release > possible at all. > > --------------------------------------------------------- > > > Anyway, the scenario you are running is not supported by FreeIPA team. > > > > >Rolling back samba packages is unwanted given that Samba sources mention > >this is unsafe. > > > >Thanks! > > > >-- > >Konstantin Khankin > > > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > > -- Konstantin Khankin
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
