Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 23:25 -0700, Kyle Brantley wrote:
> On 1/21/2013 9:14 PM, Kyle Brantley wrote:
> > On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
> > > On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> > > > On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
> > > > > On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> > > > > > Hello --
> > > > > >
> > > > > > I'm trying to run a samba4 server (note: Fedora packaged version,
> > > > > > samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
> > > > > > This is a summation of the config that I'm using (works under
> > > > > > samba 3.6):
> > > > > >
> > > > > >     security = ADS
> > > > > >     passdb backend = tdbsam
> > > > > >     restrict anonymous = yes
> > > > > >     server signing = auto
> > > > > >     client signing = auto
> > > > > >     smb encrypt = auto
> > > > > >     realm = MYREALM.COM
> > > > > >     kerberos method = system keytab
> > > > > >
> > > > > > However, whenever I try to access the samba server, the client
> > > > > > fails to connect. I can see that a ticket has been issued for
> > > > > > cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
> > > > > >
> > > > > > Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> > > > > > Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> > > > > > Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> > > > > > Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> > > > > > Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> > > > > > Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> > > > > >
> > > > > > Well, no kidding there is no PAC available, it's an MIT kerberos
> > > > > > realm! :)
> > > > > >
> > > > > > Does anyone know what I need to be doing to get this working again?
> > > > >
> > > > > It is probably a bug in the reworked krb5 code.
> > > > >
> > > > > The code paths to support this are still there, but clearly
> > > > > something doesn't trigger correctly.
> > > > >
> > > > > The first thing to do would be to turn up the log level, to see what
> > > > > the real failure is (the mentioned message shouldn't actually be
> > > > > fatal).
> > > > >
> > > > > Then, once we rule out it being something else, it probably just
> > > > > needs a new test environment to be created in our 'make test' that
> > > > > tells our AD server to not send the PAC. This will allow this code
> > > > > path to be covered, and prevent regressions.
> > > > >
> > > > > Andrew Bartlett
> > > >
> > > > As far as I can tell, prior to accepting a connection:
> > > >
> > > > Full logs:
> > > > http://averageurl.com/samba/samba-log.gz
> > > > http://averageurl.com/samba/samba-strace-log.gz
> > > >
> > > > I've already changed the keys out, so I'm not too worried about what
> > > > key data is actually in those logs.
> > >
> > > The logs were very helpful. The attached patch should fix it, or at
> > > least move the failure to somewhere else :-).
> > >
> > > Please file the bug, so we can get this into 4.0.2
> > >
> > > Andrew Bartlett
> >
> > Thanks. I've filed the bug (https://bugzilla.samba.org/show_bug.cgi?id=9581)
> > and am currently rebuilding samba with the patch applied. I'll let you
> > know how it goes...
> >
> > --Kyle
>
> That worked great. I've been able to enumerate the shares and connect to
> them now. I validated with wireshark that the kerberos authentication was
> occurring, and it looks like everything functions now thanks to your
> previously attached patch.

Metze,

Can you get this into master?

I'll try and follow-up with a testcase (setting the UF_NO_AUTH_DATA_REQUIRED
on an account and doing a kerberos login) soon, but this much needs to get
to 4.0.2

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org Date: Tue, 22 Jan 2013 14:45:14 +1100 Subject: [PATCH] gensec: Allow login without a PAC by default The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett --- auth/gensec/gensec_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index d732213..64952b1 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { + if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n, principal_string));
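A compact model of the decision the patch corrects, added here as an example; it is not part of the patch or of Samba's sources. The settings store, `parse_bool`, `setting_bool`, `require_pac_value`, the `pac_status` enum and `count_policy_violations` are simplified stand-ins for Samba's parametric-option handling and `gensec_setting_bool()`; only the shape of the `if (!pac_blob)` check mirrors the hunk. It puts the pre-patch and post-patch branches side by side and runs a policy check of the kind the regression test mentioned in the thread would need: an empty config (the reporter's non-AD realm) must admit a ticket without a PAC, `gensec:require_pac = yes` must reject it, and a PAC-bearing ticket is admitted either way.

```c
/* Model of the "require_pac" decision in gensec_generate_session_info_pac().
 * Added example: the settings store and helpers are hypothetical stand-ins
 * for Samba's lp_parm/gensec_setting_bool machinery, not its real code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-in for an smb.conf parametric option such as "gensec:require_pac = yes". */
struct param_opt {
    const char *section; /* text before the colon, e.g. "gensec" */
    const char *name;    /* text after the colon, e.g. "require_pac" */
    const char *value;   /* raw string as written in smb.conf */
};

struct settings {
    const struct param_opt *opts;
    size_t count;
};

/* Parse an smb.conf boolean: yes/true/1/on -> true, no/false/0/off -> false.
 * Returns false (and leaves *out untouched) for anything else. */
static bool parse_bool(const char *s, bool *out)
{
    static const char *yes[] = {"yes", "true", "1", "on"};
    static const char *no[]  = {"no", "false", "0", "off"};
    for (size_t i = 0; i < 4; i++) {
        if (strcasecmp(s, yes[i]) == 0) { *out = true;  return true; }
        if (strcasecmp(s, no[i])  == 0) { *out = false; return true; }
    }
    return false;
}

/* Hypothetical stand-in for gensec_setting_bool(): look up section:name and
 * fall back to def when the option is absent or unparsable. */
static bool setting_bool(const struct settings *st, const char *section,
                         const char *name, bool def)
{
    for (size_t i = 0; i < st->count; i++) {
        const struct param_opt *o = &st->opts[i];
        if (strcasecmp(o->section, section) == 0 && strcasecmp(o->name, name) == 0) {
            bool v;
            return parse_bool(o->value, &v) ? v : def;
        }
    }
    return def;
}

/* What "gensec:require_pac = <value>" evaluates to under a given default. */
static bool require_pac_value(const char *value, bool def)
{
    const struct param_opt opt = {"gensec", "require_pac", value};
    const struct settings st = {&opt, 1};
    return setting_bool(&st, "gensec", "require_pac", def);
}

enum pac_status { PAC_STATUS_OK, PAC_STATUS_ACCESS_DENIED };

/* The check as committed in c4675579: deny only when require_pac is set. */
static enum pac_status decide_fixed(const struct settings *st, bool have_pac)
{
    if (!have_pac && setting_bool(st, "gensec", "require_pac", false)) {
        return PAC_STATUS_ACCESS_DENIED;
    }
    return PAC_STATUS_OK; /* PAC present, or no-PAC fallback path continues */
}

/* The check before the patch: the negated test denied every no-PAC login
 * unless the administrator had explicitly set require_pac = yes. */
static enum pac_status decide_before(const struct settings *st, bool have_pac)
{
    if (!have_pac && !setting_bool(st, "gensec", "require_pac", false)) {
        return PAC_STATUS_ACCESS_DENIED;
    }
    return PAC_STATUS_OK;
}

/* Policy check: returns how many of the four (config, ticket) cases the given
 * decision function gets wrong. Configs are constructed for this example. */
static int count_policy_violations(enum pac_status (*decide)(const struct settings *, bool))
{
    static const struct param_opt strict_opts[] = {{"gensec", "require_pac", "yes"}};
    const struct settings empty  = {NULL, 0};       /* the reporter's MIT realm */
    const struct settings strict = {strict_opts, 1}; /* gensec:require_pac = yes */
    int bad = 0;
    if (decide(&empty,  false) != PAC_STATUS_OK)            bad++; /* no PAC, default: allow */
    if (decide(&strict, false) != PAC_STATUS_ACCESS_DENIED) bad++; /* no PAC, strict: deny   */
    if (decide(&empty,  true)  != PAC_STATUS_OK)            bad++; /* PAC present: allow     */
    if (decide(&strict, true)  != PAC_STATUS_OK)            bad++; /* PAC present: allow     */
    return bad;
}

int main(void)
{
    printf("before fix: %d policy violations\n", count_policy_violations(decide_before));
    printf("after fix:  %d policy violations\n", count_policy_violations(decide_fixed));
    return count_policy_violations(decide_fixed) == 0 ? 0 : 1;
}
```

Read `count_policy_violations(decide_before)` as the shape of the bug: with no `gensec:require_pac` line at all, the old test evaluated `!false` and denied access, which is exactly the reporter's "client fails to connect" on a realm that never issues a PAC.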
[Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
> > On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> > > [...]
> >
> > [...]
>
> As far as I can tell, prior to accepting a connection:
>
> Full logs:
> http://averageurl.com/samba/samba-log.gz
> http://averageurl.com/samba/samba-strace-log.gz
>
> I've already changed the keys out, so I'm not too worried about what
> key data is actually in those logs.

The logs were very helpful. The attached patch should fix it, or at
least move the failure to somewhere else :-).

Please file the bug, so we can get this into 4.0.2

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 22 Jan 2013 14:45:14 +1100
Subject: [PATCH] gensec: Allow login without a PAC by default

The sense of this test was inverted. We only want to take the
ACCESS_DENIED error if gensec:require_pac=true.

Andrew Bartlett
---
 auth/gensec/gensec_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index d732213..64952b1 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { + if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n, principal_string)); return NT_STATUS_ACCESS_DENIED; -- 1.7.11.7 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
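Review bot: the inverted condition is the right fix (the old `if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false))` took the ACCESS_DENIED branch precisely when require_pac was left at its default of false, i.e. for every realm that never issues a PAC), but flipping the default to permissive is a policy change that deserves two additions in the same patch: a DEBUG message on the now-default no-PAC branch, so that an administrator in an AD realm can tell from the log that session info was built without a PAC, and a line in the smb.conf documentation naming `gensec:require_pac` as the knob that restores the strict behaviour. The regression test discussed in the thread (a kerberos login for an account with UF_NO_AUTH_DATA_REQUIRED set) should land with this change, since `make test` does not currently exercise the `!pac_blob` branch at all.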
Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
> On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> > [...]
>
> The logs were very helpful. The attached patch should fix it, or at
> least move the failure to somewhere else :-).
>
> Please file the bug, so we can get this into 4.0.2
>
> Andrew Bartlett

Thanks. I've filed the bug (https://bugzilla.samba.org/show_bug.cgi?id=9581)
and am currently rebuilding samba with the patch applied. I'll let you know
how it goes...

--Kyle
Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On 1/21/2013 9:14 PM, Kyle Brantley wrote:
> On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
> > [...]
>
> Thanks. I've filed the bug (https://bugzilla.samba.org/show_bug.cgi?id=9581)
> and am currently rebuilding samba with the patch applied. I'll let you know
> how it goes...
>
> --Kyle

That worked great. I've been able to enumerate the shares and connect to
them now. I validated with wireshark that the kerberos authentication was
occurring, and it looks like everything functions now thanks to your
previously attached patch.

Thanks much!

--Kyle