Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-22 Thread Andrew Bartlett
On Mon, 2013-01-21 at 23:25 -0700, Kyle Brantley wrote:
 On 1/21/2013 9:14 PM, Kyle Brantley wrote:
  On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
  On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
  On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
  On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
  Hello --
 
  I'm trying to run a samba4 server (note: Fedora packaged version,
  samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
 
  This is a summation of the config that I'm using (works under samba 3.6):
 
 security = ADS
 passdb backend = tdbsam
 restrict anonymous = yes
 server signing = auto
 client signing = auto
 smb encrypt = auto
 realm = MYREALM.COM
 kerberos method = system keytab
 
  However, whenever I try to access the samba server, the client fails to
  connect. I can see that a ticket has been issued for
  cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
 
  Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
  ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
  Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
  gss_get_name_attribute failed: The operation or option is not available
  or unsupported: No such file or directory
  Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
  ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
  Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
  gss_get_name_attribute failed: The operation or option is not available
  or unsupported: No such file or directory
  Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
  ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
  Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
  gss_get_name_attribute failed: The operation or option is not available
  or unsupported: No such file or directory
 
  Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
 
  Does anyone know what I need to be doing to get this working again?
  It is probably a bug in the reworked krb5 code.  The code paths to
  support this are still there, but clearly something doesn't trigger
  correctly.
 
  The first thing to do would be to turn up the log level, to see what the
  real failure is (the mentioned message shouldn't actually be fatal).
 
  Then, once we rule out it being something else, it probably just needs a
  new test environment to be created in our 'make test' that tells our AD
  server to not send the PAC.  This will allow this code path to be
  covered, and prevent regressions.
 
  Andrew Bartlett
 
  As far as I can tell, prior to accepting a connection:
  Full logs:
  http://averageurl.com/samba/samba-log.gz
  http://averageurl.com/samba/samba-strace-log.gz
 
  I've already changed the keys out, so I'm not too worried about what key
  data is actually in those logs.
  The logs were very helpful.  The attached patch should fix it, or at
  least move the failure to somewhere else :-).  Please file the bug, so
  we can get this into 4.0.2
 
  Andrew Bartlett
 
  Thanks. I've filed the bug 
  (https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently 
  rebuilding samba with the patch applied. I'll let you know how it goes...
 
  --Kyle
 
 That worked great. I've been able to enumerate the shares and connect to 
 them now. I validated with wireshark that the kerberos authentication 
 was occurring, and it looks like everything functions now thanks to your 
 previously attached patch.

Metze, Can you get this into master?  I'll try and follow-up with a
testcase (setting the UF_NO_AUTH_DATA_REQUIRED on an account and doing a
kerberos login) soon, but this much needs to get to 4.0.2

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 22 Jan 2013 14:45:14 +1100
Subject: [PATCH] gensec: Allow login without a PAC by default

The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett
---
 auth/gensec/gensec_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index d732213..64952b1 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
 	if (!pac_blob) {
-		if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) {
+		if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) {
 			DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n,
   principal_string));
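Review bot: with the condition flipped, the `DEBUG(1, ...)` "failing to allow access" message is only emitted when `gensec:require_pac=true`; in the default case the function now continues silently when no PAC is present, which is exactly the situation this thread needed raised log levels to diagnose. Consider a low-priority DEBUG in the fall-through after the `if (!pac_blob)` block recording that `principal_string` was accepted without a PAC, so the non-AD case stays visible in normal logs.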
 

[Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Andrew Bartlett
On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
 On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
  On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
  Hello --
 
  I'm trying to run a samba4 server (note: Fedora packaged version,
  samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
 
  This is a summation of the config that I'm using (works under samba 3.6):
 
security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab
 
  However, whenever I try to access the samba server, the client fails to
  connect. I can see that a ticket has been issued for
  cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
 
  Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
  ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
  Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
  gss_get_name_attribute failed: The operation or option is not available
  or unsupported: No such file or directory
  Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
  ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
  Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
  gss_get_name_attribute failed: The operation or option is not available
  or unsupported: No such file or directory
  Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
  ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
  Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
  gss_get_name_attribute failed: The operation or option is not available
  or unsupported: No such file or directory
 
  Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
 
  Does anyone know what I need to be doing to get this working again?
  It is probably a bug in the reworked krb5 code.  The code paths to
  support this are still there, but clearly something doesn't trigger
  correctly.
 
  The first thing to do would be to turn up the log level, to see what the
  real failure is (the mentioned message shouldn't actually be fatal).
 
  Then, once we rule out it being something else, it probably just needs a
  new test environment to be created in our 'make test' that tells our AD
  server to not send the PAC.  This will allow this code path to be
  covered, and prevent regressions.
 
  Andrew Bartlett
 
 As far as I can tell, prior to accepting a connection:

 Full logs:
 http://averageurl.com/samba/samba-log.gz
 http://averageurl.com/samba/samba-strace-log.gz
 
 I've already changed the keys out, so I'm not too worried about what key 
 data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 22 Jan 2013 14:45:14 +1100
Subject: [PATCH] gensec: Allow login without a PAC by default

The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett
---
 auth/gensec/gensec_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index d732213..64952b1 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
 	if (!pac_blob) {
-		if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) {
+		if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) {
 			DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n,
   principal_string));
 			return NT_STATUS_ACCESS_DENIED;
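Review bot: the flipped condition on the `-`/`+` lines matches the cover note (deny only when `gensec:require_pac=true`, with `false` as the default passed to `gensec_setting_bool(...)`), but the series carries no test for the branch it changes; the `UF_NO_AUTH_DATA_REQUIRED` testcase promised in the thread should land alongside this one-liner so the no-PAC branch of `gensec_generate_session_info_pac()` is exercised by 'make test' and the inversion cannot silently return. A one-line comment above `if (!pac_blob) {` stating that a missing PAC is tolerated unless `gensec:require_pac` is set would also make the intent obvious to the next reader.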
-- 
1.7.11.7

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
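The smbd lines quoted in this thread, as a defender would want to triage them: an added Python example (not code from the thread or from Samba) that pairs each two-line smbd debug record by pid and extracts the "obtaining PAC via GSSAPI ... failed" events, so no-PAC logins can be counted per host rather than hunted by eye. The regexes are modelled on the quoted format, and the sample log is constructed from the thread's three records re-joined onto single syslog lines, plus one unrelated record with a placeholder source location.

```python
import re
from typing import Dict, List, NamedTuple

# smbd writes one debug message as two syslog lines: a header with Samba's own
# timestamp, level and source location, then the text from the same pid.
HEADER_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) smbd\[(?P<pid>\d+)\]: "
    r"\[(?P<ts>[^,]+), +(?P<level>\d+)\] (?P<location>\S+)$"
)
BODY_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ smbd\[(?P<pid>\d+)\]: +(?P<text>.*)$"
)

NoPacEvent = NamedTuple("NoPacEvent", [("ts", str), ("host", str), ("pid", int), ("text", str)])

def parse_no_pac_events(lines: List[str]) -> List[NoPacEvent]:
    """Pair each gssapi_obtain_pac_blob header with its body line, keyed by pid."""
    events: List[NoPacEvent] = []
    pending: Dict[int, "re.Match"] = {}  # pid -> header still awaiting its body
    for line in lines:
        h = HEADER_RE.match(line)
        if h:
            pid = int(h.group("pid"))
            if "gssapi_obtain_pac_blob" in h.group("location"):
                pending[pid] = h
            else:
                pending.pop(pid, None)  # a different message from this pid
            continue
        b = BODY_RE.match(line)
        if b is None:
            continue
        h = pending.pop(int(b.group("pid")), None)
        if h is not None and "obtaining PAC via GSSAPI" in b.group("text"):
            events.append(NoPacEvent(h.group("ts"), h.group("host"), int(h.group("pid")), b.group("text")))
    return events

# Constructed sample: the thread's three records re-joined onto single syslog
# lines (mail wrapping split them) plus one unrelated record for pid 1573 whose
# source location is a placeholder, not a real Samba file.
_NOPAC = ("obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation "
          "or option is not available or unsupported: No such file or directory")
SAMPLE_LOG = "\n".join([
    "Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)",
    "Jan 21 11:27:00 elastic smbd[1573]:   " + _NOPAC,
    "Jan 21 11:27:03 elastic smbd[1573]: [2013/01/21 11:27:03.000001,  1] ../placeholder/unrelated.c:1(unrelated_function)",
    "Jan 21 11:27:03 elastic smbd[1573]:   unrelated debug text",
    "Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)",
    "Jan 21 11:27:07 elastic smbd[1574]:   " + _NOPAC,
    "Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)",
    "Jan 21 11:27:07 elastic smbd[1576]:   " + _NOPAC,
])
```

Run `parse_no_pac_events(SAMPLE_LOG.splitlines())` to get the three events for pids 1573, 1574 and 1576; in an AD realm, any non-zero count from a host that should always receive a PAC is worth a look.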

Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

On 1/21/2013 8:46 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:

On 1/21/2013 3:15 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version,
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.

This is a summation of the config that I'm using (works under samba 3.6):

   security = ADS
   passdb backend = tdbsam
   restrict anonymous = yes
   server signing = auto
   client signing = auto
   smb encrypt = auto
   realm = MYREALM.COM
   kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to
connect. I can see that a ticket has been issued for
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions.

Andrew Bartlett


As far as I can tell, prior to accepting a connection:
Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key
data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2

Andrew Bartlett


Thanks. I've filed the bug 
(https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently 
rebuilding samba with the patch applied. I'll let you know how it goes...


--Kyle


Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

On 1/21/2013 9:14 PM, Kyle Brantley wrote:

On 1/21/2013 8:46 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:

On 1/21/2013 3:15 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version,
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.

This is a summation of the config that I'm using (works under samba 3.6):

   security = ADS
   passdb backend = tdbsam
   restrict anonymous = yes
   server signing = auto
   client signing = auto
   smb encrypt = auto
   realm = MYREALM.COM
   kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to
connect. I can see that a ticket has been issued for
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions.

Andrew Bartlett


As far as I can tell, prior to accepting a connection:
Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key
data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2

Andrew Bartlett


Thanks. I've filed the bug 
(https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently 
rebuilding samba with the patch applied. I'll let you know how it goes...


--Kyle


That worked great. I've been able to enumerate the shares and connect to 
them now. I validated with wireshark that the kerberos authentication 
was occurring, and it looks like everything functions now thanks to your 
previously attached patch.


Thanks much!

--Kyle