[Samba] Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version, 
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.


This is a summation of the config that I'm using (works under samba 3.6):

security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to 
connect. I can see that a ticket has been issued for 
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:


Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0] 
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0] 
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0] 
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory


Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

--Kyle
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Andrew Bartlett
On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal). 

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

On 1/21/2013 3:15 PM, Andrew Bartlett wrote:


As far as I can tell, prior to accepting a connection:

dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.AVERAGEURL.COM 
(Success)

ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
[ ... ]
Could not look up dc's for domain AVERAGEURL.COM
ads_connect: leaving with: No logon servers

Those records (*._msdcs.) don't exist all right...

And while the socket is connected:

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
name_to_fqdn: lookup for ELASTIC failed. /* Reverse DNS and forward DNS 
IS resolving properly here... one thing to note: this is an IPv6 only 
host */

Security token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or 
option is not available or unsupported: No such file or directory
Unable to find PAC in ticket from k...@averageurl.com, failing to allow 
access


Checking the process with strace isn't really useful either, unfortunately:

open(/etc/krb5.keytab, O_RDONLY)  = 33
[ ... ]
open(/dev/urandom, O_RDONLY)  = 33
open(/dev/urandom, O_RDONLY)  = 33
open(/dev/urandom, O_RDONLY)  = 33
open(/usr/share/locale/locale.alias, O_RDONLY|O_CLOEXEC) = 33
open(/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo, O_RDONLY) = -1 
ENOENT (No such file or directory)

[ ... ]
open(/usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo, O_RDONLY) = 33
[ ... ]
open(/var/tmp/cifs_0, O_RDWR) = 33
open(/usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so, 
O_RDONLY|O_CLOEXEC) = 35

open(/dev/urandom, O_RDONLY)  = 34
open(/dev/urandom, O_RDONLY)  = 34
open(/dev/urandom, O_RDONLY)  = 34
obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or 
option is not available or unsupported: No such file or directory

open(/etc/krb5.conf, O_RDONLY)= 33
open(/dev/urandom, O_RDONLY)  = 33
open(/etc/krb5.conf, O_RDONLY)= 33
open(/dev/urandom, O_RDONLY)  = 33
--- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=958, si_uid=0} ---
+++ killed by SIGTERM +++


Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key 
data is actually in those logs.


--Kyle
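One way to triage the raised-log-level output Kyle posted, as an added example that is not code from the thread or from Samba: it separates the noisy AD DC-discovery errors (the missing _msdcs SRV records) and the host-name lookup from the PAC failure that actually denies access. The stage names are my own labels, and the sample lines are constructed from the messages quoted above, with USER@MYREALM.COM as a placeholder principal.

```python
import re

# Each entry maps a smbd message seen in the thread to one failure stage.
STAGES = [
    # AD-style DC discovery via _msdcs SRV records, which an MIT realm lacks
    ("dc_discovery", re.compile(r"Failed to resolve _ldap\._tcp\.dc\._msdcs\.(\S+)")),
    ("dc_discovery", re.compile(r"Could not look up dc's for domain (\S+)")),
    # short host name -> FQDN lookup inside the gse_krb5 mechanism
    ("hostname", re.compile(r"name_to_fqdn: lookup for (\S+) failed")),
    # PAC extraction from the service ticket; an MIT KDC issues no PAC
    ("pac", re.compile(r"obtaining PAC via GSSAPI gss_get_name_attribute failed")),
    ("pac", re.compile(r"Unable to find PAC in ticket from (\S+), failing")),
]

def classify(line):
    """Return (stage, detail) for a recognised failure line, else None."""
    for stage, pat in STAGES:
        m = pat.search(line)
        if m:
            return stage, (m.group(1) if m.groups() else None)
    return None

def summarize(lines):
    """Group the details of every recognised failure line by stage."""
    found = {}
    for line in lines:
        hit = classify(line)
        if hit:
            found.setdefault(hit[0], []).append(hit[1])
    return found

def access_denied_for_missing_pac(lines):
    """True only when smbd refused the logon because the ticket had no PAC."""
    return any("Unable to find PAC in ticket" in line for line in lines)

SAMPLE_LOG = [  # constructed from the messages quoted in the thread
    "dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.MYREALM.COM (Success)",
    "ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)",
    "Could not look up dc's for domain MYREALM.COM",
    "Starting GENSEC submechanism gse_krb5",
    "name_to_fqdn: lookup for ELASTIC failed.",
    "obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or "
    "option is not available or unsupported: No such file or directory",
    "Unable to find PAC in ticket from USER@MYREALM.COM, failing to allow access",
]

if __name__ == "__main__":
    for stage, details in summarize(SAMPLE_LOG).items():
        print(stage, details)
    print("denied for missing PAC:", access_denied_for_missing_pac(SAMPLE_LOG))
```

Run against a real log at a raised `log level`, the "pac" bucket being non-empty while "dc_discovery" only reports the absent _msdcs records is the signature of exactly the situation described in this thread.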