Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:
> Yup. That's what I meant. I'll try to repro your results on Monday (if all goes well). Thanks.

I started up a machine that was on the shelf. This one had been joined as rc4. I edited krb5.conf and userAccountControl for des only.

My DHCP registers machines in dyn.ldxnet.com and in-addr.arpa, which are dynamically updatable on linux. Then the workstations register an A record in nt.ldxnet.com, which is DNS managed by windows 2003 server. I've been adding the dyn.ldxnet.com names to servicePrincipalName because it seems I get best results in mixed DNS domains. Like Mark Twain said, after a cat's been burnt on a hot stove, it won't sit on a cold one either.

Windows 2003 is capitalizing the first letter in kerbtray and klist, but the salt listed by ethereal is lowercase.

Browsing from windows domain machines works and smbclient -k works after kinit. This combination runs des only. Not that old either. Maybe you could back trace the changes. Check out the keytab listing below. Let me know if there is a stress test for this you'd like me to run.

That's all for tonight - Doug

Linux lex 2.6.12-1.1381_FC3
Samba version 3.0.21pre3-SVN-build-11739
krb5-workstation-1.3.6-7
openldap-2.2.29-1.FC3

/etc/krb5.conf
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_realm = NT.LDXNET.COM
        default_keytab_name = FILE:/etc/krb5.keytab
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        permitted_enctypes = des-cbc-md5 des-cbc-crc

[EMAIL PROTECTED] ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
(Yes, I edited out all but one entry. At first glance it looks like you're right)

[EMAIL PROTECTED] ~]# kinit
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] ~]# smbclient -k -Llex
OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        test            Disk      Temporary file space
        temp            Disk      Temporary file space
        IPC$            IPC       IPC Service (lex)
        ADMIN$          IPC       IPC Service (lex)
        root            Disk      Home Directories
OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        FOREST               RANGER1

ldp.exe on domain controller, entry for des-only lex workstation:

Getting 1 entries:
Dn: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com
  5> objectClass: top; person; organizationalPerson; user; computer;
  1> cn: lex;
  1> distinguishedName: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com;
  1> instanceType: 0x4 = ( IT_WRITE );
  1> whenCreated: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
  1> whenChanged: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
  1> uSNCreated: 931987;
  1> uSNChanged: 1128498;
  1> name: lex;
  1> objectGUID: fa853706-780c-46ac-aaf8-deffbdd4cc20;
  1> userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );
  1> badPwdCount: 0;
  1> codePage: 0;
  1> countryCode: 0;
  1> badPasswordTime: 01/01/1601 00:00:00 UNC ;
  1> lastLogoff: 01/01/1601 00:00:00 UNC ;
  1> lastLogon: 07/25/2006 02:45:36 Pacific Standard Time Pacific Daylight Time;
  1> localPolicyFlags: 0;
  1> pwdLastSet: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
  1> primaryGroupID: 515;
  1> objectSid: S-1-5-21-484763869-746137067-1343024091-1234;
  1> accountExpires: 09/14/30828 02:48:05 UNC ;
  1> logonCount: 30;
  1> sAMAccountName: lex$;
  1> sAMAccountType: 805306369;
  1> operatingSystem: Samba;
  1> operatingSystemVersion: 3.0.21pre3-SVN-build-11739;
  1> dNSHostName: lex.dyn.ldxnet.com;
  1> userPrincipalName: HOST/[EMAIL PROTECTED];
  6> servicePrincipalName: HOST/lex.dyn.ldxnet.com; CIFS/lex.dyn.ldxnet.com; CIFS/lex.nt.ldxnet.com; CIFS/lex; HOST/lex.nt.ldxnet.com; HOST/lex;
  1> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=nt,DC=ldxnet,DC=com;
  1> isCriticalSystemObject: FALSE;
  1> lastLogonTimestamp: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug VanLeuven wrote:
> Do you mean KdcUseRequestedEtypesForTickets = 1 in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ?
> If so, since 2004, plus the then hotfix.

Yup. That's what I meant. I'll try to repro your results on Monday (if all goes well). Thanks.

cheers, jerry

=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                             ----------- http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:
> (a) deriving the DES salt
> (b) generating the keytab file
> (c) optionally creating the UPN as part of the join.
>
> Please give it a whirl and let me know how it goes. Our Krb5 code is over 3 years old spreading about multiple MIT and heimdal versions. It's time for some spring cleaning but I don't want to lose functionality if we can help it.

Jerry,

2003 Enterprise server
security = ADS
idmap backend = ad
winbind nss info = template sfu

I joined an FC3 using rc4; all is smooth and browsable. I then removed support for rc4 in enctypes in /etc/krb5.conf. Edited the machine acct and added the flag for des_only. The domain controller can't browse the samba server. Get the password dialog box. This method used to work. I'll get an older version of samba and verify that with the current 2003 including current SP and security patches.

I then commented out the defines in /usr/include/krb5.h for ENCTYPE_ARCFOUR. Then configure make to have a version of samba where the ifdefs would trigger for des-only code. This version won't join the domain.

I can try net keytab add on permutations, but don't have the time until this weekend.

Des only may be a dinosaur for most modern kerberos, but it might be important to eliminate dependency on rc4. I've been told longhorn will include encryption types that use salts and depending on the admin environment they may want to run non-rc4. There may also be legacy considerations where the kerberos server is unix based.

Regards, Doug
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug,

Thanks for testing this.

> 2003 Enterprise server
> security = ADS
> idmap backend = ad
> winbind nss info = template sfu
>
> I joined an FC3 using rc4; all is smooth and browsable. I then removed support for rc4 in enctypes in /etc/krb5.conf. Edited the machine acct and added the flag for des_only. The domain controller can't browse the samba server. Get the password dialog box. This method used to work. I'll get an older version of samba and verify that with the current 2003 including current SP and security patches.

Did you enable the DES trick in the Windows 2003 registry ? Otherwise Windows 2003 will always use RC4-HMAC regardless of the DES_ONLY flag. That's what I've found at least.

> I then commented out the defines in /usr/include/krb5.h for ENCTYPE_ARCFOUR. Then configure make to have a version of samba where the ifdefs would trigger for des-only code. This version won't join the domain.

Yes. There is a problem with DES session keys in CIFS sessions. That's a known issue on RHEL3 at least. I'm still trying to track it down.

> I can try net keytab add on permutations, but don't have the time until this weekend.

Thanks. I'll be around this weekend as well :-)

> Des only may be a dinosaur for most modern kerberos, but it might be important to eliminate dependency on rc4. I've been told longhorn will include encryption types that use salts and depending on the admin environment they may want to run non-rc4. There may also be legacy considerations where the kerberos server is unix based.

DES session keys are an issue for RHEL3 so I will get that fixed but it will require more investigation.

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:
> Doug,
>
> Thanks for testing this.

OK.

>> I then removed support for rc4 in enctypes in /etc/krb5.conf. Edited the machine acct and added the flag for des_only. The domain controller can't browse the samba server. Get the password dialog box. This method used to work. I'll get an older version of samba and verify that with the current 2003 including current SP and security patches.
>
> Did you enable the DES trick in the Windows 2003 registry ? Otherwise Windows 2003 will always use RC4-HMAC regardless of the DES_ONLY flag. That's what I've found at least.

Do you mean KdcUseRequestedEtypesForTickets = 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ? If so, since 2004, plus the then hotfix. If not, then you'll have to let me know what the trick is :-)

Regards, Doug
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug VanLeuven wrote:
> Gerald (Jerry) Carter wrote:
>> Doug,
>>
>>> File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22.
>>
>> Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped.
>
> I was saying dns domain not equal realm dropped and rewrite ads join code

No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.

>> PS: I asked our Apache guy (at Centeris) who is working with mod_auth_kerb and he claims that krb5 authentication to http://SerVer.ExaMple.COM still gets a ticket for HTTP/server.example.com which supports my theory about tickets based on SPN values.
>
> Yes, it works with rc4-hmac. But it's been coming back to me. It didn't work with des-cbc-md5 until the permutations were added. How soon we forget. It's really difficult to test des-only now. Have to join with rc4, then hand edit with adsi.exe in the AD, then remove the rc4 from krb5.conf and reboot the machine to purge the caches, because samba sets the des-only on a compile time flag.

I'll go back and retest but I'm still not convinced (until I can reproduce it myself).

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:
> Doug VanLeuven wrote:
>> Gerald (Jerry) Carter wrote:
>>> Doug,
>>>
>>>> File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22.
>>>
>>> Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped.
>>
>> I was saying dns domain not equal realm dropped and rewrite ads join code
>
> No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.

First, I'm not having failures. I was commenting information I believed I read. So what did you mean in this post:
http://marc.theaimsgroup.com/?l=samba&m=115193492903190&w=2

quote:
You were right. ( as usual.. ) I had the wrong FQDN on the samba server. After reconfiguring my network and I got the FQDN back from 'hostname' the join worked as planned.

For the record, this is what WinXP does as well. You cannot join a WinXP box to a domain using a non-admin account if the client's FQDN is outside the AD domain. I agree this is a change from previous Samba version, but then previous Samba releases always required domain admin creds to join.
endquote

Did you mean if one joins with non-admin credentials it no longer works, but if one's credentials are administrative it still works? I understand previously joined machines still work. Not trying to be a wise guy, just trying to understand.

Regards, Doug
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug,

>>> I was saying dns domain not equal realm dropped and rewrite ads join code
>>
>> No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.
>
> First, I'm not having failures. I was commenting information I believed I read. So what did you mean in this post:
> http://marc.theaimsgroup.com/?l=samba&m=115193492903190&w=2
>
> ...
>
> Did you mean if one joins with non-admin credentials it no longer works, but if one's credentials are administrative it still works? I understand previously joined machines still work. Not trying to be a wise guy, just trying to understand.

No problem. I spent a couple of days just staring at traces and reading to try to track down the corner cases. It's pretty confusing.

The best thing to do is to read here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
and then use ADSIedit to view the default security descriptor on a machine account object.

A non-admin (and the machine itself) only has validated-write access to the dNSHostName and servicePrincipalName attributes. This means that the dNSHostName value has to be within the AD realm and the SPN has to match the dNSHostName. Try to join a WinXP box to a domain using a non-admin account with the dns suffix outside of the AD realm and you will see what I mean. It fails to join and tells you to contact the administrator to relax the rules (or something similar). If you are a domain admin, then you have full control to these attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP requests which required you to be a Domain Admin. As part of the join, the machine SID was given full control over the object in AD so again you could do whatever you liked with 'net ads keytab add -P'.

The code in 3.0.23 uses a mixture of RPC and LDAP just like Windows 2000/XP. The advantage is that a non-admin can now join a Samba box to a domain given the same privileges as required by Windows. The disadvantage is that we can no longer assume we have admin rights to set any property we like. This is why, for example, we no longer try to create a UPN by default (although I added a new option to net ads join in 3.0.23a that will do that) or set the operatingSystem attribute value.

Hope this helps clear up some of the confusion.

Note that I've added in a fair amount of new code in 3.0.23a for
(a) deriving the DES salt
(b) generating the keytab file
(c) optionally creating the UPN as part of the join.

Please give it a whirl and let me know how it goes. Our Krb5 code is over 3 years old spreading about multiple MIT and heimdal versions. It's time for some spring cleaning but I don't want to lose functionality if we can help it.

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:
> Doug,
>
>> File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22.
>
> Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped.

I was saying dns domain not equal realm dropped and rewrite ads join code

>> Just that windows doesn't guarantee case in names. For example, on my login, the current tickets show up as
>> HOST/[EMAIL PROTECTED]
>> host/[EMAIL PROTECTED]
>> HOST/[EMAIL PROTECTED]
>> HOST/[EMAIL PROTECTED]
>
> Your tickets where? From kerbtray.exe? Or on a Unix box?

kerbtray
klist

> I just am not seeing this case permutation you claim.

NT40 sidhistory migration to 2000 AD, then standard 2000 AD upgraded to 2003 standard AD, then 2003 standard upgraded to 2003 enterprise.

> What is the list of SPNs for that Samba account in AD?

samba 3.0.23, created account in AD
SPN's
CIFS/stor
CIFS/stor.nt.ldxnet.com
HOST/STOR
HOST/stor.nt.ldxnet.com

klist on 2003 server
Server: cifs/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

> Can you tell what applications are generating these requests so I can reproduce it?

Domain controller browsing to stor's shares.

> PS: I asked our Apache guy (at Centeris) who is working with mod_auth_kerb and he claims that krb5 authentication to http://SerVer.ExaMple.COM still gets a ticket for HTTP/server.example.com which supports my theory about tickets based on SPN values.

Yes, it works with rc4-hmac. But it's been coming back to me. It didn't work with des-cbc-md5 until the permutations were added. How soon we forget. It's really difficult to test des-only now. Have to join with rc4, then hand edit with adsi.exe in the AD, then remove the rc4 from krb5.conf and reboot the machine to purge the caches, because samba sets the des-only on a compile time flag.

For information, here's the list of tickets on the domain controller after browsing an older, running samba server joined years ago, and a win2000 workstation:

Cached Tickets: (6)

Server: krbtgt/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

(win2000 workstation)
Server: cifs/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

(FC3 - krb5 1.3.6)
Server: cifs/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

(Domain controller)
Server: ldap/ranger1.nt.ldxnet.com/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

(FC4 - long running samba currently at 3.0.23pre2-SVN-build-15985)
Server: cifs/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

(Domain controller)
Server: host/[EMAIL PROTECTED]
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 7/18/2006 18:53:02
   Renew Time: 7/25/2006 8:53:02

Regards, Doug
RE: [Samba] Kerberos Keytab Code Update in 3.0.23
Jerry,

> I'll have to check on the semantic checking for the UPN attribute. I'd rather (for safety's sake) just give it a value: host/${dNSHostName} attribute. That way we know we are consistent.

The previous behavior was: host/[EMAIL PROTECTED] although I disagreed with that format. I believe you've got the right value: host/[EMAIL PROTECTED]

> Yeah but the previous default required you to have more rights than Windows client required so we got slammed for that.

Unfortunately there are many cases where DC Group Policies are cranked down such that only Domain Admins can add/remove machines anyway.

Here's a thought; why not split the two functions? Adding the machine to the domain (net ads join) handles just what is necessary for that. Creating the keytab (net ads keytab create) handles those specific functions. Adding additional service principals (net ads keytab add princ1 princ2 ...) places these principals in other keytabs so the admin can move them to the appropriate location and set permissions. An example of how this might work would be that the service principal for http is placed in apache's home with appropriate permissions so mod_auth_kerb functions using client auth. Another might be to create a service principal for ldap and place it in /etc with ownership ldap:nscd so nss_ldap can be configured with sasl gssapi and proxy auth while maintaining nscd functionality.

If Samba needs some off-the-wall formats for its Kerberos principals in order to respond to requests for \\HoStNaMe.DOMAIN\Share then create them in memory on-the-fly as before the keytab management functions were added.

The only other issue that you may have addressed before - why waste the effort of creating principals using all the encryption types that the client supports when the only ones that will succeed are those that the server supports? Of course it would be nice if all the distributions of Linux, Solaris, AIX, etc. had versions of kerberos that support rc4-hmac...

Thanks,
Scott

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 5:35 PM
To: Scott Armstrong
Cc: 'Doug VanLeuven'; samba@lists.samba.org
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23

Scott Armstrong wrote:
>> Or I could add a switch to 'net ads join' that said create the UPN. I don't really want to make it default behavior. Would that be acceptable?
>
> That would be fine although if you can allow the format of the hostname to be controllable that would be a bonus. I think allowing as much as possible to be done at the time the machine account is created is best.

I'll have to check on the semantic checking for the UPN attribute. I'd rather (for safety's sake) just give it a value: host/${dNSHostName} attribute. That way we know we are consistent.

> It's pretty labor intensive to have to log onto the Windows DC afterward and run ADSIEdit in order to achieve the same result that was the default before the code rewrite.

Yeah but the previous default required you to have more rights than Windows client required so we got slammed for that.

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Scott Armstrong wrote:
> First thing - I'd like to say a big THANK YOU to the developers.
>
> I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. Whether this is an issue for others or not, it would be nice to have seen a reference to it in the release notes. Since having the user principal in the keytab and a cron job to renew the ticket are critical for me to use pam_krb5, I'm going to attempt to figure out what code needs to be added back from 3.0.22. In the defense of the authors, examining a Win2k3 server does not show the userPrincipal value being set, although I sort of considered this functionality to be the primary aim in using Samba for the keytab management.

File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22.

> While I'm on my soap box, would it be possible to hear some clarification on the value of some of the principals created in the keytab (MIT Kerberos)? When I look at Active Directory using ADSI Edit, I see 4 servicePrincipal values created as a result of net ads join - host/host, host/fqdn, cifs/host, cifs/fqdn. When I use ktutil to view the keys in the table, I'm confronted with output that doesn't make any sense to me. Note that I've substituted generic host/domain/realm info and I've forcibly constrained the encryption types to rc4-hmac and des-cbc-md5
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 host/[EMAIL PROTECTED]
>    2    2 host/[EMAIL PROTECTED]
>    3    2 cifs/[EMAIL PROTECTED]
>    4    2 cifs/[EMAIL PROTECTED]
>    5    2 [EMAIL PROTECTED]
>    6    2 [EMAIL PROTECTED]
>    7    2 [EMAIL PROTECTED]
>    8    2 [EMAIL PROTECTED]
>    9    2 host/[EMAIL PROTECTED]
>   10    2 host/[EMAIL PROTECTED]
>   11    2 host/[EMAIL PROTECTED]
>   12    2 host/[EMAIL PROTECTED]
>   13    2 host/[EMAIL PROTECTED]
>   14    2 host/[EMAIL PROTECTED]
>   15    2 HOST/[EMAIL PROTECTED]
>   16    2 HOST/[EMAIL PROTECTED]
>   17    2 HOST/[EMAIL PROTECTED]
>   18    2 HOST/[EMAIL PROTECTED]
>   19    2 HOST/[EMAIL PROTECTED]
>   20    2 HOST/[EMAIL PROTECTED]
>   21    2 HOST/[EMAIL PROTECTED]
>   22    2 HOST/[EMAIL PROTECTED]
>   23    2 cifs/[EMAIL PROTECTED]
>   24    2 cifs/[EMAIL PROTECTED]
>   25    2 cifs/[EMAIL PROTECTED]
>   26    2 cifs/[EMAIL PROTECTED]
>   27    2 cifs/[EMAIL PROTECTED]
>   28    2 cifs/[EMAIL PROTECTED]
>   29    2 CIFS/[EMAIL PROTECTED]
>   30    2 CIFS/[EMAIL PROTECTED]
>   31    2 CIFS/[EMAIL PROTECTED]
>   32    2 CIFS/[EMAIL PROTECTED]
>   33    2 CIFS/[EMAIL PROTECTED]
>   34    2 CIFS/[EMAIL PROTECTED]
>   35    2 CIFS/[EMAIL PROTECTED]
>   36    2 CIFS/[EMAIL PROTECTED]
>   37    2 cifs/[EMAIL PROTECTED]
>   38    2 cifs/[EMAIL PROTECTED]
>   39    2 CIFS/[EMAIL PROTECTED]
>   40    2 CIFS/[EMAIL PROTECTED]
>   41    2 host/[EMAIL PROTECTED]
>   42    2 host/[EMAIL PROTECTED]
>   43    2 HOST/[EMAIL PROTECTED]
>   44    2 HOST/[EMAIL PROTECTED]
>
> No offense intended, but what is the purpose of adding the variations of case especially with respect to the FQDN? When I look at the tickets that are the result of making connections from one Win2K3 server to another, the principals simply reflect the form of the requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com yields principal cifs/[EMAIL PROTECTED] What am I missing?

Just that windows doesn't guarantee case in names. For example, on my login, the current tickets show up as
HOST/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]
I rarely see any cifs tickets.

Notice the uppercase machine name and lower case domain name combo. One ticket has the lowercase host and the rest are uppercase HOST. I'm also seeing Foo (first letter uppercase) generated by a 2003 enterprise server for a samba A/D member. I have a personally patched version of samba to help accommodate this machine.

Consider yourself lucky to only have the two variations. When samba manages the keytab, it has to generate enough combinations to cover the majority of known variations for a worldwide installed base of windows machines.

Regards, Doug
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug,

> File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22.

Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped.

> Just that windows doesn't guarantee case in names. For example, on my login, the current tickets show up as
> HOST/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> HOST/[EMAIL PROTECTED]
> HOST/[EMAIL PROTECTED]

Your tickets where? From kerbtray.exe? Or on a Unix box? I just am not seeing this case permutation you claim. What is the list of SPNs for that Samba account in AD? Can you tell what applications are generating these requests so I can reproduce it?

PS: I asked our Apache guy (at Centeris) who is working with mod_auth_kerb and he claims that krb5 authentication to http://SerVer.ExaMple.COM still gets a ticket for HTTP/server.example.com which supports my theory about tickets based on SPN values.

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Scott Armstrong wrote:

> I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory.

I'm still working on the keytab code. There will be more updates. Sorry I couldn't get everything done for 3.0.23.

You are correct. I'm going to see if we can slip my keytab fixes into 3.0.23a. Here's what has happened. 'net ads join' was rewritten to be like WinXP, using ms-rpc rather than doing ldap modify requests. The end result is that non-admins can now join Samba boxes to a domain just like they can a Windows client (if the admin has granted the normal privileges). But now we are no longer guaranteed to be able to create the UPN. You can however always run 'kinit -k machine$'.

In Windows 2000 domains the UPN affects the DES salting principal. I can add code to attempt to add the UPN if you like, but since 'kinit -k machine$' always works, that seems like a better solution.

> Whether this is an issue for others or not, it would be nice to have seen a reference to it in the release notes. Since having the user principal in the keytab and a cron job to renew the ticket are critical for me to use pam_krb5, I'm going to attempt to figure out what code needs to be added back from 3.0.22. In the defense of the authors, examining a Win2k3 server does not show the userPrincipal value being set, although I sort of considered this functionality to be the primary aim in using Samba for the keytab management.

I'm attaching a patch against 3.0.23. It does two things:

* Removes the guesswork from deriving the DES salting principal
* Cleans up the keytab generation and restricts keys to the single DES and RC4-HMAC keys.

The resulting keytab looks like (I've removed the realm names in the message for better formatting):

  ktutil:  list -e
  slot KVNO Principal
  ---- ---- ---------------------------------------------------------
     1    6 host/suse10.plainjoe.org (DES cbc mode with CRC-32)
     2    6 host/suse10.plainjoe.org (DES cbc mode with RSA-MD5)
     3    6 host/suse10.plainjoe.org (ArcFour with HMAC/md5)
     4    6 host/suse10 (DES cbc mode with CRC-32)
     5    6 host/suse10 (DES cbc mode with RSA-MD5)
     6    6 host/suse10 (ArcFour with HMAC/md5)
     7    6 suse10$ (DES cbc mode with CRC-32)
     8    6 suse10$ (DES cbc mode with RSA-MD5)
     9    6 suse10$ (ArcFour with HMAC/md5)

If the machine has a UPN, that will be added as well. So if you precreate the machine account with a UPN and join the domain, you would see it in the list above.

> While I'm on my soap box, would it be possible to hear some clarification on the value of some of the principals created in the keytab (MIT Kerberos)? When I look at Active Directory using ADSI Edit, I see 4 servicePrincipal values created as a result of net ads join - host/host, host/fqdn, cifs/host, cifs/fqdn.

I had the same reaction when I started looking at the code. There should only be two. There are now (with my latest changes). Here's the deal. Windows will think principals such as cifs/ to the host/... SPN. See this URL: http://support.microsoft.com/kb/326985/en-us

Now Windows doesn't actually store a keytab per se. It just generates the keys on the fly. See this URL: http://mailman.mit.edu/pipermail/kerberos/2005-July/008167.html

I feel that the current keytab generation is broken. It is trying to add entries to handle multiple case permutations.

> No offense intended, but what is the purpose of adding the variations of case, especially with respect to the FQDN? Too much guessing IMO.
>
> When I look at the tickets that are the result of making connections from one Win2K3 server to another, the principals simply reflect the form of the requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com yields principal cifs/[EMAIL PROTECTED] What am I missing?

My experience has been that the principals in the service ticket match the SPN values in AD. I don't see all of this case permutation people are claiming.

The patch is a work in progress so any feedback would be appreciated.

cheers, jerry

=== modified file 'source/include/rpc_ds.h' --- source/include/rpc_ds.h +++ source/include/rpc_ds.h @@ -48,6 +48,13 @@ #define DSROLE_DOMAIN_MEMBER_SRV 3 #define DSROLE_BDC
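Review bot: the hunk for source/include/rpc_ds.h is cut off right after the @@ -48,6 +48,13 @@ header and its first context lines (#define DSROLE_DOMAIN_MEMBER_SRV 3, #define DSROLE_BDC), so the seven added lines the header announces are not visible and the new definitions cannot be checked against the keytab changes the message describes; please resend the attachment or a link to the full diff.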
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Scott Armstrong wrote:

> Things still worked fine for existing domain members. I only noticed it because I added a new system to the domain. Lines 962-964 of utils/net_ads.c have comments about the upn but it's never being added. I rarely program in C so this may not be the best way to do it, but I modified line 977 to
>
>   if (!(host_upn = talloc_asprintf(ctx, "host/%s@%s", my_fqdn, ads_s->config.realm)))
>
> and added the following
>
>   ads_mod_str(ctx, mods, "userPrincipalName", host_upn);
>
> following line 988.

Yeah. That would achieve what you want.

> I used the convention which I'm accustomed to, which is that the host should be added in fqdn form since I was modifying the code myself. i.e. host/[EMAIL PROTECTED]

Help me understand how you use 'kinit -k'. What kind of cron jobs are these? And why can't you use 'kinit -k machine$'?

ciao, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Scott Armstrong wrote:

>> And why can't you use 'kinit -k machine$'?
>
> I probably could do that but I had been trying to keep things as close to the way I had been creating machine principals when using an MIT KDC - host/[EMAIL PROTECTED] The kinit command I'm using is
>
>   kinit -p -k host/[EMAIL PROTECTED]
>
> I also have a weekly cron job to automatically change the machine trust password since I believe I read in one of the mailings that it wasn't handled automatically yet.

If the only reason for the UPN is so it's more like MIT, then I'm inclined to push back and say just precreate the machine account with a UPN before joining the domain. Or I could add a switch to 'net ads join' that said create the UPN. I don't really want to make it default behavior. Would that be acceptable?

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Scott Armstrong wrote:

>> Or I could add a switch to 'net ads join' that said create the UPN. I don't really want to make it default behavior. Would that be acceptable?
>
> That would be fine, although if you can allow the format of the hostname to be controllable that would be a bonus. I think allowing as much as possible to be done at the time the machine account is created is best.

I'll have to check on the semantic checking for the UPN attribute. I'd rather (for safety's sake) just give it a value: host/${dNSHostName} attribute. That way we know we are consistent.

> It's pretty labor intensive to have to log onto the Windows DC afterward and run ADSIEdit in order to achieve the same result that was the default before the code rewrite.

Yeah, but the previous default required you to have more rights than a Windows client required, so we got slammed for that.

cheers, jerry
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
>> No offense intended, but what is the purpose of adding the variations of case, especially with respect to the FQDN? Too much guessing IMO.

True. Very true. But I'll chime in with: we got there after numerous authentication failures at different sites. It always seemed there had to be a different way, because the MS writeup of creating a user account, generating a keytab, and exporting to the target system prior to the join worked with only 1 entry. A UPN. I tried real hard, but was unable to ever generate a keytab UPN on a machine account. I argued it was overkill at the time, but Redhat's enterprise issues went away. It was one of their people who did the basic patch, with Jeremy heavily editing.

>> When I look at the tickets that are the result of making connections from one Win2K3 server to another, the principals simply reflect the form of the requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com yields principal cifs/[EMAIL PROTECTED] What am I missing?
>
> My experience has been that the principals in the service ticket match the SPN values in AD. I don't see all of this case permutation people are claiming.
>
> The patch is a work in progress so any feedback would be appreciated.

Jerry,

Give me a couple days to get samba current across multiple servers, then I'll remove and re-add one of the old problem servers and diagnose what I get. I may even go so far as to create a brand new server in vm and join it and access it from various unix and windows A/D platforms.

Am I right in understanding the rewrite will require the in-addr.arpa to resolve to the same dns domain as the realm?

Ticket case variations are what show up when clients access the samba servers, using klist or kerbtray. It could be a case of: because they exist, they get used. Except for the first letter upcase, all others downcase. I traced that using ethereal, patched samba to generate it in the keytab, and things started working. I remember distinctly. Unless Jeremy did something behind the scenes at the same time that I downloaded using svn. As in private/secrets.tdb. Magic there.

FWIW - my experience with windows is that it was written with a certain amount of heuristics, in that a learned behavior will continue to be used until it fails, at which time the code falls into a different procedure that, if successful, will be used until it fails, etc. This is why users document different behaviors in what appears on the surface the same environment.

Regards, Doug
RE: [Samba] Kerberos Keytab Code Update in 3.0.23
Jerry,

Things still worked fine for existing domain members. I only noticed it because I added a new system to the domain. Lines 962-964 of utils/net_ads.c have comments about the upn but it's never being added. I rarely program in C so this may not be the best way to do it, but I modified line 977 to

  if (!(host_upn = talloc_asprintf(ctx, "host/%s@%s", my_fqdn, ads_s->config.realm)))

and added the following

  ads_mod_str(ctx, mods, "userPrincipalName", host_upn);

following line 988. I used the convention which I'm accustomed to, which is that the host should be added in fqdn form since I was modifying the code myself. i.e. host/[EMAIL PROTECTED] If you want to mimic the previous behavior you would use the short, lowercase host name instead of the fqdn.

I've also been adding

  permitted_enctypes = rc4-hmac des-cbc-md5

to /etc/krb5.conf because it makes no sense to me to add encryption types to the keytab that the server doesn't support. I've also performed a little pruning of the service principals in libads/kerberos_keytab.c to eliminate all the case variations, as I believe this should be handled dynamically if it's needed.

Thanks, Scott

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 13, 2006 1:47 PM
To: Doug VanLeuven
Cc: Scott Armstrong; samba@lists.samba.org
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23
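Added example, not Samba's or MIT's code, tying together Jerry's ktutil listing earlier in the thread and Scott's permitted_enctypes pruning: it parses a `klist -ke` listing, checks that the three principal forms from that listing (host/fqdn, host/shortname, machine$) carry a key for every permitted enctype, reports enctypes present in the keytab that krb5.conf does not permit, and flags principals that differ only by case. The sample listing, its hostname suse10.plainjoe.org and realm PLAINJOE.ORG are constructed for this example.

```python
"""Audit a `klist -ke` listing against the principal set described in the thread
(host/fqdn, host/shortname, machine$) and the enctypes permitted in krb5.conf,
and flag case-variant entries. Added example for this thread, not Samba code."""
import re

# klist prints enctypes by description; map the three from the thread back
# to the names used for permitted_enctypes in krb5.conf.
ENCTYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "rc4-hmac",
}
# One klist -ke entry: KVNO, principal@REALM, (enctype description)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")

# Constructed sample in klist -ke format; hostname and realm are assumptions.
SAMPLE_KLIST = """\
KVNO Principal
   6 host/suse10.plainjoe.org@PLAINJOE.ORG (DES cbc mode with CRC-32)
   6 host/suse10.plainjoe.org@PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6 host/suse10.plainjoe.org@PLAINJOE.ORG (ArcFour with HMAC/md5)
   6 host/suse10@PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6 host/SUSE10@PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6 suse10$@PLAINJOE.ORG (ArcFour with HMAC/md5)
"""

def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples from klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, princ, realm, desc = m.groups()
            entries.append((int(kvno), princ, realm, ENCTYPE_NAMES.get(desc, desc)))
    return entries

def expected_principals(fqdn):
    """The three principal forms shown in the thread's ktutil listing."""
    short = fqdn.split(".")[0]
    return {"host/" + fqdn, "host/" + short, short + "$"}

def audit(text, fqdn, permitted):
    """Report missing expected keys, enctypes outside `permitted`, and
    principals that differ only by case (the guesswork entries)."""
    entries = parse_klist(text)
    have = {(p, e) for _, p, _, e in entries}
    missing = sorted((p, e) for p in expected_principals(fqdn)
                     for e in permitted if (p, e) not in have)
    disallowed = sorted({e for _, _, _, e in entries if e not in permitted})
    by_lower = {}
    for _, p, _, _ in entries:
        by_lower.setdefault(p.lower(), set()).add(p)
    variants = sorted(sorted(v) for v in by_lower.values() if len(v) > 1)
    return {"missing": missing, "disallowed": disallowed, "case_variants": variants}
```

Run against real output with `audit(open("klist.txt").read(), fqdn, ["des-cbc-md5", "rc4-hmac"])` to mirror Scott's permitted_enctypes line.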
RE: [Samba] Kerberos Keytab Code Update in 3.0.23
Jerry,

>> I used the convention which I'm accustomed to, which is that the host should be added in fqdn form since I was modifying the code myself. i.e. host/[EMAIL PROTECTED]
>
> Help me understand how you use 'kinit -k'. What kind of cron jobs are these? And why can't you use 'kinit -k machine$'?

I probably could do that but I had been trying to keep things as close to the way I had been creating machine principals when using an MIT KDC - host/[EMAIL PROTECTED] The kinit command I'm using is

  kinit -p -k host/[EMAIL PROTECTED]

I also have a weekly cron job to automatically change the machine trust password since I believe I read in one of the mailings that it wasn't handled automatically yet.

Thanks, Scott
RE: [Samba] Kerberos Keytab Code Update in 3.0.23
> If the only reason for the UPN is so it's more like MIT, then I'm inclined to push back and say just precreate the machine account with a UPN before joining the domain. Or I could add a switch to 'net ads join' that said create the UPN. I don't really want to make it default behavior. Would that be acceptable?

That would be fine, although if you can allow the format of the hostname to be controllable that would be a bonus. I think allowing as much as possible to be done at the time the machine account is created is best. It's pretty labor intensive to have to log onto the Windows DC afterward and run ADSIEdit in order to achieve the same result that was the default before the code rewrite.

Thanks, Scott