Re: [Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?

A discussion within the Samba forums, part of the Networking and Network Related category.
On Wed, 12 Nov 2008, Paul Sobey wrote:

> On Wed, 5 Nov 2008, Paul Sobey wrote:
>
>> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to
>> a Windows 2008 domain works perfectly, having pre-created the servername in
>> the appropriate OU.
>>
>> In my winbind logs, I see the following (domain name obfuscated):
>>
>> [2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>   Doing kerberos session setup
>>
>> [2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>   ads_krb5_mk_req: krb5_get_credentials failed for server$@FOO (Cannot
>>   resolve network address for KDC in requested realm)
>>
>> [2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
>>   network address for KDC in requested realm
>>
>> The realm is guessed wrongly - only the short name of the domain, rather
>> than the fully qualified realm name, as specified in krb5.conf.
>>
>> My AD full name is foo.bar.com, short name FOO. My question is - when
>> guessing the principal for the target DC, why does Samba guess 'FOO',
>> rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain
>> running 3.0.28 which correctly guesses the realm.
>
> Not sure whether this helps diagnose, but I just upgraded my Linux desktop to
> Samba 3.2.4 and now get exactly the same error - winbind is refusing to
> authenticate me at all. In my pam.conf I have krb5_auth set to try and make
> winbind authenticate me via kerberos.
>
> How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm
> wrong when authenticating against Windows 2008. I thought it was a Solaris
> issue before but it seems to be OS independent. Is anybody else seeing it?

Not sure whether this helps anybody, but by patching the source of
libsmb/cliconnect.c with the following, i.e. hard coding the proper name of
the Kerberos realm, the error goes away.
893a894
> DEBUG(3,("cli_session_setup_spnego: dest_realm is %s\n", dest_realm));
895a897,900
> DEBUG(3,("cli_session_setup_spnego: hacking realm!\n", dest_realm));
> realm = SMB_STRDUP("FOO.BAR.COM");
> strupper_m(realm);
> DEBUG(3,("cli_session_setup_spnego: realm is now %s\n", realm));
896a902
> DEBUG(3,("cli_session_setup_spnego: getting realm from cache\n", realm));

To reiterate - under 3.2.4 code, 'realm' gets set to 'FOO', rather than
'FOO.BAR.COM'. Difference in winbind logs:

Bad version:

[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ....
[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
  cli_session_setup_spnego: guessed server principal=domaincontroller$@FOO
[2008/11/12 15:49:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/12 15:49:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for domaincontroller$@FOO (Cannot resolve network address for KDC in requested realm)
[2008/11/12 15:49:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2008/11/12 15:49:17, 4] winbindd/winbindd_cm.c:cm_prepare_connection(843)
  failed kerberos session setup with Cannot resolve network address for KDC in requested realm
[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(804)
  Doing spnego session setup (blob length=124)

Hacked version:

[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ....
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(894)
  cli_session_setup_spnego: dest_realm is FOO
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(897)
  cli_session_setup_spnego: hacking realm!
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(900)
  cli_session_setup_spnego: realm is now FOO.BAR.COM
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(914)
  cli_session_setup_spnego: guessed server principal=domaincontroller$@FOO.BAR.COM
[2008/11/12 18:23:55, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/12 18:23:55, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 13 Nov 2008 04:23:55 GMT
[2008/11/12 18:23:55, 3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/11/12 18:23:55, 5] libsmb/smb_signing.c:set_smb_signing_real_common(144)
  SMB signing enabled!

Hope this is useful for somebody.

Paul
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
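Review bot: in the 895a897,900 hunk, `realm = SMB_STRDUP("FOO.BAR.COM");` hard codes one site's realm and overwrites whatever `realm` already held at that point, so it is a diagnostic rather than a fix; the realm should come from configuration (the realm the poster says is already in krb5.conf, or the smb.conf realm setting) instead of a literal. In the same hunk, `DEBUG(3,("cli_session_setup_spnego: hacking realm!\n", dest_realm));` passes `dest_realm` with no `%s` in the format string; either add the conversion or drop the argument.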
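Review bot: in the 896a902 hunk, `DEBUG(3,("cli_session_setup_spnego: getting realm from cache\n", realm));` likewise passes `realm` with no conversion specifier and should drop the argument. Note also that line 902 never appears in the "Hacked version" log (894, 897, 900 and 914 do), so the cache path was not taken in that run and the override on the first path is what changed the guessed principal.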
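As an added illustration (not Samba's code and not the poster's patch), the following Python models the fallback the logs show: when the DC advertises only the RFC4178 placeholder principal, the client must pick a realm itself, and upper-casing the short domain name yields a realm with no KDC entry in krb5.conf, which is exactly the "Cannot resolve network address for KDC" failure. The example instead resolves the realm from a constructed krb5.conf [domain_realm] mapping for the DC's FQDN; the config, hostnames and function names are assumptions.

```python
# Constructed krb5.conf modelled on the thread: AD domain foo.bar.com is
# realm FOO.BAR.COM, NetBIOS short name FOO. The KDC hostname is made up.
KRB5_CONF = """
[realms]
    FOO.BAR.COM = {
        kdc = dc1.foo.bar.com
    }
[domain_realm]
    .foo.bar.com = FOO.BAR.COM
"""
# Placeholder principal the Windows 2008 DC advertises in the thread's logs.
BOGUS_PRINCIPAL = "not_defined_in_RFC4178@please_ignore"

def parse_krb5_conf(text):
    """Minimal parser: [realms] kdc lists and [domain_realm] mappings only."""
    kdcs, domain_realm, section, realm = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms":
            if line.endswith("{"):
                realm = line.split("=", 1)[0].strip()
                kdcs.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and line.startswith("kdc"):
                kdcs[realm].append(line.split("=", 1)[1].strip())
        elif section == "domain_realm" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            domain_realm[key.lower()] = val
    return kdcs, domain_realm
def host_realm(fqdn, domain_realm):
    """krb5-style lookup: exact hostname, then each parent domain, else None."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels)):
        key = ("" if i == 0 else ".") + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None
def guess_server_principal(dc_name, dc_fqdn, advertised, dest_realm, conf):
    """Build <dc>$@<REALM> when only the placeholder was advertised: realm from
    the DC's FQDN mapping, else the upper-cased short name (3.2.4 behaviour)."""
    kdcs, domain_realm = parse_krb5_conf(conf)
    if advertised and advertised != BOGUS_PRINCIPAL:
        principal = advertised
    else:
        realm = host_realm(dc_fqdn, domain_realm) or dest_realm.upper()
        principal = f"{dc_name}$@{realm}"
    return principal, bool(kdcs.get(principal.rsplit("@", 1)[1]))  # KDC known?
```

The second element of the returned tuple is False for `domaincontroller$@FOO` and True for `domaincontroller$@FOO.BAR.COM`, mirroring the bad and hacked log runs above.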