[Sorry, lengthy post]
I ran a few tests, and I think I can at least partially confirm this bug.

In order to get things working at all, I had to remove the 'server'
option from the command John Kristensen shows. Our AD servers are four,
and not all may be running all services at all times. So I let msktutil
figure out which server to contact.
And I have to add the 'base' option, or msktutil will complain I'm
trying to change entries that don't exist, or that I have no permission.
All this makes sense to me.

Well then, there are two machines:
1. 'testbox' runs Debian Sid, upgraded through Wheezy from Squeeze.
   I just set it up for this test.
2. 'adbox' runs Debian Squeeze. It's joined to the AD domain using
   msktutil. Its msktutil doesn't have the hardening patch applied that
   Tony Mancill created for Sid, because that won't compile on Squeeze.


First I figured out that on adbox, the following command works, either
with or without the verbose flag:
jurjen@adbox:~$ sudo msktutil --create --computer-name $(hostname)
--base "<base>" --user-creds-only --verbose
 -- init_password: Wiping the computer password structure
 -- get_dc_host: Attempting to find a Domain Controller to use
 -- get_dc_host: Found Domain Controller: add04.subdomain.mydomain.com
 -- get_default_keytab: Obtaining the default keytab name:
FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-49oUKt
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: adbox$
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server:
add04.subdomain.mydomain.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server:
add04.subdomain.mydomain.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: <JOINER>@<MYDOMAIN.COM>
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base:
dc=SUBDOMAIN,dc=MYDOMAIN,dc=COM
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 82
 -- ldap_check_account: Checking that a computer account for adbox$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x1000

 -- ldap_check_account: Found supportedEncryptionTypes = 28

 -- ldap_check_account: Found dNSHostName = adbox.mydomain.com

 -- ldap_check_account:   Found Principal: host/adbox.mydomain.com
 -- ldap_check_account_strings: Inspecting (and updating) computer
account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28

 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 129984079622639054
 -- set_password: Successfully set password, waiting for it to be
reflected in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 129984086392282638
 -- set_password: Successfully reset computer's password
 -- execute: Updating all entries for adbox.mydomain.com in the keytab
WRFILE:/etc/krb5.keytab

 -- update_keytab: Updating all entires for adbox$
 -- ldap_get_kvno: KVNO is 9
 -- add_principal_keytab: Adding principal to keytab: adbox$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab:
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of
MYDOMAIN.COMhostadbox.mydomain.com
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

jurjen@adbox:~$ sudo klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: <JOINER>@<MYDOMAIN.COM>

  Issued           Expires          Principal
Nov 26 11:25:06  Nov 26 21:25:06  krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
Nov 26 11:25:09  Nov 26 21:25:06
ldap/add04.subdomain.mydomain....@mydomain.com


However, on 'testbox', the same command fails:

root@testbox:/home/jurjen# msktutil --create --computer-name $(hostname)
--base "<base>" --user-creds-only --verbose
<snip identical output>
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server:
add04.subdomain.mydomain.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server:
add04.subdomain.mydomain.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: <JOINER>@<MYDOMAIN.COM>
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
 -- ~KRB5Context: Destroying Kerberos Context


Then without the verbose flag, it shows no output, and an exit status of
0. (Pre- and post-command credential lists are as expected and identical
in all tests (whether failed or not): just the JOINER credential before,
and the add04 account apparently added during.)

So I guess Kristensen is right: --verbose induces an exit status of 1
where leaving the flag off would give 0.

I did some more testing...
Copied the msktutil binary from adbox (Squeeze, non-hardened) to
testbox (Sid, hardened): it runs successfully, with or without verbose.
Copied the msktutil binary the other way, to adbox: it fails with
--verbose, succeeds without.
The problem is likely to be in the binary, then.

Next step is probably to build without the hardening to see whether that
indeed causes the problem. But it may be some time before I find time
for that, so I'm posting now.

'gards
Jurjen
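
Since the report above shows msktutil exiting 0 after a failed run when --verbose is left off, a post-join check that does not rely on the exit status is worth having. The following is an added example, not part of the bug report or of msktutil: it parses `klist -k -e` output (MIT-style layout assumed; the sample is constructed to mirror the adbox run, with kvno 9 and the three enctypes 0x17/0x11/0x12 the log lists) and confirms every expected principal has all three entries.

```shell
#!/bin/sh
# Added example: verify the keytab really holds the entries msktutil
# logged, instead of trusting its exit status.
# Assumption: MIT-style "klist -k -e" layout ("KVNO Principal (enctype)").
# The sample below is constructed, not captured from a real host.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 adbox$@MYDOMAIN.COM (arcfour-hmac)
   9 adbox$@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   9 adbox$@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   9 host/adbox.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
   9 host/adbox.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   9 host/adbox.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_entry <klist-output> <kvno> <principal> <enctype-name>
# Returns 0 when a line with that kvno, principal and enctype exists.
# The principal is matched up to its "@" so "adbox$" cannot match
# "host/adbox.mydomain.com" by prefix.
keytab_has_entry() {
    printf '%s\n' "$1" | awk -v k="$2" -v p="$3" -v e="$4" \
        '$1 == k && index($0, p "@") && index($0, e) { found = 1 }
         END { exit !found }'
}

# keytab_verify <klist-output> <kvno> <principal>...
# Checks that every principal has the three enctypes msktutil logged
# (0x17 arcfour, 0x11 aes128, 0x12 aes256) at the expected KVNO.
# Returns 1 and reports each missing entry on stderr otherwise.
keytab_verify() {
    out=$1; kvno=$2; shift 2
    rc=0
    for princ in "$@"; do
        for enc in arcfour-hmac aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96; do
            if ! keytab_has_entry "$out" "$kvno" "$princ" "$enc"; then
                echo "missing keytab entry: kvno $kvno $princ ($enc)" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Real use on a joined host (kvno taken from the ldap_get_kvno log line):
#   keytab_verify "$(klist -k -e /etc/krb5.keytab)" 9 'adbox$' 'host/adbox.mydomain.com'
```

A run of this check after msktutil, rather than `$?`, is what tells you whether the password reset and keytab update actually happened.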

