Re: [Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?
Hi Paul,

I just wanted to state that I am seeing this issue as well. Haven't tried your hack yet but I plan to if a better solution won't be provided. Thanks for reporting this to the list!

Jelmer Jaarsma

Paul Sobey wrote:
>
> On Wed, 12 Nov 2008, Paul Sobey wrote:
>
>> On Wed, 5 Nov 2008, Paul Sobey wrote:
>>
>>> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to
>>> a Windows 2008 domain works perfectly, having pre-created the servername in
>>> the appropriate OU.
>>>
>>> In my winbind logs, I see the following (domain name obfuscated):
>>> [2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>>   Doing kerberos session setup
>>>
>>> [2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>>   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot
>>>   resolve network address for KDC in requested realm)
>>>
>>> [2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
>>>   network address for KDC in requested realm
>>>
>>> The realm is guessed wrongly - only the short name of the domain, rather
>>> than the fully qualified realm name, as specified in krb5.conf.
>>>
>>> My AD full name is foo.bar.com, short name FOO. My question is - when
>>> guessing the principal for the target DC, why does Samba guess 'FOO',
>>> rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain
>>> running 3.0.28 which correctly guesses the realm.
>>
>> Not sure whether this helps diagnose, but I just upgraded my Linux desktop to
>> Samba 3.2.4 and now get exactly the same error - winbind is refusing to
>> authenticate me at all. In my pam.conf I have krb5_auth set to try and make
>> winbind authenticate me via kerberos.
>>
>> How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm
>> wrong when authenticating against Windows 2008. I thought it was a Solaris
>> issue before but it seems to be OS independent. Is anybody else seeing it?
>
> Not sure whether this helps anybody, but by patching the source of
> libsmb/cliconnect.c with the following, ie hard coding the proper name of
> the Kerberos realm, the error goes away.
>
> 893a894
> > DEBUG(3,("cli_session_setup_spnego: dest_realm is %s\n", dest_realm));
> 895a897,900
> > DEBUG(3,("cli_session_setup_spnego: hacking realm!\n", dest_realm));
> > realm = SMB_STRDUP("FOO.BAR.COM");
> > strupper_m(realm);
> > DEBUG(3,("cli_session_setup_spnego: realm is now %s\n", realm));
> 896a902
> > DEBUG(3,("cli_session_setup_spnego: getting realm from cache\n", realm));
>
> To reiterate - under 3.2.4 code, 'realm' gets set to 'FOO', rather than
> 'FOO.BAR.COM'.
>
> Difference in winbind logs:
>
> Bad version:
>
> [2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
>   got [EMAIL PROTECTED]
>
> [2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
>   cli_session_setup_spnego: got a bad server principal, trying to guess ...
>
> [2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
>   cli_session_setup_spnego: guessed server [EMAIL PROTECTED]
>
> [2008/11/12 15:49:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>   Doing kerberos session setup
>
> [2008/11/12 15:49:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED]
>   (Cannot resolve network address for KDC in requested realm)
>
> [2008/11/12 15:49:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>   resolve network address for KDC in requested realm
>
> [2008/11/12 15:49:17, 4] winbindd/winbindd_cm.c:cm_prepare_connection(843)
>   failed kerberos session setup with Cannot resolve network address for
>   KDC in requested realm
>
> [2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(804)
>   Doing spnego session setup (blob length=124)
>
> Hacked version:
>
> [2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
>   got [EMAIL PROTECTED]
> [2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
>   cli_session_setup_spnego: got a bad server principal, trying to guess ...
> [2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(894)
>   cli_session_setup_spnego: dest_realm is FOO
> [2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(897)
>   cli_session_setup_spnego: hacking realm!
> [2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(900)
>   cli_session_setup_spnego: realm is now FOO.BAR.COM
> [2008/11/12 18:23:55
Re: [Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?
On Wed, 12 Nov 2008, Paul Sobey wrote:

> On Wed, 5 Nov 2008, Paul Sobey wrote:
>
>> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to
>> a Windows 2008 domain works perfectly, having pre-created the servername in
>> the appropriate OU.
>>
>> In my winbind logs, I see the following (domain name obfuscated):
>> [2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>   Doing kerberos session setup
>> [2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot
>>   resolve network address for KDC in requested realm)
>> [2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
>>   network address for KDC in requested realm
>>
>> The realm is guessed wrongly - only the short name of the domain, rather
>> than the fully qualified realm name, as specified in krb5.conf.
>>
>> My AD full name is foo.bar.com, short name FOO. My question is - when
>> guessing the principal for the target DC, why does Samba guess 'FOO',
>> rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain
>> running 3.0.28 which correctly guesses the realm.
>
> Not sure whether this helps diagnose, but I just upgraded my Linux desktop to
> Samba 3.2.4 and now get exactly the same error - winbind is refusing to
> authenticate me at all. In my pam.conf I have krb5_auth set to try and make
> winbind authenticate me via kerberos.
>
> How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm
> wrong when authenticating against Windows 2008. I thought it was a Solaris
> issue before but it seems to be OS independent. Is anybody else seeing it?

Not sure whether this helps anybody, but by patching the source of
libsmb/cliconnect.c with the following, ie hard coding the proper name of
the Kerberos realm, the error goes away.
893a894
> DEBUG(3,("cli_session_setup_spnego: dest_realm is %s\n", dest_realm));
895a897,900
> DEBUG(3,("cli_session_setup_spnego: hacking realm!\n", dest_realm));
> realm = SMB_STRDUP("FOO.BAR.COM");
> strupper_m(realm);
> DEBUG(3,("cli_session_setup_spnego: realm is now %s\n", realm));
896a902
> DEBUG(3,("cli_session_setup_spnego: getting realm from cache\n", realm));

To reiterate - under 3.2.4 code, 'realm' gets set to 'FOO', rather than
'FOO.BAR.COM'.

Difference in winbind logs:

Bad version:

[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got [EMAIL PROTECTED]
[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
  cli_session_setup_spnego: guessed server [EMAIL PROTECTED]
[2008/11/12 15:49:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/12 15:49:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED]
  (Cannot resolve network address for KDC in requested realm)
[2008/11/12 15:49:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
  resolve network address for KDC in requested realm
[2008/11/12 15:49:17, 4] winbindd/winbindd_cm.c:cm_prepare_connection(843)
  failed kerberos session setup with Cannot resolve network address for
  KDC in requested realm
[2008/11/12 15:49:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(804)
  Doing spnego session setup (blob length=124)

Hacked version:

[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got [EMAIL PROTECTED]
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
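Review bot: the DEBUG calls added by the 895a897,900 and 896a902 hunks pass an argument (`dest_realm`, `realm`) to format strings that contain no %s ("hacking realm!\n", "getting realm from cache\n"); add the conversion or drop the argument. The substantive problem is `realm = SMB_STRDUP("FOO.BAR.COM");` in 895a897,900: it compiles one site's realm into libsmb, so the resulting binary only authenticates against that domain, and if `realm` already pointed at an allocated string at that point it is leaked. As a diagnostic it does its job, since the surrounding DEBUG output shows `dest_realm is FOO` being replaced by the realm that krb5_get_credentials can resolve; a fix should derive the realm from configuration (the smb.conf `realm` setting or the krb5.conf mapping for the DC's DNS name) rather than from a constant.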
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(894)
  cli_session_setup_spnego: dest_realm is FOO
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(897)
  cli_session_setup_spnego: hacking realm!
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(900)
  cli_session_setup_spnego: realm is now FOO.BAR.COM
[2008/11/12 18:23:55, 3] libsmb/cliconnect.c:cli_session_setup_spnego(914)
  cli_session_setup_spnego: guessed server [EMAIL PROTECTED]
[2008/11/12 18:23:55, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/12 18:23:55, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration
  Thu, 13 Nov 2008 04:23:55 GMT
[2008/11/12 18:23:55, 3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as O
Re: [Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?
On Wed, 5 Nov 2008, Paul Sobey wrote:

> I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to
> a Windows 2008 domain works perfectly, having pre-created the servername in
> the appropriate OU.
>
> In my winbind logs, I see the following (domain name obfuscated):
> [2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>   Doing kerberos session setup
> [2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot
>   resolve network address for KDC in requested realm)
> [2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
>   network address for KDC in requested realm
>
> The realm is guessed wrongly - only the short name of the domain, rather
> than the fully qualified realm name, as specified in krb5.conf.
>
> My AD full name is foo.bar.com, short name FOO. My question is - when
> guessing the principal for the target DC, why does Samba guess 'FOO',
> rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain
> running 3.0.28 which correctly guesses the realm.

Not sure whether this helps diagnose, but I just upgraded my Linux desktop to
Samba 3.2.4 and now get exactly the same error - winbind is refusing to
authenticate me at all. In my pam.conf I have krb5_auth set to try and make
winbind authenticate me via kerberos.

How can I troubleshoot this? It seems Samba 3.2.4 gets the Kerberos realm
wrong when authenticating against Windows 2008. I thought it was a Solaris
issue before but it seems to be OS independent. Is anybody else seeing it?

Cheers,
Paul
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba, Solaris, Windows 2008 - Kerberos Guess Realm Wrong?
I've just built Samba 3.2.4 on Solaris 10, with ADS support. Domain join to
a Windows 2008 domain works perfectly, having pre-created the servername in
the appropriate OU.

In my winbind logs, I see the following (domain name obfuscated):

[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(839)
  got [EMAIL PROTECTED]
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
  cli_session_setup_spnego: guessed server [EMAIL PROTECTED]
[2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot
  resolve network address for KDC in requested realm)
[2008/11/05 11:28:06, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve
  network address for KDC in requested realm

The realm is guessed wrongly - only the short name of the domain, rather
than the fully qualified realm name, as specified in krb5.conf.

My AD full name is foo.bar.com, short name FOO. My question is - when
guessing the principal for the target DC, why does Samba guess 'FOO',
rather than 'FOO.BAR.COM'? I have a Linux machine joined to the same domain
running 3.0.28 which correctly guesses the realm.

[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
  got [EMAIL PROTECTED]
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(880)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/11/05 08:48:44, 3] libsmb/cliconnect.c:cli_session_setup_spnego(903)
  cli_session_setup_spnego: guessed server [EMAIL PROTECTED]

Relevant pieces from smb.conf:

realm = FOO.BAR.COM
workgroup = FOO
winbind separator = +
winbind use default domain = yes
idmap backend = ad
winbind nss info = rfc2307
use kerberos keytab = yes
client lanman auth = no
client ntlmv2 auth = yes
idmap uid = 1-15000
idmap gid = 5000-6000
winbind refresh tickets = yes

As far as I can tell, name resolution etc. is correct on both machines.
Net ads status returns proper (fqdn) names, and klist -k shows fully
qualified principals populated into the keytab file by net ads join.
I should add that wbinfo -u returns the correct users, as does getent
passwd (with uids, gids, etc. as expected).

My concern is that because Kerberos negotiation is apparently failing,
winbind is falling back to ntlm methods of authentication, which I'd
rather avoid. If the error message I'm seeing is benign and I should
ignore it, let me know.

Cheers,
Paul
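A check for the symptom Paul describes, added here as an example and not code from the thread or from Samba: it scans winbind log lines for a "guessed server" principal whose realm disagrees with the krb5.conf [domain_realm] mapping for the DC's hostname and is followed by the KDC-resolution error, which separates a wrong realm guess from an ordinary DNS or krb5.conf problem. The log layout follows the lines quoted above; the principal cifs/dc1.foo.bar.com and the domain_realm mapping are constructed, since the archive obfuscated the real principals.

```python
"""Flag the short-name realm guess Paul describes (added example, not from
the thread or Samba). Log format follows the winbind lines quoted above;
principals are constructed, since the archive obfuscated the real ones."""
import re

# Constructed sample: the line sequence the thread reports for 3.2.4.
SAMPLE_LOG = """\
[2008/11/05 11:28:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(908)
  cli_session_setup_spnego: guessed server cifs/dc1.foo.bar.com@FOO
[2008/11/05 11:28:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2008/11/05 11:28:06, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for cifs/dc1.foo.bar.com@FOO (Cannot resolve network address for KDC in requested realm)
"""

GUESSED_RE = re.compile(r"guessed server (\S+)@(\S+)")
KDC_FAIL = "Cannot resolve network address for KDC in requested realm"

def expected_realm(host, domain_realm, default_realm):
    """Realm krb5.conf would give `host`: the longest matching [domain_realm]
    suffix key (dot-prefixed, e.g. ".foo.bar.com") wins, else default_realm."""
    host = host.lower()
    match = None
    for suffix, realm in domain_realm.items():
        s = suffix.lower()
        if host.endswith(s) and (match is None or len(s) > len(match[0])):
            match = (s, realm)
    return match[1] if match else default_realm

def find_bad_realm_guesses(log_text, domain_realm, default_realm, window=8):
    """Return (service_principal, guessed_realm, expected_realm) for every
    'guessed server' line whose realm differs from the krb5.conf mapping and
    is followed within `window` lines by the KDC-resolution error. A guess
    that matches the mapping is not reported: that failure is DNS/krb5.conf."""
    findings = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = GUESSED_RE.search(line)
        if not m:
            continue
        service, realm = m.groups()
        host = service.split("/", 1)[-1]  # cifs/dc1.foo.bar.com -> dc1.foo.bar.com
        want = expected_realm(host, domain_realm, default_realm)
        failed = any(KDC_FAIL in later for later in lines[i + 1:i + 1 + window])
        if realm != want and failed:
            findings.append((service, realm, want))
    return findings

if __name__ == "__main__":
    for svc, got, want in find_bad_realm_guesses(SAMPLE_LOG, {".foo.bar.com": "FOO.BAR.COM"}, "FOO.BAR.COM"):
        print("%s: realm guessed as %s, krb5.conf maps the host to %s" % (svc, got, want))
```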