[Bug 553342] [NEW] spnego references incorrect realm via winbind when joined to AD and spnego is enabled

Aaron J. Zirbes ajz at umn.edu
Thu Apr 1 15:27:17 BST 2010


Public bug reported:

Binary package hint: samba

After successfully joining a Windows 2008 AD domain, spnego via winbind passes an incorrect principal to
    libsmb/clikrb5.c:852: ads_krb5_mk_req()

This happens immediately on startup.

The principal should be based on the REALM, not the WORKGROUP.

I think the fix involves cli_session_setup_spnego() guessing a little
better at the realm name that it gets back from the
spnego_parse_negTokenInit() function, by checking if the principal
returned is @DOMAIN, and then replacing the principal as @REALM?

Thoughts?

Principal Passed: dc$@AD
Expected Principal: dc$@AD.UMN.EDU

smb.conf:
[global]

   # Name
   netbios name = enhs-samba-test

   # AD Membership pointers
   workgroup = AD
   security = ADS
   realm = AD.UMN.EDU
   preferred master = no

   # Security options
   encrypt passwords = true
   guest account = nobody
   client plaintext auth = no
   client lanman auth = no
   client ntlmv2 auth = yes
   client signing = yes
   client schannel = yes
   client use spnego = yes
   ntlm auth = no
   lanman auth = no

   # Active Directory user mapping options
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999

   winbind use default domain = yes
   winbind offline logon = true
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes

log.winbindd log when running at log level = 1 :

[2010/04/01 08:50:11,  1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_get_credentials failed for dcstp2$@AD (Cannot resolve network address for KDC in requested realm)
[2010/04/01 08:50:11,  1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm

log.winbindd log when running at log level = 99 :

[2010/04/01 09:10:35, 10] libads/kerberos.c:187(kerberos_kinit_password_ext)
  kerberos_kinit_password: as ENHS-SAMBA-TEST$@AD.UMN.EDU using [MEMORY:cliconnect] as ccache and config [(null)]
[2010/04/01 09:10:35,  3] libsmb/cliconnect.c:1018(cli_session_setup_spnego)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2010/04/01 09:10:35,  3] libsmb/cliconnect.c:1047(cli_session_setup_spnego)
  cli_session_setup_spnego: guessed server principal=dcwb2$@AD
[2010/04/01 09:10:35,  2] libsmb/cliconnect.c:738(cli_session_setup_kerberos)
  Doing kerberos session setup
[2010/04/01 09:10:35,  1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_get_credentials failed for dcwb2$@AD (Cannot resolve network address for KDC in requested realm)
[2010/04/01 09:10:35,  1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm


... for now I'll just turn spnego off, but this could be fixed.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

-- 
spnego references incorrect realm via winbind when joined to AD and spnego is enabled
https://bugs.launchpad.net/bugs/553342
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.
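
The check proposed in the report, sketched as an added example that is not part of the original message and is not Samba code: if the guessed principal's realm is just the short workgroup name, swap in the configured realm. The function name fix_guessed_realm is hypothetical, and the sample values are constructed from the report's log lines and smb.conf.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not a Samba function.
 * Returns 1 if the realm was rewritten, 0 if the principal was copied
 * unchanged, -1 on bad input or if the result does not fit in out. */
int fix_guessed_realm(const char *principal, const char *workgroup,
                      const char *realm, char *out, size_t outlen)
{
    const char *at;
    int n;

    if (!principal || !workgroup || !realm || !out || outlen == 0)
        return -1;

    /* The realm is whatever follows the last '@'. */
    at = strrchr(principal, '@');

    /* No realm part, or a realm that is not the short workgroup name:
     * leave the principal alone. NetBIOS names are case-insensitive. */
    if (at == NULL || strcasecmp(at + 1, workgroup) != 0) {
        n = snprintf(out, outlen, "%s", principal);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }

    /* Without a configured realm there is nothing to substitute. */
    if (realm[0] == '\0')
        return -1;

    /* Keep "name$" and swap the realm, e.g. dc$@AD -> dc$@AD.UMN.EDU. */
    n = snprintf(out, outlen, "%.*s@%s", (int)(at - principal), principal, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs based on the report's log and smb.conf values. */
    const char *samples[] = { "dcwb2$@AD", "dcwb2$@AD.UMN.EDU", "dcwb2$" };
    for (size_t i = 0; i < 3; i++) {
        int rc = fix_guessed_realm(samples[i], "AD", "AD.UMN.EDU", buf, sizeof buf);
        printf("%-20s -> %-20s (rc=%d)\n", samples[i], rc < 0 ? "(error)" : buf, rc);
    }
    return 0;
}
```

A truncated principal is reported as an error rather than passed on, so a too-small buffer cannot silently produce a request for a different realm.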


