AS-REQ using SPN

AS-REQ using SPN

Samba - samba-technical mailing list
Hi,

I noticed that this behaviour of AS-REQ with a SPN was introduced a
little while ago. It asserted that this is in line with Windows, but I
have been making some attempts and have yet to see any Windows KDC
manage to accept such a request (so something is not quite right, or I'm
missing something). I've tried it against a 2008R2 and 2012R2 machine.

I have also seen a Kerberos client attempt such a connection, but it
fails to do any useful work as the TGS request will fail due to
HDB_F_GET_ANY not being supplied (currently still HDB_F_GET_CLIENT) in
subsequent database fetch calls. Is there a particular use case I don't
really understand here? The client seemed to work previously, so I can
only assume that when it used to fail, it triggered a fallback instead.
The only way to make it proceed is adding an additional host/XXXX@REALM in
the userPrincipalName, which refuses to be set across LDAP in the
Windows versions I've tried (but works on Samba).


Patch made to Heimdal to allow this behaviour:

Commit ID: 20dc68050df7b1b0c9d06f8251183a0a6283fcaf

     s4/heimdal: allow SPNs in AS-REQ

     This allows testing keytabs with service tickets. Windows KDCs allow
     this as well.

     Signed-off-by: Ralph Boehme <[hidden email]>
     Reviewed-by: Andreas Schneider <[hidden email]>


Cheers,

Garming


Re: AS-REQ using SPN

Hi Garming,

On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> I noticed that this behaviour of AS-REQ with a SPN was introduced a little
> while ago. It asserted that this is in line with Windows, but I have been
> making some attempts and have yet to see any Windows KDC manage to accept
> such a request (so something is not quite right, or I'm missing something).
> I've tried it against a 2008R2 and 2012R2 machine.

works here against Windows 2016:

[slow@kazak scratch]$ cat /etc/krb5.conf
[libdefaults]
        default_realm = RIVERSIDE.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        RIVERSIDE.SITE = {
                 kdc = 10.10.11.14
        }

[slow@kazak scratch]$ bin/samba4ktutil foo.keytab
foo/[hidden email] (des-cbc-crc)
foo/[hidden email] (des-cbc-md5)
foo/[hidden email] (arcfour-hmac-md5)
foo/[hidden email] (aes256-cts-hmac-sha1-96)
foo/[hidden email] (aes128-cts-hmac-sha1-96)

[slow@kazak scratch]$ bin/samba4kinit -k -t foo.keytab foo/win2016.riverside.site

[slow@kazak scratch]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: foo/[hidden email]

Valid starting       Expires              Service principal
11/15/2017 10:51:12  11/15/2017 20:48:38  krbtgt/[hidden email]

> I have also seen a Kerberos client attempt such a connection, but it fails
> to do any useful work as the TGS request will fail due to HDB_F_GET_ANY not
> being supplied (currently still HDB_F_GET_CLIENT) in subsequent database
> fetch calls. Is there a particular use case I don't really understand here?

IIRC I somehow noticed the difference in behaviour.

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
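
Ralph's listing above is what samba4ktutil prints for a keytab. As an added example (not code from the thread, from Samba or from Heimdal), here is a parser for the keytab file format those tools write, run over a keytab constructed inline with dummy key bytes; it reproduces the ktutil-style listing and also flags the DES and RC4 entries that the thread's foo.keytab still carried.

```python
import struct
from typing import List, NamedTuple

# IANA enctype numbers for the names in the thread's ktutil listing.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4 keys: flag them in a service keytab
KRB5_NT_PRINCIPAL = 1        # name type used for user and service principals alike


class KeytabEntry(NamedTuple):
    principal: str           # "comp1/comp2@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, pos: int):
    """Read a counted_octet_string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse keytab format 0x0502 (big-endian; what MIT and Heimdal tools write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # entry size, excluding this field
        pos += 4
        if size < 0:                                   # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                             # optional 32-bit kvno, if non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(principal: str, enctypes, kvno: int = 2,
                 timestamp: int = 1510742400) -> bytes:
    """Serialise one 0x0502 entry per enctype. Key bytes are dummies (constructed)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for et in enctypes:
        key = bytes([et]) * 8                          # placeholder, not real key material
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s.encode())) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", et, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def list_keytab(data: bytes) -> List[str]:
    """ktutil-style listing: 'principal (enctype)' per entry."""
    return [f"{e.principal} ({ENCTYPE_NAMES.get(e.enctype, str(e.enctype))})"
            for e in parse_keytab(data)]


def weak_entries(data: bytes) -> List[str]:
    """Entries still keyed with DES or RC4, as the thread's foo.keytab was."""
    return [line for line, e in zip(list_keytab(data), parse_keytab(data))
            if e.enctype in WEAK_ENCTYPES]


# Constructed sample mirroring the thread's foo.keytab listing (dummy keys).
SAMPLE = build_keytab("foo/win2016.riverside.site@RIVERSIDE.SITE", [1, 3, 23, 18, 17])
```

Running `print("\n".join(list_keytab(SAMPLE)))` gives the five lines of Ralph's listing with the realm spelled out.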


Re: AS-REQ using SPN

On Wed, 15 Nov 2017 10:53:36 +0100
Ralph Böhme via samba-technical <[hidden email]> wrote:

> Hi Garming,
>
> On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > I noticed that this behaviour of AS-REQ with a SPN was introduced a
> > little while ago. It asserted that this is in line with Windows,
> > but I have been making some attempts and have yet to see any
> > Windows KDC manage to accept such a request (so something is not
> > quite right, or I'm missing something). I've tried it against a
> > 2008R2 and 2012R2 machine.
>
> works here against Windows 2016:
>
> [slow@kazak scratch]$ cat /etc/krb5.conf
> [libdefaults]
>         default_realm = RIVERSIDE.SITE
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>
> [realms]
>         RIVERSIDE.SITE = {
>                  kdc = 10.10.11.14
>         }
>

Hi Ralph, would you like to try that again with the Samba recommended
krb5.conf?

Which is:

[libdefaults]
        default_realm = RIVERSIDE.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = true

Rowland


Re: AS-REQ using SPN

On Wed, Nov 15, 2017 at 10:03:58AM +0000, Rowland Penny wrote:

> On Wed, 15 Nov 2017 10:53:36 +0100
> Ralph Böhme via samba-technical <[hidden email]> wrote:
>
> > Hi Garming,
> >
> > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > I noticed that this behaviour of AS-REQ with a SPN was introduced a
> > > little while ago. It asserted that this is in line with Windows,
> > > but I have been making some attempts and have yet to see any
> > > Windows KDC manage to accept such a request (so something is not
> > > quite right, or I'm missing something). I've tried it against a
> > > 2008R2 and 2012R2 machine.
> >
> > works here against Windows 2016:
> >
> > [slow@kazak scratch]$ cat /etc/krb5.conf
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = false
> >
> > [realms]
> >         RIVERSIDE.SITE = {
> >                  kdc = 10.10.11.14
> >         }
> >
>
> Hi Ralph, would you like to try that again with the Samba recommended
> krb5.conf ?
>
> Which is:
>
> [libdefaults]
>         default_realm = RIVERSIDE.SITE
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

no, won't work. :)

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/


Re: AS-REQ using SPN

On Wed, 15 Nov 2017 11:07:30 +0100
Ralph Böhme <[hidden email]> wrote:

> On Wed, Nov 15, 2017 at 10:03:58AM +0000, Rowland Penny wrote:
> > On Wed, 15 Nov 2017 10:53:36 +0100
> > Ralph Böhme via samba-technical <[hidden email]>
> > wrote:
> >
> > > Hi Garming,
> > >
> > > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > > I noticed that this behaviour of AS-REQ with a SPN was
> > > > introduced a little while ago. It asserted that this is in line
> > > > with Windows, but I have been making some attempts and have yet
> > > > to see any Windows KDC manage to accept such a request (so
> > > > something is not quite right, or I'm missing something). I've
> > > > tried it against a 2008R2 and 2012R2 machine.
> > >
> > > works here against Windows 2016:
> > >
> > > [slow@kazak scratch]$ cat /etc/krb5.conf
> > > [libdefaults]
> > >         default_realm = RIVERSIDE.SITE
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = false
> > >
> > > [realms]
> > >         RIVERSIDE.SITE = {
> > >                  kdc = 10.10.11.14
> > >         }
> > >
> >
> > Hi Ralph, would you like to try that again with the Samba
> > recommended krb5.conf ?
> >
> > Which is:
> >
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
>
> no, won't work. :)
>
> -slow
>

Which means that either something is wrong or Samba is recommending the
wrong krb5.conf ;-)

Rowland


RE: AS-REQ using SPN

Well.

If you test, and your hostname is: " kazak scratch "
See the cat /etc/krb5.conf line.

Spaces in hostnames are not allowed and I think this makes your Kerberos fail.

Greetz,

Louis



> -----Original message-----
> From: samba-technical
> [mailto:[hidden email]] On behalf of Ralph
> Böhme via samba-technical
> Sent: Wednesday 15 November 2017 11:07
> To: Rowland Penny
> CC: [hidden email]
> Subject: Re: AS-REQ using SPN
>
> On Wed, Nov 15, 2017 at 10:03:58AM +0000, Rowland Penny wrote:
> > On Wed, 15 Nov 2017 10:53:36 +0100
> > Ralph Böhme via samba-technical
> <[hidden email]> wrote:
> >
> > > Hi Garming,
> > >
> > > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > > I noticed that this behaviour of AS-REQ with a SPN was
> introduced a
> > > > little while ago. It asserted that this is in line with Windows,
> > > > but I have been making some attempts and have yet to see any
> > > > Windows KDC manage to accept such a request (so something is not
> > > > quite right, or I'm missing something). I've tried it against a
> > > > 2008R2 and 2012R2 machine.
> > >
> > > works here against Windows 2016:
> > >
> > > [slow@kazak scratch]$ cat /etc/krb5.conf
> > > [libdefaults]
> > >         default_realm = RIVERSIDE.SITE
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = false
> > >
> > > [realms]
> > >         RIVERSIDE.SITE = {
> > >                  kdc = 10.10.11.14
> > >         }
> > >
> >
> > Hi Ralph, would you like to try that again with the Samba
> recommended
> > krb5.conf ?
> >
> > Which is:
> >
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
>
> no, won't work. :)
>
> -slow
>
> --
> Ralph Boehme, Samba Team       https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
>
>



Re: AS-REQ using SPN

On Wed, Nov 15, 2017 at 10:13:09AM +0000, Rowland Penny wrote:

> On Wed, 15 Nov 2017 11:07:30 +0100
> Ralph Böhme <[hidden email]> wrote:
>
> > On Wed, Nov 15, 2017 at 10:03:58AM +0000, Rowland Penny wrote:
> > > On Wed, 15 Nov 2017 10:53:36 +0100
> > > Ralph Böhme via samba-technical <[hidden email]>
> > > wrote:
> > >
> > > > Hi Garming,
> > > >
> > > > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > > > I noticed that this behaviour of AS-REQ with a SPN was
> > > > > introduced a little while ago. It asserted that this is in line
> > > > > with Windows, but I have been making some attempts and have yet
> > > > > to see any Windows KDC manage to accept such a request (so
> > > > > something is not quite right, or I'm missing something). I've
> > > > > tried it against a 2008R2 and 2012R2 machine.
> > > >
> > > > works here against Windows 2016:
> > > >
> > > > [slow@kazak scratch]$ cat /etc/krb5.conf
> > > > [libdefaults]
> > > >         default_realm = RIVERSIDE.SITE
> > > >         dns_lookup_realm = false
> > > >         dns_lookup_kdc = false
> > > >
> > > > [realms]
> > > >         RIVERSIDE.SITE = {
> > > >                  kdc = 10.10.11.14
> > > >         }
> > > >
> > >
> > > Hi Ralph, would you like to try that again with the Samba
> > > recommended krb5.conf ?
> > >
> > > Which is:
> > >
> > > [libdefaults]
> > >         default_realm = RIVERSIDE.SITE
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = true
> >
> > no, won't work. :)
> >
> > -slow
> >
>
> Which means that either something is wrong or Samba is recommending the
> wrong krb5.conf ;-)

Everything is all right and Samba is recommending the right default krb5.conf
for a member server. kazak is not a member server.

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/


Re: AS-REQ using SPN

On Wed, Nov 15, 2017 at 11:15:40AM +0100, L.P.H. van Belle via samba-technical wrote:
> If you test, and you hostname is : " kazak scratch "

[slow@kazak scratch]$ pwd
/home/slow/git/samba/scratch

Now guess the hostname. :)

> See the cat /etc/krb5.conf line
>
> Spaces in hostname are not allowed and i think this make your kerberos fail.

Kerberos is working just fine.

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/


RE: AS-REQ using SPN

Ah, that makes things more clear.
Now, I'm atm also working with some Kerberos things here.

Maybe this helps, maybe not, but if I look in AD with Windows tools, and I look at the SPN,
I see
HOST/HOSTNAME and
HOST/hostname.dns.dom.tld

While I'm debugging some Kerberos NFSv4 things, I noticed that some hostname lookups are done to
host/hostname$ and not HOSTNAME$

The keytab shows (all +@REALM):
HOSTNAME$
host/hostname
host/hostname.dns.dom.tld

There are some, maybe older, leftovers in my case; this setup has been running since 2015.
But that's something I noticed.

Again, maybe it brings you new ideas..


Greetz,

Louis






> -----Original message-----
> From: samba-technical
> [mailto:[hidden email]] On behalf of Ralph
> Böhme via samba-technical
> Sent: Wednesday 15 November 2017 11:33
> To: L.P.H. van Belle
> CC: [hidden email]
> Subject: Re: AS-REQ using SPN
>
> On Wed, Nov 15, 2017 at 11:15:40AM +0100, L.P.H. van Belle
> via samba-technical wrote:
> > If you test, and you hostname is : " kazak scratch "
>
> [slow@kazak scratch]$ pwd
> /home/slow/git/samba/scratch
>
> Now guess the hostname. :)
>
> > See the cat /etc/krb5.conf line
> >
> > Spaces in hostname are not allowed and i think this make
> your kerberos fail.
>
> Kerberos is working just fine.
>
> -slow
>
> --
> Ralph Boehme, Samba Team       https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
>
>



Re: AS-REQ using SPN

On Wed, 2017-11-15 at 10:53 +0100, Ralph Böhme via samba-technical
wrote:

> Hi Garming,
>
> On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > I noticed that this behaviour of AS-REQ with a SPN was introduced a little
> > while ago. It asserted that this is in line with Windows, but I have been
> > making some attempts and have yet to see any Windows KDC manage to accept
> > such a request (so something is not quite right, or I'm missing something).
> > I've tried it against a 2008R2 and 2012R2 machine.
>
> works here against Windows 2016:
>
> [slow@kazak scratch]$ cat /etc/krb5.conf
> [libdefaults]
>         default_realm = RIVERSIDE.SITE
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>
> [realms]
>         RIVERSIDE.SITE = {
>                  kdc = 10.10.11.14
>         }
>
> [slow@kazak scratch]$ bin/samba4ktutil foo.keytab
> foo/[hidden email] (des-cbc-crc)
> foo/[hidden email] (des-cbc-md5)
> foo/[hidden email] (arcfour-hmac-md5)
> foo/[hidden email] (aes256-cts-hmac-sha1-96)
> foo/[hidden email] (aes128-cts-hmac-sha1-96)
>
> [slow@kazak scratch]$ bin/samba4kinit -k -t foo.keytab foo/win2016.riverside.site
>
> [slow@kazak scratch]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: foo/[hidden email]
>
> Valid starting       Expires              Service principal
> 11/15/2017 10:51:12  11/15/2017 20:48:38  krbtgt/[hidden email]
>
> > I have also seen a Kerberos client attempt such a connection, but it fails
> > to do any useful work as the TGS request will fail due to HDB_F_GET_ANY not
> > being supplied (currently still HDB_F_GET_CLIENT) in subsequent database
> > fetch calls. Is there a particular use case I don't really understand here?
>
> Iirc I somehow noticed the difference in behaviour.

Can you show me the full LDIF for that account, and if at all possible
a network capture?  

I know this seems overkill for something that 'just works', but I'm
writing tests to lock this down and am also having trouble reproducing
this.  (I'm aiming at Windows 2012R2 so far).

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: AS-REQ using SPN

On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
wrote:

> On Wed, 15 Nov 2017 10:53:36 +0100
> Ralph Böhme via samba-technical <[hidden email]> wrote:
>
> > Hi Garming,
> >
> > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > I noticed that this behaviour of AS-REQ with a SPN was introduced a
> > > little while ago. It asserted that this is in line with Windows,
> > > but I have been making some attempts and have yet to see any
> > > Windows KDC manage to accept such a request (so something is not
> > > quite right, or I'm missing something). I've tried it against a
> > > 2008R2 and 2012R2 machine.
> >
> > works here against Windows 2016:
> >
> > [slow@kazak scratch]$ cat /etc/krb5.conf
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = false
> >
> > [realms]
> >         RIVERSIDE.SITE = {
> >                  kdc = 10.10.11.14
> >         }
> >
>
> Hi Ralph, would you like to try that again with the Samba recommended
> krb5.conf ?
>
> Which is:
>
> [libdefaults]
>         default_realm = RIVERSIDE.SITE
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>

Rowland,

For Ralph's purposes his krb5.conf is perfectly OK, and is typical for
most developer configurations.  It is very similar to what I'm using
and has no impact on the tests he is doing for me.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: AS-REQ using SPN

On Thu, 16 Nov 2017 06:54:01 +1300
Andrew Bartlett <[hidden email]> wrote:

> On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> wrote:
> > On Wed, 15 Nov 2017 10:53:36 +0100
> > Ralph Böhme via samba-technical <[hidden email]>
> > wrote:
> >
> > > Hi Garming,
> > >
> > > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > > I noticed that this behaviour of AS-REQ with a SPN was
> > > > introduced a little while ago. It asserted that this is in line
> > > > with Windows, but I have been making some attempts and have yet
> > > > to see any Windows KDC manage to accept such a request (so
> > > > something is not quite right, or I'm missing something). I've
> > > > tried it against a 2008R2 and 2012R2 machine.
> > >
> > > works here against Windows 2016:
> > >
> > > [slow@kazak scratch]$ cat /etc/krb5.conf
> > > [libdefaults]
> > >         default_realm = RIVERSIDE.SITE
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = false
> > >
> > > [realms]
> > >         RIVERSIDE.SITE = {
> > >                  kdc = 10.10.11.14
> > >         }
> > >
> >
> > Hi Ralph, would you like to try that again with the Samba
> > recommended krb5.conf ?
> >
> > Which is:
> >
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
>
> Rowland,
>
> For Ralph's purposes his krb5.conf is perfectly OK, and is typical for
> most developer configurations.  It is very similar to what I'm using
> and has no impact on the tests he is doing for me.
>
> Thanks,
>
> Andrew Bartlett
>

Excuse me, but aren't you the person that bangs on about tests for
Samba?
If so, shouldn't you be testing and using Samba in the way that Samba
recommends?
That includes what your krb5.conf contains. If, as you say, developers
are using a different krb5.conf, then shouldn't the default krb5.conf
be the same as the developers'?

Rowland
 


Re: AS-REQ using SPN

On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
<[hidden email]> wrote:
> On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> wrote:
[deletia]

>> Hi Ralph, would you like to try that again with the Samba recommended
>> krb5.conf ?
>>
>> Which is:
>>
>> [libdefaults]
>>         default_realm = RIVERSIDE.SITE
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>

Wait. Is this recommended just for Samba as an AD DC or for Samba as a
member server or both?

AFAIK, you really do not want dns_lookup_realm = false for Samba as a
member server, but if I am wrong it would be good to know why.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)


Re: AS-REQ using SPN

On Wed, 15 Nov 2017 10:42:52 -0800
Richard Sharpe <[hidden email]> wrote:

> On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
> <[hidden email]> wrote:
> > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> > wrote:
> [deletia]
> >> Hi Ralph, would you like to try that again with the Samba
> >> recommended krb5.conf ?
> >>
> >> Which is:
> >>
> >> [libdefaults]
> >>         default_realm = RIVERSIDE.SITE
> >>         dns_lookup_realm = false
> >>         dns_lookup_kdc = true
> >>
>
> Wait. Is this recommended just for Samba as an AD DC or for Samba as a
> member server or both?
>
> AFAIK, you really do not want dns_lookup_realm = false for Samba as a
> member server, but if I am wrong it would be good to know why.
>

This is one reason why I am asking questions about this, Samba seems to
have been recommending the above format for the last 5 years. I
personally have been using it for all that time and it has always
worked.

If it is wrong, why is it wrong?
Why (if AB is to be believed) do the developers use a different one?

What should we be using and recommending?

Rowland


dns_lookup_realm

On Wed, 2017-11-15 at 10:42 -0800, Richard Sharpe wrote:

> On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
> <[hidden email]> wrote:
> > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> > wrote:
>
> [deletia]
> > > Hi Ralph, would you like to try that again with the Samba recommended
> > > krb5.conf ?
> > >
> > > Which is:
> > >
> > > [libdefaults]
> > >         default_realm = RIVERSIDE.SITE
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = true
> > >
>
> Wait. Is this recommended just for Samba as an AD DC or for Samba as a
> member server or both?
>
> AFAIK, you really do not want dns_lookup_realm = false for Samba as a
> member server, but if I am wrong it would be good to know why.

dns_lookup_realm refers to an interesting hack where Heimdal (only?)
will do a lookup for a magic TXT DNS record (_kerberos) hoping to find
the kerberos realm for the DNS domain.  

AD does this differently (referrals on the DC side), and doesn't have
the realm record.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
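
The two krb5.conf variants argued over in this thread differ only in how the realm and the KDC get discovered: dns_lookup_realm walks `_kerberos.<domain>` TXT records as Andrew describes, dns_lookup_kdc uses the `_kerberos._tcp.<REALM>` SRV record, and a `kdc =` entry under [realms] needs neither. As an added example (not code from the thread, from Samba or from Heimdal), here is a simplified model of both lookups over a constructed in-memory resolver; the lookup order is an assumption (real libraries also consult [domain_realm] first), and the SRV target and TXT answer are made up.

```python
from typing import Dict, List, Optional

# Ralph's developer krb5.conf from the thread: KDC pinned in [realms], no DNS.
DEV_CONF = """\
[libdefaults]
        default_realm = RIVERSIDE.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        RIVERSIDE.SITE = {
                 kdc = 10.10.11.14
        }
"""

# The member-server krb5.conf Rowland quoted: KDC found through DNS SRV.
MEMBER_CONF = """\
[libdefaults]
        default_realm = RIVERSIDE.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the krb5.conf subset used in the thread: [section] headers,
    key = value lines and the one-level 'REALM = { ... }' blocks of [realms]."""
    conf: Dict[str, dict] = {}
    section, block = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = key
            conf[section][block] = {}
        elif block is not None:
            conf[section][block][key] = value
        else:
            conf[section][key] = value
    return conf


class FakeResolver:
    """Constructed stand-in for DNS: records keyed by (rrtype, owner name)."""
    def __init__(self, records: Dict[tuple, List[str]]):
        self.records = {(t, n.lower()): v for (t, n), v in records.items()}

    def query(self, rrtype: str, name: str) -> List[str]:
        return self.records.get((rrtype, name.lower().rstrip(".")), [])


def _flag(conf: dict, key: str, default: str) -> bool:
    return conf.get("libdefaults", {}).get(key, default).lower() == "true"


def host_realm(conf: dict, hostname: str, resolver: FakeResolver) -> Optional[str]:
    """dns_lookup_realm: ask for _kerberos.<host> TXT, then each parent domain,
    falling back to default_realm. The TXT answer is unauthenticated DNS data,
    which is why the flag defaults to off in the real libraries."""
    if _flag(conf, "dns_lookup_realm", "false"):
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            txt = resolver.query("TXT", "_kerberos." + ".".join(labels[i:]))
            if txt:
                return txt[0]
    return conf.get("libdefaults", {}).get("default_realm")


def locate_kdc(conf: dict, realm: str, resolver: FakeResolver) -> List[str]:
    """dns_lookup_kdc: a kdc pinned in [realms] wins; otherwise the
    _kerberos._tcp.<REALM> SRV record is used when the flag is on."""
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    if kdc:
        return [kdc]
    if _flag(conf, "dns_lookup_kdc", "true"):
        return resolver.query("SRV", f"_kerberos._tcp.{realm}")
    return []


# Constructed zone of an AD DNS that knows the KDC (what the member config needs)...
AD_DNS = FakeResolver({
    ("SRV", "_kerberos._tcp.riverside.site"): ["win2016.riverside.site:88"],
    ("TXT", "_kerberos.riverside.site"): ["RIVERSIDE.SITE"],
})
# ...and a DNS that does not, like the one in front of Ralph's development box.
DEV_DNS = FakeResolver({})
```

With `DEV_DNS`, `locate_kdc` on the member-server config returns an empty list, which is the "no, won't work" Ralph reported, while the developer config still finds 10.10.11.14.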



Re: AS-REQ using SPN

On Wed, Nov 15, 2017 at 10:53 AM, Rowland Penny via samba-technical <
[hidden email]> wrote:

> On Wed, 15 Nov 2017 10:42:52 -0800
> Richard Sharpe <[hidden email]> wrote:
>
>> On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
>> <[hidden email]> wrote:
>> > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
>> > wrote:
>> [deletia]
>> >> Hi Ralph, would you like to try that again with the Samba
>> >> recommended krb5.conf ?
>> >>
>> >> Which is:
>> >>
>> >> [libdefaults]
>> >> default_realm = RIVERSIDE.SITE
>> >> dns_lookup_realm = false
>> >> dns_lookup_kdc = true
>> >>
>>
>> Wait. Is this recommended just for Samba as an AD DC or for Samba as a
>> member server or both?
>>
>> AFAIK, you really do not want dns_lookup_realm = false for Samba as a
>> member server, but if I am wrong it would be good to know why.
>>
>
> This is one reason why I am asking questions about this, Samba seems to
> have been recommending the above format for the last 5 years. I
> personally have been using it for all that time and it has always
> worked.
>
> If it is wrong, why is it wrong ?
> Why (If AB is to be believed) do the developers use a different one ?
>
> What should we be using and recommending ?

My only thought at this stage is that since you specify the realm in the
smb.conf perhaps the dns_lookup_realm setting in krb5.conf is simply
irrelevant.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Re: AS-REQ using SPN

On Wed, 15 Nov 2017 12:29:18 -0800
Richard Sharpe <[hidden email]> wrote:

> On Wed, Nov 15, 2017 at 10:53 AM, Rowland Penny via samba-technical <
> [hidden email]> wrote:
> > On Wed, 15 Nov 2017 10:42:52 -0800
> > Richard Sharpe <[hidden email]> wrote:
> >
> >> On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via
> >> samba-technical <[hidden email]> wrote:
> >> > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via
> >> > samba-technical wrote:
> >> [deletia]
> >> >> Hi Ralph, would you like to try that again with the Samba
> >> >> recommended krb5.conf ?
> >> >>
> >> >> Which is:
> >> >>
> >> >> [libdefaults]
> >> >> default_realm = RIVERSIDE.SITE
> >> >> dns_lookup_realm = false
> >> >> dns_lookup_kdc = true
> >> >>
> >>
> >> Wait. Is this recommended just for Samba as an AD DC or for Samba
> >> as a member server or both?
> >>
> >> AFAIK, you really do not want dns_lookup_realm = false for Samba
> >> as a member server, but if I am wrong it would be good to know why.
> >>
> >
> > This is one reason why I am asking questions about this, Samba
> > seems to have been recommending the above format for the last 5
> > years. I personally have been using it for all that time and it has
> > always worked.
> >
> > If it is wrong, why is it wrong ?
> > Why (If AB is to be believed) do the developers use a different
> > one ?
> >
> > What should we be using and recommending ?
>
> My only thought at this stage is that since you specify the realm in
> the smb.conf perhaps the dns_lookup_realm setting in krb5.conf is
> simply irrelevant.
>

No, funnily enough I tested this once and the only two lines you
actually must have in the /etc/krb5.conf are:

[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM

Rowland


Re: AS-REQ using SPN

On Thu, Nov 16, 2017 at 06:51:54AM +1300, Andrew Bartlett wrote:
> Can you show me the full LDIF for that account, and if at all possible
> a network capture?  

sure.

dn: CN=Foo Foo,CN=Users,DC=riverside,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Foo Foo
sn: Foo
givenName: Foo
distinguishedName: CN=Foo Foo,CN=Users,DC=riverside,DC=site
instanceType: 4
whenCreated: 20170707101907.0Z
whenChanged: 20171115095033.0Z
displayName: Foo Foo
uSNCreated: 25190
uSNChanged: 61535
name: Foo Foo
objectGUID: fe31000a-0c3e-4b16-bf46-b21e7d97404c
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131552130727131730
pwdLastSet: 131552129424158782
primaryGroupID: 513
objectSid: S-1-5-21-4238821236-1081798198-886986080-1106
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: foo
sAMAccountType: 805306368
userPrincipalName: foo/[hidden email]
lockoutTime: 0
servicePrincipalName: foo/win2016.riverside.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=riverside,DC=site
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131552130336033649

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/

Attachment: as-req-with-spn.pcapng (5K)

Re: AS-REQ using SPN

On Wed, 2017-11-15 at 22:18 +0100, Ralph Böhme via samba-technical
wrote:
> On Thu, Nov 16, 2017 at 06:51:54AM +1300, Andrew Bartlett wrote:
> > Can you show me the full LDIF for that account, and if at all possible
> > a network capture?  
>
> sure.
>
> dn: CN=Foo Foo,CN=Users,DC=riverside,DC=site
...
> sAMAccountName: foo
> sAMAccountType: 805306368

> userPrincipalName: foo/[hidden email]

> lockoutTime: 0

> servicePrincipalName: foo/win2016.riverside.site

> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=riverside,DC=site
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 131552130336033649

Thanks!  

So that looks to me like it is using the userPrincipalName, not the
servicePrincipalName.  I've not seen this work unless the UPN is set
(and even then there appear to be restrictions based on the principal
type).

I'll lock this down with some more tests, so far they indicate that the
userPrincipalName is the only reason it works, and only for name type
KRB5_NT_PRINCIPAL_NAME.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
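
Andrew's reading of the LDIF above is that the KDC matched the userPrincipalName, not the servicePrincipalName. As an added example (not code from the thread or from Samba), here is a small LDIF parser with a check that reports which attribute a given AS-REQ client name lines up with, plus an audit for accounts whose UPN is written in service-principal form; the UPN suffix is assumed because the archive redacted it, and the second account is constructed for contrast.

```python
from typing import Dict, List, Optional

# Constructed LDIF in the shape Ralph posted, trimmed to the attributes this
# check needs. The archive redacted the UPN suffix, so that value is assumed;
# the second account is made up for contrast.
SAMPLE_LDIF = """\
dn: CN=Foo Foo,CN=Users,DC=riverside,DC=site
objectClass: top
objectClass: user
sAMAccountName: foo
userPrincipalName: foo/win2016.riverside.site@riverside.site
servicePrincipalName: foo/win2016.riverside.site

dn: CN=Bar Bar,CN=Users,DC=riverside,DC=site
objectClass: top
objectClass: user
sAMAccountName: bar
userPrincipalName: bar@riverside.site
servicePrincipalName: bar/win2016.riverside.site
servicePrincipalName: bar/WIN2016
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse plain LDIF: entries separated by blank lines, 'attr: value' lines,
    repeated attributes collected as multi-valued. Base64 ('::') and folded
    continuation lines are not needed here and are rejected rather than misread."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = raw.partition(":")
        if raw.startswith(" ") or value.startswith(":"):
            raise ValueError("folded or base64 LDIF lines are not supported")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def as_req_client_match(entry: Dict[str, List[str]], principal: str) -> Optional[str]:
    """Report which attribute an AS-REQ client name (KRB5_NT_PRINCIPAL form,
    'name@REALM') lines up with: the UPN, which is the case Andrew saw working,
    or only an SPN. Comparison is case-insensitive, as AD compares UPNs."""
    name = principal.partition("@")[0].lower()
    if principal.lower() in (u.lower() for u in entry.get("userPrincipalName", [])):
        return "userPrincipalName"
    if name in (s.lower() for s in entry.get("servicePrincipalName", [])):
        return "servicePrincipalName"
    return None


def service_shaped_upns(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Audit helper: accounts whose UPN is written like a service principal
    (contains '/'), the setup that let the SPN be used as an AS-REQ client."""
    return [e["sAMAccountName"][0] for e in entries
            if any("/" in u for u in e.get("userPrincipalName", []))]


ENTRIES = parse_ldif(SAMPLE_LDIF)
```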






Re: AS-REQ using SPN

On Wed, Nov 15, 2017 at 06:53:08PM +0000, Rowland Penny via samba-technical wrote:

> On Wed, 15 Nov 2017 10:42:52 -0800
> Richard Sharpe <[hidden email]> wrote:
>
> > On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
> > <[hidden email]> wrote:
> > > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> > > wrote:
> > [deletia]
> > >> Hi Ralph, would you like to try that again with the Samba
> > >> recommended krb5.conf ?
> > >>
> > >> Which is:
> > >>
> > >> [libdefaults]
> > >>         default_realm = RIVERSIDE.SITE
> > >>         dns_lookup_realm = false
> > >>         dns_lookup_kdc = true
> > >>
> >
> > Wait. Is this recommended just for Samba as an AD DC or for Samba as a
> > member server or both?
> >
> > AFAIK, you really do not want dns_lookup_realm = false for Samba as a
> > member server, but if I am wrong it would be good to know why.
> >
>
> This is one reason why I am asking questions about this, Samba seems to
> have been recommending the above format for the last 5 years. I
> personally have been using it for all that time and it has always
> worked.
>
> If it is wrong, why is it wrong ?

It is correct in most cases.

> Why (If AB is to be believed) do the developers use a different one ?

I use a different one as my DNS server doesn't know about the KDC.

> What should we be using and recommending ?

the above.

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
