Opensolaris-ish joins but does not seem to be valid

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
We have a product that is similar to Opensolaris. It joins to the domain (Samba
version 4.7.0) without error and I can verify that a computer object is created
in the domain for it.

However, the command "getent passwd" which I would expect to return a list of
all domain users, only returns a list of local users.

I am confident I do not have a misconfigured file because if I get a kerberos
ticket as the Administrator (i.e. kinit -UAdministrator) and then issue "getent
passwd", the list returns as I would expect.

The host is populated with a keytab after joining to the domain and it appears
to have good entries: "host/[hidden email]", etc. And when I
do a "klist" with no prior kinit, it says it says the default principal is
"host/[hidden email]" which is listed in the keytab.

Since I am on 4.7.0, I've also turned on the authentication auditing and I can
see the authentication attempt when I issue "getent passwd". But instead of
being host specific, it registers the user as [NT AUTHORITY]\[ANONYMOUS LOGON].

There is an additional setup we have to run for this host, setting up directory
based mappings for idmap to resolve UIDs
(http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
That command registers as the host authority in the DC logs, i.e.
"[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the process returns
as "sasl/GSSAPI bind" error. As above, if I do a kinit as Administrator
beforehand, the command succeeds successfully.

It seems like something is wrong with the computer account, but it's not like I
can set the computer accounts password and manually trying kiniting as it. Any
suggestions about what might be wrong or how to further troubleshoot?

Mike Ray

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
Mike Ray via samba <[hidden email]> wrote:

> We have a product that is similar to Opensolaris. It joins to the
> domain (Samba version 4.7.0) without error and I can verify that a
> computer object is created in the domain for it.
>
> However, the command "getent passwd" which I would expect to return a
> list of all domain users, only returns a list of local users.
>
> I am confident I do not have a misconfigured file because if I get a
> kerberos ticket as the Administrator (i.e. kinit -UAdministrator) and
> then issue "getent passwd", the list returns as I would expect.
>
> The host is populated with a keytab after joining to the domain and
> it appears to have good entries:
> "host/[hidden email]", etc. And when I do a "klist"
> with no prior kinit, it says it says the default principal is
> "host/[hidden email]" which is listed in the keytab.
>
> Since I am on 4.7.0, I've also turned on the authentication auditing
> and I can see the authentication attempt when I issue "getent
> passwd". But instead of being host specific, it registers the user as
> [NT AUTHORITY]\[ANONYMOUS LOGON].
>
> There is an additional setup we have to run for this host, setting up
> directory based mappings for idmap to resolve UIDs
> (http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
> That command registers as the host authority in the DC logs, i.e.
> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
> process returns as "sasl/GSSAPI bind" error. As above, if I do a
> kinit as Administrator beforehand, the command succeeds successfully.
>
> It seems like something is wrong with the computer account, but it's
> not like I can set the computer accounts password and manually trying
> kiniting as it. Any suggestions about what might be wrong or how to
> further troubleshoot?
>
> Mike Ray
>

Can you post your smb.conf

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
----- Original Message -----
> From: "samba" <[hidden email]>
> To: "samba" <[hidden email]>
> Sent: Tuesday, October 10, 2017 2:23:02 AM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid

> On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
> Mike Ray via samba <[hidden email]> wrote:
>
>> We have a product that is similar to Opensolaris. It joins to the
>> domain (Samba version 4.7.0) without error and I can verify that a
>> computer object is created in the domain for it.
>>
>> However, the command "getent passwd" which I would expect to return a
>> list of all domain users, only returns a list of local users.
>>
>> I am confident I do not have a misconfigured file because if I get a
>> kerberos ticket as the Administrator (i.e. kinit -UAdministrator) and
>> then issue "getent passwd", the list returns as I would expect.
>>
>> The host is populated with a keytab after joining to the domain and
>> it appears to have good entries:
>> "host/[hidden email]", etc. And when I do a "klist"
>> with no prior kinit, it says it says the default principal is
>> "host/[hidden email]" which is listed in the keytab.
>>
>> Since I am on 4.7.0, I've also turned on the authentication auditing
>> and I can see the authentication attempt when I issue "getent
>> passwd". But instead of being host specific, it registers the user as
>> [NT AUTHORITY]\[ANONYMOUS LOGON].
>>
>> There is an additional setup we have to run for this host, setting up
>> directory based mappings for idmap to resolve UIDs
>> (http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
>> That command registers as the host authority in the DC logs, i.e.
>> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
>> process returns as "sasl/GSSAPI bind" error. As above, if I do a
>> kinit as Administrator beforehand, the command succeeds successfully.
>>
>> It seems like something is wrong with the computer account, but it's
>> not like I can set the computer accounts password and manually trying
>> kiniting as it. Any suggestions about what might be wrong or how to
>> further troubleshoot?
>>
>> Mike Ray
>>
>
> Can you post your smb.conf
>
> Rowland
>

Rowland,

Here's the smb.conf for one of the DCs (I'm working with Mike on this):
[global]
        netbios name = DC3
        realm = EXAMPLE.COM
        workgroup = EXAMPLE
        server role = active directory domain controller
        allow dns updates = nonsecure
        dns forwarder = 192.168.0.2
        idmap_ldb:use rfc2307 = Yes
        printcap name = /dev/null
        load printers = no
        printing = bsd
        ntp signd socket directory = /var/run/samba/ntp_signd
        #acl:search = no
        ldap server require strong auth = no
        winbind sealed pipes = false
        client signing = off
        require strong key = false
        client ldap sasl wrapping = plain
        log level = 1 auth_audit:10

[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Thanks,

Andrew

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
On Tue, 10 Oct 2017 09:39:43 -0500 (CDT)
Andrew Martin <[hidden email]> wrote:

> ----- Original Message -----
> > From: "samba" <[hidden email]>
> > To: "samba" <[hidden email]>
> > Sent: Tuesday, October 10, 2017 2:23:02 AM
> > Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be
> > valid
>
> > On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
> > Mike Ray via samba <[hidden email]> wrote:
> >
> >> We have a product that is similar to Opensolaris. It joins to the
> >> domain (Samba version 4.7.0) without error and I can verify that a
> >> computer object is created in the domain for it.
> >>
> >> However, the command "getent passwd" which I would expect to
> >> return a list of all domain users, only returns a list of local
> >> users.
> >>
> >> I am confident I do not have a misconfigured file because if I get
> >> a kerberos ticket as the Administrator (i.e. kinit
> >> -UAdministrator) and then issue "getent passwd", the list returns
> >> as I would expect.
> >>
> >> The host is populated with a keytab after joining to the domain and
> >> it appears to have good entries:
> >> "host/[hidden email]", etc. And when I do a
> >> "klist" with no prior kinit, it says it says the default principal
> >> is "host/[hidden email]" which is listed in the keytab.
> >>
> >> Since I am on 4.7.0, I've also turned on the authentication
> >> auditing and I can see the authentication attempt when I issue
> >> "getent passwd". But instead of being host specific, it registers
> >> the user as [NT AUTHORITY]\[ANONYMOUS LOGON].
> >>
> >> There is an additional setup we have to run for this host, setting
> >> up directory based mappings for idmap to resolve UIDs
> >> (http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
> >> That command registers as the host authority in the DC logs, i.e.
> >> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
> >> process returns as "sasl/GSSAPI bind" error. As above, if I do a
> >> kinit as Administrator beforehand, the command succeeds
> >> successfully.
> >>
> >> It seems like something is wrong with the computer account, but
> >> it's not like I can set the computer accounts password and
> >> manually trying kiniting as it. Any suggestions about what might
> >> be wrong or how to further troubleshoot?
> >>
> >> Mike Ray
> >>
> >
> > Can you post your smb.conf
> >
> > Rowland
> >
>
> Rowland,
>
> Here's the smb.conf for one of the DCs (I'm working with Mike on
> this): [global]
>         netbios name = DC3
>         realm = EXAMPLE.COM
>         workgroup = EXAMPLE
>         server role = active directory domain controller
>         allow dns updates = nonsecure
>         dns forwarder = 192.168.0.2
>         idmap_ldb:use rfc2307 = Yes
>         printcap name = /dev/null
>         load printers = no
>         printing = bsd
>         ntp signd socket directory = /var/run/samba/ntp_signd
>         #acl:search = no
>         ldap server require strong auth = no
>         winbind sealed pipes = false
>         client signing = off
>         require strong key = false
>         client ldap sasl wrapping = plain
>         log level = 1 auth_audit:10
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> Thanks,
>
> Andrew

Is this from the Opensolaris-ish machine ?

I expected to see a smb.conf file from a Unix domain member.

If it is from the machine where you are getting '[NT
AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
username'. By default winbind doesn't enumerate users and groups.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
----- Original Message -----
> From: "samba" <[hidden email]>
> To: "samba" <[hidden email]>
> Sent: Tuesday, October 10, 2017 10:19:29 AM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid

> On Tue, 10 Oct 2017 09:39:43 -0500 (CDT)
> Andrew Martin <[hidden email]> wrote:
>
>> ----- Original Message -----
>> > From: "samba" <[hidden email]>
>> > To: "samba" <[hidden email]>
>> > Sent: Tuesday, October 10, 2017 2:23:02 AM
>> > Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be
>> > valid
>>
>> > On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
>> > Mike Ray via samba <[hidden email]> wrote:
>> >
>> >> We have a product that is similar to Opensolaris. It joins to the
>> >> domain (Samba version 4.7.0) without error and I can verify that a
>> >> computer object is created in the domain for it.
>> >>
>> >> However, the command "getent passwd" which I would expect to
>> >> return a list of all domain users, only returns a list of local
>> >> users.
>> >>
>> >> I am confident I do not have a misconfigured file because if I get
>> >> a kerberos ticket as the Administrator (i.e. kinit
>> >> -UAdministrator) and then issue "getent passwd", the list returns
>> >> as I would expect.
>> >>
>> >> The host is populated with a keytab after joining to the domain and
>> >> it appears to have good entries:
>> >> "host/[hidden email]", etc. And when I do a
>> >> "klist" with no prior kinit, it says it says the default principal
>> >> is "host/[hidden email]" which is listed in the keytab.
>> >>
>> >> Since I am on 4.7.0, I've also turned on the authentication
>> >> auditing and I can see the authentication attempt when I issue
>> >> "getent passwd". But instead of being host specific, it registers
>> >> the user as [NT AUTHORITY]\[ANONYMOUS LOGON].
>> >>
>> >> There is an additional setup we have to run for this host, setting
>> >> up directory based mappings for idmap to resolve UIDs
>> >> (http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
>> >> That command registers as the host authority in the DC logs, i.e.
>> >> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
>> >> process returns as "sasl/GSSAPI bind" error. As above, if I do a
>> >> kinit as Administrator beforehand, the command succeeds
>> >> successfully.
>> >>
>> >> It seems like something is wrong with the computer account, but
>> >> it's not like I can set the computer accounts password and
>> >> manually trying kiniting as it. Any suggestions about what might
>> >> be wrong or how to further troubleshoot?
>> >>
>> >> Mike Ray
>> >>
>> >
>> > Can you post your smb.conf
>> >
>> > Rowland
>> >
>>
>> Rowland,
>>
>> Here's the smb.conf for one of the DCs (I'm working with Mike on
>> this): [global]
>>         netbios name = DC3
>>         realm = EXAMPLE.COM
>>         workgroup = EXAMPLE
>>         server role = active directory domain controller
>>         allow dns updates = nonsecure
>>         dns forwarder = 192.168.0.2
>>         idmap_ldb:use rfc2307 = Yes
>>         printcap name = /dev/null
>>         load printers = no
>>         printing = bsd
>>         ntp signd socket directory = /var/run/samba/ntp_signd
>>         #acl:search = no
>>         ldap server require strong auth = no
>>         winbind sealed pipes = false
>>         client signing = off
>>         require strong key = false
>>         client ldap sasl wrapping = plain
>>         log level = 1 auth_audit:10
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.com/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> Thanks,
>>
>> Andrew
>
> Is this from the Opensolaris-ish machine ?
>
> I expected to see a smb.conf file from a Unix domain member.
>
> If it is from the machine where you are getting '[NT
> AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
> username'. By default winbind doesn't enumerate users and groups.

Running "getent passwd username" does not return anything on the
client machine.


The smb.conf I sent is from the DC; the OpenSolaris-based machine
is not using Samba but is using the Solaris CIFS Service instead:
http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html


The Solaris CIFS service, aka smb/server, is joined to the domain
with "smbadm join -u Administrator example.com" and once joined you
can query AD users using "idmap show -cV [hidden email]". By
default, idmapd uses "Ephemeral mapping", so AD users are represented
locally by a randomly-chosen, high-numbered uid rather than their
actual uid as stored in uidNumber or elsewhere in AD. This is
undesirable, so we have reconfigured idmap to use
"directory-based mapping" instead:
http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html


This allows us to set some properties in idmap to tell it which AD
attribute (CN) to query to find out how to map AD users to local users:
svccfg -s svc:/system/idmap setprop config/ad_unixgroup_attr=astring: cn
svccfg -s svc:/system/idmap setprop config/ad_unixuser_attr=astring: cn
svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: name
svcadm refresh idmap


At this point smb/server and idmap should be able to look up AD users and
map them to a local user whose username is the same as the user's CN field
in AD. We then populate all of the AD users in the local nsswitch database
by running "ldapclient" and telling it which AD attributes to map to each
property in the nsswitch database:
https://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html


We have two problems, both of which I think may be related to the same
underlying issue of not being able to communicate with the Samba DC:
* idmap cannot query user's CN values for "directory-based mapping"
* ldapclient cannot query users to populate the nsswitch database


I think both of these are related to the "sasl/GSSAPI bind" error that
Mike mentioned; previously on Samba 4.0.6, this client was able to
make these queries successfully, but now on Samba 4.7.0 these queries
require that we manually kinit on the client before the GSSAPI
authentication is allowed. Has something changed with how GSSAPI
authentication or host Kerberos tickets are issued? Can we still allow
the old behavior with a smb.conf config option?


Thanks,


Andrew


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
Andrew Martin <[hidden email]> wrote:


> >
> > Is this from the Opensolaris-ish machine ?
> >
> > I expected to see a smb.conf file from a Unix domain member.
> >
> > If it is from the machine where you are getting '[NT
> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
> > username'. By default winbind doesn't enumerate users and groups.
>
> Running "getent passwd username" does not return anything on the
> client machine.

Then you have a problem, your users and groups seem to be unknown to
the underlying OS.
 

> The Solaris CIFS service, aka smb/server, is joined to the domain
> with "smbadm join -u Administrator example.com" and once joined you
> can query AD users using "idmap show -cV [hidden email]". By
> default, idmapd uses "Ephemeral mapping", so AD users are represented
> locally by a randomly-chosen, high-numbered uid rather than their
> actual uid as stored in uidNumber or elsewhere in AD. This is
> undesirable, so we have reconfigured idmap to use
> "directory-based mapping" instead:
> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
>

If you provisioned the Samba AD DC with --use-rfc2307, then I think you
should have gone with the IDMU mapping, what we call around here
'RFC2307'. By using this, you will doing something very similar to
using the winbind 'ad' backend and will be able to use RSAT on a WIN 7
or 8.1 to admin it.
 

>
> This allows us to set some properties in idmap to tell it which AD
> attribute (CN) to query to find out how to map AD users to local
> users: svccfg -s svc:/system/idmap setprop
> config/ad_unixgroup_attr=astring: cn svccfg -s svc:/system/idmap
> setprop config/ad_unixuser_attr=astring: cn svccfg -s
> svc:/system/idmap setprop config/directory_based_mapping=astring:
> name svcadm refresh idmap
>
>
> At this point smb/server and idmap should be able to look up AD users
> and map them to a local user whose username is the same as the user's
> CN field in AD. We then populate all of the AD users in the local
> nsswitch database by running "ldapclient" and telling it which AD
> attributes to map to each property in the nsswitch database:
> https://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html

If Opensolaris is like Linux, you will not need local users, as your
windows users can be made to be Unix users as well.
 

>
>
> We have two problems, both of which I think may be related to the same
> underlying issue of not being able to communicate with the Samba DC:
> * idmap cannot query user's CN values for "directory-based mapping"
> * ldapclient cannot query users to populate the nsswitch database
>
>
> I think both of these are related to the "sasl/GSSAPI bind" error that
> Mike mentioned; previously on Samba 4.0.6, this client was able to
> make these queries successfully, but now on Samba 4.7.0 these queries
> require that we manually kinit on the client before the GSSAPI
> authentication is allowed. Has something changed with how GSSAPI
> authentication or host Kerberos tickets are issued? Can we still allow
> the old behavior with a smb.conf config option?

There have been a lot of changes between 4.0.6 and 4.7.0, to many to
mention, have a look here:

https://wiki.samba.org/index.php/Samba_Features_added/changed_%28by_release%29

If this was Samba running on Opensolaris, I could talk you through
setting up very easily, but I don't have an Opensolaris machine and have
never used it, so I can only advise you on what I would try.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
----- Original Message -----
> From: "samba" <[hidden email]>
> To: "samba" <[hidden email]>
> Sent: Tuesday, October 10, 2017 12:02:11 PM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid

> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> Andrew Martin <[hidden email]> wrote:
>
>
>> >
>> > Is this from the Opensolaris-ish machine ?
>> >
>> > I expected to see a smb.conf file from a Unix domain member.
>> >
>> > If it is from the machine where you are getting '[NT
>> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
>> > username'. By default winbind doesn't enumerate users and groups.
>>
>> Running "getent passwd username" does not return anything on the
>> client machine.
>
> Then you have a problem, your users and groups seem to be unknown to
> the underlying OS.
>
>> The Solaris CIFS service, aka smb/server, is joined to the domain
>> with "smbadm join -u Administrator example.com" and once joined you
>> can query AD users using "idmap show -cV [hidden email]". By
>> default, idmapd uses "Ephemeral mapping", so AD users are represented
>> locally by a randomly-chosen, high-numbered uid rather than their
>> actual uid as stored in uidNumber or elsewhere in AD. This is
>> undesirable, so we have reconfigured idmap to use
>> "directory-based mapping" instead:
>> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
>> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
>>
>
> If you provisioned the Samba AD DC with --use-rfc2307, then I think you
> should have gone with the IDMU mapping, what we call around here
> 'RFC2307'. By using this, you will doing something very similar to
> using the winbind 'ad' backend and will be able to use RSAT on a WIN 7
> or 8.1 to admin it.
>

It has been awhile, but the last time I looked into IDMU mode I thought
Samba didn't support it. I thought Windows AD required a separate
installer to be run to add IDMU mode and then some extra fields in AD
needed to be created and proactively synced on a regular basis (e.g.
syncing from the normal userPassword field to unixUserPassword). Are
there any guides or information on how to setup IDMU mode on a Samba DC?

At least on Solaris, it sounds like IDMU is not 100% identical to RFC2307:
http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
> IDMU adds a "UNIX Attributes" panel to the Active Directory Users and
> Computers user interface that lets the administrator specify a number
> of UNIX-related parameters: UID, GID, login shell, home directory, and
> similar for groups. These parameters are made available through AD
> through a schema similar to (but not the same as) RFC2307, and through
> the NIS service.


Thanks,

Andrew

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
On Tue, 10 Oct 2017 15:19:06 -0500 (CDT)
Andrew Martin <[hidden email]> wrote:

> ----- Original Message -----
> > From: "samba" <[hidden email]>
> > To: "samba" <[hidden email]>
> > Sent: Tuesday, October 10, 2017 12:02:11 PM
> > Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be
> > valid
>
> > On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> > Andrew Martin <[hidden email]> wrote:
> >
> >
> >> >
> >> > Is this from the Opensolaris-ish machine ?
> >> >
> >> > I expected to see a smb.conf file from a Unix domain member.
> >> >
> >> > If it is from the machine where you are getting '[NT
> >> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
> >> > username'. By default winbind doesn't enumerate users and groups.
> >>
> >> Running "getent passwd username" does not return anything on the
> >> client machine.
> >
> > Then you have a problem, your users and groups seem to be unknown to
> > the underlying OS.
> >
> >> The Solaris CIFS service, aka smb/server, is joined to the domain
> >> with "smbadm join -u Administrator example.com" and once joined you
> >> can query AD users using "idmap show -cV [hidden email]". By
> >> default, idmapd uses "Ephemeral mapping", so AD users are
> >> represented locally by a randomly-chosen, high-numbered uid rather
> >> than their actual uid as stored in uidNumber or elsewhere in AD.
> >> This is undesirable, so we have reconfigured idmap to use
> >> "directory-based mapping" instead:
> >> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
> >> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
> >>
> >
> > If you provisioned the Samba AD DC with --use-rfc2307, then I think
> > you should have gone with the IDMU mapping, what we call around here
> > 'RFC2307'. By using this, you will doing something very similar to
> > using the winbind 'ad' backend and will be able to use RSAT on a
> > WIN 7 or 8.1 to admin it.
> >
>
> It has been awhile, but the last time I looked into IDMU mode I
> thought Samba didn't support it. I thought Windows AD required a
> separate installer to be run to add IDMU mode and then some extra
> fields in AD needed to be created and proactively synced on a regular
> basis (e.g. syncing from the normal userPassword field to
> unixUserPassword). Are there any guides or information on how to
> setup IDMU mode on a Samba DC?

When you provision a Samba AD DC, there is an option '--use-rfc2307'

This adds the same schema extension that IDMU on windows adds, if you
didn't provision with this, you can easily add it, see here:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

>
> At least on Solaris, it sounds like IDMU is not 100% identical to
> RFC2307:

Cannot argue with that, it isn't fully 100% identical on Linux either,
but it works ;-)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
In reply to this post by Samba - General mailing list
----- On Oct 10, 2017, at 12:02 PM, samba [hidden email] wrote:

> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> Andrew Martin <[hidden email]> wrote:
>
>

Rowland-

I've been poking at this more and think the root of the problem is a Kerberos
problem.

After joining this machine to the domain, it goes through a process that it
calls "AD/Kerberos Setup". Comparing to the working counterpart on the old
domain, this process appears to set the domain name, a DN search base (sets to
Schema) and then lists the GC servers.

What follows is a tcpdump of port 88 during that "AD/Kerberos Setup":




No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    192.168.0.115           192.168.6.6             KRB5     241    AS-REQ

Frame 1: 241 bytes on wire (1928 bits), 241 bytes captured (1928 bits)
User Datagram Protocol, Src Port: 55231 (55231), Dst Port: kerberos (88)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00000010 (Renewable OK)
        Client Name (Service and Host): root/host.example.com
            Name-type: Service and Host (3)
            Name: root
            Name: host.example.com
        Realm: EXAMPLE.COM
        Server Name (Principal): krbtgt/EXAMPLE.COM
            Name-type: Principal (1)
            Name: krbtgt
            Name: EXAMPLE.COM
        from: 2017-10-11 22:30:52 (UTC)
        till: 2017-10-12 08:30:52 (UTC)
        Nonce: 1507761052
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac rc4-hmac-exp des-cbc-md5 des-cbc-crc
        HostAddresses: 192.168.0.115

No.     Time        Source                Destination           Protocol Length Info
      2 0.002177    192.168.6.6             192.168.0.115           KRB5     303    KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

Frame 2: 303 bytes on wire (2424 bits), 303 bytes captured (2424 bits)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 55231 (55231)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2017-10-11 22:30:57 (UTC)
    susec: 26559
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    Client Realm: EXAMPLE.COM
    Client Name (Service and Host): root/host.example.com
        Name-type: Service and Host (3)
        Name: root
        Name: host.example.com
    Realm: EXAMPLE.COM
    Server Name (Principal): krbtgt/EXAMPLE.COM
        Name-type: Principal (1)
        Name: krbtgt
        Name: EXAMPLE.COM
    e-text: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    e-data
        padata: PA-ENC-TIMESTAMP PA-DASS PA-PK-AS-REP PA-ENCTYPE-INFO PA-ENCTYPE-INFO2
            Type: PA-ENC-TIMESTAMP (2)
                Value: <MISSING>
            Type: PA-DASS (16)
                Value: <MISSING>
            Type: PA-PK-AS-REP (15)
                Value: <MISSING>
            Type: PA-ENCTYPE-INFO (11)
                Value: 30073005a003020117 rc4-hmac
                    Encryption type: rc4-hmac (23)
            Type: PA-ENCTYPE-INFO2 (19)
                Value: 30073005a003020117 rc4-hmac
                    Encryption type: rc4-hmac (23)

No.     Time        Source                Destination           Protocol Length Info
      3 0.003199    192.168.0.115           192.168.6.6             KRB5     321    AS-REQ

Frame 3: 321 bytes on wire (2568 bits), 321 bytes captured (2568 bits)
User Datagram Protocol, Src Port: 60405 (60405), Dst Port: kerberos (88)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: PA-ENC-TIMESTAMP
        Type: PA-ENC-TIMESTAMP (2)
            Value: 303da003020117a23604341f02bfb4cefe9338f229dd3b57... rc4-hmac
                Encryption type: rc4-hmac (23)
                enc PA_ENC_TIMESTAMP: 1f02bfb4cefe9338f229dd3b578ab9b6e6b65709a5c50761...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00000010 (Renewable OK)
        Client Name (Service and Host): root/host.example.com
            Name-type: Service and Host (3)
            Name: root
            Name: host.example.com
        Realm: EXAMPLE.COM
        Server Name (Principal): krbtgt/EXAMPLE.COM
            Name-type: Principal (1)
            Name: krbtgt
            Name: EXAMPLE.COM
        from: 2017-10-11 22:30:52 (UTC)
        till: 2017-10-12 08:30:52 (UTC)
        Nonce: 1507761052
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac rc4-hmac-exp des-cbc-md5 des-cbc-crc
        HostAddresses: 192.168.0.115

No.     Time        Source                Destination           Protocol Length Info
      4 0.014971    192.168.6.6             192.168.0.115           KRB5     1381   AS-REP

Frame 4: 1381 bytes on wire (11048 bits), 1381 bytes captured (11048 bits)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 60405 (60405)
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    Client Realm: EXAMPLE.COM
    Client Name (Service and Host): root/host.example.com
        Name-type: Service and Host (3)
        Name: root
        Name: host.example.com
    Ticket
        Tkt-vno: 5
        Realm: EXAMPLE.COM
        Server Name (Principal): krbtgt/EXAMPLE.COM
            Name-type: Principal (1)
            Name: krbtgt
            Name: EXAMPLE.COM
        enc-part rc4-hmac
    enc-part rc4-hmac

No.     Time        Source                Destination           Protocol Length Info
      5 0.015978    192.168.0.115           192.168.6.6             KRB5     1438   TGS-REQ

Frame 5: 1438 bytes on wire (11504 bits), 1438 bytes captured (11504 bits)
User Datagram Protocol, Src Port: 64049 (64049), Dst Port: kerberos (88)
Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6e8204c4308204c0a003020105a10302010ea20703050000... AP-REQ
                Pvno: 5
                MSG Type: AP-REQ (14)
                Padding: 0
                APOptions: 00000000
                Ticket
                    Tkt-vno: 5
                    Realm: EXAMPLE.COM
                    Server Name (Principal): krbtgt/EXAMPLE.COM
                        Name-type: Principal (1)
                        Name: krbtgt
                        Name: EXAMPLE.COM
                    enc-part rc4-hmac
                Authenticator rc4-hmac
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00010000 (Canonicalize)
        Realm: EXAMPLE.COM
        Server Name (Service and Host): ldap/dc9.example.com
            Name-type: Service and Host (3)
            Name: ldap
            Name: dc9.example.com
        till: 2017-10-12 08:30:52 (UTC)
        Nonce: 1507761057
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac rc4-hmac-exp des-cbc-md5 des-cbc-crc
        HostAddresses: 192.168.0.115

No.     Time        Source                Destination           Protocol Length Info
      6 0.018414    192.168.6.6             192.168.0.115           KRB5     148    KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

Frame 6: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 64049 (64049)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 2017-10-11 22:30:57 (UTC)
    cusec: 234
    stime: 2017-10-11 22:30:57 (UTC)
    susec: 42801
    error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
    Realm: <unspecified realm>
    Server Name (Unknown):
        Name-type: Unknown (0)





As you can see, the machine makes an AS-REQ to the DC, which returns an AS-REP
indicating everything is OK. Then to get the ticket-granting ticket (TGT), the
machine makes a TGS-REQ to the same DC. However, instead of receiving the
TGS-REP, the machine receives an error from the DC stating that the principal
could not be found. How is that happening? Isn't the principal just
"root/host.example.com"? I can verify that the "servicePrincipalName" attribute
for that computer object has "root/host.example.com" listed. Isn't the TGS-REQ
authenticated by the ticket response (AS-REP)? What could make the ticket
included in the AS-REP instantly invalid?

Any insights would be appreciated.

Thanks,

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
----- On Oct 11, 2017, at 5:56 PM, samba [hidden email] wrote:

> ----- On Oct 10, 2017, at 12:02 PM, samba [hidden email] wrote:
>
>> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
>> Andrew Martin <[hidden email]> wrote:
>>
>>
>
> Rowland-
>
> I've been poking at this more and think the root of the problem is a Kerberos
> problem.
>


I threw the log level up to 10 in /etc/smb.conf on the domain controller and
poked around more.

Below are some pieces of the log:





  Kerberos: AS-REQ root/[hidden email] from ipv4:192.168.0.115:41751 for krbtgt/[hidden email]
   expr: (&(objectClass=user)(userPrincipalName=root/[hidden email]))
   expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
   expr: (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
  userPrincipalName: host/[hidden email]
  servicePrincipalName: host/hostname.example.com
  servicePrincipalName: nfs/hostname.example.com
  servicePrincipalName: HTTP/hostname.example.com
  servicePrincipalName: root/hostname.example.com
  servicePrincipalName: cifs/hostname.example.com
  servicePrincipalName: host/hostname
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- root/[hidden email]
  Kerberos: AS-REQ root/[hidden email] from ipv4:192.168.0.115:40299 for krbtgt/[hidden email]
   expr: (&(objectClass=user)(userPrincipalName=root/[hidden email]))
   expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
   expr: (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
  userPrincipalName: host/[hidden email]
  servicePrincipalName: host/hostname.example.com
  servicePrincipalName: nfs/hostname.example.com
  servicePrincipalName: HTTP/hostname.example.com
  servicePrincipalName: root/hostname.example.com
  servicePrincipalName: cifs/hostname.example.com
  servicePrincipalName: host/hostname
  Kerberos: Looking for PKINIT pa-data -- root/[hidden email]
  Kerberos: Looking for ENC-TS pa-data -- root/[hidden email]
  Kerberos: ENC-TS Pre-authentication succeeded -- root/[hidden email] using arcfour-hmac-md5
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[root/[hidden email]] at [Thu, 12 Oct 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$] [S-1-5-21-3036147387
-4093410917-1991690103-378605]. local host [NULL]
  authsam_account_ok: Checking SMB password for user root/[hidden email]
  logon_hours_ok: No hours restrictions for user root/[hidden email]
  Kerberos: TGS-REQ root/[hidden email] from ipv4:192.168.0.115:47146 for ldap/[hidden email] [canonicalize]
   expr: (&(objectClass=user)(userPrincipalName=root/[hidden email]))
   expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
  Kerberos: Client no longer in database: root/[hidden email]






As you can see, during the AS-REQ, the DC makes 3 queries for specific SPNs and
returns positively after finding that last SPN. However, on the TGS-REQ, it
only searches for 2 of those SPNs. It is a mystery to me why "expr:
(&(objectClass=user)(userPrincipalName=root/[hidden email]))"
does not return -- it is not explicitly listed in the "servicePrinicipalName"
attribute, but since "root/hostname.example.com" is and "@EXAMPLE.COM" is the
realm, I would think it could figure it out. I'll keep looking into that;
however, the lack of the last SPN search seems to me to be a bug.

Any thoughts?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
On Thu, 12 Oct 2017 13:28:40 -0500 (CDT)
Mike Ray <[hidden email]> wrote:

> ----- On Oct 11, 2017, at 5:56 PM, samba [hidden email] wrote:
>
> > ----- On Oct 10, 2017, at 12:02 PM, samba [hidden email]
> > wrote:
> >
> >> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> >> Andrew Martin <[hidden email]> wrote:
> >>
> >>
> >
> > Rowland-
> >
> > I've been poking at this more and think the root of the problem is
> > a Kerberos problem.
> >
>
>
> I threw the log level up to 10 in /etc/smb.conf on the domain
> controller and poked around more.
>
> Below are some pieces of the log:
>
>
>
>
>
>   Kerberos: AS-REQ root/[hidden email] from
> ipv4:192.168.0.115:41751 for krbtgt/[hidden email] expr:
> (&(objectClass=user)(userPrincipalName=root/[hidden email]))
> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
> expr:
> (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
> userPrincipalName: host/[hidden email]
> servicePrincipalName: host/hostname.example.com servicePrincipalName:
> nfs/hostname.example.com servicePrincipalName:
> HTTP/hostname.example.com servicePrincipalName:
> root/hostname.example.com servicePrincipalName:
> cifs/hostname.example.com servicePrincipalName: host/hostname
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> root/[hidden email] Kerberos: AS-REQ
> root/[hidden email] from ipv4:192.168.0.115:40299
> for krbtgt/[hidden email] expr:
> (&(objectClass=user)(userPrincipalName=root/[hidden email]))
> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
> expr:
> (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
> userPrincipalName: host/[hidden email]
> servicePrincipalName: host/hostname.example.com servicePrincipalName:
> nfs/hostname.example.com servicePrincipalName:
> HTTP/hostname.example.com servicePrincipalName:
> root/hostname.example.com servicePrincipalName:
> cifs/hostname.example.com servicePrincipalName: host/hostname
> Kerberos: Looking for PKINIT pa-data --
> root/[hidden email] Kerberos: Looking for ENC-TS
> pa-data -- root/[hidden email] Kerberos: ENC-TS
> Pre-authentication succeeded -- root/[hidden email]
> using arcfour-hmac-md5 Auth: [Kerberos KDC,ENC-TS Pre-authentication]
> user [(null)]\[root/[hidden email]] at [Thu, 12 Oct
> 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status
> [NT_STATUS_OK] workstation [(null)] remote host
> [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$]
> [S-1-5-21-3036147387 -4093410917-1991690103-378605]. local host
> [NULL] authsam_account_ok: Checking SMB password for user
> root/[hidden email] logon_hours_ok: No hours
> restrictions for user root/[hidden email] Kerberos:
> TGS-REQ root/[hidden email] from
> ipv4:192.168.0.115:47146 for ldap/[hidden email]
> [canonicalize] expr:
> (&(objectClass=user)(userPrincipalName=root/[hidden email]))
> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
> Kerberos: Client no longer in database:
> root/[hidden email]
>
>
>
>
>
>
> As you can see, during the AS-REQ, the DC makes 3 queries for
> specific SPNs and returns positively after finding that last SPN.
> However, on the TGS-REQ, it only searches for 2 of those SPNs. It is
> a mystery to me why "expr:
> (&(objectClass=user)(userPrincipalName=root/[hidden email]))"
> does not return -- it is not explicitly listed in the
> "servicePrinicipalName" attribute, but since
> "root/hostname.example.com" is and "@EXAMPLE.COM" is the realm, I
> would think it could figure it out. I'll keep looking into that;
> however, the lack of the last SPN search seems to me to be a bug.
>
> Any thoughts?

Yes, you shouldn't have a user called 'root' in AD.
'root' is a Unix user and the AD user 'Administrator' should be mapped
to 'root'

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Opensolaris-ish joins but does not seem to be valid

Samba - General mailing list
----- On Oct 12, 2017, at 1:52 PM, samba [hidden email] wrote:

> On Thu, 12 Oct 2017 13:28:40 -0500 (CDT)
> Mike Ray <[hidden email]> wrote:
>
>> ----- On Oct 11, 2017, at 5:56 PM, samba [hidden email] wrote:
>>
>> > ----- On Oct 10, 2017, at 12:02 PM, samba [hidden email]
>> > wrote:
>> >
>> >> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
>> >> Andrew Martin <[hidden email]> wrote:
>> >>
>> >>
>> >
>> > Rowland-
>> >
>> > I've been poking at this more and think the root of the problem is
>> > a Kerberos problem.
>> >
>>
>>
>> I threw the log level up to 10 in /etc/smb.conf on the domain
>> controller and poked around more.
>>
>> Below are some pieces of the log:
>>
>>
>>
>>
>>
>>   Kerberos: AS-REQ root/[hidden email] from
>> ipv4:192.168.0.115:41751 for krbtgt/[hidden email] expr:
>> (&(objectClass=user)(userPrincipalName=root/[hidden email]))
>> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
>> expr:
>> (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>> userPrincipalName: host/[hidden email]
>> servicePrincipalName: host/hostname.example.com servicePrincipalName:
>> nfs/hostname.example.com servicePrincipalName:
>> HTTP/hostname.example.com servicePrincipalName:
>> root/hostname.example.com servicePrincipalName:
>> cifs/hostname.example.com servicePrincipalName: host/hostname
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>> root/[hidden email] Kerberos: AS-REQ
>> root/[hidden email] from ipv4:192.168.0.115:40299
>> for krbtgt/[hidden email] expr:
>> (&(objectClass=user)(userPrincipalName=root/[hidden email]))
>> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
>> expr:
>> (&(servicePrincipalName=root/hostname.example.com)(objectClass=user))
>> userPrincipalName: host/[hidden email]
>> servicePrincipalName: host/hostname.example.com servicePrincipalName:
>> nfs/hostname.example.com servicePrincipalName:
>> HTTP/hostname.example.com servicePrincipalName:
>> root/hostname.example.com servicePrincipalName:
>> cifs/hostname.example.com servicePrincipalName: host/hostname
>> Kerberos: Looking for PKINIT pa-data --
>> root/[hidden email] Kerberos: Looking for ENC-TS
>> pa-data -- root/[hidden email] Kerberos: ENC-TS
>> Pre-authentication succeeded -- root/[hidden email]
>> using arcfour-hmac-md5 Auth: [Kerberos KDC,ENC-TS Pre-authentication]
>> user [(null)]\[root/[hidden email]] at [Thu, 12 Oct
>> 2017 12:49:54.074861 CDT] with [arcfour-hmac-md5] status
>> [NT_STATUS_OK] workstation [(null)] remote host
>> [ipv4:192.168.0.115:40299] became [EXAMPLE]\[HOSTNAME$]
>> [S-1-5-21-3036147387 -4093410917-1991690103-378605]. local host
>> [NULL] authsam_account_ok: Checking SMB password for user
>> root/[hidden email] logon_hours_ok: No hours
>> restrictions for user root/[hidden email] Kerberos:
>> TGS-REQ root/[hidden email] from
>> ipv4:192.168.0.115:47146 for ldap/[hidden email]
>> [canonicalize] expr:
>> (&(objectClass=user)(userPrincipalName=root/[hidden email]))
>> expr: (&(objectClass=user)(samAccountName=root/hostname.example.com))
>> Kerberos: Client no longer in database:
>> root/[hidden email]
>>
>>
>>
>>
>>
>>
>> As you can see, during the AS-REQ, the DC makes 3 queries for
>> specific SPNs and returns positively after finding that last SPN.
>> However, on the TGS-REQ, it only searches for 2 of those SPNs. It is
>> a mystery to me why "expr:
>> (&(objectClass=user)(userPrincipalName=root/[hidden email]))"
>> does not return -- it is not explicitly listed in the
>> "servicePrinicipalName" attribute, but since
>> "root/hostname.example.com" is and "@EXAMPLE.COM" is the realm, I
>> would think it could figure it out. I'll keep looking into that;
>> however, the lack of the last SPN search seems to me to be a bug.
>>
>> Any thoughts?
>
> Yes, you shouldn't have a user called 'root' in AD.
> 'root' is a Unix user and the AD user 'Administrator' should be mapped
> to 'root'


That makes sense. When I posted earlier, I overlooked that it was searching for
that as a userPrinicpalName, not a servicePrincipalName. I do not have a "root"
account in AD.


What I don't understand is why that last SPN isn't getting checked in TGS-REQ
but is in the AS-REQ.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba