Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain

Hi everyone,

I'm new to this list and I already have quite a long question. Please bear with me.

We have a samba 4.6 active directory domain which was recently upgraded from a samba 3 NT-Style domain.

The name of the domain is something like ad.foo.bar. Domain Controllers are dc1.ad.foo.bar and dc2.ad.foo.bar.

We have a large number of linux servers (RHEL 7 & 6) joined to the domain (using sssd for authentication).

Our goal is to be able to log into a linux server from a linux client (or windows client) using a kerberos ticket.

This works for most linux servers but not all of them.

The problem seems to be related to the dns subdomains we are using.

E.g. we have two servers named "servera.foo.bar" and "servera.test.foo.bar"; they reside in the same class B network, the subdomain is just an organizational thing (our team does not have control over DNS).

To be able to join both servers to the domain we change the netbios name of the server from the test.foo.bar domain and append "_T" to it (e.g. SERVERA_T). We use the "-N" parameter of "adcli join" to do this, the "netbios name" parameter in smb.conf and the ldap_sasl_authid parameter in sssd.conf.

This way both servers can be joined to the domain and users can authenticate on both servers locally.

But they cannot access servera.test.foo.bar via ssh using a kerberos ticket (it works for servera.foo.bar). The error message is "Server not found in Kerberos database".

Doing "kvno host/servera.test.foo.bar" results in the same error.

But "samba-tool spn list SERVERA_T$" shows that the spn "host/servera.test.foo.bar" exists. And "klist -kt /etc/krb5.keytab" on servera.test.foo.bar also shows an entry for "host/servera.test.foo.bar".

I did not get any further with debugging this but I found something that seems to be related:

When trying to export a keytab for servera.test.foo.bar via "samba-tool domain exportkeytab" on dc1, I noticed that it is not possible to export the principal "host/servera.test.foo.bar". The tool simply does nothing and does not return an error.

Doing the exportkeytab with debug level 255 shows an ldb query with the following expression:

(|(&(servicePrincipalName=host/servera.test.foo.bar)(objectClass=user))(&(cn=servera)(objectClass=computer)))

This results in two DNs being returned: CN=SERVERA_T,CN=Computers,DC=ad,DC=foo,DC=bar and CN=SERVERA,CN=Computers,DC=ad,DC=foo,DC=bar, because the expression includes "cn=servera" which matches servera.foo.bar and "servicePrincipalName=host/servera.test.foo.bar" which matches servera.test.foo.bar.

After that samba-tool just ends without error and without exporting anything.

My guess is that something similar happens when a client requests a ticket for "host/servera.test.foo.bar".

Is what we are doing not possible (by design)?

I hope my description makes any sense.

Regards,

Andre

--
* bitbone AG
* Prymstraße 3
* D-97070 Würzburg

* Tel: +49(0)931-250993-10
* Fax: +49(0)931-250993-199
* E-Mail: [hidden email]
* Web: www.bitbone.de

* Registered office: Würzburg
* Commercial register: Amtsgericht Würzburg HRB-7457
* Chairman of the supervisory board: Randolf Schürmann
* Management board: Sebastian Scheuring, Thomas Sprickmann Kerkerinck
* VAT ID: DE216268143
______________________________________________________________

  Information management and standard technologies
  from your open-source systems house
______________________________________________________________



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain

On Fri, 14 Jul 2017 10:05:45 +0200
André Welter via samba <[hidden email]> wrote:

As far as I am aware, your AD realm must be the same as your dns domain
(not to be confused with a NetBIOS domain name), so I don't think this
is going to work as is.

Your other problem: neither sssd nor adcli are Samba products and as you
are using them, you are asking in the wrong place, try the sssd-users
mailing list.

Rowland


Re: Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain

> As far as I am aware, your AD realm must be the same as your dns domain
> (not to be confused with a NetBIOS domain name), so I don't think this
> is going to work as is.
>
> Your other problem: neither sssd or adcli are Samba products and as you
> are using them, you are asking in the wrong place, try the sssd-users
> mailing list.
>
> Rowland

Thanks for the reply.

Ok, I think I got a workaround. By adding a suffix ("_L") to the netbios name of servera.foo.bar the problem goes away.

But I am still curious.

Regardless of whether it's linux or windows clients, I can arrive at the same problem by only using pdbedit and samba-tool on one of the DCs to create computer accounts and SPNs. And I think I am doing nothing illegal.

I haven't looked at the code but to me it seems like whatever builds the ldb query I mentioned above assumes that the cn of a computer account (which is the netbios name) is always the hostname, which might not be true.
Can anybody comment on that?

Andre





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
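The ambiguity described in the first message and the "_L" workaround from this reply, modelled as an added example (not code from the thread or from Samba): it evaluates the ldb filter quoted from the exportkeytab debug output against constructed computer objects and reports whether a host's SPN lookup resolves to exactly one DN. The directory entries and the helpers computer, check_host and rename_cn are assumptions for illustration.

```python
# Added example, not code from the thread or from Samba. It models the
# ldb filter quoted from the exportkeytab debug output and checks whether
# an SPN lookup for a host resolves to exactly one computer object.
# All directory entries below are constructed sample data.

def computer(cn, fqdn):
    """Constructed AD computer object with the SPNs a join would register."""
    return {"dn": f"CN={cn},CN=Computers,DC=ad,DC=foo,DC=bar", "cn": cn,
            "servicePrincipalName": [f"host/{fqdn}", f"host/{cn}"],
            "objectClass": ["top", "person", "organizationalPerson",
                            "user", "computer"]}

# The situation from the thread: two hosts whose short name is "servera".
DIRECTORY = [computer("SERVERA", "servera.foo.bar"),
             computer("SERVERA_T", "servera.test.foo.bar")]

def _ieq(a, b):
    return a.lower() == b.lower()   # LDAP string matching is case-insensitive

def exportkeytab_filter(entry, fqdn):
    """(|(&(servicePrincipalName=host/<fqdn>)(objectClass=user))
         (&(cn=<shortname>)(objectClass=computer)))"""
    short = fqdn.split(".")[0]
    classes = {c.lower() for c in entry["objectClass"]}
    spn_hit = ("user" in classes and
               any(_ieq(s, f"host/{fqdn}") for s in entry["servicePrincipalName"]))
    cn_hit = "computer" in classes and _ieq(entry["cn"], short)
    return spn_hit or cn_hit

def check_host(directory, fqdn):
    """'ambiguous' is the case the thread hit: two DNs returned, tool gives up."""
    dns = [e["dn"] for e in directory if exportkeytab_filter(e, fqdn)]
    status = "missing" if not dns else "ok" if len(dns) == 1 else "ambiguous"
    return status, dns

def rename_cn(directory, old_cn, new_cn):
    """The workaround from the thread: give the other host a suffixed netbios
    name too, so no cn equals a bare short hostname. SPNs are kept."""
    out = []
    for e in directory:
        if _ieq(e["cn"], old_cn):
            e = dict(e, cn=new_cn,
                     dn=e["dn"].replace(f"CN={e['cn']},", f"CN={new_cn},", 1))
        out.append(e)
    return out

if __name__ == "__main__":
    for fqdn in ("servera.foo.bar", "servera.test.foo.bar"):
        print(fqdn, check_host(DIRECTORY, fqdn))
    fixed = rename_cn(DIRECTORY, "SERVERA", "SERVERA_L")
    print("after rename:", check_host(fixed, "servera.test.foo.bar"))
```

Running check_host before joining a host whose netbios name differs from its short hostname shows whether the cn branch of the filter will collide with another object's SPN branch.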

Re: Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain


> > >
> >
> > As far as I am aware, your AD realm must be the same as your dns
> > domain (not to be confused with a NetBIOS domain name), so I don't
> > think this is going to work as is.

AD REALM and DNS Domain are 2 different things.
You can have multiple dns domains with other names than the REALM domains.
But it's more complex to configure.

> >
> > Your other problem: neither sssd or adcli are Samba products and as
> > you are using them, you are asking in the wrong place, try the
> > sssd-users mailing list.
> >
> > Rowland
>
> Thanks for the reply.
>
> Ok, I think I got a workaround. By adding a suffix ("_L") to
> the netbios name of servera.foo.bar the problem goes away.
>
> But I am still curious.
>
> Regardless of whether it's linux or windows clients, I can arrive at
> the same problem by only using pdbedit and samba-tool on one
> of the DCs to create computer accounts and SPNs. And I think
> I am doing nothing illegal.
>
> I haven't looked at the code but to me it seems like whatever
> builds the ldb query I mentioned above assumes that the cn of
> a computer account (which is the netbios name) always is the
> hostname. Which might not be true.
> Can anybody comment on that?

adcli join?
If this works the same as msktutil,
which creates a user and sets the needed options, then your real hostname and "joined_hostname" are different.

But same here, I don't know SSSD, you might need to ask the sssd list.



>
> Andre
>
>

Louis



Re: Server not found in Kerberos database trying to ssh into a linux server joined to an AD domain

On Mon, 17 Jul 2017 08:48:04 +0200
André Welter via samba <[hidden email]> wrote:

> Thanks for the reply.
>
> Ok, I think I got a workaround. By adding a suffix ("_L") to the
> netbios name of servera.foo.bar the problem goes away.

Glad you found a workaround, not sure if it is going to work in the
long term though.

>
> But I am still curious.
>
> Regardless of whether it's linux or windows clients, I can arrive at the same
> problem by only using pdbedit and samba-tool on one of the DCs to
> create computer accounts and SPNs. And I think I am doing nothing
> illegal.

You probably can use pdbedit to pre-create a machine account, but I
wouldn't, and there is no code in samba-tool to do this.
 
>
> I haven't looked at the code but to me it seems like whatever builds
> the ldb query I mentioned above assumes that the cn of a computer
> account (which is the netbios name) always is the hostname. Which
> might not be true. Can anybody comment on that?
>

Why wouldn't you want the 'cn' to be the hostname of the computer?
This is the way that the Samba tools create machine accounts when the
join occurs.

Rowland

