openindiana GSSAPI failure to samba 4.6.6


openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
Hi,

 We recently updated our AD servers to 4.6.6 and one of the things that
stopped working was our zfs server running illumos. The idmap daemon is
trying to bind to ldap using sasl/GSSAPI and is failing with

additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Client not found in
Kerberos database)

I think this is usually caused by DNS inconsistencies but everything looks
fine and it was working before the upgrade.

klist shows tickets
and doing an ldapsearch on the command line using GSSAPI seems to work
fine.

Has anyone encountered this? Any idea how to debug?

Thanks,
Greg

--


Greg Dickie
just a guy
514-983-5400
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
On Fri, Jul 28, 2017 at 09:20:29AM -0400, Greg Dickie via samba wrote:
> Hi,
>
>  We recently updated our AD servers to 4.6.6 and one of the things that
> stopped working was our zfs server running illumos. The idmap daemon is
> trying to bind to ldap using sasl/GSSAPI and is failing with
>
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Client not found in
> Kerberos database)

not 100% sure, but iirc this one should help:

ldap server require strong auth = allow_sasl_over_tls

Cf https://www.samba.org/samba/security/CVE-2016-2112.html

-slow


Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
Hi Ralph,

   I actually had already set that parameter to no to fix another problem.
This really looks like a kerberos issue.

Thanks for the reply,
Greg

On Fri, Jul 28, 2017 at 9:45 AM, Ralph Böhme <[hidden email]> wrote:

> On Fri, Jul 28, 2017 at 09:20:29AM -0400, Greg Dickie via samba wrote:
> > Hi,
> >
> >  We recently updated our AD servers to 4.6.6 and one of the things that
> > stopped working was our zfs server running illumos. The idmap daemon is
> > trying to bind to ldap using sasl/GSSAPI and is failing with
> >
> > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> > failure.  Minor code may provide more information (Client not found in
> > Kerberos database)
>
> not 100% sure, but iirc this one should help:
>
> ldap server require strong auth = allow_sasl_over_tls
>
> Cf https://www.samba.org/samba/security/CVE-2016-2112.html
>
> -slow
>



--


Greg Dickie
just a guy
514-983-5400

Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
2017-07-28 15:20 GMT+02:00 Greg Dickie via samba <[hidden email]>:

> Hi,
>
>  We recently updated our AD servers to 4.6.6 and one of the things that
> stopped working was our zfs server running illumos. The idmap daemon is
> trying to bind to ldap using sasl/GSSAPI and is failing with
>
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Client not found in
> Kerberos database)
>
> I think this is usually caused by DNS inconsistencies but everthing looks
> fine and it was working before the upgrade.
>
> klist shows tickets
>

I don't think this is relevant: from what I have understood, Samba
generates its own tickets somewhere, but not in /tmp, so they are not
available with klist.


> and doing and ldapsearch on the command line using GSSAPI seems to work
> fine.
>

That's a good point... until you are using the same account and keytab as Samba.


>
> Has anyone encountered this? Any idea how to debug?
>

No.
But machine accounts have a password and this password is supposed to
change in MS AD. I'm not sure it is changing with Samba AD but it could as
Samba means to reproduce MS AD behavior.

No idea about illumos, but the klist you mentioned, as well as the ldapsearch
using the ticket from that klist, have to be tested using the very same account
used by illumos and the same keytab, if any.

You could check that account to see if it was modified since the update you
mentioned (pwdLastSet, whenChanged).

No idea if this could help, just a try...


>
> Thanks,
> Greg
>
> --
>
>
> Greg Dickie
> just a guy
> 514-983-5400
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
Hai,

You have 3 places to look where your keytab can be found.

When "kerberos method" is set to "dedicated keytab", see the parameter
 dedicated keytab file = /where/your/krb5.keytab
to find where it is configured.

The system default keytab (on my debian system) /etc/krb5.keytab
Yours might be in: /etc/krb5/krb5.keytab

The samba keytab if "dedicated keytab file" is not used
(on my debian system):
/var/lib/samba/private/secret.keytab

And check them all:
klist -ke /var/lib/samba/private/secret.keytab
klist -ke /etc/krb5/krb5.keytab



Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:[hidden email]] Namens
> mathias dufresne via samba
> Verzonden: maandag 31 juli 2017 10:59
> Aan: Greg Dickie
> CC: samba
> Onderwerp: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
>
> 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
> <[hidden email]>:
>
> > Hi,
> >
> >  We recently updated our AD servers to 4.6.6 and one of the things
> > that stopped working was our zfs server running illumos. The idmap
> > daemon is trying to bind to ldap using sasl/GSSAPI and is
> failing with
> >
> > additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified
> > GSS failure.  Minor code may provide more information (Client not
> > found in Kerberos database)
> >
> > I think this is usually caused by DNS inconsistencies but everthing
> > looks fine and it was working before the upgrade.
> >
> > klist shows tickets
> >
>
> I don't think this is relevant: for what I feel to have
> understood Samba generates its own tickets somewhere but not
> in /tmp, not available with klist.
(Client not found in Kerberos database)

>
>
> > and doing and ldapsearch on the command line using GSSAPI seems to
> > work fine.
> >
>
> That's a good point... until you are using same account and
> keytab as Samba.
>
>
> >
> > Has anyone encountered this? Any idea how to debug?
> >
>
> No.
> But machine accounts have a password and this password is
> supposed to change in MS AD. I'm not sure it is changing with
> Samba AD but it could as Samba means to reproduce MS AD behavior.
>
> No idea about illumos but the klist you mentioned as the
> ldapsearch using the ticket of that klist have to be tested
> using the very same account used by illumos and the same
> keytab if any.
>
> You could check that account to see it was modified since the
> update you mentioned (pwdLastSet, whenChanged).
>
> No idea if this could help, just a try...
>
>
> >
> > Thanks,
> > Greg
> >
> > --
> >
> >
> > Greg Dickie
> > just a guy
> > 514-983-5400
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


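Added example for Louis's keytab checks and Mathias's pwdLastSet suggestion above (not code from the thread or from Samba): it lists the three keytab locations named in the thread, parses MIT-style `klist -ke` output into per-principal kvnos and enctypes, flags a bind principal that is missing from the keytab or carries several kvnos, and converts a pwdLastSet FILETIME so it can be compared with the upgrade date. The keytab listing, host name, realm and kvnos are constructed.

```python
# Added example, not code from the thread or from Samba: inspect the keytab
# entries a Samba/idmap client binds with and convert the account's pwdLastSet
# for comparison with the upgrade date. Assumes MIT-style klist -ke output;
# every sample value below is constructed.
import re
from datetime import datetime, timedelta, timezone

# Keytab locations named in the thread: system default, the illumos path,
# and Samba's own secrets keytab. A "dedicated keytab file" from smb.conf
# (used when "kerberos method" selects it) is checked first.
DEFAULT_KEYTABS = ["/etc/krb5.keytab", "/etc/krb5/krb5.keytab",
                   "/var/lib/samba/private/secret.keytab"]

def candidate_keytabs(smb_conf_text):
    """Return keytab paths to inspect, the dedicated keytab first if set."""
    paths = []
    m = re.search(r"^\s*dedicated keytab file\s*=\s*(\S+)", smb_conf_text, re.M)
    if m:
        paths.append(m.group(1))
    return paths + [p for p in DEFAULT_KEYTABS if p not in paths]

# One klist -ke entry looks like "   3 host/name@REALM (aes256-cts-hmac-sha1-96)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist_ke(text):
    """Map each principal in klist -ke output to its kvnos and enctypes."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:  # header, separator and blank lines
            continue
        e = entries.setdefault(m.group(2), {"kvnos": set(), "enctypes": set()})
        e["kvnos"].add(int(m.group(1)))
        e["enctypes"].add(m.group(3))
    return entries

def find_problems(entries, account_principal):
    """Two checks behind "Client not found in Kerberos database": the principal
    the daemon binds as is absent from this keytab, or one principal carries
    several kvnos (stale keys left behind by a machine password change)."""
    problems = []
    if account_principal not in entries:
        problems.append("missing principal: " + account_principal)
    for princ, e in entries.items():
        if len(e["kvnos"]) > 1:
            problems.append("multiple kvnos for %s: %s" % (princ, sorted(e["kvnos"])))
    return problems

def filetime_to_datetime(filetime):
    """Convert an AD pwdLastSet value (100 ns ticks since 1601-01-01 UTC)."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(filetime) // 10)

# Constructed sample of klist -ke; host name, realm and kvnos are made up.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/zfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/zfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 ZFS1$@EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":  # on a real host feed real klist -ke output instead
    print(find_problems(parse_klist_ke(SAMPLE_KLIST), "ZFS1$@EXAMPLE.COM"))
```

On a live system, run `klist -ke` on each path from `candidate_keytabs()` and pass its output to `parse_klist_ke()`; compare `filetime_to_datetime()` of the account's pwdLastSet with the date of the AD upgrade.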

Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
Hey guys,

 Thanks for the ideas. I made life easier for myself and just replaced the
SunOS (illumos) implementation with real samba. That works very well so
we're all good. Is it just me or is kerberos complicated?

Thanks,
Greg

On Mon, Jul 31, 2017 at 8:25 AM, L.P.H. van Belle via samba <
[hidden email]> wrote:

> Hai,
>
> You have 3 places to look where you keytab can be found.
>
> When kerberos method is set to "dedicated keytab" see the parameter.
>  dedicated keytab file = /where/your/krb5.keytab is configured.
>
> The system default keytab ( on my debian system ) /etc/krb5.keytab
> Yours might be in :  /etc/krb5/krb5.keytab
>
> The samba keytab if  "dedicated keytab file"  is not used.
> ( on my debian system )
> /var/lib/samba/private/secret.keytab
>
> And check them all
> klist -ke /var/lib/samba/private/secret.keytab
> klist -ke /etc/krb5/krb5.keytab
>
>
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:[hidden email]] Namens
> > mathias dufresne via samba
> > Verzonden: maandag 31 juli 2017 10:59
> > Aan: Greg Dickie
> > CC: samba
> > Onderwerp: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
> >
> > 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
> > <[hidden email]>:
> >
> > > Hi,
> > >
> > >  We recently updated our AD servers to 4.6.6 and one of the things
> > > that stopped working was our zfs server running illumos. The idmap
> > > daemon is trying to bind to ldap using sasl/GSSAPI and is
> > failing with
> > >
> > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > Unspecified
> > > GSS failure.  Minor code may provide more information (Client not
> > > found in Kerberos database)
> > >
> > > I think this is usually caused by DNS inconsistencies but everthing
> > > looks fine and it was working before the upgrade.
> > >
> > > klist shows tickets
> > >
> >
> > I don't think this is relevant: for what I feel to have
> > understood Samba generates its own tickets somewhere but not
> > in /tmp, not available with klist.
> (Client not found in Kerberos database)
>
> >
> >
> > > and doing and ldapsearch on the command line using GSSAPI seems to
> > > work fine.
> > >
> >
> > That's a good point... until you are using same account and
> > keytab as Samba.
> >
> >
> > >
> > > Has anyone encountered this? Any idea how to debug?
> > >
> >
> > No.
> > But machine accounts have a password and this password is
> > supposed to change in MS AD. I'm not sure it is changing with
> > Samba AD but it could as Samba means to reproduce MS AD behavior.
> >
> > No idea about illumos but the klist you mentioned as the
> > ldapsearch using the ticket of that klist have to be tested
> > using the very same account used by illumos and the same
> > keytab if any.
> >
> > You could check that account to see it was modified since the
> > update you mentioned (pwdLastSet, whenChanged).
> >
> > No idea if this could help, just a try...
> >
> >
> > >
> > > Thanks,
> > > Greg
> > >
> > > --
> > >
> > >
> > > Greg Dickie
> > > just a guy
> > > 514-983-5400
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



--


Greg Dickie
just a guy
514-983-5400

Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
2017-07-31 17:41 GMT+02:00 Greg Dickie via samba <[hidden email]>:

> Hey guys,
>
>  Thanks for the ideas. I made life easier for myself and just replaced the
> SunOS (illumos) implementation with real samba. That works very well so
> we're all good. Is it just me or is kerberos complicated?
>

At first, no it is not you : )
But after a while (and thanks to en.wikipedia.org) it can become quite
clear and almost simple.


>
> Thanks,
> Greg
>
> On Mon, Jul 31, 2017 at 8:25 AM, L.P.H. van Belle via samba <
> [hidden email]> wrote:
>
> > Hai,
> >
> > You have 3 places to look where you keytab can be found.
> >
> > When kerberos method is set to "dedicated keytab" see the parameter.
> >  dedicated keytab file = /where/your/krb5.keytab is configured.
> >
> > The system default keytab ( on my debian system ) /etc/krb5.keytab
> > Yours might be in :  /etc/krb5/krb5.keytab
> >
> > The samba keytab if  "dedicated keytab file"  is not used.
> > ( on my debian system )
> > /var/lib/samba/private/secret.keytab
> >
> > And check them all
> > klist -ke /var/lib/samba/private/secret.keytab
> > klist -ke /etc/krb5/krb5.keytab
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:[hidden email]] Namens
> > > mathias dufresne via samba
> > > Verzonden: maandag 31 juli 2017 10:59
> > > Aan: Greg Dickie
> > > CC: samba
> > > Onderwerp: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
> > >
> > > 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
> > > <[hidden email]>:
> > >
> > > > Hi,
> > > >
> > > >  We recently updated our AD servers to 4.6.6 and one of the things
> > > > that stopped working was our zfs server running illumos. The idmap
> > > > daemon is trying to bind to ldap using sasl/GSSAPI and is
> > > failing with
> > > >
> > > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > > Unspecified
> > > > GSS failure.  Minor code may provide more information (Client not
> > > > found in Kerberos database)
> > > >
> > > > I think this is usually caused by DNS inconsistencies but everthing
> > > > looks fine and it was working before the upgrade.
> > > >
> > > > klist shows tickets
> > > >
> > >
> > > I don't think this is relevant: for what I feel to have
> > > understood Samba generates its own tickets somewhere but not
> > > in /tmp, not available with klist.
> > (Client not found in Kerberos database)
> >
> > >
> > >
> > > > and doing and ldapsearch on the command line using GSSAPI seems to
> > > > work fine.
> > > >
> > >
> > > That's a good point... until you are using same account and
> > > keytab as Samba.
> > >
> > >
> > > >
> > > > Has anyone encountered this? Any idea how to debug?
> > > >
> > >
> > > No.
> > > But machine accounts have a password and this password is
> > > supposed to change in MS AD. I'm not sure it is changing with
> > > Samba AD but it could as Samba means to reproduce MS AD behavior.
> > >
> > > No idea about illumos but the klist you mentioned as the
> > > ldapsearch using the ticket of that klist have to be tested
> > > using the very same account used by illumos and the same
> > > keytab if any.
> > >
> > > You could check that account to see it was modified since the
> > > update you mentioned (pwdLastSet, whenChanged).
> > >
> > > No idea if this could help, just a try...
> > >
> > >
> > > >
> > > > Thanks,
> > > > Greg
> > > >
> > > > --
> > > >
> > > >
> > > > Greg Dickie
> > > > just a guy
> > > > 514-983-5400
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
>
> --
>
>
> Greg Dickie
> just a guy
> 514-983-5400
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Re: openindiana GSSAPI failure to samba 4.6.6

Samba - General mailing list
thanks ;-)

On Tue, Aug 1, 2017 at 6:05 AM, mathias dufresne <[hidden email]>
wrote:

>
>
> 2017-07-31 17:41 GMT+02:00 Greg Dickie via samba <[hidden email]>:
>
>> Hey guys,
>>
>>  Thanks for the ideas. I made life easier for myself and just replaced the
>> SunOS (illumos) implementation with real samba. That works very well so
>> we're all good. Is it just me or is kerberos complicated?
>>
>
> At first, no it is not you : )
> But after a while (and thanks to en.wikipedia.org) it can become quite
> clear and almost simple.
>
>
>>
>> Thanks,
>> Greg
>>
>> On Mon, Jul 31, 2017 at 8:25 AM, L.P.H. van Belle via samba <
>> [hidden email]> wrote:
>>
>> > Hai,
>> >
>> > You have 3 places to look where you keytab can be found.
>> >
>> > When kerberos method is set to "dedicated keytab" see the parameter.
>> >  dedicated keytab file = /where/your/krb5.keytab is configured.
>> >
>> > The system default keytab ( on my debian system ) /etc/krb5.keytab
>> > Yours might be in :  /etc/krb5/krb5.keytab
>> >
>> > The samba keytab if  "dedicated keytab file"  is not used.
>> > ( on my debian system )
>> > /var/lib/samba/private/secret.keytab
>> >
>> > And check them all
>> > klist -ke /var/lib/samba/private/secret.keytab
>> > klist -ke /etc/krb5/krb5.keytab
>> >
>> >
>> >
>> > Greetz,
>> >
>> > Louis
>> >
>> > > -----Oorspronkelijk bericht-----
>> > > Van: samba [mailto:[hidden email]] Namens
>> > > mathias dufresne via samba
>> > > Verzonden: maandag 31 juli 2017 10:59
>> > > Aan: Greg Dickie
>> > > CC: samba
>> > > Onderwerp: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
>> > >
>> > > 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
>> > > <[hidden email]>:
>> > >
>> > > > Hi,
>> > > >
>> > > >  We recently updated our AD servers to 4.6.6 and one of the things
>> > > > that stopped working was our zfs server running illumos. The idmap
>> > > > daemon is trying to bind to ldap using sasl/GSSAPI and is
>> > > failing with
>> > > >
>> > > > additional info: SASL(-1): generic failure: GSSAPI Error:
>> > > Unspecified
>> > > > GSS failure.  Minor code may provide more information (Client not
>> > > > found in Kerberos database)
>> > > >
>> > > > I think this is usually caused by DNS inconsistencies but everthing
>> > > > looks fine and it was working before the upgrade.
>> > > >
>> > > > klist shows tickets
>> > > >
>> > >
>> > > I don't think this is relevant: for what I feel to have
>> > > understood Samba generates its own tickets somewhere but not
>> > > in /tmp, not available with klist.
>> > (Client not found in Kerberos database)
>> >
>> > >
>> > >
>> > > > and doing and ldapsearch on the command line using GSSAPI seems to
>> > > > work fine.
>> > > >
>> > >
>> > > That's a good point... until you are using same account and
>> > > keytab as Samba.
>> > >
>> > >
>> > > >
>> > > > Has anyone encountered this? Any idea how to debug?
>> > > >
>> > >
>> > > No.
>> > > But machine accounts have a password and this password is
>> > > supposed to change in MS AD. I'm not sure it is changing with
>> > > Samba AD but it could as Samba means to reproduce MS AD behavior.
>> > >
>> > > No idea about illumos but the klist you mentioned as the
>> > > ldapsearch using the ticket of that klist have to be tested
>> > > using the very same account used by illumos and the same
>> > > keytab if any.
>> > >
>> > > You could check that account to see it was modified since the
>> > > update you mentioned (pwdLastSet, whenChanged).
>> > >
>> > > No idea if this could help, just a try...
>> > >
>> > >
>> > > >
>> > > > Thanks,
>> > > > Greg
>> > > >
>> > > > --
>> > > >
>> > > >
>> > > > Greg Dickie
>> > > > just a guy
>> > > > 514-983-5400
>> > > > --
>> > > > To unsubscribe from this list go to the following URL and read the
>> > > > instructions:  https://lists.samba.org/mailman/options/samba
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions:  https://lists.samba.org/mailman/options/samba
>> > >
>> >
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>>
>>
>>
>> --
>>
>>
>> Greg Dickie
>> just a guy
>> 514-983-5400
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>


--


Greg Dickie
just a guy
514-983-5400