Bug#1052245: SMB authentication failure against main server
So debugging this with Wireshark showed that during the SPNEGO negotiation,
server and client could not settle on a mutually supported authentication
mechanism. The server was only offering NTLMSSP while the client offers MS
KRB5/KRB5 (due to --use-kerberos=required).
The server needs to have "kerberos method" set to use the right keytab, for
some reason "system keytab" does not work and I had to explicitly set
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
This allows SPNEGO negotiation to succeed but leads to the next error:
[2023/09/26 15:21:29.755056, 5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2023/09/26 15:21:29.755119, 5] ../../source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend anonymous
[2023/09/26 15:21:29.755141, 5] ../../source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method 'anonymous'
[2023/09/26 15:21:29.755154, 5] ../../source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam
[2023/09/26 15:21:29.755164, 5] ../../source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method 'sam'
[2023/09/26 15:21:29.755173, 5] ../../source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam_ignoredomain
[2023/09/26 15:21:29.755183, 5] ../../source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method 'sam_ignoredomain'
[2023/09/26 15:21:29.755191, 5] ../../source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam_netlogon3
[2023/09/26 15:21:29.755201, 5] ../../source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method 'sam_netlogon3'
[2023/09/26 15:21:29.755210, 5] ../../source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend winbind
[2023/09/26 15:21:29.755219, 5] ../../source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method 'winbind'
[2023/09/26 15:21:29.755228, 5] ../../source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend unix
[2023/09/26 15:21:29.755237, 5] ../../source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method 'unix'
[2023/09/26 15:21:29.755246, 5] ../../source3/auth/auth.c:426(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/26 15:21:29.755276, 5] ../../source3/auth/auth.c:451(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2023/09/26 15:21:29.755286, 5] ../../source3/auth/auth.c:426(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/26 15:21:29.755296, 5] ../../source3/auth/auth.c:451(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/26 15:21:29.757684, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2023/09/26 15:21:29.757719, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2023/09/26 15:21:29.757732, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2023/09/26 15:21:29.757744, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'spnego' registered
[2023/09/26 15:21:29.757754, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'schannel' registered
[2023/09/26 15:21:29.757764, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'ncalrpc_as_system' registered
[2023/09/26 15:21:29.757774, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2023/09/26 15:21:29.757784, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'ntlmssp' registered
[2023/09/26 15:21:29.757793, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2023/09/26 15:21:29.757803, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'http_basic' registered
[2023/09/26 15:21:29.757813, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'http_ntlm' registered
[2023/09/26 15:21:29.757822, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'http_negotiate' registered
[2023/09/26 15:21:29.757835, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'krb5' registered
[2023/09/26 15:21:29.757853, 3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend 'fake_gssapi_krb5' registered
[2023/09/26 15:21:29.757980, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2023/09/26 15:21:29.758031, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2023/09/26 15:21:29.767904, 5] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2023/09/26 15:21:29.767924, 5] ../../source3/auth/auth.c:426(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2023/09/26 15:21:29.767931, 5] ../../source3/auth/auth.c:451(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2023/09/26 15:21:29.767936, 5] ../../source3/auth/auth.c:426(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2023/09/26 15:21:29.767941, 5] ../../source3/auth/auth.c:451(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2023/09/26 15:21:29.767971, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2023/09/26 15:21:29.768004, 5] ../../auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2023/09/26 15:21:29.768378, 1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for [atest@INTERN] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
This leads to a bug in Samba, based on false assumptions, which was
introduced in 2021 and makes it impossible to use MIT Kerberos
authentication with the standalone server role.
There is a long thread on the Samba list starting at
https://lists.samba.org/archive/samba/2023-April/244842.html about it,
the actual cause is described by Andrew Bartlett from the Samba team:
> So I knew this would happen, sorry about that.
>
> When we did the big 2021 security fixes, we strictly set a line between
> 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
>
> This was meant to ensure that folks would not connect Samba as a
> 'standalone' server in an AD domain, bypassing the security mitigation
> we put in place against the 'dollar ticket attack' where users could
> create an account called 'root$' but print it as 'root'.
>
> The problem is that subsequent to that, I saw that the MIT folks
> decided to always issue a PAC, just without the LOGON_INFO
> component. Samba doesn't do well with that, and a fix is needed both
> in this code an in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'.
(see https://lists.samba.org/archive/samba/2023-April/244999.html)
So if we don't want to set up a AD DC we will probably not be able to use
Kerberos authentication with our current setup.
--
Guido Berhoerster
Reply to: