Wanted to verify if my users have PAC and seems like they don't:
# net ads kerberos pac dump --option='realm = MYDOMAIN.LOC'
--option='kerberos method = system keytab' -s /dev/null
local_service=host/client.mydomain.loc(a)MYDOMAIN.LOC -U me
Enter me's password:
../../source3/libads/authdata.c:300: Type mismatch: name[NULL]
expected[struct PAC_DATA_CTR]
PANIC (pid 27062): ../../source3/libads/authdata.c:300: Type mismatch:
name[NULL] expected[struct PAC_DATA_CTR]
I ran ipa-adtrust-install in the past so I expected SIDs (and PAC) to be
present. Seems like that's not true?
# grep ipa-adtrust-install /var/log/ipaserver-install.log | grep success
2019-02-08T15:09:08Z INFO The ipa-adtrust-install command was successful
чт, 30 дек. 2021 г. в 16:11, Konstantin M. Khankin <
khankin.konstantin(a)gmail.com>:
Hello!
I have several SMB shares served by Samba using Kerberos accounts managed
by FreeIPA. I have no AD integrations and no AD itself. Windows clients are
configured using this
<
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA>
guide, linux clients use ipa-client and "smbclient -k". Servers and linux
clients use CentOS 7.
Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from
4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from 4.10.16-
*15*.el7_9) packages and authentication broke, no clients can connect to
shares anymore. Here are logs from linux client:
$ klist
Ticket cache: KEYRING:persistent:1696200001:1696200001
Default principal: me(a)MYDOMAIN.LOC
Valid starting Expires Service principal
12/30/2021 18:04:03 12/31/2021 18:03:46
cifs/samba.server.mydomain.loc(a)MYDOMAIN.LOC
12/30/2021 18:04:02 12/31/2021 18:03:46
nfs/samba.server.mydomain.loc(a)MYDOMAIN.LOC
12/30/2021 18:03:49 12/31/2021 18:03:46 krbtgt/MYDOMAIN.LOC(a)MYDOMAIN.LOC
$ smbclient -k -L //samba.server.mydomain.loc
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Server logs:
*log.smbd:*
[2021/12/30 19:03:23.597495, 2]
../../source3/lib/smbldap.c:847(smbldap_open_connection)
smbldap_open_connection: connection opened
[2021/12/30 19:03:23.695598, 3]
../../source3/lib/smbldap.c:1069(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam)
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
mydomain.loc
[2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.10.1 (192.168.10.1)
*log.192.168.10.1:*
...
[2021/12/30 19:05:22.458992, 3]
../../source3/smbd/negprot.c:776(reply_negprot)
Selected protocol SMB 2.???
[2021/12/30 19:05:22.459495, 3]
../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2021/12/30 19:05:22.524677, 3]
../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
failed: The operation or option is not available or unsupported: No such
file or directory
[2021/12/30 19:05:22.524750, 1]
../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
gensec_generate_session_info_pac: Unable to find PAC in ticket from
me(a)MYDOMAIN.LOC, failing to allow access
[2021/12/30 19:05:22.524784, 3]
../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at
../../source3/smbd/smb2_sesssetup.c:146
[2021/12/30 19:05:22.525565, 3]
../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
Googling, source-digging and "log level = 5" were not helpful. However, I
find changelogs somewhat interesting:
$ rpm -q --changelog ipa-server | head
* Thu Dec 16 2021 CentOS Sources <bugs(a)centos.org> - 4.6.8-5.el7.centos.10
- Roll in CentOS Branding
* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud(a)redhat.com> -
4.6.8-5.el7_9.10
- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT
setup against a RHEL 7.9 IPA server
- Fix cert_request for KDC cert
- Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not
always rely on the SID and PAC in Kerberos tickets*
- SMB: switch IPA domain controller role
$ rpm -q --changelog samba | head
* Mon Nov 15 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-17
- related: #2019673 - *Add missing checks for IPA DC server role*
* Mon Nov 08 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-16
- resolves: #2019661 - Fix CVE-2016-2124
- resolves: #2019673 - Fix CVE-2020-25717
- resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl*
I don't have access to the mentioned bugs in Bugzilla unfortunately. Maybe
someone knows if I need to do something after upgrading these packages?
Rolling back samba packages is unwanted given that Samba sources mention
this is unsafe.
Thanks!
--
Konstantin Khankin