Thanks for your help Alexander!
Turns out my exact problem was this <https://narkive.com/rCnXSfSy.6>.
> Anyway, the scenario you are running is not supported by FreeIPA
> team.
Could you please educate me which scenario is supported? Or is it not
supported only because of RHEL 7 / CentOS 7?
Happy New Year! :)
Thu, 30 Dec 2021 at 20:03, Alexander Bokovoy <abokovoy(a)redhat.com>:
> On Thu, 30 Dec 2021, Konstantin M. Khankin via FreeIPA-users wrote:
> >Hello!
> >
> >I have several SMB shares served by Samba using Kerberos accounts managed
> >by FreeIPA. I have no AD integrations and no AD itself. Windows clients are
> >configured using this
> ><https://www.freeipa.org/page/Windows_authentication_against_FreeIPA>
> >guide, linux clients use ipa-client and "smbclient -k". Servers and linux
> >clients use CentOS 7.
>
> This method is not supported, as stated multiple times on this very
> list for the past several years.
>
> >
> >Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from
> >4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from
> >4.10.16-*15*.el7_9)
> >packages and authentication broke, no clients can connect to shares
> >anymore. Here are logs from linux client:
> >
> >$ klist
> >Ticket cache: KEYRING:persistent:1696200001:1696200001
> >Default principal: me(a)MYDOMAIN.LOC
> >
> >Valid starting Expires Service principal
> >12/30/2021 18:04:03 12/31/2021 18:03:46
> > cifs/samba.server.mydomain.loc(a)MYDOMAIN.LOC
> >12/30/2021 18:04:02 12/31/2021 18:03:46
> > nfs/samba.server.mydomain.loc(a)MYDOMAIN.LOC
> >12/30/2021 18:03:49 12/31/2021 18:03:46 krbtgt/MYDOMAIN.LOC(a)MYDOMAIN.LOC
> >
> >$ smbclient -k -L //samba.server.mydomain.loc
> >session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
> >
> >Server logs:
> >
> >*log.smbd:*
> >[2021/12/30 19:03:23.597495, 2]
> >../../source3/lib/smbldap.c:847(smbldap_open_connection)
> > smbldap_open_connection: connection opened
> >[2021/12/30 19:03:23.695598, 3]
> >../../source3/lib/smbldap.c:1069(smbldap_connect_system)
> > ldap_connect_system: successful connection to the LDAP server
> >[2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam)
> > pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
> >mydomain.loc
> >[2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access)
> > Allowed connection from 192.168.10.1 (192.168.10.1)
> >
> >*log.192.168.10.1:*
> >...
> >[2021/12/30 19:05:22.458992, 3]
> >../../source3/smbd/negprot.c:776(reply_negprot)
> > Selected protocol SMB 2.???
> >[2021/12/30 19:05:22.459495, 3]
> >../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
> > Selected protocol SMB3_11
> >[2021/12/30 19:05:22.524677, 3]
> >../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
> > gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
> >failed: The operation or option is not available or unsupported: No such
> >file or directory
> >[2021/12/30 19:05:22.524750, 1]
> >../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
> > gensec_generate_session_info_pac: Unable to find PAC in ticket from
> >me(a)MYDOMAIN.LOC, failing to allow access
> >[2021/12/30 19:05:22.524784, 3]
> >../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> >status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at
> >../../source3/smbd/smb2_sesssetup.c:146
> >[2021/12/30 19:05:22.525565, 3]
> >../../source3/smbd/server_exit.c:236(exit_server_common)
> > Server exit (NT_STATUS_END_OF_FILE)
> >
> >Googling, source-digging and "log level = 5" were not helpful. However, I
> >find changelogs somewhat interesting:
> >
> >$ rpm -q --changelog ipa-server | head
> >* Thu Dec 16 2021 CentOS Sources <bugs(a)centos.org> - 4.6.8-5.el7.centos.10
> >- Roll in CentOS Branding
> >
> >* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud(a)redhat.com> -
> >4.6.8-5.el7_9.10
> >- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup
> >against a RHEL 7.9 IPA server
> > - Fix cert_request for KDC cert
> >- Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not
> >always rely on the SID and PAC in Kerberos tickets*
> > - SMB: switch IPA domain controller role
> >
> >$ rpm -q --changelog samba | head
> >* Mon Nov 15 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-17
> >- related: #2019673 - *Add missing checks for IPA DC server role*
> >
> >* Mon Nov 08 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-16
> >- resolves: #2019661 - Fix CVE-2016-2124
> >- resolves: #2019673 - Fix CVE-2020-25717
> >- resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl*
> >
> >I don't have access to the mentioned bugs in Bugzilla unfortunately. Maybe
> >someone knows if I need to do something after upgrading these packages?
>
> You need to make sure IPA has issued proper SIDs to all your users.
> This can be achieved with 'ipa-adtrust-install --add-sids' run on the IPA
> server owning the Trust Controller role. Once a SID is present in the user's
> entry, its presence will force the IPA KDC to issue a PAC as part of a TGT,
> and it will be copied to a service ticket requested by a client which
> presented this TGT, unless the target service object in IPA forbids that
> (only NFS so far).
>
> The IPA update on RHEL 7.9 does not have the additional logic which went into
> the IPA security updates on RHEL 8.4+ and Fedora to issue SIDs at install
> time (and additional tools to make up for missing SIDs). It also does
> not have the code to enforce some of the new buffers in PACs, as backporting
> them was not feasible.
>
> Regarding what this is all about, I have a blog post in the works about it, but
> now is holiday time. Below I'll give you a few references to read to get a
> glimpse of what we dealt with:
>
> ---------------------------------------------------------
> On November 9th 2021 Microsoft did their traditional monthly security
> update. Four issues among the published security fixes were in the area
> of Active Directory and were attributed to Samba Team and its members:
>
> - CVE-2021-42291: Active Directory Domain Services Elevation of
> Privilege Vulnerability, Active Directory permissions updates,
> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291
>
> - CVE-2021-42287: Active Directory Domain Services Elevation of
> Privilege Vulnerability, Authentication updates,
> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287
>
> - CVE-2021-42282: Active Directory Domain Services Elevation of
> Privilege Vulnerability, Verification of uniqueness for user
> principal name, service principal name, and the service principal
> name alias,
> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42282
>
> - CVE-2021-42278: Active Directory Domain Services Elevation of
> Privilege Vulnerability, Active Directory Security Accounts Manager
> hardening changes,
> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42278
>
> A coordinated security release of Samba 4.15.2 by the Samba Team fixes
> eight security issues, some of them around the same theme as Microsoft's
> ones:
>
> - CVE-2016-2124: SMB1 client connections can be downgraded to
> plaintext authentication,
> https://www.samba.org/samba/security/CVE-2016-2124.html (Something
> left from the Badlock bugs)
>
> - CVE-2020-25717: A user on the domain can become root on domain
> members, https://www.samba.org/samba/security/CVE-2020-25717.html
> (PLEASE READ! There are important behaviour changes described)
>
> - CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
> tickets issued by an RODC,
> https://www.samba.org/samba/security/CVE-2020-25718.html
>
> - CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
> Kerberos tickets,
> https://www.samba.org/samba/security/CVE-2020-25719.html
>
> - CVE-2020-25721: Kerberos acceptors need easy access to stable AD
> identifiers (eg objectSid),
> https://www.samba.org/samba/security/CVE-2020-25721.html
>
> - CVE-2020-25722: Samba AD DC did not do sufficient access and
> conformance checking of data stored,
> https://www.samba.org/samba/security/CVE-2020-25722.html
>
> - CVE-2021-3738: Use after free in Samba AD DC RPC server,
> https://www.samba.org/samba/security/CVE-2021-3738.html
>
> - CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability,
> https://www.samba.org/samba/security/CVE-2021-23192.html
>
> The scope of changes is enormous. Just on the Samba side there are 220
> patches between 4.15.2 and the previous minor release, 4.15.1. However,
> the Samba 4.15.1 release was a preparation -- it also merged some 3000
> patches, establishing the ground for testing Kerberos protocol behavior.
> These tests helped to reduce behavior differences between Samba AD and
> Windows-based Active Directory deployments and made the security release
> possible at all.
>
> ---------------------------------------------------------
>
>
> Anyway, the scenario you are running is not supported by FreeIPA
> team.
>
> >
> >Rolling back samba packages is unwanted given that Samba sources mention
> >this is unsafe.
> >
> >Thanks!
> >
> >--
> >Konstantin Khankin
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
--
Konstantin Khankin
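The failure in this thread is visible in smbd's own log: after the Samba security update the server refuses a Kerberos session when the service ticket carries no PAC, and smbd logs "Unable to find PAC in ticket from <principal>" followed by NT_STATUS_NO_IMPERSONATION_TOKEN. The following added example (my code, not from either participant or from the Samba or FreeIPA projects) parses Samba's standard `[timestamp, level] file:line(function)` log header format and flags these PAC-less Kerberos logons so an operator can list which principals still lack a SID before running `ipa-adtrust-install --add-sids` as advised above. The sample log text is constructed for the example from the lines quoted in the thread; the real `(a)` obfuscation is replaced by `@`.

```python
import re
from dataclasses import dataclass

# Samba log header: "[YYYY/MM/DD HH:MM:SS.uuuuuu,  LEVEL] path/file.c:LINE(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s*(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Message emitted by gensec when a Kerberos ticket arrives without a PAC.
PAC_MISSING_RE = re.compile(r"Unable to find PAC in ticket from (?P<principal>\S+?),")
# NT status reported by smbd_smb2_request_error_ex for the failed request.
NT_STATUS_RE = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\]")


@dataclass
class LogEntry:
    timestamp: str
    level: int
    source: str   # "file:line"
    func: str     # function that logged the entry
    message: str  # continuation lines, joined with single spaces


def parse_smbd_log(text):
    """Split an smbd log into entries; each header line starts a new entry."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                entries.append(current)
            current = LogEntry(m["ts"], int(m["level"]),
                               f'{m["file"]}:{m["line"]}', m["func"], "")
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    if current is not None:
        entries.append(current)
    return entries


def find_missing_pac_failures(entries):
    """Return one finding per Kerberos logon rejected for a missing PAC.

    Each finding records the principal and the NT status smbd returned to
    the client (taken from the first subsequent request_error entry).
    """
    findings = []
    for i, entry in enumerate(entries):
        m = PAC_MISSING_RE.search(entry.message)
        if entry.func != "gensec_generate_session_info_pac" or not m:
            continue
        status = None
        for follow in entries[i + 1:]:
            s = NT_STATUS_RE.search(follow.message)
            if s:
                status = s["status"]
                break
        findings.append({
            "timestamp": entry.timestamp,
            "principal": m["principal"],
            "nt_status": status,
            # Remediation stated in the thread: the user entry needs a SID so the
            # IPA KDC includes a PAC in the TGT and in derived service tickets.
            "hint": "user has no SID; run 'ipa-adtrust-install --add-sids' on the Trust Controller",
        })
    return findings


# Constructed sample, modelled on the log excerpt quoted in the thread.
SAMPLE_LOG = """\
[2021/12/30 19:05:22.459495,  3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2021/12/30 19:05:22.524677,  3] ../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
[2021/12/30 19:05:22.524750,  1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC in ticket from me@MYDOMAIN.LOC, failing to allow access
[2021/12/30 19:05:22.524784,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/30 19:05:22.525565,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

if __name__ == "__main__":
    for f in find_missing_pac_failures(parse_smbd_log(SAMPLE_LOG)):
        print(f'{f["timestamp"]} {f["principal"]} -> {f["nt_status"]}: {f["hint"]}')
```

Point the script at a real `log.<client>` file (Samba logs per-client under `log.<ip-or-name>`, as the thread's `log.192.168.10.1` shows) by reading it into `parse_smbd_log`; a logon rejected with NT_STATUS_NO_IMPERSONATION_TOKEN but no "Unable to find PAC" entry has a different cause and is deliberately not reported.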