Turns out this was not the end :)

Fully acknowledging that my config is not supported, I'd like to try out if anyone knows how I can fix the current issue.

Linux clients are just fine now. The problem is with Windows clients - user mapping doesn't work anymore. Password check passes but after that users get a new profile. My IPA domain name is DOMAIN.LOC. After I set up SIDs for IPA accounts, PAC record generated by IPA adds "logon_domain: DOMAIN" value, but the default realm is set to DOMAIN.LOC with ksetup. I think this confuses Windows - whoami returns "DOMAIN\me" (instead of LOCALPC\me). I can probably live with this (just need to move user profiles into new directories), but it would be nice to make mapping work correctly again.

I tried playing with ksetup:

* added another non-default kerberos realm DOMAIN

* added explicit mapping of me@DOMAIN and me@DOMAIN.LOC to me instead of "* *",

tried changing computer's work group from DOMAIN.LOC to DOMAIN (which changes little if anything),

and tried changing ipantflatname (which can't be changed, at least not with ipa trustconfig-mod). What else can I try?

Thanks!

пт, 31 дек. 2021 г. в 12:06, Alexander Bokovoy <abokovoy@redhat.com>:

On pe, 31 joulu 2021, Konstantin M. Khankin wrote:
>Thanks for your help Alexander!
>
>Turns out my exact problem was this <https://narkive.com/rCnXSfSy.6>.

Glad that you found a way to fix your ranges to generate SIDs.

>
>> Anyway, the scenario you are running is not supported by FreeIPA team.
>
>Could you please educate me which scenario is supported? Or is it not
>supported only because of RHEL 7 / CentOS 7?

FreeIPA is not providing domain controller services for Windows clients,
regardless of their version. Regardless of RHEL version, this is not
planned and not supported.

Whatever appears to work for you with a standalone Windows client logon
with IPA accounts, it is *not* something that is supported and not
guaranteed to continue working.

If you need to enroll Windows systems to some non-Microsoft-provided
Active Directory, you can use Samba AD DC for that and then establish
trust with FreeIPA forest. However, enrolling Windows machines to
FreeIPA is not planned and is not supported. Also, current FreeIPA
versions do not support login to Windows systems in a trusted Active
Directory forest. The latter is being worked on.

>
>Happy New Year! :)
>
>
>чт, 30 дек. 2021 г. в 20:03, Alexander Bokovoy <abokovoy@redhat.com>:
>
>> On to, 30 joulu 2021, Konstantin M. Khankin via FreeIPA-users wrote:
>> >Hello!
>> >
>> >I have several SMB shares served by Samba using Kerberos accounts managed
>> >by FreeIPA. I have no AD integrations and no AD itself. Windows clients
>> are
>> >configured using this
>> ><https://www.freeipa.org/page/Windows_authentication_against_FreeIPA>
>> >guide, linux clients use ipa-client and "smbclient -k". Servers and linux
>> >clients use CentOS 7.
>>
>> This method is not supported, as stated multiple times on this very
>> least for the past several years.
>>
>> >
>> >Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from
>> >4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from
>> >4.10.16-*15*.el7_9)
>> >packages and authentication broke, no clients can connect to shares
>> >anymore. Here are logs from linux client:
>> >
>> >$ klist
>> >Ticket cache: KEYRING:persistent:1696200001:1696200001
>> >Default principal: me@MYDOMAIN.LOC
>> >
>> >Valid starting Expires Service principal
>> >12/30/2021 18:04:03 12/31/2021 18:03:46
>> > cifs/samba.server.mydomain.loc@MYDOMAIN.LOC
>> >12/30/2021 18:04:02 12/31/2021 18:03:46
>> > nfs/samba.server.mydomain.loc@MYDOMAIN.LOC
>> >12/30/2021 18:03:49 12/31/2021 18:03:46 krbtgt/MYDOMAIN.LOC@MYDOMAIN.LOC
>> >
>> >$ smbclient -k -L //samba.server.mydomain.loc
>> >session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>> >
>> >Server logs:
>> >
>> >*log.smbd:*
>> >[2021/12/30 19:03:23.597495, 2]
>> >../../source3/lib/smbldap.c:847(smbldap_open_connection)
>> > smbldap_open_connection: connection opened
>> >[2021/12/30 19:03:23.695598, 3]
>> >../../source3/lib/smbldap.c:1069(smbldap_connect_system)
>> > ldap_connect_system: successful connection to the LDAP server
>> >[2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam)
>> > pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>> >mydomain.loc
>> >[2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access)
>> > Allowed connection from 192.168.10.1 (192.168.10.1)
>> >
>> >*log.192.168.10.1:*
>> >...
>> >[2021/12/30 19:05:22.458992, 3]
>> >../../source3/smbd/negprot.c:776(reply_negprot)
>> > Selected protocol SMB 2.???
>> >[2021/12/30 19:05:22.459495, 3]
>> >../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
>> > Selected protocol SMB3_11
>> >[2021/12/30 19:05:22.524677, 3]
>> >../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
>> > gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
>> >failed: The operation or option is not available or unsupported: No such
>> >file or directory
>> >[2021/12/30 19:05:22.524750, 1]
>> >../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>> > gensec_generate_session_info_pac: Unable to find PAC in ticket from
>> >me@MYDOMAIN.LOC, failing to allow access
>> >[2021/12/30 19:05:22.524784, 3]
>> >../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
>> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
>> >status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at
>> >../../source3/smbd/smb2_sesssetup.c:146
>> >[2021/12/30 19:05:22.525565, 3]
>> >../../source3/smbd/server_exit.c:236(exit_server_common)
>> > Server exit (NT_STATUS_END_OF_FILE)
>> >
>> >Googling, source-digging and "log level = 5" were not helpful. However, I
>> >find changelogs somewhat interesting:
>> >
>> >$ rpm -q --changelog ipa-server | head
>> >* Thu Dec 16 2021 CentOS Sources <bugs@centos.org> -
>> 4.6.8-5.el7.centos.10
>> >- Roll in CentOS Branding
>> >
>> >* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> -
>> >4.6.8-5.el7_9.10
>> >- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT
>> setup
>> >against a RHEL 7.9 IPA server
>> > - Fix cert_request for KDC cert
>> >- Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not
>> >always rely on the SID and PAC in Kerberos tickets*
>> > - SMB: switch IPA domain controller role
>> >
>> >$ rpm -q --changelog samba | head
>> >* Mon Nov 15 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-17
>> >- related: #2019673 - *Add missing checks for IPA DC server role*
>> >
>> >* Mon Nov 08 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-16
>> >- resolves: #2019661 - Fix CVE-2016-2124
>> >- resolves: #2019673 - Fix CVE-2020-25717
>> >- resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl*
>> >
>> >I don't have access to the mentioned bugs in Bugzilla unfortunately. Maybe
>> >someone knows if I need to do something after upgrading these packages?
>>
>> You need to make sure IPA has issued proper SIDs to all your users.
>> This can be achieved with 'ipa-adtrust-install --add-sids' ran on IPA
>> server owning Trust Controller role. Once SID is present in the user's
>> entry, its presence will force IPA KDC to issue PAC as a part of a TGT
>> and it will be copied to a service ticket requested by a client which
>> presented this TGT, unless the target service object in IPA forbids that
>> (only NFS so far).
>>
>> IPA update on RHEL 7.9 does not have additional logic which went into
>> security updates IPA on RHEL 8.4+ and Fedora to issue SIDs at install
>> time (and additional tools to make up for missing SIDs). It also does
>> not have the code to enforce some of new buffers in PACs as backporting
>> them was not feasible.
>>
>> Regarding what this is all about, I have a blog in works about it but
>> now is holidays' time. Below I'd give you few references to read to get a
>> glimpse of what we dealt with:
>>
>> ---------------------------------------------------------
>> On November 9th 2021 Microsoft did their traditional monthly security
>> update. Four issues among the published security fixes were in the area
>> of Active Directory and were attributed to Samba Team and its members:
>>
>> - CVE-2021-42291: Active Directory Domain Services Elevation of
>> Privilege Vulnerability, Active Directory permissions updates,
>>
>> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291
>>
>> - CVE-2021-42287: Active Directory Domain Services Elevation of
>> Privilege Vulnerability, Authentication updates,
>>
>> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287
>>
>> - CVE-2021-42282: Active Directory Domain Services Elevation of
>> Privilege Vulnerability, Verification of uniqueness for user
>> principal name, service principal name, and the service principal
>> name alias,
>>
>> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42282
>>
>> - CVE-2021-42278: Active Directory Domain Services Elevation of
>> Privilege Vulnerability, Active Directory Security Accounts Manager
>> hardening changes,
>>
>> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42278
>>
>> A coordinated security release of Samba 4.15.2 by the Samba Team fixes
>> eight security issues, some of them around the same theme as Microsoft's
>> ones:
>>
>> - CVE-2016-2124: SMB1 client connections can be downgraded to
>> plaintext authentication,
>> https://www.samba.org/samba/security/CVE-2016-2124.html (Something
>> left from the Badlock bugs)
>>
>> - CVE-2020-25717: A user on the domain can become root on domain
>> members, https://www.samba.org/samba/security/CVE-2020-25717.html,
>> (PLEASE READ! There are important behaviour changes described)
>>
>> - CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
>> tickets issued by an RODC,
>> https://www.samba.org/samba/security/CVE-2020-25718.html
>>
>> - CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
>> Kerberos
>> tickets,https://www.samba.org/samba/security/CVE-2020-25719.html
>>
>> - CVE-2020-25721: Kerberos acceptors need easy access to stable AD
>> identifiers (eg objectSid),
>> https://www.samba.org/samba/security/CVE-2020-25721.html
>>
>> - CVE-2020-25722: Samba AD DC did not do sufficient access and
>> conformance checking of data stored,
>> https://www.samba.org/samba/security/CVE-2020-25722.html
>>
>> - CVE-2021-3738: Use after free in Samba AD DC RPC server,
>> https://www.samba.org/samba/security/CVE-2021-3738.html
>>
>> - CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability,
>> https://www.samba.org/samba/security/CVE-2021-23192.html
>>
>> The scope of changes is enormous. Just on the Samba side there are 220
>> patches between 4.15.2 and the previous minor release, 4.15.1. However,
>> Samba 4.15.1 release was a preparation -- it also merged some 3000
>> patches, establishing a ground for testing Kerberos protocol behavior.
>> These tests helped to reduce behavior differences between Samba AD and
>> Windows-based Active Directory deployments and made the security release
>> possible at all.
>>
>> ---------------------------------------------------------
>>
>>
>> Anyway, the scenario you are running is not supported by FreeIPA team.
>>
>> >
>> >Rolling back samba packages is unwanted given that Samba sources mention
>> >this is unsafe.
>> >
>> >Thanks!
>> >
>> >--
>> >Konstantin Khankin
>>
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>>
>
>--
>Konstantin Khankin

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

Konstantin Khankin