Bug 12480 - kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (with MIT krb5)
Summary: kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal err...
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.5.3
Hardware: All All
Importance: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on: 12369
Reported: 2016-12-22 06:49 UTC by Stefan Metzmacher
Modified: 2017-01-24 20:05 UTC (History)
10 users

See Also:

Possible patches for master (6.07 KB, patch)
2016-12-30 21:21 UTC, Stefan Metzmacher
no flags
Patches for v4-5-test (6.22 KB, patch)
2017-01-10 15:48 UTC, Stefan Metzmacher
asn: review+
Patches for v4-4-test (also applies to v4-3 and v4-2) (6.22 KB, patch)
2017-01-10 15:50 UTC, Stefan Metzmacher
asn: review+

Description Stefan Metzmacher 2016-12-22 06:49:53 UTC
+++ This bug was initially created as a clone of Bug #12369 +++


I'm using samba as an AD Domain Member. After a fresh install of 4.4.6
everything works like expected.

But after 10 hours it seems as if winbind is not able to refresh tickets.
Logins after 10 hours with "smbclient ... -d8" usually take about 20 seconds,
hanging at NTLMSSP_NEGOTIATE_KEY_EXCH. During the next 5 minutes login is fine, but then again it takes 20 seconds. Restarting winbindd resolves the
problem for the next 10 hours.

In the correlated log.wb-MyDOMAIN at level 10 I see entries like:

  gss_init_sec_context failed with [ The context has expired: Success]
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

Attached you will find the whole bunch of logs. 

For testing I compiled samba 4.4.6 using --with-system-mitkrb5 (version 1.14.4), which works fine. Another test with version 4.5.0 and an embedded heimdal build, however, shows the same problem mentioned above.

The samba version I used before upgrading was 4.2.14 and it was working OK.

Any help would be appreciated.


Comment 1 Stefan Metzmacher 2016-12-22 07:08:51 UTC
A similar problem happens when using MIT krb5 (even with the patches from
bug #12369).

The problem is the usage of gss_acquire_cred() that just creates
a credential handle without ccache.

As a result gss_init_sec_context() will trigger a code path
where it uses "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provided target principal matches
the realm of the ccache user principal.

In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use

The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and try to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.

Without the patches from bug #12369, it's even more
confusing as we'll do the kinit for the ldap connection
into MEMORY:ads_sasl_spnego_bind while the main winbindd logic
does an expiry check/cleanup on MEMORY:winbind_ccache.
But the overall behaviour is similar with or without the
patches from #12369.

The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.

We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).
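As an added illustration (not Samba or MIT krb5 code) of the mechanism this comment describes, the model below keeps two constructed MEMORY ccaches and shows that realm-based selection hands gss_init_sec_context() the expired MEMORY:cliconnect TGT, while naming the ccache explicitly, as gss_krb5_import_cred() allows, uses the freshly renewed one; the principal names, expiry values and first-match tie-break are assumptions.

```python
# Model of the ccache-selection problem from comment 1. Added illustration,
# not Samba or MIT krb5 code: gss_acquire_cred() without a ccache leaves the
# choice to the ccselect_realm plugin, which matches on realm only, whereas
# gss_krb5_import_cred() lets the caller name the ccache and skips selection.

# Constructed sample: a fixed "now" and winbindd's two MEMORY ccaches, listed
# in creation order (the smb connection is set up first).
NOW = 1_482_393_600  # 2016-12-22 08:00:00 UTC, constructed
CCACHES = [
    {"name": "MEMORY:cliconnect", "principal": "HOST$@MYDOMAIN.EXAMPLE",
     "tgt_expiry": NOW - 3600},       # TGT expired an hour ago
    {"name": "MEMORY:winbind_ccache", "principal": "HOST$@MYDOMAIN.EXAMPLE",
     "tgt_expiry": NOW + 36000},      # freshly renewed by kinit
]


def realm(principal):
    """Realm part of a Kerberos principal, e.g. 'MYDOMAIN.EXAMPLE'."""
    return principal.rsplit("@", 1)[1]


def ccselect_realm(target, ccaches):
    """Pick a ccache whose client realm matches the target's realm, as the
    ccselect_realm plugin does. Real krb5 picks an arbitrary match; this
    model (an assumption) takes the first one in list order."""
    for cc in ccaches:
        if realm(cc["principal"]) == realm(target):
            return cc
    return None


def init_sec_context(target, ccache, now):
    """Return (ok, ccache_name, message). A service ticket can only be
    requested while the TGT in the chosen ccache is still valid."""
    if ccache is None:
        return False, None, "no credentials"
    if ccache["tgt_expiry"] <= now:
        return False, ccache["name"], "The context has expired"
    return True, ccache["name"], "service ticket for %s" % target


def bind_with_acquire_cred(target, now=NOW):
    # gss_acquire_cred() without a ccache: ccselect decides which one is used.
    return init_sec_context(target, ccselect_realm(target, CCACHES), now)


def bind_with_import_cred(target, ccache_name, now=NOW):
    # gss_krb5_import_cred(): the caller names the ccache, ccselect is skipped.
    cc = next(c for c in CCACHES if c["name"] == ccache_name)
    return init_sec_context(target, cc, now)
```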
Comment 2 Uri Simchoni 2016-12-22 07:21:16 UTC
(In reply to Stefan Metzmacher from comment #1)
Hmm.... That appears to be the original fix proposed for bug 12007, and was rejected by Simo.

See https://lists.samba.org/archive/samba-technical/2016-July/114903.html

And also
Comment 3 Stefan Metzmacher 2016-12-22 07:44:02 UTC
I think Simo's comments indicate that there are more problems
and that we would have to fully understand what's going on.
At that time I thought the major difference was the case
where we had a password and tried without a kinit.

In fact that and
"HEIMDAL:lib/krb5: destroy a memory ccache on reinit" (commit 2abc3710a8a63327a769ba0482c553ed274b2113) fixed the problem for

But now we know that gss_acquire_cred() is dangerous and we know the exact
reason for it.

And using gss_krb5_import_cred() is the most portable way to get
what we want.
Comment 4 Andreas Schneider 2016-12-22 07:56:31 UTC
MIT suggests using gss_acquire_cred_from(), but that function is not available in Heimdal.

Comment 5 Stefan Metzmacher 2016-12-30 21:21:25 UTC
Created attachment 12785
Possible patches for master
Comment 6 Stefan Metzmacher 2017-01-10 15:48:00 UTC
Created attachment 12818
Patches for v4-5-test
Comment 7 Stefan Metzmacher 2017-01-10 15:50:52 UTC
Created attachment 12819
Patches for v4-4-test (also applies to v4-3 and v4-2)
Comment 8 Andreas Schneider 2017-01-11 08:12:29 UTC
Karolin, please add the patches to the relevant branches. Thanks!
Comment 9 Karolin Seeger 2017-01-11 08:16:10 UTC
(In reply to Andreas Schneider from comment #8)
Pushed to autobuild-v4-{5,4}-test.
Comment 10 Karolin Seeger 2017-01-24 20:05:30 UTC
(In reply to Karolin Seeger from comment #9)
Pushed to both branches.
Closing out bug report.