Bug 13560 - Unable to join macOS clients to Samba 4.8.3 AD when built against MIT Kerberos
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-08-05 09:41 UTC by Phillip Potter
Modified: 2018-08-31 13:31 UTC

/var/log/samba/mit_kdc.log file from time of joining attempt (3.16 KB, text/x-log)
2018-08-05 09:41 UTC, Phillip Potter

Description Phillip Potter 2018-08-05 09:41:55 UTC
Created attachment 14385
/var/log/samba/mit_kdc.log file from time of joining attempt

Component: Kerberos authentication.

OS: Fedora 28 Linux

Overview: After setting up a newly provisioned Active Directory domain on Samba, joining a macOS client to it fails.

Steps to reproduce:
(1) Provision new AD with samba-tool.

(2) On macOS client (only tested with 10.13.6) go to System Preferences -> Users & Groups.

(3) Select 'Login Options' and then select 'Join' next to 'Network Account Server:'.

(4) Enter AD domain name and select 'OK'.

Actual Results: Causes an error on the client: "Unable to add server. Authentication server failed to completed the requested operation. (5103)" and the joining fails.

Expected Results: Joining should be successful.

Additional Information: Rebuilding the Fedora 28 Samba package manually with the built-in Heimdal Kerberos instead of using the system's MIT Kerberos solves this problem, tested with all other versions (macOS, system libraries etc.) being the same.

Attached are the log entries from /var/log/samba/mit_kdc.log made during the joining attempt.
Comment 1 Andrew Bartlett 2018-08-28 03:54:34 UTC
Assigning to Andreas, who is most involved in the MIT KDC.
Comment 2 Andreas Schneider 2018-08-28 12:36:55 UTC
Can you please provide logs with 'log level = 10' set in the smb.conf?
Comment 3 Phillip Potter 2018-08-29 18:17:05 UTC
Dear Andreas,

As Samba has moved on from 4.8.3 (including on Fedora 28) and I no longer had the original install around, I built a test VM with Fedora 28 and built the Samba 4.8.3 package from the source RPM supplied by the Fedora project to get as close to the previous setup as I could.

I had to enable the updates-testing repo to fix a mismatch between libldb and Samba (the Fedora version in updates is too new to work properly with 4.8.3, which it is still shipped with oddly, but the fixed package has been pushed to updates-testing).

After this and provisioning a totally new domain on the VM, I attempted to join the Mac as before, and this time it worked perfectly. I can't explain this, other than to say I checked and triple checked before when this bug came up - I definitely wasn't imagining it. I can only think the newer dependencies on the Fedora box when I built Samba this time are the reason this now works?

Anyhow, thank you for your time.

Comment 4 Andreas Schneider 2018-08-31 13:31:56 UTC
Thank you very much for testing it!!!

I'm glad that it is fixed.