Created attachment 17104 [details]
monkey patch for the kvno issue

Last year, I ran into an issue trying to add Samba as a controller to an existing Active Directory domain, first provisioned sometime in 2003. Everything worked well until I demoted and turned off the Windows DCs. Then Samba couldn't authorize anyone and complained about Kerberos: no-one could authenticate or access any network shares such as SYSVOL. The following errors were specifically logged:

    Kerberos: samba_kdc_fetch: could not find KRBTGT number 1 in DB!
    Kerberos: Ticket-granting ticket not found in database: no such entry found in hdb

I got the source code and added some debugging:

    krb5_warnx(context, "samba_kdc_fetch:KRBTGT: my %u vs req %u kvno %u pr %s rodc %u",
               (unsigned)(kdc_db_ctx->my_krbtgt_number), (unsigned)(krbtgt_number),
               (unsigned)kvno, realm_from_princ, (unsigned)kdc_db_ctx->rodc);

And got the following output:

    Kerberos: samba_kdc_fetch: KRBTGT: my 0 vs req 1 kvno 100008 pr X.X.RU rodc 0

For some reason, several principals (including krbtgt) had their KVNO ticking from 1000000 instead of 0:

    # ldbsearch -H sam.ldb msDS-KeyVersionNumber | grep krbtgt -A1
    dn: CN=krbtgt,CN=Users,DC=x,DC=x,DC=ru
    msDS-KeyVersionNumber: 100008

Which seems to break the following macro:

    #define SAMBA_KVNO_GET_KRBTGT(kvno) \
        ((uint16_t)(((uint32_t)kvno) >> 16))

I couldn't figure out any other way to make this work other than patching Samba so that an impossibly high KVNO is brought back to a normalized value, by subtracting 100000 when necessary (patch attached). With the monkey patch, things started to work properly; however, it's likely not the correct solution to this problem. I'd rather not maintain a custom version of Samba, so I'd very much like this properly fixed, somehow. Maybe this could be made configurable? I'm not sure. Thanks in advance for any help.
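As an added illustration (not code from the report or from Samba), the following splits the reported value 100008 the way the quoted SAMBA_KVNO_GET_KRBTGT macro does, which is why the KDC asks for "KRBTGT number 1", and compares the reporter's subtraction workaround with a plain 16-bit truncation. SAMBA_KVNO_GET_VALUE and krbtgt_lookup_ok are this example's own simplifications of the KDC lookup, not Samba's code.

```c
/* Added example, not Samba's code: how a 32-bit kvno is split by the
 * SAMBA_KVNO_GET_KRBTGT macro quoted in the bug report, and why an
 * msDS-KeyVersionNumber of 100008 sends the KDC looking for krbtgt
 * number 1 while a non-RODC DC only owns number 0. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Macro as quoted in the report: upper 16 bits select the krbtgt. */
#define SAMBA_KVNO_GET_KRBTGT(kvno) \
	((uint16_t)(((uint32_t)(kvno)) >> 16))
/* Companion low-16-bit mask, assumed here by analogy (not from the page). */
#define SAMBA_KVNO_GET_VALUE(kvno) \
	((uint16_t)(((uint32_t)(kvno)) & 0xFFFF))

/* Simplified stand-in for the check behind
 * "could not find KRBTGT number N in DB!": the request only succeeds
 * when the upper half names the krbtgt this KDC actually holds. */
static bool krbtgt_lookup_ok(uint32_t kvno, uint16_t my_krbtgt_number)
{
	return SAMBA_KVNO_GET_KRBTGT(kvno) == my_krbtgt_number;
}

/* The reporter's monkey patch: pull "impossibly high" values back down. */
static uint32_t normalize_by_subtraction(uint32_t kvno)
{
	return kvno >= 100000 ? kvno - 100000 : kvno;
}

/* The alternative floated in the thread: treat the field as 16 bits wide. */
static uint32_t normalize_by_truncation(uint32_t kvno)
{
	return SAMBA_KVNO_GET_VALUE(kvno);
}

int main(void)
{
	const uint32_t reported = 100008; /* value from the ldbsearch output */

	/* 100008 == 0x186A8: krbtgt number 1, key version 0x86A8 (34472). */
	printf("kvno %u -> krbtgt number %u, key version %u, lookup ok: %d\n",
	       (unsigned)reported, (unsigned)SAMBA_KVNO_GET_KRBTGT(reported),
	       (unsigned)SAMBA_KVNO_GET_VALUE(reported),
	       krbtgt_lookup_ok(reported, 0));
	/* The two normalizations disagree (8 vs 34472), which is why a
	 * site-specific constant cannot be the general fix. */
	printf("subtract: %u, truncate: %u\n",
	       (unsigned)normalize_by_subtraction(reported),
	       (unsigned)normalize_by_truncation(reported));
	return 0;
}
```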
Sorry, but attached an incorrect patch which does nothing. It should read: 1813 unsigned int krbtgt_number; 1814 /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain 1815 trust tickets. We don't yet know what this means, but we do 1816 seem to need to treat it as unspecified */ 1817 if (flags & SDB_F_KVNO_SPECIFIED) { 1818 + if (kvno >= 100000) 1819 + kvno -= 100000; 1820 1821 krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno);
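Review bot: the threshold in `if (kvno >= 100000)` is an unexplained magic number fitted to one domain's values, and because the subtraction runs before SAMBA_KVNO_GET_KRBTGT it rewrites the low 16 bits (the key version itself) as well as the krbtgt number: 100008 becomes 8, whereas the macro already yields a non-zero krbtgt number for any value of 65536 or more. The description also says the counter started at 1000000 while the ldbsearch output shows 100008 and the patch uses 100000, so the real base is worth confirming. Add a comment stating where the constant comes from, or derive the normalization from the field's actual width rather than a site-specific constant.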
I think we need to have tests how Windows behaves in such a situation and adapt our code to do the same. Maybe it's truncating the msDS-KeyVersionNumber value just to 16 or 8 bits.
This bug was referenced in samba master: ab0946a75d51b8f4826d98c61c3ad503615009fe
Created attachment 17246 [details] Patch for v4-16-test
Created attachment 17247 [details] Patch for v4-15-test
Created attachment 17248 [details] Patch for v4-14-test
Created attachment 17249 [details] Patch for v4-13-test
Andrew, can you check if the patch I just uploaded fixes the problem for you? If so, we can backport them to the release branches.
(In reply to Stefan Metzmacher from comment #8) Yeah I've already rebuilt my 4.13.13 packages with your patch. I plan to deploy on our domain tomorrow (Saturday) so I could test things in peace without user aggro. Thank you for working on this.
I'm glad to report that domain authentication seems to be working properly with above patch (using 4.13.13).
(In reply to Andrew Dolgov from comment #10) Great, thanks for testing! The fix will most likely be part of the next 4.14, 4.15 and 4.16 releases.
Pushed to autobuild-v4-{15,14}-test. The patch for v4-16-test does not apply. Reassigning to Metze.
This bug was referenced in samba v4-15-test: 77352e08d779d604dfdc499ca93c136b78978ed1
This bug was referenced in samba v4-14-test: 56018a50e76521f287ac93671f18f1d741075507
Created attachment 17255 [details] Patch for v4-16-test
This bug was referenced in samba v4-14-stable (Release samba-4.14.13): 56018a50e76521f287ac93671f18f1d741075507
This bug was referenced in samba v4-15-stable (Release samba-4.15.7): 77352e08d779d604dfdc499ca93c136b78978ed1
This bug was referenced in samba v4-16-test: 82d86282ca64177fe65cb5ab017a475a95d67cf3
This bug was referenced in samba v4-16-stable (Release samba-4.16.1): 82d86282ca64177fe65cb5ab017a475a95d67cf3