Bug 14951 - KVNO off by 100000
Summary: KVNO off by 100000
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.13
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-01-18 07:35 UTC by Andrew Dolgov
Modified: 2022-05-02 09:47 UTC (History)

See Also:

monkey patch for the kvno issue (626 bytes, patch)
2022-01-18 07:35 UTC, Andrew Dolgov
no flags Details
Patch for v4-16-test (4.27 KB, text/plain)
2022-03-25 12:43 UTC, Stefan Metzmacher
abartlet: review+
Patch for v4-15-test (4.38 KB, text/plain)
2022-03-25 12:43 UTC, Stefan Metzmacher
abartlet: review+
Patch for v4-14-test (4.38 KB, text/plain)
2022-03-25 12:44 UTC, Stefan Metzmacher
abartlet: review+
Patch for v4-13-test (4.38 KB, patch)
2022-03-25 12:47 UTC, Stefan Metzmacher
no flags Details
Patch for v4-16-test (4.28 KB, patch)
2022-03-29 10:36 UTC, Stefan Metzmacher
metze: review? (abartlet)

Description Andrew Dolgov 2022-01-18 07:35:27 UTC
Created attachment 17104 [details]
monkey patch for the kvno issue

Last year, I ran into an issue trying to add Samba as a controller to an existing Active Directory domain, first provisioned sometime in 2003.

Everything worked well until I demoted and turned off Windows DCs. Then Samba couldn’t authorize anyone while complaining about Kerberos, no-one could authenticate nor access any network shares like SYSVOL.

The following errors were specifically logged:

    Kerberos: samba_kdc_fetch: could not find KRBTGT number 1 in DB!
    Kerberos: Ticket-granting ticket not found in database: no such entry found in hdb

I got the source code, and added some debugging:

    krb5_warnx(context, "samba_kdc_fetch:KRBTGT: my %u vs req %u kvno %u pr %s rodc %u", 
               (unsigned)(kdc_db_ctx->my_krbtgt_number), (unsigned)(krbtgt_number), (unsigned)kvno,
               realm_from_princ, (unsigned)kdc_db_ctx->rodc);

And got the following output:

    Kerberos: samba_kdc_fetch: KRBTGT: my 0 vs req 1 kvno 100008 pr X.X.RU rodc 0

For some reason, several principals (including krbtgt) had their KVNO ticking from 1000000 instead of 0:

    # ldbsearch -H sam.ldb msDS-KeyVersionNumber | grep krbtgt -A1
    dn: CN=krbtgt,CN=Users,DC=x,DC=x,DC=ru
    msDS-KeyVersionNumber: 100008

Which seems to break the following macro:

    #define SAMBA_KVNO_GET_KRBTGT(kvno) \
    	((uint16_t)(((uint32_t)kvno) >> 16))

I couldn't figure out any other way to make this work other than patching Samba so that an impossibly high KVNO is brought back to a normalized value, by subtracting 100000 when necessary (patch attached).

With the monkey patch, things started to work properly, however it's likely not the correct solution to this problem. I'd rather not maintain a custom version of Samba so I'd very much like this properly fixed, somehow.

Maybe this could be made configurable? I'm not sure. Thanks in advance for any help.
Comment 1 Andrew Dolgov 2022-01-18 09:54:02 UTC
Sorry, I attached an incorrect patch which does nothing. It should read:

1813       unsigned int krbtgt_number;
1814       /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain
1815          trust tickets. We don't yet know what this means, but we do
1816          seem to need to treat it as unspecified */
1817       if (flags & SDB_F_KVNO_SPECIFIED) {
1818 +         if (kvno >= 100000)
1819 +            kvno -= 100000;
1821          krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno);
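Review bot: the check added at 1818-1819 only handles a kvno that carries exactly the decimal 100000 offset, while SAMBA_KVNO_GET_KRBTGT on line 1821 takes the upper 16 bits, so any value from 65536 to 99999 still decodes to a non-zero krbtgt number and a genuine kvno of 100000 or more is silently rewritten. Consider normalizing along the same 16-bit boundary the macro uses instead of a decimal constant, and add a comment saying where the offset comes from. The listing also skips from 1819 to 1821 and does not show the closing brace of the `if (flags & SDB_F_KVNO_SPECIFIED)` block, and the two added lines are indented inconsistently with each other.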
Comment 2 Stefan Metzmacher 2022-02-16 13:11:31 UTC
I think we need to have tests for how Windows behaves in such a situation
and adapt our code to do the same.

Maybe it's truncating the msDS-KeyVersionNumber value just to 16 or 8 bits.
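
The arithmetic behind the `my 0 vs req 1` log line, as an added example (not code from Samba or from either commenter): it runs the macro quoted in the description over constructed kvno values and compares the comment 1 workaround with the 16-bit truncation floated in comment 2. The helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Macro exactly as quoted in the bug description. */
#define SAMBA_KVNO_GET_KRBTGT(kvno) \
	((uint16_t)(((uint32_t)kvno) >> 16))

/* Hypothetical helper: krbtgt number the macro derives from a raw kvno. */
static unsigned krbtgt_from_kvno(uint32_t kvno)
{
	return SAMBA_KVNO_GET_KRBTGT(kvno);
}

/* The workaround from comment 1: drop a decimal 100000 offset first. */
static unsigned krbtgt_after_offset_patch(uint32_t kvno)
{
	if (kvno >= 100000)
		kvno -= 100000;
	return krbtgt_from_kvno(kvno);
}

/* The 16-bit variant of the idea in comment 2: keep only the low 16 bits
 * as the key version. Whether Windows does this is not established here. */
static uint32_t kvno_low16(uint32_t kvno)
{
	return kvno & 0xFFFFu;
}

int main(void)
{
	/* Constructed samples; 100008 is the value reported in the bug. */
	const uint32_t samples[] = { 8, 65535, 65536, 70000, 100008, 200008 };
	size_t i;

	printf("%8s %8s %8s %8s\n", "kvno", "krbtgt", "patched", "low16");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t k = samples[i];
		printf("%8u %8u %8u %8u\n", (unsigned)k,
		       krbtgt_from_kvno(k),
		       krbtgt_after_offset_patch(k),
		       (unsigned)kvno_low16(k));
	}
	return 0;
}
```

For 100008 the macro yields krbtgt number 1, which matches the `req 1` in the log; the offset workaround brings it back to 0, but 70000 and 200008 still decode to 1 after it.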
Comment 3 Samba QA Contact 2022-03-24 10:18:06 UTC
This bug was referenced in samba master:

Comment 4 Stefan Metzmacher 2022-03-25 12:43:38 UTC
Created attachment 17246 [details]
Patch for v4-16-test
Comment 5 Stefan Metzmacher 2022-03-25 12:43:58 UTC
Created attachment 17247 [details]
Patch for v4-15-test
Comment 6 Stefan Metzmacher 2022-03-25 12:44:19 UTC
Created attachment 17248 [details]
Patch for v4-14-test
Comment 7 Stefan Metzmacher 2022-03-25 12:47:48 UTC
Created attachment 17249 [details]
Patch for v4-13-test
Comment 8 Stefan Metzmacher 2022-03-25 12:49:33 UTC
Andrew, can you check if the patch I just uploaded fixes the problem for
you? If so we can backport them to the release branches.
Comment 9 Andrew Dolgov 2022-03-25 13:42:29 UTC
(In reply to Stefan Metzmacher from comment #8)

Yeah, I've already rebuilt my 4.13.13 packages with your patch. I plan to deploy on our domain tomorrow (Saturday) so I could test things in peace without user aggro.

Thank you for working on this.
Comment 10 Andrew Dolgov 2022-03-26 06:02:37 UTC
I'm glad to report that domain authentication seems to be working properly with above patch (using 4.13.13).
Comment 11 Stefan Metzmacher 2022-03-26 11:13:54 UTC
(In reply to Andrew Dolgov from comment #10)

Great, thanks for testing!
The fix will most likely be part of the next 4.14, 4.15 and 4.16 release.
Comment 12 Jule Anger 2022-03-29 08:00:16 UTC
Pushed to autobuild-v4-{15,14}-test.
The patch for v4-16-test does not apply. Reassigning to Metze.
Comment 13 Samba QA Contact 2022-03-29 09:09:05 UTC
This bug was referenced in samba v4-15-test:

Comment 14 Samba QA Contact 2022-03-29 10:33:04 UTC
This bug was referenced in samba v4-14-test:

Comment 15 Stefan Metzmacher 2022-03-29 10:36:55 UTC
Created attachment 17255 [details]
Patch for v4-16-test
Comment 16 Samba QA Contact 2022-04-04 12:49:53 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.13):

Comment 17 Samba QA Contact 2022-04-26 14:44:33 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.7):

Comment 18 Samba QA Contact 2022-04-28 15:43:03 UTC
This bug was referenced in samba v4-16-test:

Comment 19 Samba QA Contact 2022-05-02 09:47:34 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.1):