Bug 14992 - Can't authenticate with a samba AD user over a forest with IPA
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.5
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-02-28 20:20 UTC by Ricardo Alonso
Modified: 2022-02-28 20:20 UTC
Description Ricardo Alonso 2022-02-28 20:20:09 UTC
I'm using samba to replace AD because of a few Windows clients, but the forest users aren't able to log in on each other's domains. The password is authenticated fine, but it seems that the host isn't.

I have 2 domains:
ra.example.com 
  ipa.ra.example.com:
    freeipa (tried with v4.6.8-5.el7.centos.10 on CentOS 7.9 and 4.9.6-6.module+el8.5.0+674+69615a50 on Rocky Linux 8.5, both updated to the latest version as of this date)
  client.ra.example.com:
    Rocky Linux 8.5 client (configured with ipa-client-install)


ad.example.com
  samba.ad.example.com
    Fedora 35 server and samba 4.15.5-0.fc35 (domain configured with the command: samba-tool domain provision --use-rfc2307 --interactive)
  client.ad.example.com 
    Rocky Linux 8.5 configured with realmd
  Windows 10 Pro

After installation, the trust was created with the command:

#  ipa trust-add --two-way true --admin Administrator ad.example.com

and 2 users: ipauser@ra.example.com and smbuser@ad.example.com

With smbuser I can only log in on the Windows machine. "kinit smbuser" works fine on samba.ad and client.ad, but "id smbuser@ad.example.com" doesn't work as well. From client.ra and ipa.ra I can kinit and id the user, but the login fails. The only error message I'm able to track is this one in /var/log/samba/mit_kdc.log:

Feb 28 20:12:23 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.122.23: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM, No matching key in entry


With ipauser I can log in at ipa.ra and client.ra. At samba.ad and client.ad, neither kinit ipauser@ra.example.com nor login works. On the Windows machine the login fails with the message:

"Insufficient system resources exist to complete the requested service".

and the /var/log/samba/mit_kdc.log shows the message: 

Feb 28 20:14:13 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.122.22: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for host/win10pro.ad.example.com@AD.EXAMPLE.COM, No matching key in entry

If a wrong password is used, it fails, as expected. 

I tried to add "log level 50" but the mit_kdc.log doesn't add any extra information. 

Does anyone have a clue how to work with the cross-domain users? Previous versions used to work fine, but a brand new installation isn't working anymore.
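As an added triage aid (not part of the bug report and not Samba's own tooling), the following Python script parses mit_kdc.log lines in the format quoted above and groups the "No matching key in entry" failures by service principal, listing the encryption types the requester offered together with their DEPRECATED/UNSUPPORTED markers, so the offered etypes can be compared with the keys the KDC actually holds for that principal. The regexes and the field names are my own assumptions derived from the two quoted lines; the sample input is constructed from them.

```python
import re

# Constructed sample input: the two mit_kdc.log lines quoted in the report above.
SAMPLE_LOG = """\
Feb 28 20:12:23 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.122.23: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM, No matching key in entry
Feb 28 20:14:13 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.122.22: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for host/win10pro.ad.example.com@AD.EXAMPLE.COM, No matching key in entry
"""

# Line layout assumed from the quoted lines: timestamp, host, krb5kdc[pid](level),
# request type, offered etype list, client IP, processing stage, free-form tail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>\w+) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<stage>\w+): (?P<rest>.*)$"
)
# One offered etype: optional DEPRECATED:/UNSUPPORTED: marker, optional name, numeric id.
ETYPE_RE = re.compile(r"(?:(?P<flag>DEPRECATED|UNSUPPORTED):)?(?P<name>[^(),:\s]*)\((?P<num>-?\d+)\)")
# Tail: "... {rep=...} <client> for <server principal>, <error text>"
TAIL_RE = re.compile(r"\} (?P<client>.+?) for (?P<server>[^,\s]+), (?P<error>.*)$")


def parse_kdc_line(line):
    """Return a dict of fields for one KDC log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [
        {"name": e["name"] or None, "num": int(e["num"]), "flag": e["flag"]}
        for e in ETYPE_RE.finditer(rec["etypes"])
    ]
    tail = TAIL_RE.search(rec["rest"])
    rec.update(tail.groupdict() if tail else {"client": None, "server": None, "error": None})
    return rec


def summarize_key_failures(log_text):
    """Group 'No matching key in entry' failures by service principal: how often it
    happened, which client IPs hit it, every etype id offered, and the etypes the KDC
    itself marked DEPRECATED or UNSUPPORTED (a likely source of key mismatch)."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if not rec or rec["error"] != "No matching key in entry":
            continue
        entry = out.setdefault(rec["server"], {"count": 0, "clients": set(), "offered": set(), "flagged": set()})
        entry["count"] += 1
        entry["clients"].add(rec["ip"])
        for e in rec["etypes"]:
            entry["offered"].add(e["num"])
            if e["flag"]:
                entry["flagged"].add(e["name"] or f"etype {e['num']}")
    return out


if __name__ == "__main__":
    for server, info in summarize_key_failures(SAMPLE_LOG).items():
        print(f"{server}: {info['count']} failure(s) from {sorted(info['clients'])}; "
              f"offered {sorted(info['offered'])}; flagged {sorted(info['flagged'])}")
```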