Bug 15021 - Samba AD DC on a trust relationship with IdM - kpasswd not working properly
Summary: Samba AD DC on a trust relationship with IdM - kpasswd not working properly
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.5
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2022-03-17 17:13 UTC by mduffour
Modified: 2022-03-30 15:26 UTC

See Also:


Attachments
tcpdump_capture (14.01 KB, application/vnd.tcpdump.pcap)
2022-03-17 17:13 UTC, mduffour

Description mduffour 2022-03-17 17:13:02 UTC
Created attachment 17227
tcpdump_capture

Our Samba AD DC 4.15.5 (built from https://samba.tranquil.it/redhat8/) is installed over Rocky Linux and it has a trust relationship with an IdM Server also installed over Rocky Linux.
Our user accounts reside on Samba AD DC; we don't have user accounts on IdM.

We are having a problem when executing kpasswd on a user account of Samba AD DC from the IdM Server. It fails:

# KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.XXX.XXX.XX
[47521] 1647008539.753136: Getting initial credentials for usu5@ADTEST.XXX.XXX.XX
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving host/idmsrvpru.idmpru.XXX.XXX.XX@IDMPRU.XXX.XXX.XX -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving host/idmsrvpru.idmpru.XXX.XXX.XX@IDMPRU.XXX.XXX.XX -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for usu5@ADTEST.XXX.XXX.XX:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp: aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
[47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458253: Response was from master KDC
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata type PA-PW-SALT (3)
[47521] 1647008556.458256: Produced preauth for next request: (empty)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket

The behavior we are expecting is that it should ask for a password change.

Our Samba AD DC uses the embedded Heimdal Kerberos version.
Your support team told us that what happens is that a Kerberos client (in this case kpasswd) attempts to change a password and fails when expecting a response on Kerberos level from Samba AD DC.
It may be a mix of expectations between kpasswd from MIT Kerberos (on Rocky) and Heimdal (embedded in Samba AD DC).

We have also attached a tcpdump between the IdM Server and Samba AD DC when trying to log in with a user account whose password has expired, which shows the same failure behavior.

Please see original thread for more detail: https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg13718.html
Comment 1 mduffour 2022-03-22 15:03:43 UTC
ERRATA: "In FreeIPA lists" we were told that what happens is that a Kerberos client (in this case kpasswd) attempts to change a password and fails when expecting a response on Kerberos level from Samba AD DC.
Comment 2 Denis Cardon 2022-03-30 15:26:47 UTC
Your IDM is expecting Kerberos FAST support.

...
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
...

FAST support has been added in Samba 4.16. So you either have to disable FAST on your kpasswd call or upgrade.
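As an added diagnostic example (it is not part of this bug report, nor Samba or FreeIPA code), the following Python script parses KRB5_TRACE output of the kind quoted in the description: it records which KDC addresses were contacted and which answered, which pre-authentication types the KDC offered and the client actually used, and the FAST negotiation result, and then flags the pattern seen above, a FAST negotiation reported as unavailable immediately followed by the "KDC reply did not match expectations" error. The sample trace is a shortened excerpt of the report's own trace; the finding codes and the heuristics in diagnose() are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Shortened excerpt of the KRB5_TRACE output quoted in the bug report
# (addresses and realm exactly as they appear there; not a new capture).
SAMPLE_TRACE = """\
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
"""

# "[pid] seconds.micros: message" is the MIT KRB5_TRACE line format.
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
# Pre-auth types are listed as "NAME (number)".
PA_RE = re.compile(r"([A-Z0-9_-]+) \((\d+)\)")


@dataclass
class TraceSummary:
    kdcs_tried: List[str] = field(default_factory=list)
    kdcs_answered: List[str] = field(default_factory=list)
    kdc_errors: List[str] = field(default_factory=list)
    preauth_offered: List[str] = field(default_factory=list)
    preauth_used: List[str] = field(default_factory=list)
    pkinit_no_identity: bool = False
    fast_status: Optional[str] = None
    final_error: Optional[str] = None


def _add_unique(items: List[str], value: str) -> None:
    if value not in items:
        items.append(value)


def parse_trace(text: str) -> TraceSummary:
    """Reduce a KRB5_TRACE transcript to the facts needed for a diagnosis."""
    s = TraceSummary()
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            # Untagged lines are the program's own output (prompts, final error).
            if line.startswith(("kpasswd:", "kinit:")):
                s.final_error = line.split(":", 1)[1].strip()
            continue
        msg = m.group("msg")
        if msg.startswith("Initiating TCP connection to stream "):
            _add_unique(s.kdcs_tried, msg.rsplit(" ", 1)[1])
        elif msg.startswith("Received answer"):
            _add_unique(s.kdcs_answered, msg.rsplit(" ", 1)[1])
        elif msg.startswith("Received error from KDC: "):
            s.kdc_errors.append(msg.split(": ", 1)[1])
        elif msg.startswith("Processing preauth types: "):
            for name, _num in PA_RE.findall(msg):
                _add_unique(s.preauth_offered, name)
        elif msg.startswith("Produced preauth for next request: "):
            for name, _num in PA_RE.findall(msg):  # "(empty)" yields nothing
                _add_unique(s.preauth_used, name)
        elif msg.startswith("PKINIT client has no configured identity"):
            s.pkinit_no_identity = True
        elif msg.startswith("FAST negotiation: "):
            s.fast_status = msg.split(": ", 1)[1]
    return s


def diagnose(s: TraceSummary) -> List[Tuple[str, str]]:
    """Heuristic findings (codes are this example's own, not MIT or Samba names)."""
    findings: List[Tuple[str, str]] = []
    unreached = [a for a in s.kdcs_tried if a not in s.kdcs_answered]
    if unreached:
        findings.append(("KDC_UNREACHABLE",
                         f"no reply from {', '.join(unreached)}; the client fell back to "
                         f"{', '.join(s.kdcs_answered) or 'no KDC at all'}"))
    if s.fast_status == "unavailable" and s.final_error \
            and "did not match expectations" in s.final_error:
        findings.append(("FAST_UNAVAILABLE_REPLY_MISMATCH",
                         "the KDC did not negotiate FAST and the client then rejected the "
                         "AS reply; check whether the client requires FAST that this KDC "
                         "version does not offer"))
    if s.pkinit_no_identity and "PA-PK-AS-REQ" in s.preauth_offered:
        findings.append(("PKINIT_SKIPPED",
                         "the KDC offered PKINIT but the client has no certificate identity, "
                         "so password-based pre-authentication was used instead"))
    return findings


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print(summary)
    for code, text in diagnose(summary):
        print(f"{code}: {text}")
```

Run against the sample, the script reports the first KDC (10.2.100.4) never answering before the client fell back to 10.2.100.3, and the FAST-unavailable / reply-mismatch pair, which is the combination Comment 2 attributes to the KDC lacking FAST support.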