Bug 15715 - Samba 4.21.0 broke FreeIPA domain member integration
Summary: Samba 4.21.0 broke FreeIPA domain member integration
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.21.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-09-13 13:21 UTC by Alexander Bokovoy
Modified: 2024-09-23 14:42 UTC

See Also:


Attachments
backport to 4.21 branch (5.24 KB, patch)
2024-09-13 13:24 UTC, Alexander Bokovoy
pfilipensky: review+
backport to 4.21 branch (5.29 KB, patch)
2024-09-13 13:40 UTC, Alexander Bokovoy
asn: review+

Description Alexander Bokovoy 2024-09-13 13:21:22 UTC
From Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199: 

When trying to configure an IPA client as a Samba file server, the ipa-client-samba command fails in a step calling "net changesecretpw -f".

The failure did not happen with samba-4.20.4-1.fc42.x86_64 but is seen with 4.21.0-0.6.rc4.fc42.

Reproducible: Always

Steps to Reproduce:
1. Install ipa server on server.ipa.test: 
dnf install -y freeipa-server-dns
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
2. install ipa client on client.ipa.test:
dnf install -y freeipa-client-samba
ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U

3. try to configure the client as samba file server:
echo Secret123 | kinit admin
ipa-client-samba -U
Actual Results:  
# ipa-client-samba -U
Searching for IPA server...
IPA server: ['server.ipa.test']
Chosen IPA master: ['server.ipa.test']
SMB principal to be created: cifs/client.ipa.test@IPA.TEST
NetBIOS name to be used: CLIENT
Discovered domains to use:

 Domain name: ipa.test
NetBIOS name: IPA
         SID: S-1-5-21-559329419-496287489-4055619056
    ID range: 1990800000 - 1990999999

Cannot set machine account creds in Samba. Error: CalledProcessError(Command ['/usr/bin/net', 'changesecretpw', '-f'] returned non-zero exit status 1: 'pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned No logon servers are currently available to service the logon request.\nsecrets_prepare_password_change: Sync of machine password failed.\nUnable to write the machine account password in the secrets database')
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-samba", line 15, in <module>
    sys.exit(ipa_client_samba.run())
             ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/ipaclient/install/ipa_client_samba.py", line 735, in run
    populate_samba_databases(
    ~~~~~~~~~~~~~~~~~~~~~~~~^
        fstore, statestore, options, domains[0], password
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.13/site-packages/ipaclient/install/ipa_client_samba.py", line 366, in populate_samba_databases
    ipautil.run(args, stdin=password, encoding="utf-8")
    ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipapython/ipautil.py", line 594, in run
    raise CalledProcessError(
        p.returncode, arg_string, output_log, error_log
    )
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/net', 'changesecretpw', '-f'] returned non-zero exit status 1: 'pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned No logon servers are currently available to service the logon request.\nsecrets_prepare_password_change: Sync of machine password failed.\nUnable to write the machine account password in the secrets database')


Expected Results:  
# ipa-client-samba -U
Searching for IPA server...
IPA server: ['server.ipa.test']
Chosen IPA master: ['server.ipa.test']
SMB principal to be created: cifs/client.ipa.test@IPA.TEST
NetBIOS name to be used: CLIENT
Discovered domains to use:

 Domain name: ipa.test
NetBIOS name: IPA
         SID: S-1-5-21-3799508206-3266988578-3110657925
    ID range: 867400000 - 867599999

Samba domain member is configured. Please check configuration at /etc/samba/smb.conf and start smb and winbind services

This is due to refactoring done by Pavel in

commit 683f6eec40f2efbb122329800ebb2f5d2f518746
Author: Pavel Filipenský <pfilipensky@samba.org>
Date:   Thu Dec 21 13:57:38 2023 +0100

    s3: Sync machine account password in secrets_{prepare,finish}_password_change
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    

and

commit e08b2963d98ea82cb5989f5e7c80e808859e98dd
Author: Pavel Filipenský <pfilipensky@samba.org>
Date:   Wed Feb 28 13:30:30 2024 +0100

    s3:libads: Call 'sync machine password script' when machine password is updated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    


We use 'kerberos method = dedicated keytab' in FreeIPA domain member configuration. 

What we don't do is set 'sync machine password to keytab', which was introduced as a part of that patchset. As a result, Samba attempts to synchronize the machine account we set with 'net changesecretpw -f' to the keytab and fails because it cannot find a domain controller to figure out what encryption types/KVNO/SPNs must be set in the keytab.

The thing is, the IPA domain controller is a Samba DC in a special mode, not an AD DC, so it might not respond as you expect.

Second, the current logic of 'sync machine password to keytab' does not allow handling any use case where we do not want to sync keytabs (because they are already in sync).

I think there are two actions here:

 - Samba can add 'sync machine password to keytab = false' to disable syncing

-----------------------------------------------------------------------------------

Solved by MR https://gitlab.com/samba-team/samba/-/merge_requests/3786, 

commit 4f577c7b6894132be4842944f2f950b087312b16 (HEAD -> master, origin/master, origin/HEAD)
Author: Alexander Bokovoy <ab@samba.org>
Date:   Tue Sep 3 08:48:24 2024 +0300

    sync machine password to keytab: handle FreeIPA use case
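As an added example (not the reporter's code and not part of Samba or FreeIPA), a small Python check that parses the [global] section of an smb.conf and flags the combination described in this report ('kerberos method = dedicated keytab' with no explicit 'sync machine password to keytab' line), plus a matcher for the net error signature quoted above. The sample config and stderr are constructed for the example; the classification follows the reporter's description of 4.21.0 behaviour.

```python
import re

# Constructed sample of a FreeIPA-style domain member smb.conf (not copied
# from any project template); only the lines relevant to this report matter.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = IPA
    realm = IPA.TEST
    security = user
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    ; no 'sync machine password to keytab' line here

[homes]
    browseable = no
"""

# Constructed excerpt of the stderr shown in the report.
SAMPLE_NET_STDERR = (
    "pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned "
    "No logon servers are currently available to service the logon request.\n"
    "secrets_prepare_password_change: Sync of machine password failed.\n"
)

def norm_key(name):
    # Samba matches parameter names case- and whitespace-insensitively.
    return re.sub(r"\s+", "", name).lower()

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {normalized key: value}."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm_key(key)] = value.strip()
    return params

def keytab_sync_exposure(conf_text):
    """'exposed' = dedicated keytab with no explicit sync setting (the
    combination that made 'net changesecretpw -f' look for a DC here)."""
    g = parse_global(conf_text)
    method = g.get("kerberosmethod", "").lower()
    sync = g.get("syncmachinepasswordtokeytab")
    if sync is not None:
        return "explicitly-configured"
    return "exposed" if method == "dedicated keytab" else "other"

def is_keytab_refresh_failure(stderr):
    """True if net's stderr carries the signature from this bug report."""
    return "Failed to refresh keytab" in stderr and "No logon servers" in stderr
```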
Comment 1 Alexander Bokovoy 2024-09-13 13:24:08 UTC
Created attachment 18441
backport to 4.21 branch
Comment 2 Pavel Filipenský 2024-09-13 13:30:56 UTC
Comment on attachment 18441
backport to 4.21 branch

Applies cleanly
Comment 3 Alexander Bokovoy 2024-09-13 13:40:01 UTC
Created attachment 18442
backport to 4.21 branch

updated BUG reference
Comment 4 Jule Anger 2024-09-20 14:44:08 UTC
Pushed to autobuild-v4-21-test.
Comment 5 Samba QA Contact 2024-09-20 15:41:03 UTC
This bug was referenced in samba v4-21-test:

0ed55bfe0820819c7653110c5650bb02084a67a1
Comment 6 Jule Anger 2024-09-23 14:42:19 UTC
Closing out bug report.

Thanks!