Bug 15743 - The use of Kerberos to encrypt the TCP packages gives connection interruptions
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.15.13
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-10-23 13:53 UTC by Hans van Leeuwen
Modified: 2024-10-24 09:08 UTC


Attachments
C-program source to reproduce the problem. (1.86 KB, text/x-csrc)
2024-10-23 13:53 UTC, Hans van Leeuwen

Description Hans van Leeuwen 2024-10-23 13:53:58 UTC
Created attachment 18481
C-program source to reproduce the problem.

We use Ubuntu 20.04.6 systems as Samba server.
The Samba version is 4.15.13-Ubuntu.
The SMB client is a Windows Server 2022 Standard 21H2.
The relevant Samba parameters in /etc/samba/smb.conf are:
 
  security = ads
  realm = MAIL-STREET.LOCAL
  workgroup = MAIL-STREET
  server min protocol = SMB3_02
  client min protocol = SMB3_02
  smb encrypt = required
  server signing = mandatory
 
The hostname of the Ubuntu Samba server is "samba-srv".
On the Windows system, the Samba disk is shared with the command:
C:\net use Y: \\samba-srv\customers /u:hans
Enter the password for 'hans' to connect to 'samba-srv': 
The command completed successfully

Now the Samba disk on system samba-srv can be accessed on the Y-drive.
The network analyzer Wireshark shows that Kerberos is used to encrypt the network packages.
But at the moment of Kerberos ticket renewal, the Samba share is not available for some seconds.

Another DNS record is created with the name "samba-srv-alias".
This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".

The Y-drive is removed and created again, now with "samba-srv-alias" as host.
C:\net use Y: \\samba-srv-alias\customers /u:hans

Now too, the Samba disk on samba-srv can be accessed on the Y-drive.
But Wireshark now shows that NTLM is used to encrypt the network packages.
NTLM doesn't work with tickets that need to be renewed.
The problem that the Samba share is not available for some seconds doesn't occur when NTLM is used to encrypt the network packages.

The problem that the share is not available for some seconds also doesn't occur when the share is not on Samba but on another Windows system, even when Kerberos is used.

The attachment contains a C program source that can be used to reproduce the problem. The source can be compiled on Windows with e.g. gcc.

The program reads a map/directory on the share every 3 seconds to check for files and writes to a logfile when the share is not available and when it is available again.

Start the hotfolderscan program e.g. in the way below:
C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log

After +/- 10 hours, when Kerberos renews the ticket, the lines below are written in the log file:
   2024-10-23 09:09:13 Error 2 No such file or directory
   2024-10-23 09:09:16 Share available again 

It seems that Samba doesn't handle the Kerberos ticket renewal in the right way.
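
A probe of the kind described in comment #0, as an added example that is not the reporter's attachment 18481 and is not part of the original report. It lists a directory every 3 seconds and logs only state changes, in the same line format as the log excerpt above. The function names `probe_dir` and `log_transition` are hypothetical, and the code assumes the POSIX `dirent.h` that gcc ships on both Linux and MinGW.

```c
/* Added example: share-availability probe (not attachment 18481). */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#define SLEEP_SECONDS(s) Sleep((s) * 1000)
#else
#include <unistd.h>
#define SLEEP_SECONDS(s) sleep(s)
#endif

/* Returns 0 if the directory can be opened and fully listed, else the errno. */
int probe_dir(const char *path) {
    DIR *d = opendir(path);
    if (d == NULL) return errno ? errno : EIO;
    errno = 0;
    while (readdir(d) != NULL) { }      /* walk every entry to force a real listing */
    int err = errno;                    /* non-zero if the listing broke off midway */
    closedir(d);
    return err;
}

/* Writes a log line only when availability changes; *was_up is the previous state. */
/* Returns 1 if a line was written, 0 if the state is unchanged. */
int log_transition(FILE *log, int *was_up, int err) {
    int is_up = (err == 0);
    if (is_up == *was_up) return 0;
    char ts[32];
    time_t now = time(NULL);
    strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
    if (is_up) fprintf(log, "%s Share available again\n", ts);
    else fprintf(log, "%s Error %d %s\n", ts, err, strerror(err));
    fflush(log);                        /* keep the log usable if the probe is killed */
    *was_up = is_up;
    return 1;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <dir> <logfile>\n", argv[0]); return 2; }
    FILE *log = fopen(argv[2], "a");
    if (log == NULL) { perror(argv[2]); return 1; }
    for (int was_up = 1;; SLEEP_SECONDS(3))   /* assume the share starts out reachable */
        log_transition(log, &was_up, probe_dir(argv[1]));
}
```

Running the same probe against the alias name (NTLM) and the host name (Kerberos) in parallel gives two logs whose outage timestamps can be compared with the ticket renewal time.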
Comment 1 Rowland Penny 2024-10-24 09:08:35 UTC
(In reply to Hans van Leeuwen from comment #0)

Can you please post this to the samba mailing list, it may not be a bug.
When you post, please add the output of 'testparm -s' to the post.

I should also point out that while Samba 4.15.13 is supported by Ubuntu on 20.04, it is EOL from the Samba point of view.