Bug 15759 - net ads create/join/winbind producing unix dysfunctional keytabs
Summary: net ads create/join/winbind producing unix dysfunctional keytabs
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.21.0
Hardware: All
OS: All
Importance: P5 regression
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-11-28 21:20 UTC by Matthew Grant
Modified: 2024-11-29 09:20 UTC
Description Matthew Grant 2024-11-28 21:20:06 UTC
* Breaks sshd for kerberos/gssapi login
* Breaks sssd for connecting to ldap, as it defaults to /etc/krb5.keytab for all principals, including ldap connect...

This is with smb.conf settings:

        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password

for good compatibility with Unix services.  sssd is expecting to find the machine account principal in /etc/krb5.keytab, with form MACHINE$@AD.REALM.ORG, and sshd is looking for the principal 'host/machine.ad.realm.org@AD.REALM.ORG' in /etc/krb5.keytab as well.

According to RFC 4120, section 6.1, realm names are upper case; per section 6.1, user principal account names are case sensitive; and per section 6.2.1, service principals should have lower-cased host names. 6.2.1 also specifies that 'host' should be lower case.

Thus for sshd it looks for 'host/machine.ad.realm.org@'. NOTE: Windows-ish keytab entries like 'host/MACHINE@AD.REALM.ORG' are also technically not correct for Unix.

Best idea for Unix compatibility in the keytab generation (for the smb.conf 'sync machine password to keytab' parameter):

* for the specifier 'sync_spns' to lower-case all SPN service principal names left of the '@'
* to have an additional specifier 'sync_spns_with_account_name' to produce a machine keytab similar to that in Samba 4.20 and previous, suitable for use as '/etc/krb5.keytab'.

Prior to Samba 4.21, net ads join/net ads create would produce a keytab with principal names as follows, which actually works:

$ sudo ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                               Aliases
  2  aes256-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG               
  2  aes256-cts-hmac-sha1-96  host/ZION@AD.REALM.ORG                               
  2  aes128-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG               
  2  aes128-cts-hmac-sha1-96  host/ZION@AD.REALM.ORG                               
  2  arcfour-hmac-md5         host/zion.ad.realm.org@AD.REALM.ORG               
  2  arcfour-hmac-md5         host/ZION@AD.REALM.ORG                               
  2  aes256-cts-hmac-sha1-96  restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG  
  2  aes256-cts-hmac-sha1-96  restrictedkrbhost/ZION@AD.REALM.ORG                  
  2  aes128-cts-hmac-sha1-96  restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG  
  2  aes128-cts-hmac-sha1-96  restrictedkrbhost/ZION@AD.REALM.ORG                  
  2  arcfour-hmac-md5         restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG  
  2  arcfour-hmac-md5         restrictedkrbhost/ZION@AD.REALM.ORG                  
  2  aes256-cts-hmac-sha1-96  nfs/zion.ad.realm.org@AD.REALM.ORG                
  2  aes256-cts-hmac-sha1-96  nfs/ZION@AD.REALM.ORG                                
  2  aes128-cts-hmac-sha1-96  nfs/zion.ad.realm.org@AD.REALM.ORG                
  2  aes128-cts-hmac-sha1-96  nfs/ZION@AD.REALM.ORG                                
  2  arcfour-hmac-md5         nfs/zion.ad.realm.org@AD.REALM.ORG                
  2  arcfour-hmac-md5         nfs/ZION@AD.REALM.ORG                                
  2  aes256-cts-hmac-sha1-96  ZION$@AD.REALM.ORG                                   
  2  aes128-cts-hmac-sha1-96  ZION$@AD.REALM.ORG                                   
  2  arcfour-hmac-md5         ZION$@AD.REALM.ORG                                   
  2  aes256-cts-hmac-sha1-96  cifs/zion.ad.realm.org@AD.REALM.ORG               
  2  aes256-cts-hmac-sha1-96  cifs/ZION@AD.REALM.ORG                               
  2  aes128-cts-hmac-sha1-96  cifs/zion.ad.realm.org@AD.REALM.ORG               
  2  aes128-cts-hmac-sha1-96  cifs/ZION@AD.REALM.ORG                               
  2  arcfour-hmac-md5         cifs/zion.ad.realm.org@AD.REALM.ORG               
  2  arcfour-hmac-md5         cifs/ZION@AD.REALM.ORG                               

Samba 4.21.1+ produces a keytab listing like so:

# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                    Aliases
  2  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG                  
  2  aes128-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG                  
  2  arcfour-hmac-md5         HOST/SHARON@AD.REALM.ORG                  
  1  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG                  
  1  aes128-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG                  
  1  arcfour-hmac-md5         HOST/SHARON@AD.REALM.ORG                  
  2  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG  
  2  aes128-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG  
  2  arcfour-hmac-md5         HOST/sharon.ad.realm.org@AD.REALM.ORG  
  1  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG  
  1  aes128-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG  
  1  arcfour-hmac-md5         HOST/sharon.ad.realm.org@AD.REALM.ORG  


Thank you!  Samba is a great product.  I am just trying to make it better!
Comment 1 Matthew Grant 2024-11-28 21:39:45 UTC
Please note that Windows Server does case-insensitive comparisons of the Kerberos service principal 'service/cname', where the service principal is of the form 'service/cname@AD.REALM.ORG'.
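As an added example (not Samba code and not the reporter's), the following Python script turns the two complaints in this report into a check an administrator can run over `ktutil list` output: it parses a listing, asks whether the principals the description says sshd and sssd look for (host/fqdn@REALM in lower case, and MACHINE$@REALM) are present under the exact comparison Unix keytab lookups perform, lists SPN entries whose name part is not lower-cased as proposed for 'sync_spns', and contrasts that with the case-insensitive SPN compare Comment 1 attributes to Windows Server. The two embedded listings are constructed, trimmed copies of the outputs quoted above (hosts zion and sharon, realm AD.REALM.ORG are taken from the report); the function names, the three-column parse and the `windows_style` flag are this example's own assumptions.

```python
"""Keytab principal check for Unix services (added example; not Samba code).

Parses a `ktutil list`-style listing, asks whether the principals sshd and
sssd look for are present under the exact comparison MIT/Heimdal keytab
lookups use, and lists SPN entries whose name part is not lower-cased as
the report proposes for the 'sync_spns' specifier.
"""
import re
from dataclasses import dataclass

# Constructed sample listings, trimmed from the two outputs quoted in the report.
KEYTAB_4_20 = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  host/ZION@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  ZION$@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  cifs/zion.ad.realm.org@AD.REALM.ORG
"""

KEYTAB_4_21 = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
  1  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
"""


@dataclass(frozen=True)
class Entry:
    kvno: int
    enctype: str
    principal: str


# One data row: key version, enctype, principal. Header and FILE: lines have
# no leading digits and are skipped; a trailing Aliases column is ignored.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


def parse_listing(text):
    """Return the Entry rows of a ktutil listing, skipping headers and blanks."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def unix_normalize(principal):
    """Apply the casing the report asks of 'sync_spns': lower-case the
    service/instance part of an SPN, keep the realm upper case, and leave a
    plain MACHINE$ account name untouched."""
    name, _, realm = principal.rpartition("@")
    if "/" in name:
        name = name.lower()
    return f"{name}@{realm.upper()}"


def has_principal(entries, wanted, windows_style=False):
    """Exact match is what a Unix keytab lookup does; windows_style=True
    mimics the case-insensitive SPN compare Comment 1 attributes to Windows."""
    fold = str.lower if windows_style else str
    return any(fold(e.principal) == fold(wanted) for e in entries)


def expected_unix_principals(hostname, fqdn, realm):
    """Principals the report says sshd and sssd look for in /etc/krb5.keytab."""
    return {
        "sshd": f"host/{fqdn.lower()}@{realm.upper()}",
        "sssd": f"{hostname.upper()}$@{realm.upper()}",
    }


def check_keytab(listing, hostname, fqdn, realm):
    """Map each Unix service to whether its principal is present (exact match)."""
    entries = parse_listing(listing)
    wanted = expected_unix_principals(hostname, fqdn, realm)
    return {svc: has_principal(entries, p) for svc, p in wanted.items()}


def miscased_spns(entries):
    """SPN entries that differ from their Unix-normalised form, sorted."""
    return sorted({e.principal for e in entries if e.principal != unix_normalize(e.principal)})


if __name__ == "__main__":
    for label, listing, host, fqdn in (
        ("4.20", KEYTAB_4_20, "zion", "zion.ad.realm.org"),
        ("4.21", KEYTAB_4_21, "sharon", "sharon.ad.realm.org"),
    ):
        print(label, check_keytab(listing, host, fqdn, "AD.REALM.ORG"))
        print(label, "mis-cased SPNs:", miscased_spns(parse_listing(listing)))
```

Run against a real system, replace the embedded strings with the output of `ktutil list` (or `klist -k` after adjusting the regex to its column layout) and the host's own name, FQDN and realm. The 4.20-style listing satisfies both services, while the 4.21-style listing satisfies neither under exact matching even though the windows_style compare finds host/sharon.ad.realm.org, which is exactly the gap between the case-insensitive behaviour Comment 1 describes and what MIT/Heimdal libraries on the Unix side do.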