* Breaks sshd for kerberos/gssapi login * Breaks sssd for connecting to ldap, as it defaults to /etc/krb5.keytab for all principals, including ldap connect... This is with smb.conf settings: kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password for good compatibility with Unix services. sssd is expecting to find the machine account principal in /etc/krb5.keytab, with form MACHINE$@AD.REALM.ORG, and sshd is looking for the principal 'host/machine.ad.realm.org@AD.REALM.ORG' in /etc/krb5.keytab as well. According to RFC 4120, section 6.1 realm names are upper case, and section 6.1 user principal account names are case sensitive, and section 6.2.1 service principals should have lower cased host names... 6.2.1 specifies that 'host' should be lower case... Thus for sshd it looks for 'host/machine.ad.realm.org@' NOTE: windowsish keytab entries like 'host/MACHINE@AD.REALM.ORG' are also technically not correct for unix... Best idea for unix compatibility in the keytab generation ( for smb.conf sync machine password to keytab parameter): * is for specifier 'sync_spns' to lower case all SPN service principal names left of the '@' * have an additional specifier 'sync_spns_with_account_name' to produce a machine keytab similar to that in Samba 4.20 and previous, suitable for use as '/etc/krb5.keytab'. Previous to Samba 4.21, net ads join/net ads create would produce a keytab with principal names as follows, which actually works: $ sudo ktutil list FILE:/etc/krb5.keytab: Vno Type Principal Aliases 2 aes256-cts-hmac-sha1-96 host/zion.ad.realm.org@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 host/ZION@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 host/zion.ad.realm.org@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 host/ZION@AD.REALM.ORG 2 arcfour-hmac-md5 host/zion.ad.realm.org@AD.REALM.ORG 2 arcfour-hmac-md5 host/ZION@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 restrictedkrbhost/ZION@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 restrictedkrbhost/ZION@AD.REALM.ORG 2 arcfour-hmac-md5 restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG 2 arcfour-hmac-md5 restrictedkrbhost/ZION@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 nfs/zion.ad.realm.org@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 nfs/ZION@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 nfs/zion.ad.realm.org@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 nfs/ZION@AD.REALM.ORG 2 arcfour-hmac-md5 nfs/zion.ad.realm.org@AD.REALM.ORG 2 arcfour-hmac-md5 nfs/ZION@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 ZION$@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 ZION$@AD.REALM.ORG 2 arcfour-hmac-md5 ZION$@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 cifs/zion.ad.realm.org@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 cifs/ZION@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 cifs/zion.ad.realm.org@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 cifs/ZION@AD.REALM.ORG 2 arcfour-hmac-md5 cifs/zion.ad.realm.org@AD.REALM.ORG 2 arcfour-hmac-md5 cifs/ZION@AD.REALM.ORG Samba 4.21.1+ produces a keytab listing like so: # ktutil list FILE:/etc/krb5.keytab: Vno Type Principal Aliases 2 aes256-cts-hmac-sha1-96 HOST/SHARON@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 HOST/SHARON@AD.REALM.ORG 2 arcfour-hmac-md5 HOST/SHARON@AD.REALM.ORG 1 aes256-cts-hmac-sha1-96 HOST/SHARON@AD.REALM.ORG 1 aes128-cts-hmac-sha1-96 HOST/SHARON@AD.REALM.ORG 1 arcfour-hmac-md5 HOST/SHARON@AD.REALM.ORG 2 aes256-cts-hmac-sha1-96 HOST/sharon.ad.realm.org@AD.REALM.ORG 2 aes128-cts-hmac-sha1-96 HOST/sharon.ad.realm.org@AD.REALM.ORG 2 arcfour-hmac-md5 HOST/sharon.ad.realm.org@AD.REALM.ORG 1 aes256-cts-hmac-sha1-96 HOST/sharon.ad.realm.org@AD.REALM.ORG 1 aes128-cts-hmac-sha1-96 HOST/sharon.ad.realm.org@AD.REALM.ORG 1 arcfour-hmac-md5 HOST/sharon.ad.realm.org@AD.REALM.ORG Thank you! Samba is a great product. I am just trying to make it better!
Please note that Windows Server does case insensitive compares of the Kerberos service principal 'service/cname', where the service principal is of the form 'service/cname@AD.REALM.ORG'
Created attachment 18520 [details] Patch for fixing sync_spns and spn_prefixes Fix I worked out to make sync_spns/spn_prefixes produce default text in service principal names in lower case, in line with RFC 4120 section 6.2.1
We had looked at it with Pavel on Friday, here are some notes. - service names are case sensitive and actually set in stone for most protocols outside of Active Directory/Kerberos specs. 'host/' cannot be 'HOST/', but 'HTTP/' cannot be 'http/'. This means all-lowcasing or all-upcasing is not possible. - MSFT specs don't do justice for SPNs definitions. There are also confusing statements where SPNs defined in MSFT documentation by explaining certain service names in all-caps (e.g. HOST) throughout a document and never saying this is an example. - multi-part principals will have to have *some* parts case-preserved. E.g. ldap/<hostname>/<REALM>@<REALM> or ldap/<hostname>/<NETBIOS>@<REALM>. I suspect HOST/ SPN comes from Samba's ~15-20 years old mistake of reading specs. RFC 4120 6.2.1 does only say that for DNS-based hostnames they must be low-cased but it says nothing about the service identifier (e.g. host/ or HTTP/). This is intentional because Kerberos principals are case-sensitive by RFC definitions, as well as Kerberos realms. MSFT docs: - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/04033bd5-913c-4c78-a398-b549b09e65d9 (MS-KILE 3.1.5.11) - https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names, make sure to read the whole section - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/599d1fe8-0549-4653-bdce-cb51965c19ae (MS-DRSR 2.2.2) is an example of a protocol-specific definition with an upper case service class. - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/41efc56e-0007-4e88-bafe-d7af61efd91f (MS-DRSR 2.2.3.2) is an example of guid-based SPNs that probably should not be low-cased at all. - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c154285-454c-4353-9a99-fb586e806944 (MS-ADTS 3.1.1.5.1.3) is an example of a confusing naming of the service classes that use CIFS/ and HOST/ upper case while they really should not be used this way.
Problem is the sync_spns and spn_prefixes produce default information that breaks Unix daemons, and installs raw SPNs with upper case components that are contrary to their default settings. Sssd breaks, as well as sshd, for kerberos authentication after upgrade to Samba 4.21. Changes introduced should NOT break things unexpectedly. I am going to log this as a Debian bug, along with the patch I produced above. The transformation I have come up with in the patch modifies the Posix system keytab by lower casing the default components of the SPN string, and does NOT touch the contents of the AD SPN database. The most important thing is to produce winbind keytab that does not break AD joined Linux clients.
I am working on addition of new keytab SPN specifiers which will address also this issue. Draft is here: https://gitlab.com/samba-team/samba/-/merge_requests/3925 The solution is not to lowercase the "servicePrincipalNames" from AD (which is wrong in general) but to construct a principal 'host/machine.ad.realm.org@AD.REALM.ORG' and also MACHINE$@AD.REALM.ORG using new syntax. These two changes will provide a solution: - new specifier 'host' - new syntax will allow to add a list of spn specifiers It will allow to use this: sync machine password to keytab = /etc/krb5.keytab:host:account_name:sync_spns:sync_kvno:machine_password
This bug was referenced in samba master: 15e191736d3eaba83b2fb4b901e1df2214526b64 7a662e097be5e0d3f7779fa544486968b8f57063
Created attachment 18560 [details] 4.21 patch
Created attachment 18561 [details] 4.22 patch
Jule, please apply the patches the the corresponding branches. Thanks!
(In reply to Andreas Schneider from comment #9) Jule, please wait for additional patches as discussed...
This bug was referenced in samba master: ccc3b2b2fba7b5d223c79bffc0f655490aed19cf 7cae7aad1ca6dcd5e0a3a102f36af74fa49a2c2b
Created attachment 18565 [details] 4.22 patch
Created attachment 18566 [details] 4.21 patch
Jule, this is ready now
(In reply to Pavel Filipenský from comment #13) No patch for 4.20?
The new keytab code was first released with 4.21, no need to patch 4.20 (In reply to Stefan Metzmacher from comment #15)
(In reply to Matthew Grant from comment #0) The upstream fix and the attached patch adds the possibility to put multiple specifiers for the same keytab. To have both 'host' and COMPUTER$ principals add the 'account_name' and 'spn_prefixes=host'. So it can be e.g.: sync machine password to keytab = /etc/krb5.keytab:account_name:spn_prefixes=host:sync_spns:sync_kvno:machine_password
Pushed to autobuild-v4-{22,21}-test.
This bug was referenced in samba v4-21-test: 58a7666b6788b68b82bf9f178e8e42d9e2c3fac3 8d5384e965f86fdc40f01654b6f401b2faf4e3b7 63b115a0092dbf38f8b519b9a469b758b0f3dbf0 cead38fb09647ca20bf489c808f39df993316f12
This bug was referenced in samba v4-21-stable (Release samba-4.21.4): 58a7666b6788b68b82bf9f178e8e42d9e2c3fac3 8d5384e965f86fdc40f01654b6f401b2faf4e3b7 63b115a0092dbf38f8b519b9a469b758b0f3dbf0 cead38fb09647ca20bf489c808f39df993316f12
This bug was referenced in samba v4-22-test: 430591895969d092256de295dd095c530272cf88 5b5862dc690ad0d546f8b11d21e231f556475e05 cb50befaa2107882fb465f7770038246e31d82d4 b9c08aec94a6bf41fd7fe7f810349b3c243542ba
Closing out bug report. Thanks!
This bug was referenced in samba v4-22-stable (Release samba-4.22.0rc3): 430591895969d092256de295dd095c530272cf88 5b5862dc690ad0d546f8b11d21e231f556475e05 cb50befaa2107882fb465f7770038246e31d82d4 b9c08aec94a6bf41fd7fe7f810349b3c243542ba