Bug 5454 - cli_session_setup_spnego() has krb/ntlm failures contacting a trusted domain
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.28a
Hardware: Other All
Importance: P3 major
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on: 5451
Reported: 2008-05-09 13:37 UTC by Steven Danneman
Modified: 2013-11-05 21:57 UTC

Attachments
spnego-SPN-fix-when-contacting-trusted-domains.patch (6.81 KB, text/plain)
2008-05-09 13:38 UTC, Steven Danneman

Description Steven Danneman 2008-05-09 13:37:09 UTC
This bug and the explained repro are dependent on bug 5451 being fixed first.

Example Domain Topology:

Computer named MACHINE joined to W2K3.DOMAIN.COM, which has a transitive forest
trust with W2K8.DOMAIN.COM.

Repro:

1) Start winbindd with debug level 10
2) Run a command that will connect to W2K8
   # wbinfo -g --domain=w2k8

Expect:

Kerberos authentication will occur with w2k8.

Actual:

Check the logs and you'll see:

[2008/05/09 11:24:10, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(733)
  connecting to w2k8-dc1.w2k8.domain.com from MACHINE with kerberos principal  [MACHINE$@W2K3.DOMAIN.COM]
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(801)
  Doing spnego session setup (blob length=124)
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 2 840 48018 1 2 2
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 2 840 113554 1 2 2
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 2 840 113554 1 2 2 3
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 3 6 1 4 1 311 2 2 10
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(834)
  got principal=not_defined_in_RFC4178@please_ignore
[2008/05/09 11:24:10, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [(null)]
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(886)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2008/05/09 11:24:10, 5] libads/kerberos.c:kerberos_get_default_realm_from_ccache(384)
  kerberos_get_default_realm_from_ccache: Trying to read krb5 cache: MEMORY:cliconnect
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(909)
  cli_session_setup_spnego: guessed server principal=w2k8-dc1$@W2K3.DOMAIN.COM
[2008/05/09 11:24:10, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(621)
  Doing kerberos session setup
[2008/05/09 11:24:10, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for w2k8-dc1$@W2K3.DOMAIN.COM (Server not found in Kerberos database)
[2008/05/09 11:24:10, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(628)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
[2008/05/09 11:24:10, 4] nsswitch/winbindd_cm.c:cm_prepare_connection(742)
  failed kerberos session setup with Server not found in Kerberos database
[2008/05/09 11:24:10, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(758)
  connecting to w2k8-dc1.w2k8.isilon.com from MACHINE with username [W2K8]\[MACHINE$]
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(801)
  Doing spnego session setup (blob length=124)
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 2 840 48018 1 2 2
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 2 840 113554 1 2 2
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 2 840 113554 1 2 2 3
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 3 6 1 4 1 311 2 2 10
[2008/05/09 11:24:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(834)
  got principal=not_defined_in_RFC4178@please_ignore

...
[2008/05/09 11:24:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1018)
  Got challenge flags:
[2008/05/09 11:24:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x62898215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_CHAL_TARGET_INFO
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2008/05/09 11:24:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1040)
  NTLMSSP: Set final flags:
[2008/05/09 11:24:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2008/05/09 11:24:10, 5] libsmb/ntlmssp.c:ntlmssp_client_challenge(1112)
  NTLMSSP challenge set by NTLM2
[2008/05/09 11:24:10, 5] libsmb/ntlmssp.c:ntlmssp_client_challenge(1113)
  challenge is:
[2008/05/09 11:24:10, 5] lib/util.c:dump_data(2264)
  [000] 57 12 F5 07 00 EC EA 4C                           W......L
[2008/05/09 11:24:10, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/05/09 11:24:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH

...
[2008/05/09 11:24:10, 4] nsswitch/winbindd_cm.c:cm_prepare_connection(766)
  authenticated session setup failed with Logon failure

Problem:

You can see in the logs that the guessed SPN is incorrect.  We're using W2K3.DOMAIN.COM instead of W2K8.DOMAIN.COM, and when we fall back to NTLM, the credentials we pass in there are incorrect as well.  We should pass W2K3\MACHINE$ not W2K8\MACHINE$.

1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.

2) When falling back on NTLMSSP for authentication we were passing the name
of the domain we're connecting to for use in our credentials when we should be
passing our own workgroup name.

The fix for both is to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters.  We use the "user_domain"
parameter to pass into the NTLM call, and we use "dest_realm" to create an SPN
if none was returned in the NegTokenInit2 packet.  If no "dest_realm" is
provided we assume we're connecting to our own domain and use the credentials
cache to build the SPN.
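
The SPN choice that the parameter split above describes, as an added example that is not Samba's code and not the attached patch: `pick_server_principal` and its signature are hypothetical, and the inputs in `main` are constructed from the report's topology.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Placeholder the server sent in the log above; it names no real service. */
#define BAD_PRINCIPAL "not_defined_in_RFC4178@please_ignore"

/*
 * Hypothetical helper, not Samba's function: pick the server principal.
 * dest_realm is the realm of the domain being contacted (NULL = our own);
 * default_realm is what the credentials cache reports for our own realm.
 * Returns 0 on success, -1 on missing input or if the result does not fit.
 */
int pick_server_principal(const char *offered, const char *dest_host,
                          const char *dest_realm, const char *default_realm,
                          char *out, size_t outlen)
{
    const char *realm = (dest_realm && *dest_realm) ? dest_realm : default_realm;
    size_t hostlen, i;
    int n;

    if (!out || outlen == 0) return -1;
    /* A usable principal offered by the server is taken as is. */
    if (offered && *offered && strcmp(offered, BAD_PRINCIPAL) != 0) {
        n = snprintf(out, outlen, "%s", offered);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    if (!dest_host || !*dest_host || !realm || !*realm) return -1;
    /* Guess: short host name + '$' (machine account) + '@' + realm. */
    hostlen = strcspn(dest_host, ".");
    if (hostlen == 0) return -1;
    n = snprintf(out, outlen, "%.*s$@%s", (int)hostlen, dest_host, realm);
    if (n < 0 || (size_t)n >= outlen) return -1;
    /* Upper-case the realm part, matching the principals in the log. */
    for (i = hostlen + 2; out[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)out[i]);
    return 0;
}

int main(void)
{
    char spn[128];
    /* Constructed inputs mirroring the report's topology. */
    const char *dc = "w2k8-dc1.w2k8.domain.com";
    if (pick_server_principal(BAD_PRINCIPAL, dc, "w2k8.domain.com", "W2K3.DOMAIN.COM", spn, sizeof(spn)) == 0)
        printf("dest_realm given:   %s\n", spn);
    if (pick_server_principal(BAD_PRINCIPAL, dc, NULL, "W2K3.DOMAIN.COM", spn, sizeof(spn)) == 0)
        printf("dest_realm missing: %s\n", spn);
    return 0;
}
```

With no `dest_realm` the helper reproduces the guess seen in the log (`w2k8-dc1$@W2K3.DOMAIN.COM`), which is the principal the KDC rejected before the connection fell back to NTLM.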
Comment 1 Steven Danneman 2008-05-09 13:38:39 UTC
Created attachment 3285
spnego-SPN-fix-when-contacting-trusted-domains.patch

Patch to fix both issues listed in the bug.