[Freeipa-users] cannot access to freeipa client's linux share from windows

Alexander Bokovoy abokovoy at redhat.com
Fri Dec 2 09:57:38 UTC 2016 

On pe, 02 joulu 2016, Fujisan wrote:
>Alexander,
>
>I have now in my conf on server A and client B
>
>dedicated keytab file = /etc/samba/samba.keytab
>
>instead of
>
>dedicated keytab file = FILE:/etc/samba/samba.keytab
>
>
>But unfortunately, it did not solve the problem.
It did solve for me. The offending commit in Samba is c2f5c30b

$ git tag --contains c2f5c30b|grep samba
samba-4.5.0
samba-4.5.0rc1
samba-4.5.0rc2
samba-4.5.0rc3
samba-4.5.1

It has following code:
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+                                    const char *keytab_name_req,
+                                    bool write_access,
+                                    krb5_keytab *keytab)
+{
+       if (keytab_name_req != NULL) {
+               if (keytab_name_req[0] != '/') {
+                       return KRB5_KT_BADNAME;
+               }
+       }
+
+       return smb_krb5_open_keytab_relative(context,
+                                            keytab_name_req,
+                                            write_access,
+                                            keytab);
+}

It is the check for keytab_name_req[0] not starting from '/' what causes
the break.

>
>
>
>On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On to, 01 joulu 2016, Fujisan wrote:
>>
>>> Hello,
>>>
>>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>>> recently.
>>> And I *cannot* access linux shares located on the F25 freeipa client from
>>> a
>>> windows desktop.
>>> But I can access linux shares located on the F25 freeipa server from that
>>> windows desktop.
>>> And I can access linux shares located on the F24 freeipa client from that
>>> windows desktop.
>>>
>>> To be clear, I have:
>>>  A/ 1 F25 freeipa server
>>>  B/ 1 F25 freeipa client
>>>  C/ 1 F24 freeipa client
>>>  D/ 1 windows desktop
>>>
>>> I can access linux shares of A from D.
>>> I can access linux shares of C from D.
>>> I *cannot* access linux shares of B from D.
>>>
>>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>>
>>> [2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>>> (Key
>>> table name malformed)
>>> [2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:627(gse_krb5_get_server_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>>> - -1765328205
>>> [2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:
>>> 698(gensec_start_mech)
>>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>>> (Key
>>> table name malformed)
>>> [2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:627(gse_krb5_get_server_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>>> - -1765328205
>>> [2016/12/01 11:42:19.261653,  1] ../auth/gensec/gensec_start.c:
>>> 698(gensec_start_mech)
>>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.263330,  2] ../source3/auth/auth.c:315(
>>> auth_check_ntlm_password)
>>>  check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED
>>> with error NT_STATUS_NO_SUCH_USER
>>> [2016/12/01 11:42:19.263380,  2] ../auth/gensec/spnego.c:720(
>>> gensec_spnego_server_negTokenTarg)
>>>  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>> [2016/12/01 11:42:19.270531,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>>> (Key
>>> table name malformed)
>>> [2016/12/01 11:42:19.270562,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:627(gse_krb5_get_server_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>>> - -1765328205
>>> [2016/12/01 11:42:19.270586,  1] ../auth/gensec/gensec_start.c:
>>> 698(gensec_start_mech)
>>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.313479,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>>> (Key
>>> table name malformed)
>>> [2016/12/01 11:42:19.313506,  1] ../source3/librpc/crypto/gse_
>>> krb5.c:627(gse_krb5_get_server_keytab)
>>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>>> - -1765328205
>>> [2016/12/01 11:42:19.313523,  1] ../auth/gensec/gensec_start.c:
>>> 698(gensec_start_mech)
>>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.315256,  2] ../source3/auth/auth.c:315(
>>> auth_check_ntlm_password)
>>>  check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED
>>> with error NT_STATUS_NO_SUCH_USER
>>> [2016/12/01 11:42:19.315291,  2] ../auth/gensec/spnego.c:720(
>>> gensec_spnego_server_negTokenTarg)
>>>  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>>
>>> Also from the F25 server, I have the following when I run smbclient
>>>
>>> f25server # smbclient -k -L f25desktop.mydomain
>>> lp_load_ex: changing to config backend registry
>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>
>>> But if i run it with a F24 desktop, it works:
>>>
>>> f25server # smbclient -k -L f24desktop.mydomain
>>> lp_load_ex: changing to config backend registry
>>> Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]
>>>
>>>    Sharename       Type      Comment
>>>    ---------       ----      -------
>>>    IPC$            IPC       IPC Service (Samba Server Version 4.4.7)
>>>    data            Disk      /data on f24desktop
>>>    data2           Disk      /data2 on f24desktop
>>>    data3           Disk      /data3 on f24desktop
>>>    backup          Disk      /backup on f24desktop
>>> [...]
>>>
>>>
>>> net conf list on the f25desktop gives:
>>>
>>> f25desktop # net conf list
>>> [global]
>>>    workgroup = MYDOMAIN
>>>    realm = MYDOMAIN
>>>    netbios name = F25SERVER
>>>    server string = Samba Server Version %v
>>>    kerberos method = dedicated keytab
>>>    dedicated keytab file = FILE:/etc/samba/samba.keytab
>>>
>> There seem to be a change in Samba 4.5.0 which uses 'dedicated keytab
>> file' value as it is when constructing a memory keytab. As result,
>> libkrb5 is confused and does not know which keytab processing routine to
>> use (MEMORY:FILE:/etc/samba/samba.keytab is invalid).
>>
>> You can replace the value by removing FILE: right now:
>>
>> net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
>>
>> When no prefix is used, libkrb5 will default to FILE: itself.
>>
>> We are going to look at changing the Samba code to strip the prefix from
>> the 'dedicated keytab file' when applying it to memory-based keytabs.
>>
>> --
>> / Alexander Bokovoy
>>

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list