[Freeipa-users] cannot access to freeipa client's linux share from windows
Alexander Bokovoy
abokovoy at redhat.com
Fri Dec 2 09:57:38 UTC 2016
On pe, 02 joulu 2016, Fujisan wrote:
>Alexander,
>
>I have now in my conf on server A and client B
>
>dedicated keytab file = /etc/samba/samba.keytab
>
>instead of
>
>dedicated keytab file = FILE:/etc/samba/samba.keytab
>
>
>But unfortunately, it did not solve the problem.
It did solve it for me. The offending commit in Samba is c2f5c30b:
$ git tag --contains c2f5c30b|grep samba
samba-4.5.0
samba-4.5.0rc1
samba-4.5.0rc2
samba-4.5.0rc3
samba-4.5.1
It has the following code:
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+ const char *keytab_name_req,
+ bool write_access,
+ krb5_keytab *keytab)
+{
+ if (keytab_name_req != NULL) {
+ if (keytab_name_req[0] != '/') {
+ return KRB5_KT_BADNAME;
+ }
+ }
+
+ return smb_krb5_open_keytab_relative(context,
+ keytab_name_req,
+ write_access,
+ keytab);
+}
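Review bot: the new check in smb_krb5_open_keytab rejects any keytab_name_req whose first character is not '/', so a value carrying a libkrb5 type prefix, such as the FILE:/etc/samba/samba.keytab quoted earlier in this thread, now returns KRB5_KT_BADNAME ("Key table name malformed") where it used to be accepted. Either strip a leading FILE: or WRFILE: prefix before the `keytab_name_req[0] != '/'` comparison, or document in the 'dedicated keytab file' parameter that the value must be a bare absolute path and call the behaviour change out in the release notes.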
It is the check that keytab_name_req[0] is not '/' that causes the
breakage.
>
>
>
>On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On to, 01 joulu 2016, Fujisan wrote:
>>
>>> Hello,
>>>
>>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>>> recently.
>>> And I *cannot* access linux shares located on the F25 freeipa client from
>>> a
>>> windows desktop.
>>> But I can access linux shares located on the F25 freeipa server from that
>>> windows desktop.
>>> And I can access linux shares located on the F24 freeipa client from that
>>> windows desktop.
>>>
>>> To be clear, I have:
>>> A/ 1 F25 freeipa server
>>> B/ 1 F25 freeipa client
>>> C/ 1 F24 freeipa client
>>> D/ 1 windows desktop
>>>
>>> I can access linux shares of A from D.
>>> I can access linux shares of C from D.
>>> I *cannot* access linux shares of B from D.
>>>
>>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>>
>>> [2016/12/01 11:42:19.218759, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>>> [2016/12/01 11:42:19.218800, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>>> [2016/12/01 11:42:19.218823, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>> Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.261611, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>>> [2016/12/01 11:42:19.261638, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>>> [2016/12/01 11:42:19.261653, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>> Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.263330, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>> check_ntlm_password: Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
>>> [2016/12/01 11:42:19.263380, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>>> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>> [2016/12/01 11:42:19.270531, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>>> [2016/12/01 11:42:19.270562, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>>> [2016/12/01 11:42:19.270586, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>> Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.313479, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>>> [2016/12/01 11:42:19.313506, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>> ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>>> [2016/12/01 11:42:19.313523, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>> Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>>> [2016/12/01 11:42:19.315256, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>> check_ntlm_password: Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
>>> [2016/12/01 11:42:19.315291, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>>> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>>
>>> Also from the F25 server, I have the following when I run smbclient
>>>
>>> f25server # smbclient -k -L f25desktop.mydomain
>>> lp_load_ex: changing to config backend registry
>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>
>>> But if i run it with a F24 desktop, it works:
>>>
>>> f25server # smbclient -k -L f24desktop.mydomain
>>> lp_load_ex: changing to config backend registry
>>> Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]
>>>
>>> Sharename Type Comment
>>> --------- ---- -------
>>> IPC$ IPC IPC Service (Samba Server Version 4.4.7)
>>> data Disk /data on f24desktop
>>> data2 Disk /data2 on f24desktop
>>> data3 Disk /data3 on f24desktop
>>> backup Disk /backup on f24desktop
>>> [...]
>>>
>>>
>>> net conf list on the f25desktop gives:
>>>
>>> f25desktop # net conf list
>>> [global]
>>> workgroup = MYDOMAIN
>>> realm = MYDOMAIN
>>> netbios name = F25SERVER
>>> server string = Samba Server Version %v
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = FILE:/etc/samba/samba.keytab
>>>
>> There seems to be a change in Samba 4.5.0 which uses the 'dedicated keytab
>> file' value as it is when constructing a memory keytab. As a result,
>> libkrb5 is confused and does not know which keytab processing routine to
>> use (MEMORY:FILE:/etc/samba/samba.keytab is invalid).
>>
>> You can replace the value by removing FILE: right now:
>>
>> net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
>>
>> When no prefix is used, libkrb5 will default to FILE: itself.
>>
>> We are going to look at changing the Samba code to strip the prefix from
>> the 'dedicated keytab file' when applying it to memory-based keytabs.
>>
>> --
>> / Alexander Bokovoy
>>
--
/ Alexander Bokovoy
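The check quoted above, as an added example that is not Samba's code: it mirrors the 4.5.0 absolute-path test beside a hypothetical prefix-stripping step of the kind Alexander says Samba is looking at, and composes the MEMORY: name so the double prefix from the thread never arises. The function names, the stand-in error codes and the static buffer are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in codes so the example does not link libkrb5; the quoted Samba hunk
 * returns KRB5_KT_BADNAME, whose text is the "Key table name malformed" in the log. */
enum { KT_OK = 0, KT_BADNAME = 1 };
/* Mirror of the Samba 4.5.0 check quoted above: a name not starting with '/' is rejected. */
int samba_4_5_open_keytab_check(const char *keytab_name_req)
{
	if (keytab_name_req != NULL && keytab_name_req[0] != '/') {
		return KT_BADNAME;
	}
	return KT_OK;
}

/* Hypothetical helper, not Samba code: drop the libkrb5 file keytab prefixes
 * ("FILE:", "WRFILE:"); other prefixes such as MEMORY: name no file and stay. */
const char *strip_file_keytab_prefix(const char *value)
{
	static const char *const prefixes[] = { "FILE:", "WRFILE:" };
	for (size_t i = 0; i < sizeof(prefixes) / sizeof(prefixes[0]); i++) {
		size_t n = strlen(prefixes[i]);
		if (strncmp(value, prefixes[i], n) == 0) {
			return value + n;
		}
	}
	return value;
}

/* Name for the in-memory copy as the thread describes it (MEMORY: + value), but
 * prefix-stripped first so libkrb5 never sees "MEMORY:FILE:/...".  Returns NULL
 * if the value is still not an absolute path.  Static buffer, not thread-safe. */
const char *memory_keytab_name(const char *value)
{
	static char name[256];
	const char *path = strip_file_keytab_prefix(value);
	if (path[0] != '/') {
		return NULL;
	}
	int n = snprintf(name, sizeof(name), "MEMORY:%s", path);
	return (n > 0 && (size_t)n < sizeof(name)) ? name : NULL;
}

int main(void)
{
	const char *configured = "FILE:/etc/samba/samba.keytab";   /* value from the thread */
	printf("4.5.0 check: %s\n", samba_4_5_open_keytab_check(configured) == KT_OK ? "ok" : "malformed");
	printf("memory keytab name: %s\n", memory_keytab_name(configured));
	return 0;
}
```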