Comment 22 for bug 1576799

Andreas Hasenack (ahasenack) wrote :

Problem reproduced with the xenial packages, even when using -k in the join command (so it authenticates using Kerberos).

With my updated packages, I get further but it fails elsewhere:
root@xenial:~# net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldap://WIN-5GVSUKLMR3C.lowtech.internal)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Server is unwilling to perform
Failed to join domain: failed to connect to AD: Server is unwilling to perform

Adding some debugging shows:
[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

Looks like there is a bad interaction between Kerberos and LDAP SSL.

Similarly, I can't use ldap tools with GSSAPI authentication together with TLS or start tls, so this doesn't seem to be exclusive to samba:

root@xenial:~# kinit Administrator
Password for <email address hidden>:

root@xenial:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 56
SASL data security layer installed.
u:LOWTECH\Administrator

root@xenial:~# ldapwhoami -ZZ
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

The tools do fetch the ldap service ticket:
root@xenial:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>

Valid starting Expires Service principal
12/28/2017 18:52:19 12/29/2017 04:52:19 <email address hidden>
 renew until 12/29/2017 18:52:17
12/28/2017 18:52:21 12/29/2017 04:52:19 ldap/win-5gvsuklmr3c.lowtech.internal@
 renew until 12/29/2017 18:52:17
12/28/2017 18:52:21 12/29/2017 04:52:19 <email address hidden>
 renew until 12/29/2017 18:52:17
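As an added diagnostic example (not part of this bug comment, nor Samba or OpenLDAP code), the following Python parses the AD diagnostic string quoted above and flags the combination the two failures share: a GSSAPI security layer (SSF > 0) negotiated on a session where TLS is in effect. The sample strings are copied from this comment; the function names and the "sasl-layer-over-tls" label are my own.

```python
import re

# Constructed sample inputs, copied from the transcript in the comment above.
SAMPLE_RES_ERROR = ("<00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using "
                    "sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>")
SAMPLE_LDAPWHOAMI_STARTTLS = """SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)"""

# AD diagnostic layout: <win32 error hex>: LdapErr: DSID-<hex>, comment: <text>,
# data <extended error hex>, v<build hex>
_AD_DIAG_RE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.+?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)$")

def parse_ad_diagnostic(res_error: str) -> dict:
    """Split an AD diagnostic string into fields; code and data become ints."""
    m = _AD_DIAG_RE.match(res_error.strip().strip("<>"))
    if not m:
        raise ValueError(f"unrecognised AD diagnostic message: {res_error!r}")
    fields = m.groupdict()
    fields["code"], fields["data"] = int(fields["code"], 16), int(fields["data"], 16)
    return fields

def sasl_ssf_from_transcript(text: str) -> int:
    """Negotiated SASL SSF reported by ldapwhoami/ldapsearch, or 0 if no layer."""
    m = re.search(r"^SASL SSF: (\d+)$", text, re.MULTILINE)
    return int(m.group(1)) if m else 0

def sasl_layer_conflicts_with_tls(sasl_ssf: int, tls_in_effect: bool) -> bool:
    """True when GSSAPI negotiated a sign/seal layer (SSF > 0) over TLS, the
    combination AD refuses (the -ZZ run above: SSF 56 plus StartTLS)."""
    return sasl_ssf > 0 and tls_in_effect

def diagnose_bind(res_errno: int, res_error: str) -> str:
    """Classify a failed bind from its LDAP result code and AD diagnostic text."""
    if res_errno != 53:  # LDAP resultCode unwillingToPerform(53)
        return "other"
    try:
        diag = parse_ad_diagnostic(res_error)
    except ValueError:
        return "other"
    # Code and wording as observed in this comment's res_error; no symbolic name assumed
    if diag["code"] == 0x2029 and "sign/seal" in diag["comment"]:
        return "sasl-layer-over-tls"
    return "other"
```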