Krb5 GSSAPI error after AD takeover

After we did an AD takeover from Win2012R2 to UCS 4.3-3, sssd with GSSAPI isn't working anymore.
We also tried the same sssd config with another UCS master system (without takeover), and that was working fine.

Here is the relevant part of sssd.conf:

# sssd.conf
[domain/test.test.cc]
case_sensitive = False

id_provider = ldap

ldap_search_base = dc=test,dc=test,dc=cc
ldap_uri = ldaps://srv-ucs-01.test.test.cc:7636
ldap_schema = rfc2307

ldap_sasl_mech = GSSAPI

ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
ldap_force_upper_case_realm = true
ldap_id_mapping = false
ldap_krb5_keytab = /etc/krb5.keytab

auth_provider = krb5
chpass_provider = krb5

krb5_keytab = /etc/krb5.keytab
krb5_realm = test.test.cc
krb5_store_password_if_offline = true

root@debian:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 DEBIAN$@TEST.TEST.CC
   5 DEBIAN$@TEST.TEST.CC
   5 DEBIAN$@TEST.TEST.CC
   5 DEBIAN$@TEST.TEST.CC
   5 DEBIAN$@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
   5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
   5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
   5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
   5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
   5 RestrictedKrbHost/debian@TEST.TEST.CC
   5 RestrictedKrbHost/debian@TEST.TEST.CC
   5 RestrictedKrbHost/debian@TEST.TEST.CC
   5 RestrictedKrbHost/debian@TEST.TEST.CC
   5 RestrictedKrbHost/debian@TEST.TEST.CC
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.TEST.CC

Valid starting       Expires              Service principal
03/20/2019 10:22:34  03/20/2019 20:22:34  krbtgt/TEST.TEST.CC@TEST.TEST.CC
        renew until 03/27/2019 10:22:30
03/20/2019 10:27:05  03/20/2019 20:22:34  ldap/srv-ucs-01.test.test.CC@TEST.TEST.CC
        renew until 03/27/2019 10:22:30

# krb5.conf from client
[libdefaults]
  default_realm = TEST.TEST.CC
  clockskew = 300
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  proxiable = true
  rdns = false

[realms]
  TEST.TEST.CC = {
    admin_server = srv-ucs-01.test.test.cc
  }
  

[logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON

[domain_realm]
  test.test.cc = TEST.TEST.CC
  .test.test.cc = TEST.TEST.CC

[appdefaults]
  pam = {
    ticket_lifetime = 25h
    renew_lifetime = 25h
    forwardable = true
    proxiable = false
    minimum_uid = 1
    external = sshd
    use_shmem = sshd
  }

### sssd log
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [dp_get_account_info_handler] (0x0200): Got request for [0x5][BE_REQ_SERVICES][name=syslog]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'srv-ucs-01.test.test.cc' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [set_server_common_status] (0x0100): Marking server 'srv-ucs-01.test.test.cc' as 'resolving name'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'srv-ucs-01.test.test.cc' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'srv-ucs-01.test.test.cc' in DNS
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [set_server_common_status] (0x0100): Marking server 'srv-ucs-01.test.test.cc' as 'name resolved'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [be_resolve_server_process] (0x0200): Found address for server srv-ucs-01.test.test.cc: [10.0.200.11] TTL 900
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [get_naming_context] (0x0200): Using value from [namingContexts] as naming context.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [get_single_value_as_string] (0x0080): More than one value found.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_set_config_options_with_rootdse] (0x0020): get_naming_context failed.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn!
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'debian' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'debian' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'debian' in DNS
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.test.test.cc'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [be_resolve_server_process] (0x0200): Found address for server srv-ucs-01.test.test.cc: [10.0.200.11] TTL 900
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [child_sig_handler] (0x0100): child [1643] finished successfully.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (80)[Other (e.g., implementation specific) error]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No key table entry found matching ldap/srv-ucs-01.test.test.cc@)]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_set_port_status] (0x0100): Marking port 7636 of server 'srv-ucs-01.test.test.cc' as 'not working'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.TEST.TEST.CC], [2][No such file or directory]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.TEST.TEST.CC], [2][No such file or directory]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.TEST.TEST.CC], [2][No such file or directory]

What is interesting is this: No key table entry found matching ldap/srv-ucs-01.test.test.cc@
Something is stripping the REALM/DOMAIN part at the end of the service principal.

Can somebody give us any hints on where to debug this or which config we should check?
Thanks

So I got one step further:

During the takeover, /usr/share/univention-samba4/scripts/create-keytab.sh is executed, which removes the current krb5.keytab (before that, the ldap/srv-ucs-01.test.test.cc@TEST.TEST.CC principal was present), but it doesn't generate the ldap principal again.

Is this a bug?

OK, another step:

I exported the principal via samba-tools and then imported it with ktutil copy /tmp/samba_export.keytab /etc/krb5.keytab. After restarting slapd it was working, but I still think this shouldn't have happened at all after the takeover. Can somebody from Univention comment on this, please? I'm happy to provide a bug report if it is really a bug.
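An added check, not part of the thread or of UCS: a shell function that parses `klist -k` output and reports which required service principals are absent, so a keytab can be verified right after a takeover instead of the gap being discovered through a failed GSSAPI bind. The sample listing below is constructed to mirror the thread (ldap/ principal missing); on a real host pipe in `klist -k /etc/krb5.keytab` instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a keytab listing contains
# every service principal the host is expected to serve.

# Constructed sample of `klist -k` output, modelled on the thread, with the
# ldap/ principal missing the way it was after create-keytab.sh ran.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   5 DEBIAN$@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC'

# missing_principals PRINCIPAL...
# Reads a `klist -k` listing on stdin. Prints each required principal that
# does not appear in it (full, case-sensitive match including the realm,
# since host/DEBIAN and host/debian are distinct entries). Returns 1 if at
# least one principal is missing, 0 if all are present.
missing_principals() {
    listing=$(cat)
    status=0
    for p in "$@"; do
        if ! printf '%s\n' "$listing" |
            awk -v p="$p" 'NF >= 2 && $2 == p { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$p"
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the constructed sample: reports the ldap/ entry.
printf '%s\n' "$SAMPLE_KLIST" |
    missing_principals 'ldap/srv-ucs-01.test.test.cc@TEST.TEST.CC' \
                       'host/debian@TEST.TEST.CC' \
                       'DEBIAN$@TEST.TEST.CC' || echo "keytab incomplete"
```

Running the same check as a post-takeover step (or from a monitoring job) on the server that holds the keytab turns a silent keytab regression into an explicit failure before slapd or sssd hit it.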
