Problem: samba/kerberos issues after update to 5.2

Problem:

After the update to 5.2 Samba/Kerberos shows obscure behaviour: Kerberos requests fail without any obvious cause.

In /var/log/samba/log.samba you see many messages like this:

[2025/05/13 13:10:40.203215, 0, pid=4085142] …/…/source4/kdc/pac-glue.c:1160(samba_kdc_get_user_info_from_db)
samba_kdc_get_user_info_from_db: Getting user info for PAC failed: NT_STATUS_INTERNAL_DB_CORRUPTION

Investigation:

A higher debug level shows:

[2025/05/13 13:10:40.201791, 3, pid=4085142] …/…/source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ mywin$@SCHEIN.ME from ipv4:192.0.7.165:56900 for krbtgt/SCHEIN.ME@SCHEIN.ME
dsdb_search: BASE flags=0x00000200 <SID=S-1-5-21-2615459141-2503667724-3635462610-515> NULL -> Base-DN '<SID=S-1-5-21-2615459141-2503667724-3635462610-515>' not found (No such object)
[2025/05/13 13:10:40.203215, 0, pid=4085142] …/…/source4/kdc/pac-glue.c:1160(samba_kdc_get_user_info_from_db)
samba_kdc_get_user_info_from_db: Getting user info for PAC failed: NT_STATUS_INTERNAL_DB_CORRUPTION

So the KDC looks up a SID that does not exist in Samba's sam.ldb. RID 515 normally belongs to Domain Computers; the AS-REQ in the log comes from the machine account mywin$, whose primaryGroupID is 515, so <domain SID>-515 must resolve to a group object before the PAC can be built. In this case the incorrect SID was a remnant of an AD takeover from a German AD.

How to proceed:

We first checked in the LDAP whether the SID with RID 515 already belonged to someone, which was the case: it belonged to 'Windows Hosts' (presumably through the takeover mapping at that time in the UCR variable groups/default/windowshosts: Domain computers). Since Windows Hosts is on the ignore list of the connector, the SID was therefore not present in Samba.

Solution:

Use ldapmodify to move the other object, the one wrongly holding the SID, to a free SID; the new RID (11011 below) must be unused in both directories. If the wrong SID is also present in Samba, change the SID in Samba as well. Take a backup of the OpenLDAP database (slapcat) and of /var/lib/samba/private before editing, and afterwards confirm that exactly one object carries the SID in each directory, e.g. with univention-ldapsearch sambaSID=S-1-5-21-2615459141-2503667724-3635462610-515 and ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=S-1-5-21-2615459141-2503667724-3635462610-515)' dn.

For OpenLDAP:

ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: cn=Windows Hosts,cn=groups,dc=schein,dc=me
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-2615459141-2503667724-3635462610-11011
EOR

In Samba (the two controls are needed because objectSid is a system attribute that ldbmodify otherwise refuses to change):

ldbmodify -H /var/lib/samba/private/sam.ldb --controls=provision:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.3:0  <<EOR
dn: CN=Domain Computers,CN=Groups,DC=schein,DC=me
changetype: modify
replace: objectSid
objectSid: S-1-5-21-2615459141-2503667724-3635462610-515
EOR

Why:

Computer accounts normally have primaryGroupID 515, so when the KDC builds the PAC for mywin$ it has to resolve the primary group as <domain SID>-515; the failing dsdb_search in the log is exactly that lookup. In Samba 4.18 the object CN=Domain Computers was accepted even though it did not carry the SID with RID 515. As of Samba 4.21 (the version that comes with 5.2) Samba checks more strictly that objects which are expected to have a specific SID actually carry it. If such an object is missing or has the wrong SID, the lookup fails and the KDC reports NT_STATUS_INTERNAL_DB_CORRUPTION, so Kerberos authentication breaks for every account whose primaryGroupID points at the missing SID. This is part of the stricter security and consistency checks introduced in Samba 4.21.
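The check the KDC performs, as an added example (this is not code from the post, nor from Samba or UCS): the script below parses ldbsearch LDIF output, verifies that each well-known RID is carried by exactly one object and that every primaryGroupID resolves to an existing SID, and generates the ldbmodify LDIF for the fix. The embedded sample is constructed; the RIDs 1126 (the stray SID on Domain Computers) and 1104 (the computer account) are assumptions, and the well-known-RID table is a subset you can extend.

```python
"""Check that the well-known RIDs and every primaryGroupID in a Samba sam.ldb
resolve to real objects. Added example; not code from the post or from Samba.
Pipe in ldbsearch output (see the usage note) or run without stdin for the sample."""
import re
import sys

# Well-known domain RIDs (MS-DTYP); extend with 512 Domain Admins, 514 Domain
# Guests, 516 Domain Controllers, 518 Schema Admins, 519 Enterprise Admins, ...
# Group names may be localised (a German AD calls 515 "Domänencomputer"), so
# the check keys on the RID and only reports the English name.
WELL_KNOWN_RIDS = {513: "Domain Users", 515: "Domain Computers"}

# Constructed sample in ldbsearch's LDIF format. RID 1126 on Domain Computers
# (the stray SID) and RID 1104 for the computer account are assumptions.
SAMPLE_LDIF = """\
# record 1
dn: DC=schein,DC=me
objectSid: S-1-5-21-2615459141-2503667724-3635462610

dn: CN=Domain Users,CN=Groups,DC=schein,DC=me
objectSid: S-1-5-21-2615459141-2503667724-3635462610-513

dn: CN=Domain Computers,CN=Groups,DC=schein,DC=me
objectSid: S-1-5-21-2615459141-2503667724-3635462610-1126

dn: CN=mywin,CN=Computers,DC=schein,DC=me
primaryGroupID: 515
objectSid: S-1-5-21-2615459141-2503667724-3635462610-1104
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts; unfolds
    continuation lines and skips '#' comments (no base64 values expected)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records

def domain_sid_from(records):
    """The domain object itself carries the domain SID (S-1-5-21-X-Y-Z)."""
    for rec in records:
        for sid in rec.get("objectSid", []):
            if re.fullmatch(r"S-1-5-21-\d+-\d+-\d+", sid):
                return sid
    raise ValueError("no domain SID found in the LDIF")

def check_sids(domain_sid, records):
    """Return a list of problems: each well-known RID must be carried by exactly
    one object, and <domain SID>-<primaryGroupID> must resolve to an object
    (the lookup the KDC makes when it builds the PAC)."""
    holders = {}
    for rec in records:
        for sid in rec.get("objectSid", []):
            holders.setdefault(sid, []).append(rec.get("dn", ["?"])[0])
    problems = []
    for rid, name in WELL_KNOWN_RIDS.items():
        sid = f"{domain_sid}-{rid}"
        if sid not in holders:
            problems.append(f"no object carries {sid} ({name})")
        elif len(holders[sid]) > 1:
            problems.append(f"{sid} ({name}) carried by several objects: {holders[sid]}")
    for rec in records:
        for pgid in rec.get("primaryGroupID", []):
            sid = f"{domain_sid}-{pgid}"
            if sid not in holders:
                dn = rec.get("dn", ["?"])[0]
                problems.append(f"{dn}: primaryGroupID {pgid} -> {sid} does not exist")
    return problems

def fix_ldif(dn, domain_sid, rid):
    """LDIF for ldbmodify (run with the controls shown in the post) giving `dn` <domain SID>-<rid>."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: objectSid\n"
            f"objectSid: {domain_sid}-{rid}\n")

def run_example():
    """Check the sample, then re-check after giving Domain Computers RID 515.
    Returns (problems_before, problems_after, fix_ldif_text)."""
    recs = parse_ldif(SAMPLE_LDIF)
    dsid = domain_sid_from(recs)
    dn = "CN=Domain Computers,CN=Groups,DC=schein,DC=me"
    fixed = [dict(r, objectSid=[f"{dsid}-515"]) if r["dn"][0] == dn else r
             for r in recs]
    return check_sids(dsid, recs), check_sids(dsid, fixed), fix_ldif(dn, dsid, 515)

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    recs = parse_ldif(text)
    for problem in check_sids(domain_sid_from(recs), recs):
        print(problem)
```

On a real DC run it as root against the live database, e.g. ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=*)' objectSid primaryGroupID | python3 check_rids.py (the script name is assumed). Against the sample it reports the two findings that match the log above: no object carries the RID 515 SID, and mywin's primaryGroupID 515 therefore does not resolve; after assigning RID 515 to Domain Computers both findings disappear.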
