Samba 4 does not find Service Principal Name

Edit: Would it help if I wrote all of this in German? I have the feeling that English would be preferred for a stronger international orientation. But if that discourages forum members from replying, that would be doubly bad for me.

In order to keep it simple I broke down my current problem (Kerberos authenticated NFS 4) in several smaller problems.

Setup

  1. UCS Active Directory Domain Controller
  2. Backupserver (not AD Backup or Domain Backup!)

I joined the backupserver to the domain. getent passwd shows results from the AD. I assume the backupserver is successfully integrated into the domain.

On the DC, I added the SPN using samba-tool spn add nfs/backupserver1.example.com backupserver1$ and checked the success:

root@ucs-addc:~$ samba-tool spn list backupserver1$
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
schema_fsmo_init: we are master[no] updates allowed[no]
backupserver1$
schema_fsmo_init: we are master[no] updates allowed[no]
User CN=backupserver1,CN=Computers,DC=example,DC=com has the following servicePrincipalName: 
	 nfs/backupserver1.example.com

I exported the keytab with

samba-tool domain exportkeytab /tmp/backupserver1.keytab --principal=nfs/backupserver1.example.com
samba-tool domain exportkeytab /tmp/backupserver1.keytab --principal=backupserver1$

copied it to the target machine using scp, imported it using ktutil copy backupserver1.keytab /etc/krb5.keytab and checked the success using ktutil list

Current situation

When trying kinit -t /etc/krb5.keytab nfs/backupserver1.example.com, I get

kinit: krb5_get_init_creds: Client (nfs/backupserver1.example.com@EXAMPLE.COM) unknown

On the KDC (which is also the AD DC), the log shows

Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]: [2020/10/21 10:44:46.470996,  3, pid=5773] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]:   Kerberos: AS-REQ nfs/backupserver1.example.com@EXAMPLE.COM from ipv4:10.3.20.3:60672 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]: [2020/10/21 10:44:46.473125,  3, pid=5773] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]:   Kerberos: UNKNOWN -- nfs/backupserver1.example.com@EXAMPLE.COM: no such entry found in hdb
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]: [2020/10/21 10:44:46.473218,  2, pid=5773] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/backupserver1.example.com@EXAMPLE.COM] at [Wed, 21 Oct 2020 10:44:46.473207 CEST] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:10.3.20.3:60672] mapped to [(null)]\[(null)]. local host [NULL]
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] s[ipv4:10.3.20.22:88] server_id[5773.3][5773]:   {"timestamp": "2020-10-21T10:44:46.473289+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:10.3.20.3:60672", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "nfs/backupserver1.example.com@EXAMPLE.COM", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 2367}}

Besides the requesting SPN not being found, it is strange that the log lines state that the client is the IP 10.3.30.100 which is a completely different machine. At least, later in the lines it shows the actual IP 10.3.20.3.

I can concur that my kinit request reaches the correct KDC. But I don’t understand why the SPN is not found. I see that the request is for krbtgt/EXAMPLE.COM@EXAMPLE.COM (line 2) which might or might not be wrong, but I ran my kinit request also with parameter -S backupserver1$ with the same result, besides the request now being for backupserver1$@EXAMPLE.COM.
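The auth_json_audit record in the log above is the part of the KDC output that can be processed reliably. As an added example (not part of this thread), the following Python extracts those JSON records from syslog-prefixed Samba lines, keeps both the c[...] connection peer from the prefix and the remoteAddress from the record (the two addresses that differ in the posted log), and counts failed KDC authentications; the sample lines are constructed from the posted one, and the eventId 4624 success record is constructed for contrast.

```python
import json
import re
from collections import Counter

# Samba KDC lines as posted: syslog prefix, "conn[...] c[peer] s[local] server_id[...]:", then JSON.
JSON_START = re.compile(r'\{"timestamp"')
CONN_PEER = re.compile(r' c\[([^\]]+)\]')

def extract_auth_events(lines):
    """Return Authentication audit records; each is tagged with the c[...] peer of the
    connection the line was logged on, which may differ from the record's remoteAddress."""
    events = []
    for line in lines:
        m = JSON_START.search(line)
        if not m:
            continue  # plain debug line without a JSON record
        try:
            rec = json.loads(line[m.start():])
        except json.JSONDecodeError:
            continue  # truncated line, skip it
        if rec.get("type") != "Authentication":
            continue
        ev = dict(rec["Authentication"])
        peer = CONN_PEER.search(line[:m.start()])
        ev["connPeer"] = peer.group(1) if peer else None
        events.append(ev)
    return events

def failed_kdc_logons(events):
    """Count failed Kerberos KDC authentications by (account, remote address, status)."""
    hits = Counter()
    for ev in events:
        if ev.get("serviceDescription") != "Kerberos KDC" or ev.get("status") == "NT_STATUS_OK":
            continue
        hits[(ev["clientAccount"], ev["remoteAddress"], ev["status"])] += 1
    return hits

PREFIX = ('Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:10.3.30.100:47105] '
          's[ipv4:10.3.20.22:88] server_id[5773.3][5773]:   ')
# Constructed sample: the failed AS-REQ from the post (eventId 4625) and a constructed success (4624).
SAMPLE = [
    PREFIX + '{"timestamp": "2020-10-21T10:44:46.473289+0200", "type": "Authentication", "Authentication": '
             '{"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.3.20.3:60672", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "nfs/backupserver1.example.com@EXAMPLE.COM"}}',
    PREFIX + '{"timestamp": "2020-10-21T10:45:01.000000+0200", "type": "Authentication", "Authentication": '
             '{"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.3.20.3:60680", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "backupserver1$@EXAMPLE.COM"}}',
]
```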

Hi,

I haven’t checked all of your steps here, but there is a dedicated tool for UCS available to create such accounts. I would suggest using this tool.

Have a look here.

/CV

Hi Christian,

thanks for your answer. I went through this script to check if I did anything different (yes, I did). What I noticed is that it checks for and creates if necessary a users/user account. I assume this would work, too, but the orthodox view is to use a computer account for this purpose (NFS between servers), isn’t it?

Of course, I can just make a copy of your script and adapt it accordingly. Shouldn’t hurt.


Masin

After some more investigation, it showed that the server indeed was not joined anymore. It only showed outdated information from the AD using getent passwd. I don’t know why this happened but there were a few weeks between joining the server and trying to overhaul my kerberization of NFS.

Luckily, I still had the bash script adapted from Integration of Ubuntu clients into a UCS domain:

#!/bin/bash
# Set the IP address of the UCS DC Master, 192.0.2.3 in this example
if [ -z "$1" ]; then
	printf "Please provide the IP address of your DC as first parameter. You might wreck your setup if it's not correct.\n"
	exit 1
else
	printf "You provided this IP address as DC: %s\n" $1
fi

export MASTER_IP=$1

if [ ! -d /etc/univention ]; then
	mkdir /etc/univention
fi

# Either be logged in using ssh -A for agent forwarding or have
# password authorization for root enabled
printf "Acquiring information from DC via ssh root@%s\n" $MASTER_IP
ssh -n root@${MASTER_IP} 'ucr shell | grep -v ^hostname=' >/etc/univention/ucr_master
echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master
chmod 660 /etc/univention/ucr_master
. /etc/univention/ucr_master
echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts

# Download the SSL certificate
mkdir -p /etc/univention/ssl/ucsCA/
wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt

# Create an account and save the password
password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c20)"
printf "Creating machine account on DC via ssh root@%s.\n" $MASTER_IP
ssh -n root@${ldap_master} udm computers/linux create \
    --position "cn=computers,${ldap_base}" \
    --set name=$(hostname) --set password="${password}" \
    --set operatingSystem="$(lsb_release -is)" \
    --set operatingSystemVersion="$(lsb_release -rs)"
printf '%s' "$password" >/etc/ldap.secret
chmod 0400 /etc/ldap.secret

# Create ldap.conf
cat >/etc/ldap/ldap.conf <<__EOF__
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
URI ldap://$ldap_master:7389
BASE $ldap_base
__EOF__

# Install required packages
DEBIAN_FRONTEND=noninteractive apt-get install -y heimdal-clients ntpdate

# Default krb5.conf
cat >/etc/krb5.conf <<__EOF__
[libdefaults]
    default_realm = $kerberos_realm
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md4 des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    allow_weak_crypto=true

[realms]
$kerberos_realm = {
   kdc = $master_ip $ldap_master
   admin_server = $master_ip $ldap_master
   kpasswd_server = $master_ip $ldap_master
}
__EOF__

# Synchronize the time with the UCS system
ntpdate -bu $ldap_master

# Test Kerberos: kinit will ask you for a ticket and the SSH login to the master should work with ticket authentication:
kinit Administrator
ssh -n Administrator@$ldap_master ls /etc/univention

# Destroy the kerberos ticket
kdestroy

# Install SSSD based configuration
DEBIAN_FRONTEND=noninteractive apt -y install sssd libnss-sss libpam-sss libsss-sudo

# Create sssd.conf
cat >/etc/sssd/sssd.conf <<__EOF__
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = $kerberos_realm

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/$kerberos_realm]
auth_provider = krb5
krb5_kdcip = ${master_ip}
krb5_realm = ${kerberos_realm}
krb5_server = ${ldap_master}
krb5_kpasswd = ${ldap_master}
id_provider = ldap
ldap_uri = ldap://${ldap_master}:7389
ldap_search_base = ${ldap_base}
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=$(hostname),cn=computers,${ldap_base}
ldap_default_authtok_type = password
ldap_default_authtok = $(cat /etc/ldap.secret)
__EOF__
chmod 600 /etc/sssd/sssd.conf

# Install auth-client-config
if [ "Debian" = "$(lsb_release -is)" ]; then
	wget http://de.archive.ubuntu.com/ubuntu/pool/universe/a/auth-client-config/auth-client-config_0.9ubuntu1_all.deb -O /tmp/auth-client-config_0.9ubuntu1_all.deb -nc
	dpkg -i /tmp/auth-client-config_0.9ubuntu1_all.deb
elif [ "Ubuntu" = "$(lsb_release -is)" ]; then
	DEBIAN_FRONTEND=noninteractive apt -y install auth-client-config
fi

# Create an auth config profile for sssd
cat >/etc/auth-client-config/profile.d/sss <<__EOF__
[sss]
nss_passwd=   passwd:   compat sss
nss_group=    group:    compat sss
nss_shadow=   shadow:   compat
nss_netgroup= netgroup: nis

pam_auth=
        auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
        auth requisite pam_succeed_if.so uid >= 500 quiet
        auth [success=1 default=ignore] pam_sss.so use_first_pass
        auth requisite pam_deny.so
        auth required pam_permit.so

pam_account=
        account required pam_unix.so
        account sufficient pam_localuser.so
        account sufficient pam_succeed_if.so uid < 500 quiet
        account [default=bad success=ok user_unknown=ignore] pam_sss.so
        account required pam_permit.so

pam_password=
        password requisite pam_pwquality.so retry=3
        password sufficient pam_unix.so obscure sha512
        password sufficient pam_sss.so use_authtok
        password required pam_deny.so

pam_session=
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session optional pam_keyinit.so revoke
        session required pam_limits.so
        session [success=1 default=ignore] pam_sss.so
        session required pam_unix.so
__EOF__
auth-client-config -a -p sss

# Restart sssd
systemctl restart sssd.service

cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
    required    pam_mkhomedir.so umask=0022 skel=/etc/skel
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update --force

echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' \
   >>/etc/security/group.conf

cat >>/usr/share/pam-configs/local_groups <<__EOF__
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
    required    pam_group.so use_first_pass
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update --force

It does all the steps outlined in the linked chapter in an order that respects dependencies. Maybe it needs some manual tweaking after it ran but it mostly works.

I just wanted to drop this script here as joining a domain using realmd or adcli seemingly does not do all the necessary steps. I still have to investigate now if the join status has any effect on my Kerberos problem.
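The krb5.conf written by the script above lists DES and RC4 (arcfour) enctypes and sets allow_weak_crypto=true. As an added check (not part of the script or this thread), the following Python parses the [libdefaults] section with a minimal parser written for this example and flags those settings, comparing the posted block (realm filled in as EXAMPLE.COM, constructed) with a hardened AES-only variant.

```python
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")  # single DES, triple DES, RC4

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}; nested REALM = { ... } blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit_libdefaults(text):
    """Return findings for weak Kerberos crypto settings in [libdefaults]."""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    findings = []
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto=true enables DES/RC4 key types")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.startswith(WEAK_PREFIXES)]
        if weak:
            findings.append(f"{key} lists weak enctypes: {' '.join(weak)}")
    return findings

# Constructed: the block from the script with the realm filled in (note the unspaced allow_weak_crypto=true).
POSTED = """[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    permitted_enctypes = des3-hmac-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    allow_weak_crypto=true
[realms]
EXAMPLE.COM = {
   kdc = 192.0.2.3
}
"""
# Constructed hardened variant: AES only, weak crypto off.
HARDENED = """[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    allow_weak_crypto = false
"""
```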
