Bug 38534 - Service principal is not created
Summary: Service principal is not created
Status: CLOSED NOTABUG
Alias: None
Product: Sisyphus
Classification: Development
Component: samba-DC
Version: unstable
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Evgeny Sinelnikov
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks:
Reported: 2020-05-25 16:28 MSK by Andrey Cherepanov
Modified: 2020-05-26 16:45 MSK
CC List: 4 users
See Also:
Attachments:
Description Andrey Cherepanov 2020-05-25 16:28:28 MSK
# samba-tool spn add HTTP/pg9.company.localnet alt_pg9
# samba-tool domain exportkeytab /tmp/keytab --principal=HTTP/pg9.company.localnet
# klist -ket /tmp/keytab
Keytab name: FILE:/tmp/keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 25.05.2020 15:48:24 HTTP/pg9.company.localnet@COMPANY.LOCALNET (arcfour-hmac) 
   2 25.05.2020 15:48:24 HTTP/pg9.company.localnet@COMPANY.LOCALNET (des-cbc-md5) 
   2 25.05.2020 15:48:24 HTTP/pg9.company.localnet@COMPANY.LOCALNET (des-cbc-crc) 

# kinit HTTP/pg9.company.localnet@COMPANY.LOCALNET -kt /tmp/keytab       
kinit: Client 'HTTP/pg9.company.localnet@COMPANY.LOCALNET' not found in Kerberos database while getting initial credentials

Not reproducible on p8.
Comment 1 Andrey Cherepanov 2020-05-25 16:40:22 MSK
Moreover, the SPN is created in the database without a realm:
# LDAPTLS_REQCERT=never ldapsearch -LLL -h 127.0.0.1 -b 'dc=company,dc=localnet' -x -D 'CN=Administrator,CN=Users,DC=company,DC=localnet' -w 'Altlinux1!' -s sub -ZZ | grep HTTP
servicePrincipalName: HTTP/pg9.company.localnet

Whereas kinit explicitly requests it with the realm name, even when it is given without one.
Comment 2 Andrey Cherepanov 2020-05-25 17:29:22 MSK
Good response (samba-DC-4.9.17-alt1):
[root@sp-server ~]# KRB5_TRACE=/dev/stderr kinit HTTP/`hostname` -kt /tmp/keytab
[6986] 1590416742.409224: Getting initial credentials for HTTP/sp-server.alt.test@ALT.TEST
[6986] 1590416742.411949: Looked up etypes in keytab: rc4-hmac, des, des-cbc-crc, des-cbc-crc
[6986] 1590416742.412023: Sending request (178 bytes) to ALT.TEST
[6986] 1590416742.413568: Resolving hostname sp-server.alt.test.
[6986] 1590416742.415519: Sending initial UDP request to dgram 2a0c:88c0:1:102:2ca3:e7ff:fe7a:57d8:88
[6986] 1590416742.419602: Received answer (267 bytes) from dgram 2a0c:88c0:1:102:2ca3:e7ff:fe7a:57d8:88
[6986] 1590416742.420192: Response was not from master KDC
[6986] 1590416742.420273: Received error from KDC: -1765328359/Additional pre-authentication required
[6986] 1590416742.420312: Processing preauth types: 16, 15, 2, 11, 19
[6986] 1590416742.420322: Selected etype info: etype rc4-hmac, salt "", params ""
[6986] 1590416742.420343: PKINIT client has no configured identity; giving up
[6986] 1590416742.420356: PKINIT client has no configured identity; giving up
[6986] 1590416742.420368: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[6986] 1590416742.420377: PKINIT client has no configured identity; giving up
[6986] 1590416742.420384: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[6986] 1590416742.420459: Retrieving HTTP/sp-server.alt.test@ALT.TEST from FILE:/tmp/keytab (vno 0, enctype rc4-hmac) with result: 0/Success
[6986] 1590416742.420477: AS key obtained for encrypted timestamp: rc4-hmac/A120
[6986] 1590416742.420538: Encrypted timestamp (for 1590416742.419669): plain 301AA011180F32303230303532353134323534325AA1050203066755, encrypted A939778787377CA68FB38182D3D61B58987BD18E954DB4FF2173A7047071A52F9743C85D7D855D4A43DAE8ED438F2F4C43C72F6F
[6986] 1590416742.420552: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[6986] 1590416742.420557: Produced preauth for next request: 2
[6986] 1590416742.420571: Sending request (252 bytes) to ALT.TEST
[6986] 1590416742.421640: Resolving hostname sp-server.alt.test.
[6986] 1590416742.422676: Sending initial UDP request to dgram 2a0c:88c0:1:102:2ca3:e7ff:fe7a:57d8:88
[6986] 1590416742.452393: Received answer (1338 bytes) from dgram 2a0c:88c0:1:102:2ca3:e7ff:fe7a:57d8:88
[6986] 1590416742.454161: Response was not from master KDC
[6986] 1590416742.454228: Salt derived from principal: ALT.TESTHTTPsp-server.alt.test
[6986] 1590416742.454259: AS key determined by preauth: rc4-hmac/A120
[6986] 1590416742.454358: Decrypted AS reply; session key is: rc4-hmac/3240
[6986] 1590416742.454370: FAST negotiation: unavailable
[6986] 1590416742.454430: Initializing FILE:/tmp/krb5cc_0 with default princ HTTP/sp-server.alt.test@ALT.TEST
[6986] 1590416742.454594: Storing HTTP/sp-server.alt.test@ALT.TEST -> krbtgt/ALT.TEST@ALT.TEST in FILE:/tmp/krb5cc_0
[6986] 1590416742.454693: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ALT.TEST@ALT.TEST: pa_type: 2
[6986] 1590416742.454777: Storing HTTP/sp-server.alt.test@ALT.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/ALT.TEST\@ALT.TEST@X-CACHECONF: in FILE:/tmp/krb5cc_0

Bad response (samba-dc-4.11.8-alt1.x86_64):
[root@pg9 ~]# KRB5_TRACE=/dev/stderr kinit HTTP/pg9.company.localnet@COMPANY.LOCALNET -kt /tmp/keytab
[30529] 1590416787.47406: Resolving unique ccache of type KEYRING
[30529] 1590416787.47407: Getting initial credentials for HTTP/pg9.company.localnet@COMPANY.LOCALNET
[30529] 1590416787.47408: Looked up etypes in keytab: rc4-hmac, des, des-cbc-crc, des-cbc-crc
[30529] 1590416787.47410: Sending unauthenticated request
[30529] 1590416787.47411: Sending request (233 bytes) to COMPANY.LOCALNET
[30529] 1590416787.47412: Sending DNS URI query for _kerberos.COMPANY.LOCALNET.
[30529] 1590416787.47413: No URI records found
[30529] 1590416787.47414: Sending DNS SRV query for _kerberos._udp.COMPANY.LOCALNET.
[30529] 1590416787.47415: SRV answer: 0 100 88 "pg9.company.localnet."
[30529] 1590416787.47416: Sending DNS SRV query for _kerberos._tcp.COMPANY.LOCALNET.
[30529] 1590416787.47417: SRV answer: 0 100 88 "pg9.company.localnet."
[30529] 1590416787.47418: Resolving hostname pg9.company.localnet.
[30529] 1590416787.47419: Sending initial UDP request to dgram 2a0c:88c0:1:102:f8d4:e2ff:fe49:3bee:88
[30529] 1590416787.47420: Received answer (167 bytes) from dgram 2a0c:88c0:1:102:f8d4:e2ff:fe49:3bee:88
[30529] 1590416787.47421: Sending DNS URI query for _kerberos.COMPANY.LOCALNET.
[30529] 1590416787.47422: No URI records found
[30529] 1590416787.47423: Sending DNS SRV query for _kerberos-master._udp.COMPANY.LOCALNET.
[30529] 1590416787.47424: No SRV records found
[30529] 1590416787.47425: Response was not from master KDC
[30529] 1590416787.47426: Received error from KDC: -1765328378/Client not found in Kerberos database
[30529] 1590416787.47427: Getting initial credentials for HTTP/pg9.company.localnet@COMPANY.LOCALNET
[30529] 1590416787.47428: Looked up etypes in keytab: rc4-hmac, des, des-cbc-crc, des-cbc-crc
[30529] 1590416787.47430: Sending unauthenticated request
[30529] 1590416787.47431: Sending request (233 bytes) to COMPANY.LOCALNET (master)
[30529] 1590416787.47432: Sending DNS URI query for _kerberos.COMPANY.LOCALNET.
[30529] 1590416787.47433: No URI records found
[30529] 1590416787.47434: Sending DNS SRV query for _kerberos-master._udp.COMPANY.LOCALNET.
[30529] 1590416787.47435: Sending DNS SRV query for _kerberos-master._tcp.COMPANY.LOCALNET.
[30529] 1590416787.47436: No SRV records found
kinit: Client 'HTTP/pg9.company.localnet@COMPANY.LOCALNET' not found in Kerberos database while getting initial credentials
Comment 3 Evgeny Sinelnikov 2020-05-26 16:16:37 MSK
The new Samba introduces stricter checks that correspond to the
restrictions of Active Directory. In essence, the problem is that the
user for whom the SPN is set is not treated as the entity under which
authorization will take place. For that to be possible, the Kerberos
key must correspond to the userPrincipalName field.

I recall that this scheme used to work: in Samba it was possible to
run kinit as an SPN. Now it no longer works that way, which more
closely matches the strict behaviour of a Kerberos principal in Active
Directory.

Speaking even more strictly, the SPN should also correspond to the host
for which it is created.

Strictly speaking, testing via kinit as a service principal is
incorrect. With the same error one can obtain the SPN cifs/dc.hostname
on a domain controller and try to run kinit as it:
[root@dc0 ~]# samba-tool domain exportkeytab /tmp/keytab.cifs --principal=cifs/dc0.domain.alt
Export one principal to /tmp/keytab.cifs
[root@dc0 ~]# klist -ket /tmp/keytab.cifs
Keytab name: FILE:/tmp/keytab.cifs
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/26/20 15:41:15 cifs/dc0.domain.alt@DOMAIN.ALT (aes256-cts-hmac-sha1-96)
   1 05/26/20 15:41:15 cifs/dc0.domain.alt@DOMAIN.ALT (aes128-cts-hmac-sha1-96)
   1 05/26/20 15:41:15 cifs/dc0.domain.alt@DOMAIN.ALT (arcfour-hmac)
   1 05/26/20 15:41:15 cifs/dc0.domain.alt@DOMAIN.ALT (des-cbc-md5)
   1 05/26/20 15:41:15 cifs/dc0.domain.alt@DOMAIN.ALT (des-cbc-crc)
[root@dc0 ~]# kinit -k cifs/dc0.domain.alt@DOMAIN.ALT -t /tmp/keytab.cifs
kinit: Client 'cifs/dc0.domain.alt@DOMAIN.ALT' not found in Kerberos database while getting initial credentials

At the same time, a service running under this SPN works perfectly well:
[root@dc0 ~]# kinit administrator
Password for administrator@DOMAIN.ALT:
Warning: Your password will expire in 21 days on Wed Jun 17 02:11:33 2020
[root@dc0 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.ALT

Valid starting     Expires            Service principal
05/26/20 15:42:57  05/27/20 01:42:57  krbtgt/DOMAIN.ALT@DOMAIN.ALT
        renew until 06/02/20 15:42:55
[root@dc0 ~]# smbclient -k -L //dc0.domain.alt

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.11.8)
SMB1 disabled -- no workgroup available
[root@dc0 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.ALT

Valid starting     Expires            Service principal
05/26/20 15:42:57  05/27/20 01:42:57  krbtgt/DOMAIN.ALT@DOMAIN.ALT
        renew until 06/02/20 15:42:55
05/26/20 15:43:05  05/27/20 01:42:57  cifs/dc0.domain.alt@DOMAIN.ALT
        renew until 06/02/20 15:42:55
_____________________________

To solve the problem within the current restrictions, it is enough to set
the userPrincipalName field of the user alt_pg9 to the name of the created principal:

[root@dc0 ~]# cat adfs/CN\=Users/CN\=alt_pg9/.attributes 
dn: CN=alt_pg9,CN=Users,DC=domain,DC=alt
accountExpires: 0
badPasswordTime: 0
badPwdCount: 0
cn: alt_pg9
codePage: 0
countryCode: 0
distinguishedName: CN=alt_pg9,CN=Users,DC=domain,DC=alt
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
name: alt_pg9
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=alt
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: user
objectGUID:: qAxvpQjbvUSjOA5gxM0xEg==
# a56f0ca8-db08-44bd-a338-0e60c4cd3112
objectSid:: AQUAAAAAAAUVAAAA/5LxX0Fdk/WblfaPWAQAAA==
# S-1-5-21-1609667327-4120075585-2415302043-1112
primaryGroupID: 513
pwdLastSet: 132349681101500350
sAMAccountName: alt_pg9
sAMAccountType: 805306368
servicePrincipalName: HTTP/dc0.domain.alt
uSNChanged: 5363
uSNCreated: 5358
userAccountControl: 66048
userPrincipalName: HTTP/dc0.domain.alt@domain.alt
whenChanged: 20200526121210.0Z
whenCreated: 20200526120150.0Z


[root@dc0 ~]# diff -u alt_pg9.ldif alt_pg9.fixed.ldif
--- alt_pg9.ldif        2020-05-26 15:11:33.000000000 +0300
+++ alt_pg9.fixed.ldif  2020-05-26 15:12:21.126000000 +0300
@@ -25,9 +25,9 @@
 sAMAccountName: alt_pg9
 sAMAccountType: 805306368
 servicePrincipalName: HTTP/dc0.domain.alt
-uSNChanged: 5362
+uSNChanged: 5363
 uSNCreated: 5358
 userAccountControl: 66048
-userPrincipalName: alt_pg9@domain.alt
-whenChanged: 20200526120218.0Z
+userPrincipalName: HTTP/dc0.domain.alt@domain.alt
+whenChanged: 20200526121210.0Z
 whenCreated: 20200526120150.0Z
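Review bot: the only intended change in this hunk is the `userPrincipalName` line; the `uSNChanged` and `whenChanged` deltas are server-maintained metadata that appeared because the "after" file was re-read from the DC, so an ldapmodify reproducing this diff should carry only `replace: userPrincipalName`. Note also that the new UPN suffix is written in lowercase (`HTTP/dc0.domain.alt@domain.alt`) while the keytab and kinit use the realm `DOMAIN.ALT`; the kinit shown right after this diff succeeds, so the lookup evidently tolerates the case difference, but writing the suffix exactly as the realm the keytab carries avoids depending on that.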

After that kinit works:

[root@dc0 ~]# kinit -k HTTP/dc0.domain.alt -t /tmp/keytab
[root@dc0 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/dc0.domain.alt@DOMAIN.ALT

Valid starting     Expires            Service principal
05/26/20 16:00:46  05/27/20 02:00:46  krbtgt/DOMAIN.ALT@DOMAIN.ALT
        renew until 06/02/20 16:00:46


PS: to view and edit the user I used hadfs:
[root@dc0 ~]# kinit administrator
Password for administrator@DOMAIN.ALT: 
Warning: Your password will expire in 21 days on Wed Jun 17 02:11:33 2020

[root@dc0 ~]# hadfs adfs/ dc0.domain.alt
FUSE loop started
refreshing: /
...

The correct LDAP query is worth adding to the wiki page:
https://www.altlinux.org/Создание_SPN_и_Keytab_файла#С_помощью_Samba_DC
Comment 4 Evgeny Sinelnikov 2020-05-26 16:45:25 MSK
In this case it is not a bug but a feature. The strict solution requires the following:

1) Get the current userPrincipalName:

[root@dc0 ~]# ldapsearch -Q -LLL -Y GSSAPI -h dc0  "(&(objectClass=user)(sAMAccountName=alt_pg9))" -b dc=domain,dc=alt sAMAccountName dn userPrincipalName
dn: CN=alt_pg9,CN=Users,DC=domain,DC=alt
sAMAccountName: alt_pg9
userPrincipalName: alt_pg9

# refldap://domain.alt/CN=Configuration,DC=domain,DC=alt

# refldap://domain.alt/DC=DomainDnsZones,DC=domain,DC=alt

# refldap://domain.alt/DC=ForestDnsZones,DC=domain,DC=alt

2) Set the correct userPrincipalName, matching the created SPN:

[root@dc0 ~]# ldapmodify -Q -Y GSSAPI -h dc0
dn: CN=alt_pg9,CN=Users,DC=domain,DC=alt
changetype: modify
replace: userPrincipalName
userPrincipalName: HTTP/dc0.domain.alt@domain.alt
-
modifying entry "CN=alt_pg9,CN=Users,DC=domain,DC=alt"

3) Check the new userPrincipalName value:

[root@dc0 ~]# ldapsearch -Q -LLL -Y GSSAPI -h dc0  "(&(objectClass=user)(sAMAccountName=alt_pg9))" -b dc=domain,dc=alt sAMAccountName dn userPrincipalName
dn: CN=alt_pg9,CN=Users,DC=domain,DC=alt
sAMAccountName: alt_pg9
userPrincipalName: HTTP/dc0.domain.alt@domain.alt

# refldap://domain.alt/CN=Configuration,DC=domain,DC=alt

# refldap://domain.alt/DC=DomainDnsZones,DC=domain,DC=alt

# refldap://domain.alt/DC=ForestDnsZones,DC=domain,DC=alt
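A shell check for the rule stated in comments 3 and 4, added here as an example (it is not code from the bug report or from Samba): with the stricter KDC checks, kinit from a service keytab only succeeds when the account's userPrincipalName equals SPN@realm. The script takes the `ldapsearch -LLL` attribute output for the account (the sample is constructed from the report's alt_pg9 values, with a second servicePrincipalName value added to show multi-valued attributes), reports whether the account can be used for kinit, prints the ldapmodify LDIF from step 2 of comment 4, and applies that change textually to show the account then passes. The realm suffix is compared case-insensitively, an assumption taken from the report itself, where kinit succeeds with a UPN suffix of domain.alt against realm DOMAIN.ALT.

```shell
#!/bin/sh
# Added example, not from the bug report or Samba: check whether an account
# carrying an SPN can kinit with that SPN's keytab (UPN must be SPN@realm),
# and emit the ldapmodify LDIF that fixes it when it cannot.

# Constructed sample: `ldapsearch -LLL ... dn sAMAccountName servicePrincipalName userPrincipalName`
# output for alt_pg9 before the fix in comment 4, plus a second SPN value.
SAMPLE_BEFORE='dn: CN=alt_pg9,CN=Users,DC=domain,DC=alt
sAMAccountName: alt_pg9
servicePrincipalName: HTTP/dc0.domain.alt
servicePrincipalName: HTTP/dc0
userPrincipalName: alt_pg9@domain.alt'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# ldif_values LDIF ATTR: print every value of ATTR, one per line.
# LDAP attribute names are case-insensitive, so the name is compared lowercased.
ldif_values() {
    printf '%s\n' "$1" | awk -v a="$(lower "$2")" '
        index($0, ": ") > 0 {
            n = substr($0, 1, index($0, ": ") - 1)
            if (tolower(n) == a) print substr($0, index($0, ": ") + 2)
        }'
}

# has_spn LDIF SPN: 0 if SPN is one of the account's servicePrincipalName values.
has_spn() {
    ldif_values "$1" servicePrincipalName | grep -Fqx -- "$2"
}

# upn_matches LDIF SPN REALM: 0 if userPrincipalName is exactly SPN@REALM.
# The realm part is compared case-insensitively (assumption: the report shows
# kinit succeeding with UPN suffix domain.alt against realm DOMAIN.ALT).
upn_matches() {
    upn=$(ldif_values "$1" userPrincipalName | head -n 1)
    case $upn in
        *@*) ;;
        *) return 1 ;;   # no realm suffix at all (e.g. "userPrincipalName: alt_pg9")
    esac
    [ "${upn%@*}" = "$2" ] && [ "$(lower "${upn##*@}")" = "$(lower "$3")" ]
}

# check_account LDIF SPN REALM:
#   0 = kinit with the SPN keytab can work
#   1 = SPN is not registered on this account
#   2 = SPN registered, but userPrincipalName does not name it
check_account() {
    has_spn "$1" "$2" || return 1
    upn_matches "$1" "$2" "$3" || return 2
    return 0
}

# fix_ldif LDIF SPN REALM: the LDIF to feed `ldapmodify -Q -Y GSSAPI -h dc0`,
# the same modify operation as step 2 of comment 4.
fix_ldif() {
    dn=$(ldif_values "$1" dn | head -n 1)
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s@%s\n-\n' \
        "$dn" "$2" "$3"
}

# apply_upn LDIF SPN REALM: the account's attributes after that replace is
# applied (a textual stand-in for what ldapmodify does on the DC).
apply_upn() {
    printf '%s\n' "$1" | awk 'tolower(substr($0, 1, index($0, ": ") - 1)) != "userprincipalname"'
    printf 'userPrincipalName: %s@%s\n' "$2" "$3"
}

SAMPLE_AFTER=$(apply_upn "$SAMPLE_BEFORE" HTTP/dc0.domain.alt domain.alt)

# report NAME LDIF: print the verdict for one account snapshot.
report() {
    if check_account "$2" HTTP/dc0.domain.alt DOMAIN.ALT; then
        echo "$1: ok, kinit -k HTTP/dc0.domain.alt -t keytab can succeed"
    else
        echo "$1: check_account rc=$? (1 = SPN missing, 2 = UPN mismatch)"
    fi
}

main() {
    report before "$SAMPLE_BEFORE"
    echo "--- ldapmodify input:"
    fix_ldif "$SAMPLE_BEFORE" HTTP/dc0.domain.alt domain.alt
    report after "$SAMPLE_AFTER"
}

main
```

Run it as-is to see the before/after verdicts and the LDIF; in a real domain, replace the constants with the output of the ldapsearch from step 1 and pipe `fix_ldif` into the ldapmodify from step 2, then confirm with `kinit -k HTTP/<host> -t /tmp/keytab` as at the end of comment 3.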