Bug 1549969

Summary: 'Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR' while accessing share.
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: samba
Assignee: Alexander Bokovoy <abokovoy>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: asn, gdeschner, jarrpa
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-02-28 10:49:47 UTC
Type: Bug
Attachments:
Logs from Samba Server (attachment 1401670, flags: none)
ENV Setup Details (attachment 1401684, flags: none)

Description Sudhir Menon 2018-02-28 08:03:33 UTC
Description of problem:
'Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR' while accessing share.


Version-Release number of selected component (if applicable):
samba-common-tools-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
samba-common-libs-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-libs-4.7.1-6.el7.x86_64
samba-4.7.1-6.el7.x86_64
samba-client-4.7.1-6.el7.x86_64
samba-winbind-modules-4.7.1-6.el7.x86_64
samba-winbind-clients-4.7.1-6.el7.x86_64
samba-winbind-4.7.1-6.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Try to access the share hosted on 'ipa-fserver.ipa.test' from ipa-client as a trusted AD user using the command below.

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1 

Actual results: Cannot access the share.

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1 
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


Expected results:
Should be able to access the samba share.

Additional info:
The said issue was seen while running the existing CIFS tests, and although these tests passed earlier, I am not sure if this is a bug; logging it to see what causes the internal error "Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR".

A somewhat similar message was seen in the ticket below.
https://pagure.io/freeipa/issue/6551

Also removed the 'FILE:' from smb.conf, but still can't access the share.

Note: Attaching the specific setup used while the issue was seen.
Also attaching the logs of the samba server [ipa-fserver.ipa.test] where the share is hosted.

Comment 2 Sudhir Menon 2018-02-28 08:05:55 UTC
Created attachment 1401670 [details]
Logs from Samba Server

Comment 3 Sudhir Menon 2018-02-28 08:19:52 UTC
Created attachment 1401684 [details]
ENV Setup Details

Comment 5 Alexander Bokovoy 2018-02-28 08:52:58 UTC
According to comment 3, the configuration is incorrect. You shouldn't give a keytab with wrong keys.

Logs in comment 2 confirm it:
[2018/02/28 13:27:34.624795,  5, pid=21548, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2018/02/28 13:27:34.625086, 10, pid=21548, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/02/28 13:27:34.625229,  1, pid=21548, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse_krb5.c:513(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:513: krb5_kt_start_seq_get failed (No such file or directory)
[2018/02/28 13:27:34.625295,  1, pid=21548, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse_krb5.c:593(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:593: Error! Unable to set mem keytab - 2

smbd was unable to find a proper principal from the keytab.

Comment 6 Alexander Bokovoy 2018-02-28 09:21:06 UTC
Also, this ipa-fserver host is not enrolled into the IPA domain. This is an invalid test, as something should be done to set up the basic Kerberos configuration, namely the default realm used by the krb5 library.

Comment 7 Sudhir Menon 2018-02-28 10:48:55 UTC
ab,

Thank you for explaining the issue where the setup was wrong. After rectifying the same, I was able to access the samba share.

1. Trying to get the keytab on ipa-server itself was incorrect. So I joined ipa-fserver to the IPA realm using ipa-client-install, since only setting up smb.conf with realm = IPA.TEST doesn't let the samba server locate the kerberos server.

2. Also, there was no need to replace /etc/krb5.keytab on ipa-fserver; I just copied the keytab generated in /root/samba.keytab to /etc/samba, which only included entries for ipa-fserver in this case.

3. So I ran the commands below on ipa-fserver after running ipa-client-install, and the share was accessible using ipauser as well as the trusted AD user.


[root@ipa-fserver ~]# ipa service-add cifs/ipa-fserver.ipa.test
--------------------------------------------------
Added service "cifs/ipa-fserver.ipa.test"
--------------------------------------------------
  Principal name: cifs/ipa-fserver.ipa.test
  Principal alias: cifs/ipa-fserver.ipa.test
  Managed by: ipa-fserver.ipa.test

[root@ipa-fserver ~]# ipa-getkeytab -s ipa-server1.ipa.test -p cifs/ipa-fserver.ipa.test -k /root/samba.keytab 

Keytab successfully retrieved and stored in: /root/samba.keytab
[root@ipa-fserver ~]# ktutil
ktutil:  read_kt /root/samba.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1       cifs/ipa-server1.ipa.test
   2    1       cifs/ipa-server1.ipa.test
   3    1       cifs/ipa-fserver.ipa.test
   4    1       cifs/ipa-fserver.ipa.test
   5    1       cifs/ipa-fserver.ipa.test
   6    1       cifs/ipa-fserver.ipa.test
   7    1       cifs/ipa-fserver.ipa.test
   8    1       cifs/ipa-fserver.ipa.test
ktutil:  q

[root@ipa-fserver ~]# cp -frv /root/samba.keytab /etc/samba/
‘/root/samba.keytab’ -> ‘/etc/samba/samba.keytab’

[root@ipa-fserver ~]# cd /etc/samba/
[root@ipa-fserver samba]# ls -l
total 28
-rw-r--r--. 1 root root    20 Dec 20 22:30 lmhosts
-rwx------. 1 root root   682 Feb 28 16:09 samba.keytab
-rw-r--r--. 1 root root   369 Feb 28 12:55 smb.conf
-rw-r--r--. 1 root root 11327 Dec 20 22:30 smb.conf.example
-rw-r--r--. 1 root root   706 Feb 27 14:34 smb.conf.org

[root@ipa-fserver samba]# chmod 0700 samba.keytab 
[root@ipa-fserver samba]# ls -l
total 28
-rw-r--r--. 1 root root    20 Dec 20 22:30 lmhosts
-rwx------. 1 root root   682 Feb 28 16:09 samba.keytab

===Accessing share as trusted ad user from ipa-fclient===

[root@ipa-fclient ~]# klist -l
Principal name                 Cache name
--------------                 ----------
cuser1                  KEYRING:persistent:0:0

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1
Try "help" to get a list of possible commands.
smb: \> md cifsuser1
smb: \> ls
  .                                   D        0  Wed Feb 28 16:10:25 2018
  ..                                  D        0  Tue Feb 27 14:35:59 2018
  cifsuser1                           D        0  Wed Feb 28 16:10:25 2018

		36805060 blocks of size 1024. 34189912 blocks available
smb: \> [root@ipa-fclient ~]# 

===Accessing share as trusted ad user from ipa-fclient===

[root@ipa-fclient ~]# kdestroy -A

[root@ipa-fclient ~]# echo ipauser1 | kinit ipauser1
Password for ipauser1: 

[root@ipa-fclient ~]# klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1              KEYRING:persistent:0:0

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1
Try "help" to get a list of possible commands.
smb: \> md ipauser1
smb: \> ls
  .                                   D        0  Wed Feb 28 16:11:00 2018
  ..                                  D        0  Tue Feb 27 14:35:59 2018
  cifsuser1                           D        0  Wed Feb 28 16:10:25 2018
  ipauser1                            D        0  Wed Feb 28 16:11:00 2018

		36805060 blocks of size 1024. 34188924 blocks available


[root@ipa-fserver ~]# cd /mnt/samba/share1/
[root@ipa-fserver share1]# pwd
/mnt/samba/share1
[root@ipa-fserver share1]# ls -l
total 0
drwxr-xr-x. 2 cuser1 cuser1 6 Feb 28 16:10 cifsuser1
drwxr-xr-x. 2 ipauser1      ipauser1      6 Feb 28 16:11 ipauser1
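The diagnosis in comment 5 (smbd could not open the dedicated keytab, so GENSEC gse_krb5 failed to start) and the fix in comment 7 (retrieve a cifs/ principal with ipa-getkeytab, install it as /etc/samba/samba.keytab with restrictive permissions) amount to a preflight check that can be scripted. The script below is an added example written for this page; it is not code from the bug report, Samba or FreeIPA. It assumes smb.conf uses `kerberos method = dedicated keytab` and `dedicated keytab file = FILE:/etc/samba/samba.keytab`, that the expected principal is `cifs/<fqdn>@<REALM>`, and that MIT `klist -kt` and GNU `stat` are available; the smb.conf and keytab listing embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Samba/FreeIPA: a preflight
# check for the dedicated Samba keytab, modelled on the failure in comment 5
# (keytab not found -> "Unable to set mem keytab - 2") and the fix in
# comment 7 (cifs/ principal retrieved with ipa-getkeytab into
# /etc/samba/samba.keytab, mode 0700).
#
# Assumptions (not from the page): smb.conf carries
#   kerberos method = dedicated keytab
#   dedicated keytab file = FILE:/etc/samba/samba.keytab
# and the expected principal is cifs/<fqdn>@<REALM>.

# Print the keytab path named by "dedicated keytab file" in an smb.conf
# text, with an optional FILE: prefix stripped (smbd accepts both forms).
keytab_path_from_conf() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*dedicated keytab file[[:space:]]*=[[:space:]]*//p' \
        | sed 's/^FILE://; s/[[:space:]]*$//' \
        | head -n 1
}

# Count the entries for principal $2 in a "klist -kt" listing given as $1.
# The principal is the last whitespace-separated field of each entry line.
count_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { n++ } END { print n + 0 }'
}

# Return 0 when the keytab file exists and is not readable by group/other.
# A missing file is exactly what produced "krb5_kt_start_seq_get failed
# (No such file or directory)" in the server log quoted in comment 5.
check_keytab_file() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "FAIL: keytab $path does not exist"
        return 1
    fi
    mode=$(stat -c %a "$path")
    case "$mode" in
        600|700) echo "OK: $path mode $mode"; return 0 ;;
        *) echo "FAIL: $path mode $mode, expected 0600 or 0700"; return 1 ;;
    esac
}

# Full check against a live host: smb.conf path, host FQDN, realm.
# Example: check_host /etc/samba/smb.conf ipa-fserver.ipa.test IPA.TEST
check_host() {
    conf_file=$1; fqdn=$2; realm=$3
    path=$(keytab_path_from_conf "$(cat "$conf_file")")
    [ -n "$path" ] || { echo "FAIL: no 'dedicated keytab file' in $conf_file"; return 1; }
    check_keytab_file "$path" || return 1
    n=$(count_principal "$(klist -kt "$path")" "cifs/$fqdn@$realm")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no cifs/$fqdn@$realm entry in $path (run ipa-getkeytab for it)"
        return 1
    fi
    echo "OK: $n key(s) for cifs/$fqdn@$realm in $path"
}

# Constructed sample data so the text-based checks can be exercised offline.
SAMPLE_CONF='[global]
   workgroup = IPA
   realm = IPA.TEST
   kerberos method = dedicated keytab
   dedicated keytab file = FILE:/etc/samba/samba.keytab'

SAMPLE_LISTING='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/28/2018 16:09:00 cifs/ipa-fserver.ipa.test@IPA.TEST
   1 02/28/2018 16:09:00 cifs/ipa-fserver.ipa.test@IPA.TEST'

# Offline demo over the constructed data; returns 0 when both checks pass.
demo_check() {
    path=$(keytab_path_from_conf "$SAMPLE_CONF")
    n=$(count_principal "$SAMPLE_LISTING" "cifs/ipa-fserver.ipa.test@IPA.TEST")
    echo "keytab path from smb.conf: $path"
    echo "cifs/ipa-fserver.ipa.test@IPA.TEST entries: $n"
    [ "$path" = "/etc/samba/samba.keytab" ] && [ "$n" -gt 0 ]
}

# With three arguments the live host is checked; otherwise run the demo.
if [ "$#" -eq 3 ]; then
    check_host "$@"
else
    demo_check
fi
```

Run it as `sh check_samba_keytab.sh /etc/samba/smb.conf ipa-fserver.ipa.test IPA.TEST` on the file server; with no arguments it only exercises the parsers over the embedded sample data. The principal count matters because a keytab holding only another host's cifs/ keys (or none) leaves smbd unable to decrypt the client's service ticket, which surfaces to the client as the SPNEGO mechtype failure shown in the description.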