Bug 1757071

Summary: Deploy new samba DC cause "setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type"

Product: Fedora
Component: samba
Version: 31
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Keywords: Reopened
Type: Bug
Reporter: Dario Lesca <d.lesca>
Assignee: Isaac Boukris <iboukris>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, accounts+fedora, alex, anoopcs, asn, extras-orphan, gdeschner, io, it+rhelbugzilla, jarrpa, jstephen, j, lmohanty, madam, nalin, npmccallum, rharwood, sbose, ssorce
Fixed In Version: samba-4.11.2-1.fc31
Clones: 1778130
Bug Blocks: 1778130
Last Closed: 2019-11-14 01:12:37 UTC

Attachments:
- List of package installed (attachment 1621152)
- Screen history of "5 minute and Samba DC is fully installed" (attachment 1621265)

Description Dario Lesca 2019-09-30 14:00:53 UTC
Created attachment 1621152 [details]
List of package installed

Description of problem:

Deploying a new Samba DC causes an "ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type"

Version-Release number of selected component (if applicable):

See rpm-qa.txt attached

# dnf -y install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python ldb-tools bind bind-utils samba-dc-bind-dlz
Last metadata expiration check: 1:32:22 ago on Mon Sep 30 14:10:59 2019.
Package samba-client-2:4.11.0-3.fc31.x86_64 is already installed.
Package samba-dc-2:4.11.0-3.fc31.x86_64 is already installed.
Package samba-winbind-2:4.11.0-3.fc31.x86_64 is already installed.
Package attr-2.4.48-7.fc31.x86_64 is already installed.
Package acl-2.2.53-4.fc31.x86_64 is already installed.
Package krb5-workstation-1.17-45.fc31.x86_64 is already installed.
Package tdb-tools-1.4.2-1.fc31.x86_64 is already installed.
Package samba-winbind-clients-2:4.11.0-3.fc31.x86_64 is already installed.
Package python-unversioned-command-3.7.4-5.fc31.noarch is already installed.
Package ldb-tools-2.0.7-1.fc31.x86_64 is already installed.
Package bind-32:9.11.10-1.fc31.x86_64 is already installed.
Package bind-utils-32:9.11.10-1.fc31.x86_64 is already installed.
Package samba-dc-bind-dlz-2:4.11.0-3.fc31.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!


# dnf list samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python ldb-tools bind bind-utils samba-dc-bind-dlz
Last metadata expiration check: 0:04:01 ago on Mon Sep 30 15:43:26 2019.
Installed Packages
acl.x86_64                                               2.2.53-4.fc31                                  @fedora         
attr.x86_64                                              2.4.48-7.fc31                                  @fedora         
bind.x86_64                                              32:9.11.10-1.fc31                              @updates-testing
bind-utils.x86_64                                        32:9.11.10-1.fc31                              @fedora         
krb5-workstation.x86_64                                  1.17-45.fc31                                   @updates-testing
ldb-tools.x86_64                                         2.0.7-1.fc31                                   @updates-testing
samba-client.x86_64                                      2:4.11.0-3.fc31                                @updates-testing
samba-dc.x86_64                                          2:4.11.0-3.fc31                                @updates-testing
samba-dc-bind-dlz.x86_64                                 2:4.11.0-3.fc31                                @updates-testing
samba-winbind.x86_64                                     2:4.11.0-3.fc31                                @updates-testing
samba-winbind-clients.x86_64                             2:4.11.0-3.fc31                                @updates-testing
tdb-tools.x86_64                                         1.4.2-1.fc31                                   @fedora        

How reproducible:

Steps to Reproduce:
1. setup a new fedora 31 server
2. dnf remove sssd\* (not use it)
3. install samba and related packages
4. deploy a new DC

Actual results:

# test ! -e /etc/krb5.conf.orig && mv /etc/krb5.conf /etc/krb5.conf.orig
# test -e /etc/krb5.conf && mv /etc/krb5.conf /etc/krb5.conf.$(date +%s)

# test ! -e /etc/samba/smb.conf.orig && mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
# test -e /etc/samba/smb.conf && mv /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)

# samba-tool domain provision --realm=samba-dc.tld --domain=samba-dc \
    --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd
INFO 2019-09-30 15:36:19,283 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
INFO 2019-09-30 15:36:19,284 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2019-09-30 15:36:19,285 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2152: No IPv6 address will be assigned
INFO 2019-09-30 15:36:19,847 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2019-09-30 15:36:20,106 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2019-09-30 15:36:20,293 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2019-09-30 15:36:21,077 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2019-09-30 15:36:21,477 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2019-09-30 15:36:21,741 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2019-09-30 15:36:21,813 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2019-09-30 15:36:21,815 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2019-09-30 15:36:21,879 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2019-09-30 15:36:22,011 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=samba-dc,DC=tld
INFO 2019-09-30 15:36:22,089 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2019-09-30 15:36:22,179 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2019-09-30 15:36:25,765 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2019-09-30 15:36:25,968 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2019-09-30 15:36:28,524 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2019-09-30 15:36:28,573 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2019-09-30 15:36:28,575 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2019-09-30 15:36:28,577 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2019-09-30 15:36:28,579 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2019-09-30 15:36:28,580 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2019-09-30 15:36:28,772 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2019-09-30 15:36:28,830 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/domain.py", line 542, in run
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 2384, in provision
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 1968, in provision_fill
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 1607, in fill_samdb
    }, controls=["relax:0", "provision:0"])
  File "/usr/lib64/python3.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python3.7/site-packages/samba/__init__.py", line 230, in add_ldif
    self.add(msg, controls)

Expected results:
Deployment ends successfully

Additional info:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

NOTE:
I have removed all sssd packages; does samba need some of these packages?

Comment 1 Robbie Harwood 2019-09-30 15:35:59 UTC
Single-DES support has been removed from krb5 as per
https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization

I invite you to peruse https://tools.ietf.org/html/rfc6649 ; single-DES
is *NOT SECURE*.  You can find information on migrating at
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html
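
Robbie's pointer to retiring DES raises the practical question of where single-DES can still be enabled on a DC or member host. The script below is an added example, not code from this bug report, MIT krb5 or Samba: it parses the [libdefaults] enctype settings of a krb5.conf and reports every entry that still enables DES (the family des-cbc-md5 belongs to), 3DES or RC4, and whether allow_weak_crypto is on. The sample configuration, the realm SAMBA-DC.TLD and the host addc1.samba-dc.tld are constructed for illustration, echoing names used later in this report.

```python
"""Audit the enctype settings in a krb5.conf for single-DES and other weak types.

Added example, not code from the bug report, MIT krb5 or Samba. It scans the
[libdefaults] keys MIT krb5 consults for enctype lists and reports any entry
that still enables DES (the family des-cbc-md5 belongs to), 3DES or RC4, or
that turns on allow_weak_crypto. The krb5.conf text below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Names MIT krb5 accepts in enctype lists (krb5.conf(5)), grouped by reason.
# "des", "des3" and "rc4" are the family shorthands krb5.conf allows.
_SINGLE_DES = ("single-DES: removed from Fedora's krb5 build (see the Change in "
               "comment 1) and upstream in krb5 1.18; see RFC 6649")
_DEPRECATED = "deprecated by RFC 8429"
WEAK_ENCTYPES: Dict[str, str] = {
    **{n: _SINGLE_DES for n in ("des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                               "des-cbc-raw", "des-hmac-sha1")},
    **{n: _DEPRECATED for n in ("des3", "des3-cbc-sha1", "des3-hmac-sha1",
                               "des3-cbc-sha1-kd", "des3-cbc-raw", "rc4", "rc4-hmac",
                               "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp",
                               "arcfour-hmac-exp", "arcfour-hmac-md5-exp")},
}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}   # krb5's boolean spellings

Finding = Tuple[str, str, str]   # (setting, offending token, reason)


def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return key -> value for [libdefaults]. Brace subsections of other
    sections (e.g. [realms]) are skipped, which is enough for this audit."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def audit_enctypes(text: str) -> List[Finding]:
    """List every weak enctype a krb5.conf still enables.

    Tokens prefixed with '-' remove a type from the list and are therefore
    not reported; '+' adds one and is reported when the type is weak.
    """
    libdefaults = parse_libdefaults(text)
    findings: List[Finding] = []
    if libdefaults.get("allow_weak_crypto", "false").lower() in TRUE_WORDS:
        findings.append(("allow_weak_crypto", "true",
                         "re-enables weak key types for the whole library"))
    for key in ENCTYPE_KEYS:
        for token in re.split(r"[\s,]+", libdefaults.get(key, "")):
            if not token or token.startswith("-"):
                continue
            name = token.lstrip("+").lower()
            if name in WEAK_ENCTYPES:
                findings.append((key, name, WEAK_ENCTYPES[name]))
    return findings


# Constructed sample: a realm named after the one provisioned in this bug.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SAMBA-DC.TLD
    dns_lookup_realm = false
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5
    default_tkt_enctypes = DEFAULT -des3 +rc4-hmac

[realms]
    SAMBA-DC.TLD = {
        kdc = addc1.samba-dc.tld
    }
"""

if __name__ == "__main__":
    for setting, token, reason in audit_enctypes(SAMPLE_KRB5_CONF):
        print(f"{setting}: {token} -> {reason}")
```

Run it against the contents of /etc/krb5.conf on the DC and on every member. A clean result here does not by itself mean no DES keys remain: principals provisioned earlier can still carry des-cbc-md5 keys in the directory and in keytabs, which is what the retiring-des guide linked above covers.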

Comment 2 Alexander Bokovoy 2019-09-30 15:46:29 UTC
This bug is still needed for Samba to get rid of DES requirements.

Comment 3 Alexander Bokovoy 2019-09-30 15:47:44 UTC
Isaac has a work in progress here: https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

Comment 4 Dario Lesca 2019-09-30 15:51:14 UTC
Ok, thanks

but now, what must I do to bypass this problem?

Must I file a bug with samba devel?

Or can I change the procedure to deploy a samba DC?

Or must I wait for Isaac to release a solution? 

If so, at this point samba-dc on Fedora 31 is not usable.

Please, let me know

Many thanks
Dario

Comment 5 Alexander Bokovoy 2019-09-30 15:51:55 UTC
Don't use Fedora 31 right now if you want to deploy Samba DC.

Comment 6 Dario Lesca 2019-09-30 15:55:49 UTC
ok, of course

This is a test environment to help to test samba-dc for Fedora31

Thanks

Comment 7 Isaac Boukris 2019-09-30 16:28:55 UTC
Per my testing, it isn't only AD-DC that's non-functional, simpler ops such as domain join also don't work.

@Dario if you can build this branch from source and give it a test it would be nice (I think the remaining failing tests are using DES, so they'll just need to be adjusted, but I need to take a closer look):
https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

Comment 8 Dario Lesca 2019-09-30 17:31:59 UTC
(In reply to Isaac Boukris from comment #7)
> Per my testing, it isn't only AD-DC that's non-functional, simpler ops such as
> domain join also don't work.
> 
> @Dario if you can build this branch from source and give it a test it would
> be nice (I think the remaining failing tests are using DES, so they'll just
> need to be adjusted, but I need to take a closer look):
> https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

Ok, helping to test is fine for me, but I must know some things

You mean download samba.src.rpm and rebuild with a new samba.tar.gz? From what URL do I get it?

I'm sorry but I need to know how to use your branch; I'm not a developer and I am not familiar with these things.

But if you give me a little push I can try

Comment 9 Alexander Bokovoy 2019-09-30 17:51:12 UTC
(In reply to Dario Lesca from comment #8)
> Ok, helping to test is fine for me, but I must know some things
> 
> You mean download samba.src.rpm and rebuild with a new samba.tar.gz? From
> what URL do I get it?
> 
> I'm sorry but I need to know how to use your branch; I'm not a developer and
> I am not familiar with these things.
> 
> But if you give me a little push I can try

I'm building a test package in COPR right now. Stay tuned (might fail) ;)

Comment 10 Alexander Bokovoy 2019-09-30 18:13:17 UTC
I generated a build which includes Isaac's patches in https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/:

$ dnf copr enable abbra/samba-nodes-test 
$ dnf install samba-dc
..

Comment 11 Dario Lesca 2019-09-30 20:34:14 UTC
(In reply to Alexander Bokovoy from comment #10)
> I generated a build which includes Isaac's patches in
> https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/:
> 
> $ dnf copr enable abbra/samba-nodes-test 
> $ dnf install samba-dc
> ..

It works! ... thanks Isaac and Alexander!

In 5 minutes I have set up a full Samba DC with 0 problems (see the screen history)

Now I go on to test DHCP + Win10 join to domain + a Samba member server + access Win to Samba and Win to Win ... and will let you know

NOTE: as you can see in the history, I have set KRB5RCACHETYPE="none" in the name daemon startup.

This comes from my old experience (https://lists.samba.org/archive/samba/2017-December/212583.html)

Now I will try other things with this flag set, then I will try to remove it and let you know. 
 
Many thanks!
Dario

Comment 12 Dario Lesca 2019-09-30 20:36:27 UTC
Created attachment 1621265 [details]
Screen history of "5 minute and Samba DC is fully installed"

Screen history of a Samba DC + time server + dhcp server installation

Comment 13 Dario Lesca 2019-09-30 22:42:28 UTC
I have set up a CentOS 8 Samba member server and joined it to the DC without problems (OK)

Then I have set up win10a and win10b with DHCP, joined them to the DC and accessed \\centos8\public without problems (OK)

Now my network is composed as follows:

* addc1 (Samba Fedora31 DC)
* centos8 (Samba member server with shared data)
* win10a (MS client)
* win10b (MS client)

a) For all PCs, DHCP and DNS update work (OK)

b) Browsing the network from win10* does not show any PC/server (NOT-OK)

c) Access from win10* to centos8 (or addc1) with \\centos8\public works (OK)

d) Browsing win10* from centos8 shows the win10* shares (OK)
[root@centos8 ~]# smbclient -mSMB2 -L win10a -Uospite%Ospite@2019

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Amministrazione remota
        C$              Disk      Condivisione predefinita
        IPC$            IPC       IPC remoto
        public          Disk      


e) Access from centos8 to \\win10a\public (a shared win10a folder) works (OK)
[root@centos8 ~]# smbclient -mSMB2 //win10a/public -Uospite%Ospite@2019 -c ls
  .                                   D        0  Mon Sep 30 18:33:48 2019
  ..                                  D        0  Mon Sep 30 18:33:48 2019
                28694783 blocks of size 4096. 24742374 blocks available

f) Browsing win10a from win10b and vice versa does not work; I get an "Access Denied" error (NOT-OK)

g) From addc1 and centos8, if I try nmblookup win10* I get this result (NOT OK)
[root@centos8 ~]# nmblookup win10a
name_query failed to find name win10a

Now let me know how I can help you to find and resolve the remaining problems (access Win to Win and nmblookup).

Many Thanks.

Comment 14 Alexander Bokovoy 2019-10-01 06:35:14 UTC
Dario,

thank you very much for the test. I believe (f) is known and will be fixed when https://github.com/krb5/krb5/pull/983 and https://gitlab.com/samba-team/samba/merge_requests/818 (and some more fixes) would be merged in both krb5 and samba.

(g) is somewhat different -- I think there were reports that Windows 10 build 1803 disabled use of NetBIOS over TCP/IP. You can follow recipes in https://support.microsoft.com/en-us/help/204279/direct-hosting-of-smb-over-tcp-ip to see what's the state of your configuration.

Comment 15 Alexander Bokovoy 2019-10-02 17:24:26 UTC
Hi,

I have built our current work in progress patches to make Samba AD DC working with MIT Kerberos in https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/. This build is for Fedora 31 and includes fixes for https://bugzilla.redhat.com/show_bug.cgi?id=1748860 and https://bugzilla.redhat.com/show_bug.cgi?id=1757071

Please test it by following these instructions on Fedora 31 host:

$ dnf copr enable abbra/samba-nodes-test 
$ dnf install samba-dc
..

Once tested and also accepted to Samba upstream, we can do backports to Fedora 30/31.

Comment 16 Dario Lesca 2019-10-03 12:39:50 UTC
On my test Fedora 31 system, to resolve the samba-dc deploy problem (already resolved with the previous patch), I had already enabled abbra's copr repo, so I did a simple dnf update on addc1 and rebooted all machines.

PC win10a shares a c:\public folder to everyone

On PC win10b I did "net use x: \\win10a\public /user:administrator"
and I get "System error 5. Access Denied"

On PC centos8 the same command works:

[root@centos8 ~]# smbclient -mSMB2 //win10a/public -Uadministrator -c ls
Enter MOSCA\administrator's password: 
  .                                   D        0  Mon Sep 30 18:33:48 2019
  ..                                  D        0  Mon Sep 30 18:33:48 2019

                28694783 blocks of size 4096. 24330219 blocks available

Must I do some other tests?

Comment 17 Mikel Pérez 2019-10-11 13:45:16 UTC
I've had my DC set up with abbra's copr for a week and everything is relatively smooth so far

Comment 18 Mikel Pérez 2019-10-11 13:46:37 UTC
how do we get the fixes integrated for f31's release? it shouldn't ship broken packages

Comment 19 Alexander Bokovoy 2019-10-13 09:27:08 UTC
I'd prefer to get MR818 merged upstream first. There are also a few more fixes we need to actually set up Samba AD DC properly on Fedora 31. I have merged a small part of it upstream already but not everything yet.

Since Fedora 31 is in freeze state already, we can get the fixes into updates-testing right now but not into the stable tree.

Comment 20 Fedora Update System 2019-10-27 13:33:17 UTC
FEDORA-2019-60b6e9e11b has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-60b6e9e11b

Comment 21 Fedora Update System 2019-10-30 12:38:00 UTC
FEDORA-2019-534b7929b7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

Comment 22 Dario Lesca 2019-10-31 17:10:24 UTC
(In reply to Fedora Update System from comment #21)
> FEDORA-2019-534b7929b7 has been submitted as an update to Fedora 31.
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

I have installed a fresh Fedora Server 31 and updated it.

To install the new version of samba I had to enable the updates-testing repo

yum update samba --enablerepo updates-testing

Now samba-dc-4.11.1-1.fc31.x86_64 is installed

Then I deployed my test domain and everything worked well

Must I also test Win to Win access, or does this version not yet contain the S4U fix?

Many thanks
Dario

Comment 23 Isaac Boukris 2019-10-31 17:22:15 UTC
Hi Dario, thanks for testing.
The fix in fedora 31 only contains minimal changes to allow functionality, it does not include S4U fixes, this will take a while.
Regards.

Comment 24 Fedora Update System 2019-11-01 17:21:12 UTC
samba-4.11.2-0.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

Comment 25 dD.d 2019-11-01 23:01:50 UTC
Hi, I am taking my first stab at Fedora's native samba dc capabilities.

Not sure if this should be brought up here, but selinux inhibits or interferes with many of the samba-tool commands. Is this a known issue?

Most commonly, I see this:

type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155 comm="samba-tool" path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=47a000 a2=3 a3=1 items=0 ppid=29153 pid=29155 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7" subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null) 

But also this:

type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for pid=29202 comm="samba-tool" name="29202" scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1572648174.501:18935): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fff3b2a8560 a2=6e a3=7fff3b2a8246 items=2 ppid=29200 pid=29202 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7" subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
type=CWD msg=audit(1572648174.501:18935): cwd="/home/dc1"
type=PATH msg=audit(1572648174.501:18935): item=0 name="/var/lib/samba/private/msg.sock/" inode=788573 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:samba_var_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1572648174.501:18935): item=1 name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Comment 26 Alexander Bokovoy 2019-11-02 09:15:18 UTC
(In reply to dD.d from comment #25)
> Hi, I am taking my first stab at Fedora's native samba dc capabilities.
> 
> Not sure if this should be brought up here, but selinux inhibits or
> interferes with many of the samba-tool commands. Is this a known issue?
> 
> Most commonly, I see this:
> 
> type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155
> comm="samba-tool"
> path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.
> ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023
> tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9
> success=no exit=-13 a0=0 a1=47a000 a2=3 a3=1 items=0 ppid=29153 pid=29155
> auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
> ses=6 comm="samba-tool" exe="/usr/bin/python3.7"
> subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null) 
> 
> But also this:
> 
> type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for
> pid=29202 comm="samba-tool" name="29202"
> scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023
> tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
> type=SYSCALL msg=audit(1572648174.501:18935): arch=c000003e syscall=49
> success=no exit=-13 a0=6 a1=7fff3b2a8560 a2=6e a3=7fff3b2a8246 items=2
> ppid=29200 pid=29202 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7"
> subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
> type=CWD msg=audit(1572648174.501:18935): cwd="/home/dc1"
> type=PATH msg=audit(1572648174.501:18935): item=0
> name="/var/lib/samba/private/msg.sock/" inode=788573 dev=fd:02 mode=040700
> ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:samba_var_t:s0 nametype=PARENT
> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(1572648174.501:18935): item=1
> name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE cap_fp=0
> cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Please open a new bug against selinux policy with this. Right now we have the following rules:
# sesearch -A -s sysadm_t -t samba_var_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain samba_var_t:dir { getattr open search };
allow nsswitch_domain samba_var_t:file { getattr ioctl lock open read };
allow sysadm_t file_type:blk_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:chr_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow sysadm_t file_type:fifo_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:file { getattr relabelfrom relabelto };
allow sysadm_t file_type:filesystem getattr;
allow sysadm_t file_type:lnk_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:blk_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:chr_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink write };
allow sysadm_t non_security_file_type:fifo_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:lnk_file { append create getattr ioctl link lock read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t samba_var_t:dir { getattr open search };
allow sysadm_usertype file_type:filesystem getattr;
allow sysadm_usertype samba_var_t:dir { getattr open search };

'map' should be covered by the SELinux boolean 'domain_can_mmap_files' which is 'off' by default but the second AVC (create) needs a new rule, it seems.
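
As an added example (not code from this bug report, Samba or the SELinux tool set), the following script does the triage Alexander performs by hand above: it parses AVC records from the audit log and the rules printed by `sesearch -A`, then reports for each denial whether an existing rule grants it outright, grants it only when a boolean is on, or does not exist at all. The inputs are the two denials quoted in comment 25 and a subset of the sesearch listing above. The assumption is that the listing was produced with -s and -t set to the denial's own source and target types, so attribute names like `domain` and `file_type` are taken to cover them without resolving them against the loaded policy.

```python
"""Triage SELinux AVC denials against the rules printed by `sesearch -A`.

Added example, not code from this bug report, Samba or the SELinux tools.
Assumption: the rule listing comes from a sesearch constrained with -s/-t to
the denial's own source and target types, so attribute names such as `domain`
and `file_type` are taken to include them without consulting the policy.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# `allow SRC TGT:CLASS perm;` or `allow SRC TGT:CLASS { p1 p2 };`, optionally
# followed by `[ boolean ]:True|False` when the rule is conditional.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>[^\s;]+));"
    r"(?:\s*\[\s*(?P<bool>\S+)\s*\]:(?P<state>True|False))?\s*$"
)


class Denial(NamedTuple):
    perms: frozenset
    stype: str       # type component of scontext, e.g. sysadm_t
    ttype: str       # type component of tcontext, e.g. samba_var_t
    tclass: str


class Rule(NamedTuple):
    src: str
    tgt: str
    tclass: str
    perms: frozenset
    boolean: Optional[str]  # None when unconditional
    state: Optional[bool]   # boolean value under which the rule is active


def parse_avc(line: str) -> Optional[Denial]:
    """One audit record -> Denial, or None for non-AVC lines (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # contexts are user:role:type[:range]; index 2 is the type
    return Denial(frozenset(m.group("perms").split()),
                  m.group("scontext").split(":")[2],
                  m.group("tcontext").split(":")[2],
                  m.group("tclass"))


def parse_sesearch(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:       # prompt line, command echo, blanks
            continue
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        state = m.group("state")
        rules.append(Rule(m.group("src"), m.group("tgt"), m.group("tclass"),
                          frozenset(perms), m.group("bool"),
                          None if state is None else state == "True"))
    return rules


def triage(denial: Denial, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return ('allowed', None), ('boolean', 'name=on|off') or ('no_rule', None).

    'allowed' despite a logged denial points at mislabelled files or a stale
    policy; 'no_rule' means a boolean will not help and policy must change.
    """
    matching = [r for r in rules
                if r.tclass == denial.tclass and denial.perms <= r.perms]
    if any(r.boolean is None for r in matching):
        return ("allowed", None)
    if matching:
        r = matching[0]
        return ("boolean", f"{r.boolean}={'on' if r.state else 'off'}")
    return ("no_rule", None)


# The two AVC records from comment 25 and a subset of the sesearch listing above.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155 comm="samba-tool" path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for pid=29202 comm="samba-tool" name="29202" scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0',
]
SAMPLE_SESEARCH = """\
# sesearch -A -s sysadm_t -t samba_var_t
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain samba_var_t:file { getattr ioctl lock open read };
allow sysadm_t file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t samba_var_t:dir { getattr open search };
"""

if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    for d in map(parse_avc, SAMPLE_AVCS):
        print(d.tclass, sorted(d.perms), "->", triage(d, rules))
```

The verdicts match the conclusion above: the map denial is satisfied by a rule gated on domain_can_mmap_files (setsebool -P domain_can_mmap_files on, which widens mmap rights for every domain, not just samba-tool), while nothing grants create on samba_var_t:sock_file, so that one needs a policy change rather than a boolean.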

Comment 27 dD.d 2019-11-04 18:52:07 UTC
After enabling domain_can_mmap_files I am unable to reproduce either error, thank you.

Comment 28 dD.d 2019-11-04 21:47:02 UTC
Spoke too soon. That second selinux error is the result of binding to an interface in smb.conf

Opened a ticket here: https://bugzilla.redhat.com/show_bug.cgi?id=1768656

Comment 29 Fedora Update System 2019-11-06 12:16:50 UTC
FEDORA-2019-57d43f3b58 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-57d43f3b58

Comment 30 Fedora Update System 2019-11-07 01:44:33 UTC
samba-4.11.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-57d43f3b58

Comment 31 Fedora Update System 2019-11-14 01:12:37 UTC
samba-4.11.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.