Bug 1549969 - 'Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR' while accessing share.
Summary: 'Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR' while...
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Assignee: Alexander Bokovoy
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2018-02-28 08:03 UTC by Sudhir Menon
Modified: 2018-02-28 10:49 UTC (History)
Clone Of:
Last Closed: 2018-02-28 10:49:47 UTC


Attachments
Logs from Samba Server (33.38 KB, text/plain), 2018-02-28 08:05 UTC, Sudhir Menon
ENV Setup Details (7.61 KB, text/plain), 2018-02-28 08:19 UTC, Sudhir Menon

Description Sudhir Menon 2018-02-28 08:03:33 UTC
Description of problem:
'Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR' while accessing share.


Version-Release number of selected component (if applicable):
samba-common-tools-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
samba-common-libs-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-libs-4.7.1-6.el7.x86_64
samba-4.7.1-6.el7.x86_64
samba-client-4.7.1-6.el7.x86_64
samba-winbind-modules-4.7.1-6.el7.x86_64
samba-winbind-clients-4.7.1-6.el7.x86_64
samba-winbind-4.7.1-6.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Try to access the share hosted on 'ipa-fserver.ipa.test' from ipa-client as a trusted AD user using the command below.

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1 

Actual results: Cannot access the share.

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1 
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


Expected results:
Should be able to access the samba share.

Additional info:
The said issue was seen while running the existing CIFS tests, and although these tests passed earlier, I am not sure if this is a bug; logging it to see what causes the internal error "Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR".

A somewhat similar message was seen in the ticket below.
https://pagure.io/freeipa/issue/6551

Also removed the 'FILE:' from smb.conf, but still can't access the share.

Note: Attaching the specific setup used while the issue was seen.
Also attaching the logs of the samba server [ipa-fserver.ipa.test] where the share is hosted.

Comment 2 Sudhir Menon 2018-02-28 08:05 UTC
Created attachment 1401670 [details]
Logs from Samba Server

Comment 3 Sudhir Menon 2018-02-28 08:19 UTC
Created attachment 1401684 [details]
ENV Setup Details

Comment 5 Alexander Bokovoy 2018-02-28 08:52:58 UTC
According to comment 3, the configuration is incorrect. You shouldn't give a keytab with wrong keys.

Logs in comment 2 confirm it:
[2018/02/28 13:27:34.624795,  5, pid=21548, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2018/02/28 13:27:34.625086, 10, pid=21548, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/02/28 13:27:34.625229,  1, pid=21548, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse_krb5.c:513(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:513: krb5_kt_start_seq_get failed (No such file or directory)
[2018/02/28 13:27:34.625295,  1, pid=21548, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse_krb5.c:593(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:593: Error! Unable to set mem keytab - 2

smbd was unable to find a proper principal from the keytab.

Comment 6 Alexander Bokovoy 2018-02-28 09:21:06 UTC
Also, this ipa-fserver host is not enrolled into the IPA domain. This is an invalid test, as something should be done to set up basic Kerberos configuration, namely the default realm used by the krb5 library.

Comment 7 Sudhir Menon 2018-02-28 10:48:55 UTC
ab,

Thank you for explaining the issue where the setup was wrong. After rectifying the same, I was able to access the samba share.

1. Trying to get the keytab on ipa-server itself was incorrect. So I joined ipa-fserver to the IPA realm using ipa-client-install, since only setting up smb.conf with realm = IPA.TEST doesn't let the Samba server locate the Kerberos server.

2. Also, there was no need to replace /etc/krb5.keytab on ipa-fserver; I just copied the keytab generated in /root/samba.keytab to /etc/samba, which only included entries for ipa-fserver in this case.

3. So I ran the commands below on ipa-fserver after running ipa-client-install, and the share was accessible using ipauser as well as a trusted AD user.


[root@ipa-fserver ~]# ipa service-add cifs/ipa-fserver.ipa.test
--------------------------------------------------
Added service "cifs/ipa-fserver.ipa.test@IPA.TEST"
--------------------------------------------------
  Principal name: cifs/ipa-fserver.ipa.test@IPA.TEST
  Principal alias: cifs/ipa-fserver.ipa.test@IPA.TEST
  Managed by: ipa-fserver.ipa.test

[root@ipa-fserver ~]# ipa-getkeytab -s ipa-server1.ipa.test -p cifs/ipa-fserver.ipa.test -k /root/samba.keytab 

Keytab successfully retrieved and stored in: /root/samba.keytab
[root@ipa-fserver ~]# ktutil
ktutil:  read_kt /root/samba.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1       cifs/ipa-server1.ipa.test@IPA.TEST
   2    1       cifs/ipa-server1.ipa.test@IPA.TEST
   3    1       cifs/ipa-fserver.ipa.test@IPA.TEST
   4    1       cifs/ipa-fserver.ipa.test@IPA.TEST
   5    1       cifs/ipa-fserver.ipa.test@IPA.TEST
   6    1       cifs/ipa-fserver.ipa.test@IPA.TEST
   7    1       cifs/ipa-fserver.ipa.test@IPA.TEST
   8    1       cifs/ipa-fserver.ipa.test@IPA.TEST
ktutil:  q

[root@ipa-fserver ~]# cp -frv /root/samba.keytab /etc/samba/
‘/root/samba.keytab’ -> ‘/etc/samba/samba.keytab’

[root@ipa-fserver ~]# cd /etc/samba/
[root@ipa-fserver samba]# ls -l
total 28
-rw-r--r--. 1 root root    20 Dec 20 22:30 lmhosts
-rwx------. 1 root root   682 Feb 28 16:09 samba.keytab
-rw-r--r--. 1 root root   369 Feb 28 12:55 smb.conf
-rw-r--r--. 1 root root 11327 Dec 20 22:30 smb.conf.example
-rw-r--r--. 1 root root   706 Feb 27 14:34 smb.conf.org

[root@ipa-fserver samba]# chmod 0700 samba.keytab 
[root@ipa-fserver samba]# ls -l
total 28
-rw-r--r--. 1 root root    20 Dec 20 22:30 lmhosts
-rwx------. 1 root root   682 Feb 28 16:09 samba.keytab

===Accessing share as trusted ad user from ipa-fclient===

[root@ipa-fclient ~]# klist -l
Principal name                 Cache name
--------------                 ----------
cuser1@PNE.QE                  KEYRING:persistent:0:0

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1
Try "help" to get a list of possible commands.
smb: \> md cifsuser1
smb: \> ls
  .                                   D        0  Wed Feb 28 16:10:25 2018
  ..                                  D        0  Tue Feb 27 14:35:59 2018
  cifsuser1                           D        0  Wed Feb 28 16:10:25 2018

		36805060 blocks of size 1024. 34189912 blocks available
smb: \> [root@ipa-fclient ~]# 

===Accessing share as trusted ad user from ipa-fclient===

[root@ipa-fclient ~]# kdestroy -A

[root@ipa-fclient ~]# echo ipauser1 | kinit ipauser1
Password for ipauser1@IPA.TEST: 

[root@ipa-fclient ~]# klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1@IPA.TEST              KEYRING:persistent:0:0

[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1
Try "help" to get a list of possible commands.
smb: \> md ipauser1
smb: \> ls
  .                                   D        0  Wed Feb 28 16:11:00 2018
  ..                                  D        0  Tue Feb 27 14:35:59 2018
  cifsuser1                           D        0  Wed Feb 28 16:10:25 2018
  ipauser1                            D        0  Wed Feb 28 16:11:00 2018

		36805060 blocks of size 1024. 34188924 blocks available


[root@ipa-fserver ~]# cd /mnt/samba/share1/
[root@ipa-fserver share1]# pwd
/mnt/samba/share1
[root@ipa-fserver share1]# ls -l
total 0
drwxr-xr-x. 2 cuser1@pne.qe cuser1@pne.qe 6 Feb 28 16:10 cifsuser1
drwxr-xr-x. 2 ipauser1      ipauser1      6 Feb 28 16:11 ipauser1
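
A pre-flight check for the configuration mistake diagnosed in comment 5 and fixed in comment 7, as an added example (not from this bug report or the Samba project): it verifies that the keytab smb.conf points smbd at exists, is not readable by group or others, and actually holds a cifs/<fqdn>@REALM entry, so gse_krb5 can start. The script name, the hostname and the realm in the example invocation are placeholders taken from the report; it assumes MIT `klist` on the host.

```shell
#!/bin/sh
# check_samba_keytab.sh (added example, not from this bug report or Samba).
# Checks the three things the report turns on: the keytab named by
# "dedicated keytab file" exists, it is root-only, and it has the cifs/ key.

# Print the "dedicated keytab file" value from smb.conf text on stdin, minus
# any FILE: prefix; prints nothing when the parameter is not set.
keytab_from_smbconf() {
    sed -n 's/^[[:space:]]*dedicated keytab file[[:space:]]*=[[:space:]]*//p' |
        sed 's/^FILE://; s/[[:space:]]*$//' | head -n 1
}

# Return 0 if a keytab listing on stdin (klist -k or ktutil "l" format, with
# the principal as the last field) contains exactly the principal given as $1.
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# Return 0 if $1 is a regular file with no group or other permission bits,
# as the keytab in comment 7 ended up (mode 0700).
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{ print substr($1, 5, 6) }')" = "------" ]
}

# check_keytab SMB_CONF FQDN REALM: run all three checks on a live host.
# Assumes MIT klist is installed.
check_keytab() {
    conf="$1" fqdn="$2" realm="$3"
    kt=$(keytab_from_smbconf < "$conf")
    [ -n "$kt" ] || { echo "FAIL: no 'dedicated keytab file' in $conf"; return 1; }
    keytab_mode_ok "$kt" || { echo "FAIL: $kt missing or readable by others"; return 1; }
    klist -k "$kt" | keytab_has_principal "cifs/$fqdn@$realm" ||
        { echo "FAIL: $kt has no cifs/$fqdn@$realm key; gse_krb5 cannot start"; return 1; }
    echo "OK: $kt holds cifs/$fqdn@$realm"
}

# Example invocation with the placeholder host and realm from the report:
# check_keytab /etc/samba/smb.conf ipa-fserver.ipa.test IPA.TEST
```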

