RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1836427 - net ads join use of netbios+realm breaks GSSAPI authentication
Summary: net ads join use of netbios+realm breaks GSSAPI authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.8
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Isaac Boukris
QA Contact: sssd-qe
URL:
Whiteboard:
: 1832111 1835681 1846068 (view as bug list)
Depends On:
Blocks: 1850981
TreeView+ depends on / blocked
 
Reported: 2020-05-15 21:03 UTC by Robbert Eggermont
Modified: 2024-03-25 15:56 UTC (History)
15 users (show)

Fixed In Version: samba-4.10.16-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1850981 (view as bug list)
Environment:
Last Closed: 2020-09-29 20:19:10 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3981 0 None None None 2020-09-29 20:19:25 UTC
Samba Project 14396 0 None None None 2020-05-27 18:32:30 UTC

Description Robbert Eggermont 2020-05-15 21:03:34 UTC 
Description of problem:
'net ads join' does not use the host's FQDN, but what looks like some form of "<short_hostname>.<dns_realm>". The resulting incorrect HOST service principle breaks Kerberos.

Version-Release number of selected component (if applicable):
RHEL 7.8
Samba 4.10.4-10.el7

How reproducible:
Always

Steps to Reproduce:
1. Create AD domain "DOMAIN.NET"
2. Set FQDN "hostname.subdomain.domain.nl"
3. Execute "net ads join"

Actual results:
Service principle "host/hostname.domain.net"

Expected results:
ServicePrinciple "host/hostname.subdomain.domain.nl"


Additional info:
This worked as expected in RHEL 7.7 (Samba 4.9.1-10.el7_7) and earlier.
Comment 2 Isaac Boukris 2020-05-15 21:23:20 UTC 
This was changed in bug #1802182 to use netbios+realm, see also bug #1835681.
As an alternative, a new smb.conf option was added "additional dns hostnames", allowing to add SPNs at join time.
Comment 3 Robbert Eggermont 2020-05-15 23:35:32 UTC 
Thanks, I already looked at the "additional dns hostnames" option in the smb.conf man page, but did not see this as applicable, because 1) the currently used netbios+realm "name" is clearly related to the realm and not the DNS, and 2) the consistent use of "additional" made me believe that this was not needed for the default FQDN (which would be the logical thing).

Unfortunately I do not have access to bug #1802182, but I managed to find https://bugzilla.samba.org/show_bug.cgi?id=14116. There is not enough information in there for me to understand the problem that it tries to fix, nor the impact of this change for current common use. Were things like GSSAPI authentication supposed to keep working as before with the new netbios+realm solution in common AD environments? If so, what makes our situation uncommon?

Also, the need to explicitly define an (default!) FQDN in the smb.conf seems to be disproportionate to the previous requirement for a correct /etc/hostname (which usually makes live easier in other ways as well). We were using the same standard smb.conf for all our hosts, the need for host-specific options in there makes rollout and updates more complex.

Is it not possible to automatically add an extra SPN with the default FQDN during (or after) the join in a way that any errors for that extra SPN are silently ignored?
(And if so, would this not also be a solution for the original problem, so that this change can be reverted?)

Alternatively, was adding a more visible extra option to net ads join for specifying the additional DNS names directly during the join considered?
Comment 4 Robbert Eggermont 2020-05-16 00:05:05 UTC 
Using the "additional dns hostnames" option does create the extra SPN, but does not add it to the keytab? To make ssh GSSAPI logins work I had to manually add the SPN to the keytab.
Comment 5 Isaac Boukris 2020-05-16 12:08:36 UTC 
(In reply to Robbert Eggermont from comment #4)
> Using the "additional dns hostnames" option does create the extra SPN, but
> does not add it to the keytab? To make ssh GSSAPI logins work I had to
> manually add the SPN to the keytab.

Sounds like sshd passes an explicit principal when accepting the ticket, you could probably workaround it by setting ignore_acceptor_hostname=true in krb5.conf but this sound like a good reason to add "additional dns hostnames" entries to the keytab. I have reopened bug #1828354 for that matter.

Otherwise, I can think of adding an option to the net-join command, like dnshostname to specify an alternative dNSHostName and SPN, do you think that would be more helpful?
Comment 6 Robbert Eggermont 2020-05-19 07:27:56 UTC 
I would still very much like to know if this change which is incompatible with decades of common practice of using FQDNs (including the uses of FQDNs by one of the major KDC providers, Microsoft's Active Directory) was really necessary and worth the breaks compared to the problem it solves? (We have been running like this for 10(!) years, with RHEL 5, 6, 7 and 8, no problems. I hate to be a tester of this in our production environment!)

But yes, I would prefer a (clearly documented) option for the net-join command.
Comment 7 Isaac Boukris 2020-05-19 08:04:37 UTC 
As explained, samba will no longer implicitly use machine fqdn at join time as decided upstream to make the join process more reliable.

I'll be looking into adding it as an option to net-join command.
Comment 8 Robbert Eggermont 2020-05-19 09:02:45 UTC 
Alright, if the change was correct, then the problem must be in the way ssh uses GSSAPI? Any way then that that can be fixed then so that ssh GSSAPI logins once again work "out-of-the-box" without requiring a change in the way we roll out our installations?
Comment 9 Isaac Boukris 2020-05-19 09:08:37 UTC 
If the fqdn differs as in this case, you'd still need the new net-join option (not implemented yet) or use "additional dns hostnames" (once it is fixed to add entries to the keytab, per #1828354).
Comment 10 Robbert Eggermont 2020-05-19 09:24:06 UTC 
Should the '[domain_realm]' mappings in krb5.conf not somehow make this work?

Or is the new "best practice" thus to have the realm identical to the domain?
Comment 11 Isaac Boukris 2020-05-19 12:30:08 UTC 
Not sure I follow, no need for krb5.conf changes.
Comment 12 Isaac Boukris 2020-06-02 08:32:42 UTC 
*** Bug 1835681 has been marked as a duplicate of this bug. ***
Comment 13 Sumit Bose 2020-06-04 15:29:47 UTC 
*** Bug 1832111 has been marked as a duplicate of this bug. ***
Comment 16 Isaac Boukris 2020-06-10 17:32:13 UTC 
*** Bug 1846068 has been marked as a duplicate of this bug. ***
Comment 17 Isaac Boukris 2020-06-10 17:39:59 UTC 
Summary of the fix to be released:
We recently changed the dnsHostName attribute at join time to be netbios+realm instead of implicitly using machine fqdn.
As an alternative, we provided "additional dns hostnames" smb.conf option to allow specifying additional hostnames.
In addition, this bug fix provides a new net-ads-join dnshostname=fqdn option to allow specifying the dnsHostName at join time.
Comment 21 staeglis 2020-08-06 11:01:20 UTC 
Then will the fix be released?
Comment 25 errata-xmlrpc 2020-09-29 20:19:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3981
Comment 26 PALLAVI 2020-10-16 12:08:49 UTC 
Hello Team,

"Will "net" option "dnshostname" also adopted by command "realm join" ?" It seems samba-4.10.16-7 does not consider dnshostname option by realm command


Thanks & Regards,
Pallavi Soni
Comment 27 Sumit Bose 2020-10-16 15:57:56 UTC 
(In reply to PALLAVI from comment #26)
> Hello Team,
> 
> "Will "net" option "dnshostname" also adopted by command "realm join" ?" It
> seems samba-4.10.16-7 does not consider dnshostname option by realm command
> 
> 
> Thanks & Regards,
> Pallavi Soni

Hi,

see https://bugzilla.redhat.com/show_bug.cgi?id=1867912, please note that realmd in RHEL-8.3 will not use the 'dnshostname' command line option but the 'additional dns hostnames' smb.conf option.

HTH

bye,
Sumit
Note You need to log in before you can comment on or make changes to this bug.