Bug 834441 - /usr/bin/net can't join windows domain controller unless default_tkt_enctypes = rc4-hmac
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: samba
Version: rawhide
Assigned To: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-21 17:31 EDT by Ray Strode [halfline]
Modified: 2013-01-30 04:47 EST
Doc Type: Bug Fix
Last Closed: 2013-01-30 04:47:42 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
FreeDesktop.org 52390 None None None 2012-07-23 12:38:03 EDT

Description Ray Strode [halfline] 2012-06-21 17:31:02 EDT
<halfline> simo: if in order to enroll in a windows domain controller (with /usr/bin/net) i need to first change /etc/krb5.conf to have default_tkt_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96
<halfline> is that likely a misconfiguration of the domain controller ?
<halfline> or a problem in the client machine that is enrolling
<simo> halfline: you shouldn't need that
<simo> what made you do that ?
<halfline> well when i ran net with tracing enabled it hinted that that might be the problem in the spew:

    [root@halfline-ssd] (/srv/sources/fdo/realmd/service) <04:59 PM>
    # KRB5_TRACE=/dev/stderr net ads join SPICE.LAB.ENG.BOS.REDHAT.COM -k
    [23915] 1340312376.44616: Getting credentials halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> cifs/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM using ccache FILE:/tmp/krb5cc_0
    [23915] 1340312376.44806: Retrieving halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> cifs/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
    [23915] 1340312376.44889: Retrieving halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> krbtgt/SPICE.LAB.ENG.BOS.REDHAT.COM@SPICE.LAB.ENG.BOS.REDHAT.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
    [23915] 1340312376.44939: Generated subkey for TGS request: aes256-cts/7B3B
    [23915] 1340312376.44949: etypes requested in TGS request: rc4-hmac
    [23915] 1340312376.45132: Sending request (1595 bytes) to SPICE.LAB.ENG.BOS.REDHAT.COM
    [23915] 1340312376.46051: Resolving hostname directory.spice.lab.eng.bos.redhat.com.
    [23915] 1340312376.46428: Resolving hostname directory.spice.lab.eng.bos.redhat.com.
    [23915] 1340312376.46790: Initiating TCP connection to stream 10.16.24.11:88
    [23915] 1340312376.47005: Sending TCP request to stream 10.16.24.11:88
    [23915] 1340312376.47499: Received answer from stream 10.16.24.11:88
    [23915] 1340312376.47869: Response was not from master KDC
    [23915] 1340312376.47913: Generated subkey for TGS request: aes256-cts/7D39
    [23915] 1340312376.47919: etypes requested in TGS request: rc4-hmac
    [23915] 1340312376.48011: Sending request (1595 bytes) to SPICE.LAB.ENG.BOS.REDHAT.COM
    [23915] 1340312376.48570: Resolving hostname directory.spice.lab.eng.bos.redhat.com.
    [23915] 1340312376.48871: Resolving hostname directory.spice.lab.eng.bos.redhat.com.
    [23915] 1340312376.49200: Initiating TCP connection to stream 10.16.24.11:88
    [23915] 1340312376.49441: Sending TCP request to stream 10.16.24.11:88
    [23915] 1340312376.49859: Received answer from stream 10.16.24.11:88
    [23915] 1340312376.50285: Response was not from master KDC
    [23915] 1340312376.50420: Creating authenticator for halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> cifs/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM, seqnum 0, subkey rc4-hmac/6ED0, session key rc4-hmac/04C9
    [23915] 1340312376.302604: Getting credentials halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> ldap/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM using ccache FILE:/tmp/krb5cc_0
    [23915] 1340312376.302670: Retrieving halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> ldap/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
    [23915] 1340312376.302726: Retrieving halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> krbtgt/SPICE.LAB.ENG.BOS.REDHAT.COM@SPICE.LAB.ENG.BOS.REDHAT.COM from FILE:/tmp/krb5cc_0 with result: -1765328184/No credentials found with supported encryption types
    [23915] 1340312376.302764: Retrieving halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> krbtgt/SPICE.LAB.ENG.BOS.REDHAT.COM@SPICE.LAB.ENG.BOS.REDHAT.COM from FILE:/tmp/krb5cc_0 with result: -1765328184/No credentials found with supported encryption types
    Failed to join domain: failed to connect to AD: Cannot read password

<halfline> simo: "No credentials found with supported encryption types"
<halfline> so i tried changing that option based on seeing it in the man page
<halfline> if i put  default_tkt_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96 it works
<halfline> if i comment out the line or put default_tkt_enctypes = aes256-cts-hmac-sha1-96, rc4-hmac it fails
<simo> odd
<simo> halfline: what krb5 version ?
<halfline> latest in rawhide
<halfline> krb5-workstation-1.10.2-2
<halfline> fwiw, if i run klist -e in both the success case and the failure case, the diff shows one ticket
<halfline> for ldap that's missing in the failure case
<halfline> in the success case it has the ticket type arcfour-hmac
<simo> halfline: what samba version ?
<halfline> samba-common-3.6.5-86
<simo> uhmm
<simo> can you do a test for me ?
<halfline> sure
<simo> use default krb5.conf
<simo> and kinit halfline@SPICE....
<halfline> k, i think i have it laying around as a .rpmnew file already
<simo> then run kvno ldap/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM
<simo> halfline: just use a default with aes first
<simo> does kvno ldap/... succeed ?
* halfline tries
<halfline> http://fpaste.org/NwbM/
<simo> it didn't fail
<simo> can you klist -e now and paste ?
<halfline> sure:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: halfline@SPICE.LAB.ENG.BOS.REDHAT.COM
     
    Valid starting Expires Service principal
    06/21/12 17:12:11 06/22/12 03:09:59 krbtgt/SPICE.LAB.ENG.BOS.REDHAT.COM@SPICE.LAB.ENG.BOS.REDHAT.COM
    renew until 06/28/12 17:12:11, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    06/21/12 17:10:23 06/22/12 03:09:59 cifs/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM
    renew until 06/28/12 17:10:23, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
    06/21/12 17:12:29 06/22/12 03:09:59 ldap/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM
    renew until 06/28/12 17:12:11, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

<simo> ok so I think this is a samba limitation
<simo> we have stupid code to set enctypes to rc4/des and exclude aes
<simo> so I think the bug is in samba
<halfline> interesting
<halfline> why does it do that?
<simo> halfline: can you open a bug against samba with the first paste that shows the net command failing ?
<simo> halfline: stupid old compat issues with aes
<simo> I think we have them sorted out in master
<simo> so we'll see whether we can backport anything to 3.6.x or if we will decide you have to go samba 4.0 to get proper aes support
<simo> well wasn't too stupid at the time, as aes would simply not work ... but yeah now that windows uses aes it is a hindrance
<halfline> on the windows machine initially it didn't have AES checked for my username
<halfline> and i checked them
<halfline> (in an effort to get things working)
<halfline> i'm not sure what stage of broken things were in at that time
<halfline> i should probably try unchecking those boxes and see how the behavior changes
Comment 1 Ray Strode [halfline] 2012-06-21 17:37:37 EDT
just to follow up on my last point, unchecking the boxes changes nothing.  tgt ticket still ends up aes, cifs ticket still ends up arcfour, and the ldap ticket still fails to get acquired.
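A way to do offline what the reporter did by hand above (diff `klist -e` between the working and failing runs, and read the enctype lines out of the KRB5_TRACE output), added here as an example; it is not part of the bug report, of Samba, or of MIT krb5. The success-case `klist -e` sample and the trace excerpt are re-typed from the description, the failing-case cache is constructed as the same cache without the ldap ticket (which is what Comment 1 describes), and the list of enctypes treated as weak is this example's own choice. The trace lines the example picks out are the security-relevant ones: the client offered only rc4-hmac in the TGS request while the cached TGT was aes256-keyed, so the ccache lookup failed with "No credentials found with supported encryption types". Listing rc4-hmac first in default_tkt_enctypes makes the client accept RC4-keyed tickets, which is why the workaround "worked" and why it is a downgrade of every ticket rather than a fix; the fix is the Samba update referred to in Comments 4 and 5.

```python
"""Offline triage of the enctype mismatch behind a failing `net ads join`.

parse_klist() reads `klist -e` output (which ticket was issued with which
enctype); tgs_requests() and trace_has_etype_failure() read a KRB5_TRACE log.
Sample inputs are re-typed from the bug or constructed; nothing here runs
kinit, kvno or klist.
"""
import re
from typing import Dict, List, Tuple

# Enctype names as MIT klist prints them that an AD join should not depend on:
# RC4 and single DES. (This example's own list, not a krb5 or Samba constant.)
WEAK_ETYPES = frozenset({
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw",
})

_DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^\s*({_DATE})\s+({_DATE})\s+(\S+)(.*)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")
TGS_ETYPES_RE = re.compile(r"etypes requested in TGS request:\s*(.+?)\s*$")
NO_ETYPE_ERR = "No credentials found with supported encryption types"


def parse_klist(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each service principal in `klist -e` output to (session key etype, ticket etype).

    klist prints the Etype field either at the end of the ticket's own line or on
    the following 'renew until' line, so both places are checked.
    """
    tickets: Dict[str, Tuple[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(3)
            tickets[current] = ("?", "?")  # etype not seen yet
            rest = m.group(4)
        else:
            rest = line
        e = ETYPE_RE.search(rest)
        if e and current:
            tickets[current] = (e.group(1), e.group(2))
    return tickets


def weak_tickets(tickets: Dict[str, Tuple[str, str]]) -> List[str]:
    """Principals whose session key or ticket was issued with an RC4/DES enctype."""
    return sorted(p for p, (skey, tkt) in tickets.items()
                  if skey in WEAK_ETYPES or tkt in WEAK_ETYPES)


def missing_services(good: Dict[str, Tuple[str, str]],
                     bad: Dict[str, Tuple[str, str]]) -> List[str]:
    """Service principals the working cache holds that the failing cache never got."""
    return sorted(set(good) - set(bad))


def tgs_requests(trace: str) -> List[List[str]]:
    """Enctype lists the client offered in each TGS request, in order of appearance."""
    return [[e.strip() for e in m.group(1).split(",")]
            for m in map(TGS_ETYPES_RE.search, trace.splitlines()) if m]


def trace_has_etype_failure(trace: str) -> bool:
    """True when a ccache lookup was refused because no cached key matched the offered enctypes."""
    return NO_ETYPE_ERR in trace


# Re-typed from the bug's `klist -e` paste (default krb5.conf, after kinit + kvno ldap/...).
KLIST_SUCCESS = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: halfline@SPICE.LAB.ENG.BOS.REDHAT.COM

Valid starting     Expires            Service principal
06/21/12 17:12:11  06/22/12 03:09:59  krbtgt/SPICE.LAB.ENG.BOS.REDHAT.COM@SPICE.LAB.ENG.BOS.REDHAT.COM
        renew until 06/28/12 17:12:11, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/21/12 17:10:23  06/22/12 03:09:59  cifs/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM
        renew until 06/28/12 17:10:23, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
06/21/12 17:12:29  06/22/12 03:09:59  ldap/directory.spice.lab.eng.bos.redhat.com@SPICE.LAB.ENG.BOS.REDHAT.COM
        renew until 06/28/12 17:12:11, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
# Constructed: the failing run as Comment 1 describes it, i.e. the same cache minus the ldap ticket.
KLIST_FAILURE = "\n".join(KLIST_SUCCESS.splitlines()[:8]) + "\n"
# Re-typed excerpt of the KRB5_TRACE output from the description.
TRACE_FAILURE = """\
[23915] 1340312376.44939: Generated subkey for TGS request: aes256-cts/7B3B
[23915] 1340312376.44949: etypes requested in TGS request: rc4-hmac
[23915] 1340312376.45132: Sending request (1595 bytes) to SPICE.LAB.ENG.BOS.REDHAT.COM
[23915] 1340312376.302726: Retrieving halfline@SPICE.LAB.ENG.BOS.REDHAT.COM -> krbtgt/SPICE.LAB.ENG.BOS.REDHAT.COM@SPICE.LAB.ENG.BOS.REDHAT.COM from FILE:/tmp/krb5cc_0 with result: -1765328184/No credentials found with supported encryption types
"""

if __name__ == "__main__":
    good, bad = parse_klist(KLIST_SUCCESS), parse_klist(KLIST_FAILURE)
    for principal, (skey, tkt) in good.items():
        print(f"{principal}: skey={skey} tkt={tkt}")
    print("weak tickets:", weak_tickets(good))
    print("missing in failing cache:", missing_services(good, bad))
    print("enctypes offered per TGS request:", tgs_requests(TRACE_FAILURE))
    print("ccache etype lookup failure:", trace_has_etype_failure(TRACE_FAILURE))
```

On a real machine, feed it `klist -e > good.txt` from the working configuration, the same from the failing one, and `KRB5_TRACE=trace.txt net ads join ... -k`; a TGS request that offers only rc4-hmac against an aes256-keyed TGT is the signature of the client-side enctype restriction simo describes, and any principal reported by weak_tickets() is one that will break once RC4 is disabled on the domain.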
Comment 2 Stef Walter 2012-06-28 10:37:21 EDT
Ray, does this problem occur if you don't have a 'default_tkt_enctypes' line at all? Or no krb5.conf?
Comment 3 Ray Strode [halfline] 2012-07-23 12:35:40 EDT
yea, the problem happened until I added a default_tkt_enctypes line
Comment 4 Guenther Deschner 2012-12-14 07:34:24 EST
Have you checked with recent samba updates? We changed quite a bit to deal properly with AES kerberos keys.
Comment 5 Andreas Schneider 2013-01-30 04:47:42 EST
This should be fixed with a recent Samba version.
