realm join DOMAIN (samba) sets wrong krb5.keytab (missing subdomain)

Bug #1905000 reported by Alexander Fieroch
Affects: realmd (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Andreas Hasenack

Bug Description

I'm not sure if this bug is in package realmd, samba or winbind.

Joining an AD domain with realm (using samba and winbind for authentication) sets wrong entries in krb5.keytab.
Our clients are in a subdomain HOSTNAME.CLIENT.DOMAIN. After joining, the keytab entries point to HOSTNAME.DOMAIN.

I join clients with:

  realm join -v --automatic-id-mapping=no --membership-software=samba --client-software=winbind DOMAIN

wrong keytab:

root@kubuntu-latest:~# klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 restrictedkrbhost/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN (aes128-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 restrictedkrbhost/KUBUNTU-LATEST@DOMAIN (aes128-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN (arcfour-hmac)
   1 19.11.2020 16:48:31 restrictedkrbhost/KUBUNTU-LATEST@DOMAIN (arcfour-hmac)
   1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (aes128-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes128-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (arcfour-hmac)
   1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (arcfour-hmac)
   1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes128-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (arcfour-hmac)

host is in subdomain kubuntu-latest.client.domain:

root@kubuntu-latest:~# nslookup kubuntu-latest
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: kubuntu-latest.client.domain

I also recognized that the LDAP attribute "dNSHostName" for this machine account in AD is set to the incorrect FQDN: kubuntu-latest.domain

If I set the system to use SSSD instead of winbind and join with
  realm join --membership-software=adcli --client-software=sssd
the krb5.keytab is set correctly, with the subdomain.
But I need winbind...

Tested with:
Ubuntu 20.10
realmd 0.16.3-3ubuntu1
samba 2:4.12.5+dfsg-3ubuntu4.1

Revision history for this message
Bryce Harrington (bryce) wrote :

Could you elaborate further on how you're configuring things? I'm not very versed in Samba, but adding the 'client' level between the host and domain looks unusual, so it would be helpful if you could explain more (or provide a link to a reference describing your use case). Thanks ahead of time.

Changed in realmd (Ubuntu):
status: New → Incomplete
Alexander Fieroch (fieroch) wrote :

Our DHCP puts clients with a dynamically configured IP into a subdomain .client.DOMAIN, while clients with a static IP go to .DOMAIN.

Example:
I join clients to AD using sssd for authentication.
realm join --automatic-id-mapping=no --membership-software=adcli DOMAIN

The FQDN for this client is: kubuntu-lts.client.mpi-dortmund.mpg.de

realm sets correct keytab entries with correct FQDN including subdomain .client:

root@kubuntu-lts:/etc/sssd# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)

Now joining the same test VM using winbind for authentication.
realm join --automatic-id-mapping=no --membership-software=samba --client-software=winbind DOMAIN

The FQDN for this client is still: kubuntu-lts.client.mpi-dortmund.mpg.de

realm sets incorrect keytab entries without subdomain .client:

root@kubuntu-lts:/etc/sssd# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (ar...


Paride Legovini (paride) wrote :

Thank you Alexander for the additional information. I noticed you are using Ubuntu 20.10. Is the missing subdomain problem you are observing a regression in Ubuntu 20.10, or is the problem present even with earlier versions of Ubuntu (e.g. 20.04 LTS)?

Setting up a reproducer for this kind of issue is not straightforward, and bounding the problem to a change that happened between two releases helps the search for a possibly breaking change.

Thanks!

Alexander Fieroch (fieroch) wrote :

I just installed a VM with 20.04 and can confirm that the regression is also present in 20.04.
Next I'll test it on 19.10...

Alexander Fieroch (fieroch) wrote :

On 19.10 the bug does not occur and keytab entries are correct:

I joined to AD with:
realm join --user-principal=KUBUNTU-TEST$ --automatic-id-mapping=no --membership-software=samba --client-software=winbind --computer-name=kubuntu-test --os-name=Ubuntu --os-version=19.10 MPI-DORTMUND.MPG.DE

root@kubuntu-test:# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   3 01.12.2020 17:04:15 <email address hidden> (etype 1)
   3 01.12.2020 17:04:15 <email address hidden> (etype 1)
   3 01.12.2020 17:04:15 <email address hidden> (etype 3)
   3 01.12.2020 17:04:15 <email address hidden> (etype 3)
   3 01.12.2020 17:04:15 <email address hidden> (aes128-cts-hmac-sha1-96)
   3 01.12.2020 17:04:15 <email address hidden> (aes128-cts-hmac-sha1-96)
   3 01.12.2020 17:04:15 <email address hidden> (aes256-cts-hmac-sha1-96)
   3 01.12.2020 17:04:15 <email address hidden> (aes256-cts-hmac-sha1-96)
   3 01.12.2020 17:04:15 <email address hidden> (arcfour-hmac)
   3 01.12.2020 17:04:15 <email address hidden> (arcfour-hmac)
   3 01.12.2020 17:04:15 KUBUNTU-TEST$@MPI-DORTMUND.MPG.DE (etype 1)
   3 01.12.2020 17:04:15 KUBUNTU-TEST$@MPI-DORTMUND.MPG.DE (etype 3)
   3 01.12.2020 17:04:15 KUBUNTU-TEST$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   3 01.12.2020 17:04:15 KUBUNTU-TEST$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   3 01.12.2020 17:04:15 KUBUNTU-TEST$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   3 01.12.2020 17:05:07 <email address hidden> (etype 1)
   3 01.12.2020 17:05:07 <email address hidden> (etype 1)
   3 01.12.2020 17:05:07 <email address hidden> (etype 3)
   3 01.12.2020 17:05:07 <email address hidden> (etype 3)
   3 01.12.2020 17:05:07 <email address hidden> (aes128-cts-hmac-sha1-96)
   3 01.12.2020 17:05:07 <email address hidden> (aes128-cts-hmac-sha1-96)
   3 01.12.2020 17:05:07 <email address hidden> (aes256-cts-hmac-sha1-96)
   3 01.12.2020 17:05:07 <email address hidden> (aes256-cts-hmac-sha1-96)
   3 01.12.2020 17:05:07 <email address hidden> (arcfour-hmac)
   3 01.12.2020 17:05:07 <email address hidden> (arcfour-hmac)

So the regression starts with 20.04.

The last versions of samba and realmd that create a correct keytab, in 19.10, are:

root@kubuntu-test:# dpkg -l | grep -E "realm|samba"
ii python3-samba 2:4.10.7+dfsg-0ubuntu2.6 amd64 Python 3 bindings for Samba
ii realmd 0.16.3-3 amd64 DBus service for configuring ker...


Sergio Durigan Junior (sergiodj) wrote :

Thanks for providing more info. I'm marking this bug as New again, since the ball is now in our court. I'll see if I have time to look into this soon.

Changed in realmd (Ubuntu):
status: Incomplete → New
Sebastien Bacher (seb128) wrote :

I see you commented upstream on https://gitlab.freedesktop.org/realmd/realmd/-/issues/28 which sounds similar?

Andreas Hasenack (ahasenack) wrote :

I'm working on realmd (and adcli next) for Ubuntu 22.04 and will look at this.

Changed in realmd (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote :

I think this is working in jammy (22.04):

realm 0.17 (to be uploaded)
samba 4.13.14

My client vm:
root@j1:~# hostname -f
j1.internal.example.fake

Server is AD 2016:

join:
root@j1:~# realm join -v --automatic-id-mapping=no --membership-software=samba --client-software=winbind internal.example.fake
 * Resolving: _ldap._tcp.internal.example.fake
 * Performing LDAP DSE lookup on: 10.0.16.5
 * Successfully discovered: internal.example.fake
 * Unconditionally checking packages
 * Resolving required packages
 * Installing necessary packages: libnss-winbind samba-common-bin libpam-winbind winbind
 * LANG=C LOGNAME=root KRB5CCNAME=/var/cache/realmd/realm-ad-kerberos-B0AOF1 /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7B1DF1 -k ads join internal.example.fake
Using short domain name -- INTEXAMPLE
Joined 'J1' to dns domain 'internal.example.fake'
 * LANG=C LOGNAME=root KRB5CCNAME=/var/cache/realmd/realm-ad-kerberos-B0AOF1 /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7B1DF1 -k ads keytab create
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/sbin/update-rc.d winbind enable
 * /usr/sbin/service winbind restart
 * Successfully enrolled machine in realm

keytab (notice the host key has the "internal" domain component):
root@j1:~# klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
   1 01/10/22 14:56:04 <email address hidden> (aes256-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (aes256-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (aes128-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (aes128-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (DEPRECATED:arcfour-hmac)
   1 01/10/22 14:56:04 <email address hidden> (DEPRECATED:arcfour-hmac)
   1 01/10/22 14:56:04 <email address hidden> (aes256-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (aes256-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (aes128-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (aes128-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 <email address hidden> (DEPRECATED:arcfour-hmac)
   1 01/10/22 14:56:04 <email address hidden> (DEPRECATED:arcfour-hmac)
   1 01/10/22 14:56:04 J1$@INTERNAL.EXAMPLE.FAKE (aes256-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 J1$@INTERNAL.EXAMPLE.FAKE (aes128-cts-hmac-sha1-96)
   1 01/10/22 14:56:04 J1$@INTERNAL.EXAMPLE.FAKE (DEPRECATED:arcfour-hmac)

Andreas Hasenack (ahasenack) wrote :

Hm, I just realized I didn't have the exact same scenario as you. My DNS domain for the client was equal to the realm.

Andreas Hasenack (ahasenack) wrote :

Confirmed on focal:

root@f1:~# hostname
f1.client.internal.example.fake
root@f1:~# klist -ekt|grep client
root@f1:~#

In jammy I'm not sure. I get both host keys:
root@j1:~# klist -ekt|grep host/j1 -w
   1 01/10/22 19:37:57 <email address hidden> (aes256-cts-hmac-sha1-96)
   1 01/10/22 19:37:57 <email address hidden> (aes128-cts-hmac-sha1-96)
   1 01/10/22 19:37:57 <email address hidden> (DEPRECATED:arcfour-hmac)
   1 01/10/22 19:37:57 <email address hidden> (aes256-cts-hmac-sha1-96)
   1 01/10/22 19:37:57 <email address hidden> (aes128-cts-hmac-sha1-96)
   1 01/10/22 19:37:57 <email address hidden> (DEPRECATED:arcfour-hmac)

With and without the "client" subdomain part. And it's the same samba version: 4.13.14.

Samba is due an upgrade in jammy anyway, I'll revisit this ticket then.
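A scripted version of the check run in the comments above (compare the host/ principals in the keytab with the machine's real FQDN), added here as an example and not part of the bug report or of realmd/samba. The two klist listings are constructed to mirror the shape of the report's output; the live check at the end assumes klist and hostname -f are available.

```shell
#!/bin/sh
# Constructed listing (the "wrong" case from the report): the host/ principal
# carries kubuntu-latest.domain although the host is kubuntu-latest.client.domain.
WRONG_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes256-cts-hmac-sha1-96)'

# Constructed listing for the expected result: host/ principal with the subdomain.
GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   1 19.11.2020 16:48:31 host/kubuntu-latest.client.domain@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
   1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes256-cts-hmac-sha1-96)'

# keytab_has_host_principal LISTING FQDN: exit 0 if LISTING contains host/FQDN@...
# Works on "klist -ke" and "klist -ekt" output: key rows end in "(etype)", and the
# principal is the field just before it. FQDN comparison is case-insensitive.
keytab_has_host_principal() {
    want="host/$(printf '%s' "$2" | tr 'A-Z' 'a-z')@"
    printf '%s\n' "$1" | awk -v want="$want" '
        $NF ~ /^\(/ { if (index(tolower($(NF-1)), want) == 1) found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_host_fqdns LISTING: print the distinct FQDNs (names with a dot) that the
# host/ principals actually use, to see which DNS name the join wrote.
keytab_host_fqdns() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^\(/ {
            p = tolower($(NF-1))
            if (p ~ /^host\/[^@]*\.[^@]*@/) { sub(/^host\//, "", p); sub(/@.*$/, "", p); seen[p] = 1 }
        }
        END { for (f in seen) print f }' | sort
}

# check_live_keytab: run the same comparison against the real keytab of this host.
check_live_keytab() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed"; return 2; }
    fqdn=$(hostname -f)
    if keytab_has_host_principal "$(klist -ekt /etc/krb5.keytab)" "$fqdn"; then
        echo "OK: host/$fqdn is present in /etc/krb5.keytab"
    else
        echo "MISSING: no host/$fqdn entry; keytab host names: $(keytab_host_fqdns "$(klist -ekt /etc/krb5.keytab)")"
        return 1
    fi
}
```

Run `check_live_keytab` on a joined client; a non-zero exit with a different name listed is the symptom this bug describes.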
