Access denied between windows member, Samba ADC / MIT krb5

Be grateful if anyone has any ideas on a stable fix or workaround for this.

I have come across a problem with an active directory domain built with a Samba 4 AD controller. The test system consists of: -

  • 2 DCs, Leap 15.2, samba 4.11, krb5 1.16
  • 1 File Server member, Leap 15.2, samba 4.11, krb5 1.16
  • 1 windows 7 PC member
  • 1 windows 10 PC member

Most of the samba is configured with bare minimum as provisioned config.

What works: -

  • Domain logons on PCs
  • Access to samba shares from PCs to server
  • Roaming profiles
  • Home directories

What does NOT work: -

  • Shares between windows PCs by netbios name (you’re thinking DNS, read on please!): access denied
  • Shares between windows PCs by FQDN: access denied
  • Even trying to browse shares on windows PCs gives: access denied

However, shares between windows PCs can be accessed by IP address (\x.x.x.x\share) or by creating a CNAME dns entry so that the pc is accessed by an alias. So, if I try to access a PC’s shares by the machine’s own name it fails.

I have been through the DNSs with a fine tooth comb, all of that is correct. The basic conclusion I have come to is that this is likely a krb5 ticket problem. So, just to check that my DCs are not messed up, I provisioned a new AD, on a fresh load, totally separate, totally basic config, again with Leap 15.2. The config was as follows: -

/etc/samba/smb.conf
[global]
    dns forwarder = 192.168.1.3
    netbios name = DC5
    realm = CFAD2.COLOURFOIL.UK
    server role = active directory domain controller
    workgroup = CFAD2
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/cfad2.colourfoil.uk/scripts
    read only = No

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

/etc/krb5.conf

[libdefaults]
    default_realm = CFAD2.COLOURFOIL.UK
    dns_lookup_realm = false
    dns_lookup_kdc = true

The result is exactly the same, everything works except for access between windows members. An upgrade of samba from 4.11 to 4.13 also made no difference.

Next try was to see if other distros have the same problem, so I tried Ubuntu, Debian and Fedora provisioned as ADC and all three of those worked with the same config, and member windows PCs can access each other’s shares. The main difference in the samba is that those distros are using the internal Heimdal krb5kdc but Leap is using the MIT kerberos.

Some experimenting with trying to update the MIT kerberos on Leap 15.2 from 1.16 to 1.19 was not successful as the samba-ad-dc package build will just not work with it.

Now, Tumbleweed is up to MIT krb5 1.19, so I updated the Leap 15.2 ADC to Tumbleweed and the whole thing works perfectly. So I have a workaround of sorts.

So, here’s the real question…

Does anyone know a way that the samba/mit krb5 builds on Leap 15.2 (or 15.3, which looks like it has the same mit krb5 v1.16) can be made to work around this problem? I don’t really want to run my DCs as Tumbleweed unless I really have to.

Any ideas appreciated!

Well above my pay grade, but I note that the samba team consider using MIT Kerberos as experimental…
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC#Experimental_Feature
So, this issue requires a bug report IMHO.

It might be interesting to know if enabling/starting the krb5kdc.service would be sufficient here, and whether ‘krb5 port =’ and ‘kpasswd port =’ need to be explicitly set in smb.conf or not.

It’s a fair point. Of course opensuse is not giving me much choice about that since all the builds have MIT compiled in instead of the internal one and, as far as I can see, that means you cannot turn the internal kdc on leap at present.

I had a look at this, but the ports are actually set correctly according to testparm.

# testparm -vs |egrep 'kpasswd|krb5 port'
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC

    kpasswd port = 464
    krb5 port = 88

The krb5kdc.service cannot be started because the krb5kdc is actually run by samba in the ADC mode and can be seen in the process tree…

21974 ?        S      0:00  \_ samba
21976 ?        S      0:00  |   \_ samba
21979 ?        S      0:00  |       \_ samba
21999 ?        S      0:00  |           \_ /usr/lib/mit/sbin/krb5kdc -n

# netstat -antp|egrep '88|464'
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      21999/krb5kdc       
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      21976/samba         
tcp6       0      0 :::88                   :::*                    LISTEN      21999/krb5kdc       
tcp6       0      0 :::464                  :::*                    LISTEN      21976/samba         

It does look like this bug is fixed in mit kdc at v1.19, at least. However I cannot at the moment see any way that I can run kdc v1.19 on Leap 15.2 or 15.3 with samba, so yes, maybe worth a bug report against leap 15.x. I have now tested on 15.3 Beta and the situation is exactly the same, which is what I expected from the version numbers.

I wonder if using the samba version (4.13.4) from the network repo is worth a shot here? That is the same version as currently used in TW.

Yeah, tried that, exactly the same result, and annoyingly still won’t allow the v1.19 krb5 (that is in TW) to be used.

I did try compiling up samba with the internal kdc but I got in such a mess with that I decided I really do not want to have to maintain that solution in a live system!

The network repo contains krb5 version 1.19.1…
https://software.opensuse.org/package/krb5

So I was hoping that might lead to a viable upgraded kerberos/samba path?

I did try compiling up samba with the internal kdc but I got in such a mess with that I decided I really do not want to have to maintain that solution in a live system!

Yeah, I wouldn’t be going down that path. :slight_smile:

zypper ar -f https://download.opensuse.org/repositories/network/openSUSE_Leap_15.2/ network
zypper ar -f https://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_Leap_15.2/ samba
zypper clean
zypper ref
zypper install samba-4.13.4+git.199.be6e11f5ab2-lp152.1.1.x86_64 krb5-1.19.1-lp152.275.1.x86_64

Follow the dependency questions to allow the requisite packages to be installed: ‘openSUSE → obs://build.opensuse.org/network:samba’ and ‘openSUSE → obs://build.opensuse.org/network’.

For reference, I also encountered the following, and proceeded with option 3 (which results in samba-ad-dc package being upgraded via the samba repo as well)…

Problem: samba-ad-dc-4.13.4+git.199.be6e11f5ab2-lp152.1.1.x86_64 requires libkadm5srv_mit.so.11()(64bit), but this requirement cannot be provided
  deleted providers: krb5-1.16.3-lp152.5.13.1.x86_64
not installable providers: krb5-1.16.3-lp152.4.6.x86_64[repo-oss]
 Solution 1: do not install samba-ad-dc-4.13.4+git.199.be6e11f5ab2-lp152.1.1.x86_64
 Solution 2: do not install krb5-1.19.1-lp152.275.1.x86_64
 Solution 3: break samba-ad-dc-4.13.4+git.199.be6e11f5ab2-lp152.1.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 3
Resolving dependencies...
Resolving package dependencies...

The following NEW package is going to be installed:
  libndr1

The following package is going to be REMOVED:
  libndr0

The following 31 packages are going to be upgraded:
  krb5 krb5-server libdcerpc-binding0 libdcerpc0 libldb2 libndr-krb5pac0 libndr-nbt0 libndr-standard0 libnetapi0 libsamba-credentials0 libsamba-hostconfig0 libsamba-passdb0 libsamba-policy0-python3
  libsamba-util0 libsamdb0 libsmbclient0 libsmbconf0 libsmbldap2 libtalloc2 libtevent-util0 libwbclient0 python3-ldb python3-talloc samba samba-ad-dc samba-client samba-dsdb-modules samba-libs
  samba-libs-python3 samba-python3 samba-winbind

The following 31 packages are going to change vendor:
  krb5                      openSUSE -> obs://build.opensuse.org/network
  krb5-server               openSUSE -> obs://build.opensuse.org/network
  libdcerpc-binding0        openSUSE -> obs://build.opensuse.org/network:samba
  libdcerpc0                openSUSE -> obs://build.opensuse.org/network:samba
  libldb2                   openSUSE -> obs://build.opensuse.org/network:samba
  libndr-krb5pac0           openSUSE -> obs://build.opensuse.org/network:samba
  libndr-nbt0               openSUSE -> obs://build.opensuse.org/network:samba
  libndr-standard0          openSUSE -> obs://build.opensuse.org/network:samba
  libnetapi0                openSUSE -> obs://build.opensuse.org/network:samba
  libsamba-credentials0     openSUSE -> obs://build.opensuse.org/network:samba
  libsamba-hostconfig0      openSUSE -> obs://build.opensuse.org/network:samba
  libsamba-passdb0          openSUSE -> obs://build.opensuse.org/network:samba
  libsamba-policy0-python3  openSUSE -> obs://build.opensuse.org/network:samba
  libsamba-util0            openSUSE -> obs://build.opensuse.org/network:samba
  libsamdb0                 openSUSE -> obs://build.opensuse.org/network:samba
  libsmbclient0             openSUSE -> obs://build.opensuse.org/network:samba
  libsmbconf0               openSUSE -> obs://build.opensuse.org/network:samba
  libsmbldap2               openSUSE -> obs://build.opensuse.org/network:samba
  libtalloc2                openSUSE -> obs://build.opensuse.org/network:samba
  libtevent-util0           openSUSE -> obs://build.opensuse.org/network:samba
  libwbclient0              openSUSE -> obs://build.opensuse.org/network:samba
  python3-ldb               openSUSE -> obs://build.opensuse.org/network:samba
  python3-talloc            openSUSE -> obs://build.opensuse.org/network:samba
  samba                     openSUSE -> obs://build.opensuse.org/network:samba
  samba-ad-dc               openSUSE -> obs://build.opensuse.org/network:samba
  samba-client              openSUSE -> obs://build.opensuse.org/network:samba
  samba-dsdb-modules        openSUSE -> obs://build.opensuse.org/network:samba
  samba-libs                openSUSE -> obs://build.opensuse.org/network:samba
  samba-libs-python3        openSUSE -> obs://build.opensuse.org/network:samba
  samba-python3             openSUSE -> obs://build.opensuse.org/network:samba
  samba-winbind             openSUSE -> obs://build.opensuse.org/network:samba

31 packages to upgrade, 1 new, 1 to remove, 31  to change vendor.
Overall download size: 15.3 MiB. Already cached: 0 B. After the operation, additional 2.1 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y

I suspected that the kdc can be built and deployed standalone.
After some investigation, I verified it’s possible and not that difficult.
But, I haven’t actually done this myself, so this is one of those “YMMV for the brave, it’s something I haven’t actually done myself.”

Don’t know why SUSE/openSUSE doesn’t package samba and kdc separately, it makes plenty of sense to me. Looks like there have been old attempts by individuals to build packages for a standalone samba kdc, but it’s not clear what happened to the effort.
As far as I can tell, integration with SAMBA should be pretty simple, the krb5.conf file should point to whatever kdc is deployed, and in an Enterprise setup of course it’s preferable to deploy primary and secondary kdc for fault tolerance.

The MIT Kerberos build instructions, pretty minimal and straightforward, instruct how to build a single or multiple versions at once.
https://web.mit.edu/kerberos/krb5-devel/doc/build/doing_build.html#do-build

The modifications needed to configure the kerberos configuration files:
https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html

One of many options to obtain the latest kerberos source; this is from github and provides up to v. 1.20 (I assume you can build 1.19 if you wish, and wonder why Tumbleweed isn’t on this version already):
https://github.com/krb5/krb5

HTH,
TSU

@deano_ferrari
Well for me the samba-4.13.4 will install ok and works (in the same way as 4.11) but the inclusion of the krb5-1.19.1 always breaks samba-ad-dc. What happens is that it inevitably will not spawn the krb5kdc.

Mar 07 17:06:49 dc5a systemd[1]: Starting Samba AD Daemon...
Mar 07 17:06:49 dc5a samba[7183]: [2021/03/07 17:06:49.061974,  0] ../../source4/smbd/server.c:646(binary_smbd_main)
Mar 07 17:06:49 dc5a samba[7183]:   samba version 4.13.4-git.199.be6e11f5ab2lp152.1.1-SUSE-oS15.0-x86_64 started.
Mar 07 17:06:49 dc5a samba[7183]:   Copyright Andrew Tridgell and the Samba Team 1992-2020
Mar 07 17:06:49 dc5a samba[7183]: [2021/03/07 17:06:49.062117,  0] ../../lib/util/become_daemon.c:166(daemon_status)
Mar 07 17:06:49 dc5a samba[7183]:   daemon_status: daemon 'samba' : Starting process...
Mar 07 17:06:49 dc5a samba[7183]: [2021/03/07 17:06:49.195281,  0] ../../source4/smbd/server.c:920(binary_smbd_main)
Mar 07 17:06:49 dc5a samba[7183]:   binary_smbd_main: samba: using 'prefork' process model
Mar 07 17:06:49 dc5a samba[7183]: [2021/03/07 17:06:49.230223,  0] ../../source4/smbd/service.c:108(server_service_startup)
Mar 07 17:06:49 dc5a samba[7183]:   server_service_startup: Failed to start service 'kdc' - NT_STATUS_INVALID_SYSTEM_SERVICE
Mar 07 17:06:49 dc5a systemd[1]: samba-ad-dc.service: Failed to parse ERRNO= field in notification message: -1073741796
Mar 07 17:06:49 dc5a samba[7183]: [2021/03/07 17:06:49.231335,  0] ../../lib/util/become_daemon.c:136(exit_daemon)
Mar 07 17:06:49 dc5a samba[7183]:   exit_daemon: daemon failed to start: Samba failed to start services, error code -1073741796
Mar 07 17:06:49 dc5a systemd[1]: samba-ad-dc.service: Main process exited, code=exited, status=1/FAILURE
Mar 07 17:06:49 dc5a systemd[1]: Failed to start Samba AD Daemon.
Mar 07 17:06:49 dc5a systemd[1]: samba-ad-dc.service: Unit entered failed state.
Mar 07 17:06:49 dc5a systemd[1]: samba-ad-dc.service: Failed with result 'exit-code'.

@tsu2
I have been looking at building the kdc from 1.19.1 src (only because that is working on TW), and I can build it but I have not yet managed an install that did not break the whole thing. However, I have not yet given that up. I think I need to go and see if I can find out how the TW version is built specifically to see if there’s an opensuse specific trick to it.
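As an added check, not from the thread, tying together the testparm/netstat post above and the failed 'kdc' service log: a small POSIX sh script that reads `netstat -antp` style output and confirms that port 88 is held by the samba-spawned krb5kdc and 464 by samba itself. The two netstat samples inside it are constructed to mirror the working DC and the failed start, not captured from the poster’s hosts.

```shell
#!/bin/sh
# Added example: verify the MIT-KDC-mode listeners of a Samba AD DC.
# Expected state (from the working DC): krb5kdc on 88, samba on 464.
# Input format assumed: `netstat -antp` columns (Proto Recv-Q Send-Q Local Foreign State PID/Program).

# Constructed sample of a healthy DC (not captured from the thread's host).
GOOD_NETSTAT='tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      21999/krb5kdc
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      21976/samba
tcp6       0      0 :::88                   :::*                    LISTEN      21999/krb5kdc'

# Constructed sample of the failure mode in the samba-ad-dc log:
# service "kdc" never started, so nothing is bound to 88.
BAD_NETSTAT='tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      21976/samba'

# listener_owner TEXT PORT: print "pid/program" of the first LISTEN socket on PORT, nothing if absent.
listener_owner() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $6 == "LISTEN" { lp = $4; sub(/.*:/, "", lp); if (lp == port) { print $7; exit } }'
}

# check_kdc_listeners TEXT: return 0 only when 88 is owned by krb5kdc and 464 by samba.
check_kdc_listeners() {
    status=0
    kdc=$(listener_owner "$1" 88)
    kpasswd=$(listener_owner "$1" 464)
    case "$kdc" in
        "")        echo "FAIL: nothing on 88 - samba did not spawn krb5kdc (cf. 'Failed to start service kdc')"; status=1 ;;
        */krb5kdc) echo "OK:   krb5 port 88 owned by $kdc" ;;
        *)         echo "WARN: 88 owned by $kdc, not the samba-spawned krb5kdc (stray krb5kdc.service?)"; status=1 ;;
    esac
    case "$kpasswd" in
        "")        echo "FAIL: nothing on 464 - kpasswd not served"; status=1 ;;
        */samba)   echo "OK:   kpasswd port 464 owned by $kpasswd" ;;
        *)         echo "WARN: 464 owned by $kpasswd, expected samba"; status=1 ;;
    esac
    return $status
}

# Offline demonstration on the constructed samples.
check_kdc_listeners "$GOOD_NETSTAT"
check_kdc_listeners "$BAD_NETSTAT" || echo "(failure case reported as expected)"

# Live use on a DC would be: check_kdc_listeners "$(netstat -antp 2>/dev/null)"
```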

Best to submit a bug report I think.

Yes, but I like to go really well informed when I report a bug!

The BIG news, I have got it to work, sort of. It would be safer to say that I have proven that it can be got to work. What I did was to use the source RPMs from TW for samba and krb5 to build new RPMs for Leap 15.2, installed those and rebooted the 2 client PCs.

rpmbuild --rebuild krb5-1.19.1-1.1.src.rpm
...(had to satisfy some dependencies here)...

then

rpm -Uvh --nodeps /usr/src/packages/RPMS/x86_64/krb5*
rpmbuild --rebuild samba-4.13.4+git.187.5ad4708741a-1.1.src.rpm
...(had to satisfy some dependencies here)...

then I added /usr/src/packages/RPMS/ as a plain rpm repo and used yast to update the samba packages to the new ones. I could have done all the installs with zypper but it was all a bit of an experiment. But it does work now. So I think I will report as a bug with that info and possibly test against 15.3 too.

Thanks for the update. Well done. :slight_smile:

I tried to reproduce this on Leap 15.2, in an effort to see whether this also fixes some password reset issues I’m seeing on Windows 10 machines, and maybe some machine-based GPO issues as well, but the Samba version I can pull from Tumbleweed is samba-4.13.4+git.199.be6e11f5ab2-1.2.src.rpm, which has some unique dependencies that I couldn’t satisfy with Leap 15.2 sources, e.g. libldb-devel >= 2.1.4, libtalloc-devel >= 2.3.1, libtdb-devel >= 1.4.3, libtevent-devel >= 0.10.2, python3-ldb-devel >= 2.1.4.

I’m hesitant to start pulling additional src RPMs to satisfy these, I’m worried about what other cans of worms I’ll be opening. Any thoughts? I’m really looking to test these previous issues to see whether they’re fixed and hopefully provide feedback.

There’s a “Stable” version of samba-4.13.4+git.199.be6e11f5ab2-lp152.1.2 listed in the /repositories/network:/samba:/STABLE/openSUSE_Leap_15.2/ repository, and comes with all the goodies that go with it. Has anyone experimented with it yet?

I’m not sure exactly what you mean by experimenting. I’m using this version currently from the samba repo, albeit as a standalone server environment, and not aware of any issues. My file sharing requirements are fairly simple though.

I’m unable to build the 4.13 RPM using Leap 15.2 supporting devel packages. I was hoping I could simply refer to the STABLE repository of Samba to get 4.13 installed. Well, I tried that, but 4.13 is still dependent on KRB5 1.16, and broke when trying to use KRB5 1.19.

So, I’m now entertaining the idea of adding Tumbleweed SRC RPMs to satisfy the 4.13 RPM build for samba. Will let you know how that goes. My concerns are about what other cans of worms I’m going to open (i.e. what else am I going to break) by doing this…

That’s the basic dependency problem that kicked off this thread in the first place. It can be solved with a bit of fancy finger work but the samba HAS to be rebuilt against krb5 1.19. It’s back up there in the thread, but this is the update summary, and you don’t actually need anything from Tumbleweed (though those sources work too).

The krb5 came from network/openSUSE_Leap_15.2/src
The samba came from network:/samba:/STABLE/openSUSE_Leap_15.2/src
You DO need the network:/samba:/STABLE/openSUSE_Leap_15.2 repo enabled to satisfy those libldb libtdb dependencies.

What I did, for 15.2 in the end, was (really basic outline, and the minor version numbers have changed a bit): -

rpmbuild --rebuild krb5-1.19.1-lp152.275.1.src.rpm
...(had to satisfy some dependencies here)...
rpm -Uvh --nodeps /usr/src/packages/RPMS/x86_64/krb5*
rpmbuild --rebuild samba-4.13.4+git.199.be6e11f5ab2-lp152.1.1.src.rpm
...(had to satisfy some dependencies here)...

What I did then was create a local dir repo and get yast to install / upgrade samba. Be aware it will complain bitterly about unsigned packages!

zypper ar -f /usr/src/packages/RPMS/x86_64 Local

Really, it boils down to this: samba has to be compiled against krb5 1.19 to get this working, and the src from Tumbleweed or from network:samba:STABLE will work, I tried them both.
It is possible that rebuilding krb5 was not actually necessary.

Also, this works for 15.3, but as that is beta you have to hunt a bit for some of the repos and src.

After much twiddling about I have finally built samba in the OBS with the 1.19.x mit krb5 kdc; it is available in home:jedi98a (for 15.2) and in home:jedi98a:samba (for 15.3). The twiddling about was all me, not the obs, that was simple, wish I’d tried that earlier!

I’ll try to keep the thing maintained until 15.3 catches up officially to krb5 >= 1.19.

Thanks for the update. I’m sure it will be of value to others.

Ditto! Thanks, Jedi