Univention Bugzilla – Bug 38827
Huawei Unified Storage System S5500 V3 fails to join UCS AD domain
Last modified: 2017-06-20 22:55:54 CEST
Created attachment 6997
patch for 1)

Ticket#2015061621000357

Two problems were identified that prevented the storage from successfully joining the UCS AD domain:

1) Huawei does a CLDAP query without the NtVer filter ("(DnsDomain=<DOMAINNAME>)" instead of "(&(DnsDomain=<DOMAINNAME>)(Ntver=06:00:00:00))")
2) Huawei does not send some checksums during Kerberos authentication

The attached patches were successfully tested by the customer.
Created attachment 6998
98_allow-no-checksum.patch

patch for 2) (part 1)
Created attachment 6999
98_allow-no-checksum_heimdal.patch

patch for 2) (part 2)

The patch notes suggest that there is a third part we've not built yet?
98_allow-no-checksum_heimdal.patch just contains the Heimdal specific hunk from 98_allow-no-checksum.patch.
Patches merged to errata4.0-2, packages rebuilt.

Advisories:
* 2015-05-27-samba.yaml
* 2015-07-08-heimdal.yaml
(In reply to Arvid Requate from comment #4)
> Patches merged to errata4.0-2, packages rebuilt.
> Advisories:
> * 2015-05-27-samba.yaml
> * 2015-07-08-heimdal.yaml

Bug 1: Huawei does a CLDAP query without the NtVer filter, and UCS responds with a failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response. I found that NetApp doesn't send "NtVer" either when NetApp joins a Windows AD server; I haven't tried to join a UCS domain with NetApp. So I think this bug is Samba's bug: Samba doesn't support a ping without "NtVer", right?

Bug 2: UCS uses Heimdal's krb5 algorithm, but Heimdal needs to check the "checksum". On Heimdal's website (http://www.h5l.org/manual/HEAD/info/heimdal.html, Section 8.6) I found that Heimdal supports Kerberos authentication without a "checksum", but you need to change some configuration. And MIT Kerberos maybe doesn't send a "checksum" either. I think that whether the client sends a "checksum" or not, UCS should reply with success. If so, UCS can be compatible with more products.

Thanks!
Patches: OK, they have been applied in the build
YAML: OK
Code review: OK

(In reply to IT man from comment #5)
> Bug 1: Huawei does a CLDAP query without the NtVer filter, and UCS responds
> with a failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings
> without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40
> structure to send the response. I found that NetApp doesn't send "NtVer"
> either when NetApp joins a Windows AD server; I haven't tried to join a UCS
> domain with NetApp. So I think this bug is Samba's bug: Samba doesn't
> support a ping without "NtVer", right?

Yes. We've worked with Andrew to get this fixed. Arvid also filed an upstream bug:
https://bugzilla.samba.org/show_bug.cgi?id=11392

> Bug 2: UCS uses Heimdal's krb5 algorithm, but Heimdal needs to check the
> "checksum". On Heimdal's website
> (http://www.h5l.org/manual/HEAD/info/heimdal.html, Section 8.6) I found
> that Heimdal supports Kerberos authentication without a "checksum", but you
> need to change some configuration. And MIT Kerberos maybe doesn't send a
> "checksum" either. I think that whether the client sends a "checksum" or
> not, UCS should reply with success.

Yeah, UCS needs to do it like AD does it. So we changed Heimdal in the needed way.
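The two filter shapes quoted in this bug ("(DnsDomain=<DOMAINNAME>)" with no NtVer, and the usual "(&(DnsDomain=<DOMAINNAME>)(Ntver=06:00:00:00))") differ only in whether the client states which netlogon response format it understands. The following is an added example, not code from this bug report, from Samba or from Univention: it parses a CLDAP netlogon ping filter, decodes the NtVer bytes, and picks the response structure the way the thread reads [MS-ADTS] 6.3.3.2, i.e. a missing NtVer yields NETLOGON_SAM_LOGON_RESPONSE_NT40 rather than a failure. The function names, the sample filters and the response-name strings are my own; the NETLOGON_NT_VERSION_* bit values are the ones from the netlogon IDL.

```python
"""Added example (not from the bug report, Samba or Univention): decide which
netlogon response structure a CLDAP ping should get, following the reading of
[MS-ADTS] 6.3.3.2 given in this thread.

Assumptions: helper names, sample filters and the response-name strings are
mine. NETLOGON_NT_VERSION_* values are the netlogon IDL bit flags.
"""
import re
import struct

# NtVer flag bits from the netlogon IDL; only the ones this example needs.
NETLOGON_NT_VERSION_1 = 0x00000001
NETLOGON_NT_VERSION_5 = 0x00000002
NETLOGON_NT_VERSION_5EX = 0x00000004
NETLOGON_NT_VERSION_5EX_WITH_IP = 0x00000008

# One "(attr=value)" component; the "(&" of an AND filter does not match
# because "&" is not a letter, so only the leaf assertions are collected.
_COMPONENT = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def _decode_ntver(raw: str) -> int:
    """Decode the NtVer filter value into a little-endian uint32.

    Accepts the colon-separated hex dump the bug report quotes
    ("06:00:00:00") and RFC 4515 escaping (a backslash followed by two hex
    digits per byte), which is how a client escapes the binary value.
    """
    if ":" in raw:
        data = bytes(int(h, 16) for h in raw.split(":"))
    else:
        data = bytes(int(h, 16) for h in re.findall(r"\\([0-9A-Fa-f]{2})", raw))
    if len(data) != 4:
        raise ValueError(f"NtVer must be 4 bytes, got {len(data)}: {raw!r}")
    return struct.unpack("<I", data)[0]


def parse_netlogon_filter(filt: str) -> dict:
    """Return the leaf attributes of a CLDAP netlogon ping filter.

    Handles both shapes quoted in the bug: "(DnsDomain=X)" and
    "(&(DnsDomain=X)(Ntver=...))". LDAP attribute names are
    case-insensitive, so they are normalised to lower case.
    """
    attrs = {name.lower(): value for name, value in _COMPONENT.findall(filt)}
    if "dnsdomain" not in attrs:
        raise ValueError(f"netlogon ping without DnsDomain: {filt!r}")
    if "ntver" in attrs:
        attrs["ntver"] = _decode_ntver(attrs["ntver"])
    return attrs


def choose_response(attrs: dict) -> str:
    """Pick the netlogon response structure for a parsed ping.

    Per the [MS-ADTS] 6.3.3.2 reading in the thread: no NtVer (or only the
    version-1 bit) means the NT4-style NETLOGON_SAM_LOGON_RESPONSE_NT40; a
    5EX bit selects NETLOGON_SAM_LOGON_RESPONSE_EX; otherwise the version-5
    bit selects NETLOGON_SAM_LOGON_RESPONSE. A server that instead fails the
    query when NtVer is absent shows the behaviour reported against UCS here.
    """
    ntver = attrs.get("ntver", 0)
    if ntver & (NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP):
        return "NETLOGON_SAM_LOGON_RESPONSE_EX"
    if ntver & NETLOGON_NT_VERSION_5:
        return "NETLOGON_SAM_LOGON_RESPONSE"
    return "NETLOGON_SAM_LOGON_RESPONSE_NT40"


def classify(filt: str) -> str:
    """Filter string -> name of the response structure it should receive."""
    return choose_response(parse_netlogon_filter(filt))


if __name__ == "__main__":
    # Constructed sample filters modelled on the two quoted in the report.
    storage_ping = "(DnsDomain=example.intranet)"
    windows_ping = "(&(DnsDomain=example.intranet)(Ntver=06:00:00:00))"
    for f in (storage_ping, windows_ping):
        print(f"{f} -> {classify(f)}")
```

Running the block prints NETLOGON_SAM_LOGON_RESPONSE_NT40 for the NtVer-less ping and NETLOGON_SAM_LOGON_RESPONSE_EX for the Windows-style one (06:00:00:00 decodes to 0x6, i.e. the version-5 and 5EX bits). The practical check this gives you is quick triage of a capture: if the client's filter has no Ntver component, the join failure is on the server side per the thread's reading, not a malformed client request.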
(In reply to Stefan Gohmann from comment #6)
> Patches: OK, they have been applied in the build
> YAML: OK
> Code review: OK
>
> (In reply to IT man from comment #5)
> > Bug 1: Huawei does a CLDAP query without the NtVer filter, and UCS responds
> > with a failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings
> > without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40
> > structure to send the response. I found that NetApp doesn't send "NtVer"
> > either when NetApp joins a Windows AD server; I haven't tried to join a UCS
> > domain with NetApp. So I think this bug is Samba's bug: Samba doesn't
> > support a ping without "NtVer", right?
>
> Yes. We've worked with Andrew to get this fixed. Arvid also filed an upstream bug:
> https://bugzilla.samba.org/show_bug.cgi?id=11392
>
> > Bug 2: UCS uses Heimdal's krb5 algorithm, but Heimdal needs to check the
> > "checksum". On Heimdal's website
> > (http://www.h5l.org/manual/HEAD/info/heimdal.html, Section 8.6) I found
> > that Heimdal supports Kerberos authentication without a "checksum", but you
> > need to change some configuration. And MIT Kerberos maybe doesn't send a
> > "checksum" either. I think that whether the client sends a "checksum" or
> > not, UCS should reply with success.
>
> Yeah, UCS needs to do it like AD does it. So we changed Heimdal in the needed way.

If I send a "checksum" request to UCS, what are the values of "ap_req_checksum_type" and "kdc_req_checksum_type" in the client's krb5.conf?

The list of "ap_req_checksum_type" and "kdc_req_checksum_type" values:
   1  CRC32
   2  RSA MD4
   3  RSA MD4 DES
   4  DES CBC
   7  RSA MD5
   8  RSA MD5 DES
   9  NIST SHA
  12  HMAC SHA1 DES3
-138  Microsoft MD5 HMAC checksum type
<http://errata.univention.de/ucs/4.0/258.html>
<http://errata.univention.de/ucs/4.0/253.html>