Bug 38827 - Huawei Unified Storage System S5500 V3 fails to join UCS AD domain
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.0
Other Linux
P5 normal
UCS 4.0-2-errata
Assigned To: Arvid Requate
Stefan Gohmann
https://bugzilla.samba.org/show_bug.c...
Reported: 2015-07-03 09:03 CEST by Janis Meybohm
Modified: 2017-06-20 22:55 CEST (History)

Ticket number: 2015061621000357


Attachments
patch for 1) (1.02 KB, patch)
2015-07-03 09:03 CEST, Janis Meybohm
98_allow-no-checksum.patch (7.88 KB, patch)
2015-07-03 09:04 CEST, Janis Meybohm
98_allow-no-checksum_heimdal.patch (2.82 KB, patch)
2015-07-03 09:07 CEST, Janis Meybohm

Description Janis Meybohm univentionstaff 2015-07-03 09:03:23 CEST
Created attachment 6997 [details]
patch for 1)

Ticket#2015061621000357 

Two problems were identified that prevented the storage from successfully joining the UCS AD domain:

1) Huawei does a CLDAP query without the NtVer filter ("(DnsDomain=<DOMAINNAME>)" instead of "(&(DnsDomain=<DOMAINNAME>)(Ntver=06:00:00:00))")

2) Huawei does not send some checksums during Kerberos authentication


Attached patches were successfully tested by the customer.
Comment 1 Janis Meybohm univentionstaff 2015-07-03 09:04:46 CEST
Created attachment 6998 [details]
98_allow-no-checksum.patch

patch for 2) (part 1)
Comment 2 Janis Meybohm univentionstaff 2015-07-03 09:07:09 CEST
Created attachment 6999 [details]
98_allow-no-checksum_heimdal.patch

patch for 2) (part 2)

Patch notes suggest that there is a third part we've not built yet?
Comment 3 Arvid Requate univentionstaff 2015-07-06 11:23:17 CEST
98_allow-no-checksum_heimdal.patch just contains the Heimdal specific hunk from 98_allow-no-checksum.patch.
Comment 4 Arvid Requate univentionstaff 2015-07-08 13:05:01 CEST
Patches merged to errata4.0-2, packages rebuilt.

Advisories:
* 2015-05-27-samba.yaml
* 2015-07-08-heimdal.yaml
Comment 5 IT man 2015-07-15 11:59:07 CEST
(In reply to Arvid Requate from comment #4)
> Patches merged to errata4.0-2, packages rebuilt.
>
> Advisories:
> * 2015-05-27-samba.yaml
> * 2015-07-08-heimdal.yaml

bug 1: Huawei does a CLDAP query without the NtVer filter, and UCS responds with failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response. I found that NetApp doesn't send "NtVer" either when NetApp joins a Windows AD server; I haven't tried to join a UCS domain with NetApp. So I think this bug is Samba's bug: Samba doesn't support a ping without "NtVer", right?

bug 2: UCS uses the krb5 algorithm of Heimdal, but Heimdal needs to check the "checksum". On Heimdal's website (http://www.h5l.org/manual/HEAD/info/heimdal.html, Section 8.6) I found that Heimdal supports Kerberos authentication without a "checksum", but you need to change some configuration. And MIT Kerberos maybe doesn't send a "checksum". I think that whether the client sends a "checksum" or not, UCS should reply with success.

If so, UCS can be compatible with more products.
Thanks!
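The decision described in the bug description and in comment 5, as an added example (not code from this bug, from Samba or from Heimdal): parse the NtVer flags out of a CLDAP netlogon ping filter and select the response structure that [MS-ADTS] 6.3.3.2 prescribes, falling back to NETLOGON_SAM_LOGON_RESPONSE_NT40 when the attribute is absent, as it is in the storage system's query. The NETLOGON_NT_VERSION_* flag values are the ones MS-ADTS defines; the domain name and the sample filters are constructed.

```python
import re
from typing import Optional

# Flag bits of the NtVer DWORD as defined in [MS-ADTS] 6.3.1.1.
NETLOGON_NT_VERSION_1 = 0x00000001
NETLOGON_NT_VERSION_5 = 0x00000002
NETLOGON_NT_VERSION_5EX = 0x00000004

_NTVER_RE = re.compile(r"\(Ntver=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){3})\)", re.IGNORECASE)


def parse_ntver(ldap_filter: str) -> Optional[int]:
    """Return the NtVer flags from a CLDAP netlogon filter, or None if absent.

    The value travels as a little-endian DWORD written as colon-separated hex
    bytes, so "06:00:00:00" is 0x00000006 (VERSION_5 | VERSION_5EX). A filter
    without the attribute, like the Huawei query in this bug, yields None.
    """
    match = _NTVER_RE.search(ldap_filter)
    if match is None:
        return None
    raw = bytes.fromhex(match.group(1).replace(":", ""))
    return int.from_bytes(raw, "little")


def choose_response_structure(ldap_filter: str) -> str:
    """Pick the netlogon response variant a DC must answer this ping with.

    Per [MS-ADTS] 6.3.3.2: NETLOGON_NT_VERSION_5EX selects
    NETLOGON_SAM_LOGON_RESPONSE_EX, NETLOGON_NT_VERSION_5 selects
    NETLOGON_SAM_LOGON_RESPONSE, and anything else, including a missing
    NtVer, gets the legacy NETLOGON_SAM_LOGON_RESPONSE_NT40. Answering with
    a failure instead when NtVer is missing is the behaviour this bug reports.
    """
    ntver = parse_ntver(ldap_filter)
    if ntver is None:
        ntver = 0  # absent NtVer: treat the client as an NT 4.0-style requester
    if ntver & NETLOGON_NT_VERSION_5EX:
        return "NETLOGON_SAM_LOGON_RESPONSE_EX"
    if ntver & NETLOGON_NT_VERSION_5:
        return "NETLOGON_SAM_LOGON_RESPONSE"
    return "NETLOGON_SAM_LOGON_RESPONSE_NT40"


# Constructed sample filters: the usual full ping and the reduced one from the bug.
FULL_PING = "(&(DnsDomain=example.intranet)(Ntver=06:00:00:00))"
HUAWEI_PING = "(DnsDomain=example.intranet)"

if __name__ == "__main__":
    for f in (FULL_PING, HUAWEI_PING):
        print(f, "->", choose_response_structure(f))
```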
Comment 6 Stefan Gohmann univentionstaff 2015-07-18 21:21:03 CEST
Patches: OK, they have been applied in the build

YAML: OK

Code review: OK

(In reply to IT man from comment #5)
> bug 1:Huawai does a cldap query without NtVer filter ,UCS  response with
> failure. But [MS-ADTS] Section 6.3.3.2 said that if client ping without
> NtVer ,server should uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to
> send the response;I found NetApp didn't send "NtVer" too, when NetApp join
> windows AD server,I haven't try to join UCS domain with NetApp.So I think
> this bug is samba's bug,samba don't support ping without "NtVer", right?

Yes. We've worked with Andrew to get this fixed. Arvid also filed an upstream bug:
 https://bugzilla.samba.org/show_bug.cgi?id=11392

> bug 2:UCS use krb5 algorithm of heimdal ,but heimdal need check
> "checksum",in heimdal's
> website(http://www.h5l.org/manual/HEAD/info/heimdal.html   Section 8.6) I
> found heimdal support kerberos authentication without "checksum",but you
> need change some configure.and  MIT kerberos  maybe don't send "checksum" ,
> I think client send "checksum" or not,UCS should reply success.

Yeah, UCS needs to do it like AD does it. So, we changed heimdal in the needed way.
Comment 7 IT man 2015-07-19 05:11:45 CEST
(In reply to Stefan Gohmann from comment #6)
> Patches: OK, they have been applied in the build
>
> YAML: OK
>
> Code review: OK
>
> (In reply to IT man from comment #5)
> > bug 1:Huawai does a cldap query without NtVer filter ,UCS  response with
> > failure. But [MS-ADTS] Section 6.3.3.2 said that if client ping without
> > NtVer ,server should uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to
> > send the response;I found NetApp didn't send "NtVer" too, when NetApp join
> > windows AD server,I haven't try to join UCS domain with NetApp.So I think
> > this bug is samba's bug,samba don't support ping without "NtVer", right?
>
> Yes. We've worked with Andrew to get this fixed. Arvid also filed an upstream bug:
> https://bugzilla.samba.org/show_bug.cgi?id=11392
>
> > bug 2:UCS use krb5 algorithm of heimdal ,but heimdal need check
> > "checksum",in heimdal's
> > website(http://www.h5l.org/manual/HEAD/info/heimdal.html   Section 8.6) I
> > found heimdal support kerberos authentication without "checksum",but you
> > need change some configure.and  MIT kerberos  maybe don't send "checksum" ,
> > I think client send "checksum" or not,UCS should reply success.
>
> Yeah, UCS need to do it like AD does it. So, we changed heimdal in the needed way.

If I send a "checksum" request to UCS, what should the values of "ap_req_checksum_type" and "kdc_req_checksum_type" be in the client's krb5.conf?
The list of "ap_req_checksum_type" and "kdc_req_checksum_type" values:
1 CRC32 
2 RSA MD4 
3 RSA MD4 DES 
4 DES CBC 
7 RSA MD5 
8 RSA MD5 DES 
9 NIST SHA 
12 HMAC SHA1 DES3 
-138 Microsoft MD5 HMAC checksum type
Comment 8 Janek Walkenhorst univentionstaff 2015-07-20 17:50:38 CEST
<http://errata.univention.de/ucs/4.0/258.html>
Comment 9 Janek Walkenhorst univentionstaff 2015-07-20 17:52:22 CEST
<http://errata.univention.de/ucs/4.0/253.html>