Bug 39522 - Kerberos based authentication for LDAP queries not working with non-Samba-AD-DCs
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.0
Other Linux
P5 normal
Assigned To: Samba maintainers
Reported: 2015-10-13 21:21 CEST by Michael Grandjean
Modified: 2019-01-03 07:17 CET (History)

What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.017
Enterprise Customer affected?: Yes
Ticket number: 2015100821000515, 2018010221000341


Description Michael Grandjean univentionstaff 2015-10-13 21:21:12 CEST
Currently it's not possible to search the LDAP directory of a UCS Domaincontroller that is not a Samba AD DC (if there are other UCS Samba AD DCs present in the domain) using a valid Kerberos ticket.

Setup:
1x DC Master as Samba AD DC
1x DC Slave without Samba AD (e.g. Groupware)

On the DC Slave execute the following as a domain user:

> michael@ucssl03:~$ kinit
> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL


Observed behaviour:

> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Matching credential (ldap/ucssl03.mgrandje.local@MGRANDJE.LOCAL) not found)


Expected behaviour:

> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL
> SASL/GSSAPI authentication started
> SASL username: michael@MGRANDJE.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=michael,cn=users,dc=mgrandje,dc=local


Additional information:

This is working if:
- the queried LDAP server is also a Samba AD DC
- the queried LDAP server is not a Samba AD DC and there is no Samba AD DC at all in the domain

This is failing if:
- the queried LDAP server is not a Samba AD DC but there is at least one Samba AD DC in the domain
Comment 1 Michael Grandjean univentionstaff 2015-10-14 09:06:24 CEST
see also 2015100821000515
Comment 2 Stefan Gohmann univentionstaff 2015-10-22 08:22:24 CEST
I guess it is a duplicate of Bug #32079.

*** This bug has been marked as a duplicate of bug 32079 ***
Comment 3 Arvid Requate univentionstaff 2018-01-04 15:24:04 CET
Changing Component tag to S4-Connector, because we would need to adjust the S4-Connector to sync non-Samba-UCS-DCs as simple Windows Memberservers into the Samba/AD LDAP to fix this.
Comment 4 Philipp Hahn univentionstaff 2018-04-21 10:45:23 CEST
# udm kerberos/kdcentry list | sed -ne '/ldap/s/^DN: //p'
krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa

# kinit Administrator

# ldapwhoami -Y GSSAPI -H ldap://ma43.phahn.qa:7389
dn:uid=administrator,cn=users,dc=phahn,dc=qa
# klist
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@PHAHN.QA

# ldapwhoami -Y GSSAPI -H ldap://sla33.phahn.qa:7389
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
# klist
-


This issue is also a blocker for setting up NFS with Kerberos in S4 environments: <https://help.univention.com/t/nfs4-export/3127/11>
The work-around is to create SPN entries manually in S4 using samba-tool on the command-line - see the linked thread for details.
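The diagnosis in comment 4 boils down to one comparison: every UCS DC has an ldap/<fqdn> principal in the UCS OpenLDAP (udm kerberos/kdcentry), but only Samba AD DCs have the matching servicePrincipalName in the Samba directory, and once the Samba KDC issues the TGTs, any host missing there yields "Server not found in Kerberos database". The script below is an added example (not part of the bug report or of UCS) that flags such hosts; the Samba-side input is assumed to be LDIF as produced by ldbsearch against sam.ldb, and the sample data is constructed from the hostnames in comment 4.

```shell
#!/bin/sh
# Added example, not from the bug report: find UCS DCs whose ldap/ KDC entry
# exists in the UCS OpenLDAP but has no servicePrincipalName in Samba AD.
set -eu

# stdin: `udm kerberos/kdcentry list` output. Prints the host of each
# ldap/<host>@REALM principal, lower-cased, one per line.
udm_ldap_hosts() {
    sed -ne 's/^DN: krb5PrincipalName=ldap\/\([^@,]*\)@.*/\1/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# stdin: LDIF, assumed from e.g.
#   ldbsearch -H /var/lib/samba/private/sam.ldb 'servicePrincipalName=ldap/*' servicePrincipalName
# Prints the host of each plain ldap/<host> SPN, lower-cased, one per line.
sam_ldap_hosts() {
    tr '[:upper:]' '[:lower:]' |
        sed -ne 's/^serviceprincipalname: ldap\/\([^\/]*\)$/\1/p' | sort -u
}

# $1: hosts from udm_ldap_hosts, $2: hosts from sam_ldap_hosts.
# Prints every host present in $1 but absent from $2.
missing_ldap_spns() {
    printf '%s\n' "$1" | while read -r host; do
        [ -n "$host" ] || continue
        printf '%s\n' "$2" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Constructed sample input: both DCs are in the UCS OpenLDAP, but only the
# DC Master ma43 (the Samba AD DC) carries an SPN in sam.ldb.
UDM_SAMPLE='DN: krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
DN: krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa'
SAM_SAMPLE='dn: CN=MA43,OU=Domain Controllers,DC=phahn,DC=qa
servicePrincipalName: ldap/ma43.phahn.qa
servicePrincipalName: ldap/ma43.phahn.qa/phahn.qa
servicePrincipalName: HOST/ma43.phahn.qa'

# On a real DC, feed the live command outputs instead of the samples.
check_sample() {
    missing_ldap_spns "$(printf '%s\n' "$UDM_SAMPLE" | udm_ldap_hosts)" \
                      "$(printf '%s\n' "$SAM_SAMPLE" | sam_ldap_hosts)"
}

check_sample   # prints: sla33.phahn.qa
```

A host listed here is exactly one a client will fail to bind to with -Y GSSAPI until its SPN is added in Samba AD, which is the manual work-around the comment refers to.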
Comment 5 Stefan Gohmann univentionstaff 2019-01-03 07:17:25 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on the 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.