Univention Bugzilla – Full Text Bug Listing

Summary: | Huawei Unified Storage System S5500 V3 fails to join UCS AD domain | | |
---|---|---|---|
Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
Component: | Samba4 | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | normal | | |
Priority: | P5 | CC: | 783415147, andree.hingst, gohmann, grandjean, requate, stephan.hendl, walkenhorst |
Version: | UCS 4.0 | | |
Target Milestone: | UCS 4.0-2-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
URL: | https://bugzilla.samba.org/show_bug.cgi?id=11392 | | |
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2015061621000357 | Bug group (optional): | |
Max CVSS v3 score: | | | |
Attachments: | patch for 1); 98_allow-no-checksum.patch; 98_allow-no-checksum_heimdal.patch | | |
Description (Janis Meybohm):

Created attachment 6997 [details]
patch for 1)

Ticket#2015061621000357

Two problems were identified that prevented the storage from successfully joining the UCS AD domain:

1) Huawei does a CLDAP query without NtVer filter ("(DnsDomain=<DOMAINNAME>)" instead of "(&(DnsDomain=<DOMAINNAME>)(Ntver=06:00:00:00))")
2) Huawei does not send some checksums during Kerberos authentication

Attached patches were successfully tested by the customer.

Comment #1:

Created attachment 6998 [details]
98_allow-no-checksum.patch

patch for 2) (part 1)

Comment #2:

Created attachment 6999 [details]
98_allow-no-checksum_heimdal.patch

patch for 2) (part 2)

Comment #3:

Patch notes suggest that there is a third part we've not built yet?

Comment #4 (Arvid Requate):

98_allow-no-checksum_heimdal.patch just contains the Heimdal-specific hunk from 98_allow-no-checksum.patch.

Patches merged to errata4.0-2, packages rebuilt. Advisories:
* 2015-05-27-samba.yaml
* 2015-07-08-heimdal.yaml

Comment #5 (IT man):

(In reply to Arvid Requate from comment #4)
> Patches merged to errata4.0-2, packages rebuilt. Advisories:
> * 2015-05-27-samba.yaml
> * 2015-07-08-heimdal.yaml

bug 1: Huawei does a CLDAP query without NtVer filter, UCS responds with failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response. I found NetApp didn't send "NtVer" either when NetApp joins a Windows AD server; I haven't tried to join a UCS domain with NetApp. So I think this bug is Samba's bug: Samba doesn't support ping without "NtVer", right?

bug 2: UCS uses the krb5 algorithm of Heimdal, but Heimdal needs to check the "checksum". On Heimdal's website (http://www.h5l.org/manual/HEAD/info/heimdal.html Section 8.6) I found that Heimdal supports Kerberos authentication without "checksum", but you need to change some configuration. And MIT Kerberos maybe doesn't send "checksum". I think whether the client sends "checksum" or not, UCS should reply success. If so, UCS can be compatible with more products. Thanks!

Comment #6 (Stefan Gohmann):

Patches: OK, they have been applied in the build
YAML: OK
Code review: OK

(In reply to IT man from comment #5)
> bug 1: Huawei does a CLDAP query without NtVer filter, UCS responds with failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response. I found NetApp didn't send "NtVer" either when NetApp joins a Windows AD server; I haven't tried to join a UCS domain with NetApp. So I think this bug is Samba's bug: Samba doesn't support ping without "NtVer", right?

Yes. We've worked with Andrew to get this fixed. Arvid also filed an upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11392

> bug 2: UCS uses the krb5 algorithm of Heimdal, but Heimdal needs to check the "checksum". On Heimdal's website (http://www.h5l.org/manual/HEAD/info/heimdal.html Section 8.6) I found that Heimdal supports Kerberos authentication without "checksum", but you need to change some configuration. And MIT Kerberos maybe doesn't send "checksum". I think whether the client sends "checksum" or not, UCS should reply success.

Yeah, UCS needs to do it like AD does it. So, we changed Heimdal in the needed way.

Comment #7 (IT man):

(In reply to Stefan Gohmann from comment #6)
> Patches: OK, they have been applied in the build
> YAML: OK
> Code review: OK
>
> (In reply to IT man from comment #5)
> > bug 1: Huawei does a CLDAP query without NtVer filter, UCS responds with failure. But [MS-ADTS] Section 6.3.3.2 says that if the client pings without NtVer, the server should use the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response. I found NetApp didn't send "NtVer" either when NetApp joins a Windows AD server; I haven't tried to join a UCS domain with NetApp. So I think this bug is Samba's bug: Samba doesn't support ping without "NtVer", right?
>
> Yes. We've worked with Andrew to get this fixed. Arvid also filed an upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11392
>
> > bug 2: UCS uses the krb5 algorithm of Heimdal, but Heimdal needs to check the "checksum". On Heimdal's website (http://www.h5l.org/manual/HEAD/info/heimdal.html Section 8.6) I found that Heimdal supports Kerberos authentication without "checksum", but you need to change some configuration. And MIT Kerberos maybe doesn't send "checksum". I think whether the client sends "checksum" or not, UCS should reply success.
>
> Yeah, UCS needs to do it like AD does it. So, we changed Heimdal in the needed way.

If I send a "checksum" request to UCS, what's the value of "ap_req_checksum_type" and "kdc_req_checksum_type" in the client krb5.conf?

The list of "ap_req_checksum_type" and "kdc_req_checksum_type" values:

Value | Checksum type
---|---
1 | CRC32
2 | RSA MD4
3 | RSA MD4 DES
4 | DES CBC
7 | RSA MD5
8 | RSA MD5 DES
9 | NIST SHA
12 | HMAC SHA1 DES3
-138 | Microsoft MD5 HMAC checksum type
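Problem 1) from the description, together with the [MS-ADTS] 6.3.3.2 rule IT man cites in comment #5, as an added Python example; this is not code from UCS, Samba, Heimdal or the bug report. It parses the two CLDAP ping filter shapes quoted in the description, decodes the little-endian NtVer value, and selects the NETLOGON response structure, treating a missing NtVer as the NT40 case rather than as an error. The NETLOGON_NT_VERSION flag values are taken from the MS-ADTS specification (the page only shows 06:00:00:00); the domain example.test and the filters with escaped values are constructed sample input.

```python
import re
import struct

# NETLOGON_NT_VERSION flag bits from [MS-ADTS] 6.3.1.1. Taken from the
# specification, not from the bug report, which only shows the value
# 06:00:00:00 (little-endian 0x00000006 = VERSION_5 | VERSION_5EX).
NT_VERSION_FLAGS = {
    "NETLOGON_NT_VERSION_1": 0x00000001,
    "NETLOGON_NT_VERSION_5": 0x00000002,
    "NETLOGON_NT_VERSION_5EX": 0x00000004,
    "NETLOGON_NT_VERSION_5EX_WITH_IP": 0x00000008,
    "NETLOGON_NT_VERSION_WITH_CLOSEST_SITE": 0x00000010,
    "NETLOGON_NT_VERSION_AVOID_NT4EMUL": 0x01000000,
    "NETLOGON_NT_VERSION_PDC": 0x10000000,
    "NETLOGON_NT_VERSION_IP": 0x20000000,
    "NETLOGON_NT_VERSION_LOCAL": 0x40000000,
    "NETLOGON_NT_VERSION_GC": 0x80000000,
}

# One (attribute=value) element of an LDAP filter. Binary values arrive as
# backslash-hex escapes on the wire; the report shows them as 06:00:00:00.
_ELEMENT = re.compile(r"\(([A-Za-z][A-Za-z0-9]*)=((?:\\[0-9A-Fa-f]{2}|[^()\\])*)\)")


def parse_ping_filter(ldap_filter):
    """Return {attribute (lower-cased): raw value} for the equality elements
    of a CLDAP ping filter, ignoring the surrounding (&...) conjunction."""
    elements = _ELEMENT.findall(ldap_filter)
    if not elements:
        raise ValueError("no (attr=value) elements in filter: %r" % ldap_filter)
    return {name.lower(): value for name, value in elements}


def decode_ntver(raw):
    """Decode the 4-byte little-endian NtVer value. Accepts the colon-separated
    hex display used in the report and the backslash-hex LDAP encoding. A
    missing value (None) decodes to 0, i.e. the client sent no NtVer at all."""
    if raw is None:
        return 0
    if re.fullmatch(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){3}", raw):
        data = bytes.fromhex(raw.replace(":", ""))
    elif re.fullmatch(r"(\\[0-9A-Fa-f]{2}){4}", raw):
        data = bytes.fromhex(raw.replace("\\", ""))
    else:
        raise ValueError("NtVer is not a 4-byte binary value: %r" % raw)
    return struct.unpack("<I", data)[0]


def ntver_flag_names(ntver):
    """Names of the NETLOGON_NT_VERSION bits set in a decoded NtVer value."""
    return [name for name, bit in NT_VERSION_FLAGS.items() if ntver & bit]


def choose_response_structure(ldap_filter):
    """Pick the response structure as [MS-ADTS] 6.3.3.2 requires: no NtVer
    (or only NETLOGON_NT_VERSION_1) gets the NT40 structure instead of a
    failure, the 5EX variants get NETLOGON_SAM_LOGON_RESPONSE_EX, and
    NETLOGON_NT_VERSION_5 alone gets NETLOGON_SAM_LOGON_RESPONSE."""
    attrs = parse_ping_filter(ldap_filter)
    ntver = decode_ntver(attrs.get("ntver"))
    ex_bits = (NT_VERSION_FLAGS["NETLOGON_NT_VERSION_5EX"]
               | NT_VERSION_FLAGS["NETLOGON_NT_VERSION_5EX_WITH_IP"])
    if ntver & ex_bits:
        return "NETLOGON_SAM_LOGON_RESPONSE_EX"
    if ntver & NT_VERSION_FLAGS["NETLOGON_NT_VERSION_5"]:
        return "NETLOGON_SAM_LOGON_RESPONSE"
    return "NETLOGON_SAM_LOGON_RESPONSE_NT40"


if __name__ == "__main__":
    # Constructed sample filters: the storage system's ping without NtVer and
    # the Windows-style ping with NtVer, both in the shape quoted in the report.
    for f in ("(DnsDomain=example.test)",
              "(&(DnsDomain=example.test)(Ntver=06:00:00:00))"):
        attrs = parse_ping_filter(f)
        flags = ntver_flag_names(decode_ntver(attrs.get("ntver")))
        print(f, "->", choose_response_structure(f), flags)
```

The point of the selection function is the first branch that is not taken: a ping that carries no NtVer still gets a well-formed answer (the NT40 structure), which is what the storage system expected and what the patched UCS now returns.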