Bug 39522

Summary: Kerberos based authentication for LDAP queries not working with non-Samba-AD-DCs
Product: UCS
Reporter: Michael Grandjean <grandjean>
Component: S4 Connector
Assignee: Samba maintainers <samba-maintainers>
Status: RESOLVED WONTFIX
QA Contact:
Severity: normal
Priority: P5
CC: andree.hingst, C.Herrmann, gohmann, hahn, requate, stephan.hendl
Version: UCS 4.0
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=45904
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.017
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2015100821000515, 2018010221000341
Bug group (optional):
Max CVSS v3 score:

Description Michael Grandjean univentionstaff 2015-10-13 21:21:12 CEST
Currently it's not possible to search the LDAP directory of a UCS domain controller that is not a Samba AD DC (if there are other UCS Samba AD DCs present in the domain) using a valid Kerberos ticket.

Setup:
1x DC Master as Samba AD DC
1x DC Slave without Samba AD (e.g. Groupware)

On the DC Slave execute the following as a domain user:

> michael@ucssl03:~$ kinit
> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL


Observed behaviour:

> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Matching credential (ldap/ucssl03.mgrandje.local@MGRANDJE.LOCAL) not found)


Expected behaviour:

> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL
> SASL/GSSAPI authentication started
> SASL username: michael@MGRANDJE.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=michael,cn=users,dc=mgrandje,dc=local


Additional information:

This is working if:
- the queried LDAP server is also a Samba AD DC
- the queried LDAP server is not a Samba AD DC and there is no Samba AD DC at all in the domain

This is failing if:
- the queried LDAP server is not a Samba AD DC but there is at least one Samba AD DC in the domain
Comment 1 Michael Grandjean univentionstaff 2015-10-14 09:06:24 CEST
see also 2015100821000515
Comment 2 Stefan Gohmann univentionstaff 2015-10-22 08:22:24 CEST
I guess it is a duplicate of Bug #32079.

*** This bug has been marked as a duplicate of bug 32079 ***
Comment 3 Arvid Requate univentionstaff 2018-01-04 15:24:04 CET
Changing Component tag to S4-Connector, because we would need to adjust the S4-Connector to sync non-Samba UCS DCs as simple Windows member servers into the Samba/AD LDAP to fix this.
Comment 4 Philipp Hahn univentionstaff 2018-04-21 10:45:23 CEST
# udm kerberos/kdcentry list | sed -ne '/ldap/s/^DN: //p'
krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa

# kinit Administrator

# ldapwhoami -Y GSSAPI -H ldap://ma43.phahn.qa:7389
dn:uid=administrator,cn=users,dc=phahn,dc=qa
# klist
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@PHAHN.QA

# ldapwhoami -Y GSSAPI -H ldap://sla33.phahn.qa:7389
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
# klist
-


This issue is also a blocker for setting up NFS with Kerberos in S4 environments: <https://help.univention.com/t/nfs4-export/3127/11>
The work-around is to create SPN entries manually in S4 using samba-tool on the command line - see the linked thread for details.
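Added example (not part of this bug report and not UCS or Samba code): a small POSIX shell script that does the comparison Comment 4 performs by hand. It lists the ldap/ principals the UCS KDC knows about (the `udm kerberos/kdcentry list` output format shown above), lists the ldap/ servicePrincipalName values present in the Samba/AD SAM, and prints a `samba-tool spn add` command for every principal the Samba KDC is missing, which is the manual work-around described above. Assumptions not taken from the page: the Samba side is read with `ldbsearch -H /var/lib/samba/private/sam.ldb`, which prints one `servicePrincipalName: ...` line per value, and each non-Samba DC already has a computer account in Samba named `<hostname>$` to attach the SPN to. The two sample outputs are constructed for the example, using the host names from Comment 4.

```shell
#!/bin/sh
# Added example, not from the bug report or UCS: find ldap/ service principals
# that exist in the UCS KDC but not as SPNs in the Samba/AD SAM, and print the
# samba-tool work-around for each one.
#
# Assumptions (not from the page): Samba SPNs are read with
#   ldbsearch -H /var/lib/samba/private/sam.ldb 'servicePrincipalName=ldap/*' servicePrincipalName
# and the account carrying the SPN is the computer account <hostname>$.

# ucs_ldap_spns: stdin = `udm kerberos/kdcentry list` output,
# stdout = sorted ldap/<fqdn> principals without the realm suffix.
ucs_ldap_spns() {
    sed -ne 's|^DN: krb5PrincipalName=\(ldap/[^@,]*\)@[^,]*,.*|\1|p' | sort -u
}

# samba_ldap_spns: stdin = ldbsearch output, stdout = sorted ldap/ SPNs.
samba_ldap_spns() {
    sed -ne 's|^servicePrincipalName: \(ldap/.*\)$|\1|p' | sort -u
}

# missing_spns UCS_LIST SAMBA_LIST: principals in the first newline-separated
# list that are absent from the second (exact string comparison).
missing_spns() {
    ucs_tmp=$(mktemp); smb_tmp=$(mktemp)
    printf '%s\n' "$1" | grep -v '^$' | sort -u > "$ucs_tmp"
    printf '%s\n' "$2" | grep -v '^$' | sort -u > "$smb_tmp"
    comm -23 "$ucs_tmp" "$smb_tmp"
    rm -f "$ucs_tmp" "$smb_tmp"
}

# workaround_commands: stdin = missing principals, stdout = one
# `samba-tool spn add <spn> <host>$` line per principal (assumed account name).
workaround_commands() {
    while IFS= read -r spn; do
        host=${spn#ldap/}
        short=${host%%.*}
        printf 'samba-tool spn add %s %s$\n' "$spn" "$short"
    done
}

# report UDM_OUTPUT LDB_OUTPUT: glue the steps together.
report() {
    ucs_list=$(printf '%s\n' "$1" | ucs_ldap_spns)
    smb_list=$(printf '%s\n' "$2" | samba_ldap_spns)
    missing_spns "$ucs_list" "$smb_list" | workaround_commands
}

# Constructed sample data (not captured from a real system): the UCS KDC knows
# both DCs, Samba only carries SPNs for the Samba DC ma43.
SAMPLE_UDM='DN: krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
  krb5KeyVersionNumber: 1
DN: krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
  krb5KeyVersionNumber: 1'

SAMPLE_LDB='dn: CN=MA43,OU=Domain Controllers,DC=phahn,DC=qa
servicePrincipalName: HOST/ma43.phahn.qa
servicePrincipalName: ldap/ma43.phahn.qa
servicePrincipalName: ldap/ma43.phahn.qa/phahn.qa'

# On a real DC Master you would feed the two commands' output instead:
#   report "$(udm kerberos/kdcentry list)" \
#          "$(ldbsearch -H /var/lib/samba/private/sam.ldb 'servicePrincipalName=ldap/*' servicePrincipalName)"
report "$SAMPLE_UDM" "$SAMPLE_LDB"
```

Registering the SPN only makes the Samba KDC issue a service ticket for the name; that ticket is encrypted with the key of the Samba account the SPN is attached to, so the slave's slapd keytab must hold that same key or the GSSAPI bind still fails, with a different error than the one shown above.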
Comment 5 Stefan Gohmann univentionstaff 2019-01-03 07:17:25 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.