ocbMaurice Tux's lil' helper
Joined: 14 Feb 2003 Posts: 90 Location: Switzerland
Posted: Fri Oct 28, 2022 5:33 pm Post subject: Samba AD Kerberos issues with windows 22H2
With Windows Update 22H2 there were some changes which seem to trip up Samba AD.
I encountered the issue with Windows 11, but it seems Windows 10 will get that change too.
https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
Heimdal (the integrated Kerberos solution) seems to have already addressed that issue.
So currently the safest bet seems to be to use Samba 16.6 with integrated Heimdal Kerberos.
But I have no idea how to convert existing MIT Kerberos settings to integrated Heimdal.
https://github.com/heimdal/heimdal/issues/1011
Disclaimer: I'm using the x86 arch since my AMD G-T40E processor only has 2GB of RAM.
This might be related, and it is possible MIT Kerberos on amd64 already works!?
Unfortunately Gentoo seems to use the system MIT Kerberos by default.
With MIT Kerberos the issue can be seen in `/var/log/samba/mit_kdc.log`:
Quote: | ASN.1 failed call to system time library - while dispatching (tcp) |
To trigger this you can simply try `klist get 1` from a Windows domain member.
I couldn't find any bugs or other reports for MIT Kerberos in that regard.
So I have no idea when they will be able to provide a proper fix for it.
Therefore I tried to monkey patch it myself to get it working for now.
Note that this patch is in no way considered safe, although I don't see why not.
It adds another hardcoded timestamp which I assume means "max allowed".
Store the following as `mit-krb5-1.20.1-22h2.patch`:
Code: | --- src/lib/krb5/asn.1/asn1_encode.c 2022-10-28 19:23:09.546711506 +0200
+++ src/lib/krb5/asn.1/asn1_encode.c 2022-10-28 19:23:45.991516161 +0200
@@ -256,6 +256,14 @@
*time_out = 0;
return 0;
}
+ if (memcmp(s, "99990913024805Z", 15) == 0) {
+ *time_out = 0;
+ return 0;
+ }
+ if (memcmp(s, "21000913024805Z", 15) == 0) {
+ *time_out = 0;
+ return 0;
+ }
#define c2i(c) ((c) - '0')
for (i = 0; i < 14; ++i) {
if ((uint8_t)c2i(s[i]) > 9)
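Review bot: the two new branches at the top of this hunk special-case only the literal strings `99990913024805Z` and `21000913024805Z`, so any other GeneralizedTime the system time library cannot represent (on a 32-bit time_t, anything later than 2038-01-19 03:14:07 UTC) still fails further down in the same function; a more general fix would catch the failure of the time conversion that follows the `c2i` digit loop and saturate or map it there, instead of enumerating dates. Both branches also store `*time_out = 0`, the same sentinel the existing `19700101000000Z` case produces (its tail is the unchanged context at the start of the hunk), so every caller that treats 0 as "unset" or "no limit" will now see these far-future stamps that way; if that is the intended "max allowed" meaning, a comment above the two branches saying so, and why these two particular dates, would help the next reader. Minor: the 15-byte `memcmp` relies on the length already having been verified, as the existing epoch check it mirrors does, so keep the new branches after that check and not earlier in the function.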
|
Compile/Patch MIT Kerberos (adjust versions/paths if needed)
Code: | ebuild /var/db/repos/gentoo/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild unpack configure
cd /var/tmp/portage/app-crypt/mit-krb5-1.20.1/work/krb5-1.20.1
patch src/lib/krb5/asn.1/asn1_encode.c ~/mit-krb5-1.20.1-22h2.patch
ebuild /var/db/repos/gentoo/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild compile install qmerge
|
With this my Windows 11 host can again successfully get Kerberos tickets.
Again, I don't know the exact implications of this patch, so apply at your own risk.
And if anyone knows a better fix or approach, feel free to add it here.
Hope this info is useful for some Samba AD admins.
Last edited by ocbMaurice on Fri Mar 17, 2023 9:18 am; edited 1 time in total
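The following is an added example written for this thread, not code from the post above and not MIT krb5's own decoder. It re-implements the DER GeneralizedTime form Kerberos uses ("YYYYMMDDhhmmssZ", always UTC) in plain int64 arithmetic, so the failure a 32-bit KDC hits can be reproduced on any host by asking for a 32-bit time_t; the `bits` parameter, the `days_from_civil` conversion, the clamping alternative and the four sample timestamps (including the two dates the patch special-cases) are all choices of this example. Real krb5 goes through `krb5int_gmt_mktime()` and reports the "failed call to system time library" error when that conversion fails.

```c
/* Added example for this thread: stand-alone GeneralizedTime decoding with an
 * explicit time_t width, NOT MIT krb5 code. Sample inputs are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { GT_OK = 0, GT_BAD_LENGTH, GT_BAD_FORMAT, GT_OUT_OF_RANGE };

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int days_in_month(int y, int m)
{
    static const int dm[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return dm[m - 1] + (m == 2 && leap);
}

/* Parse n ASCII digits at s; -1 if any byte is not a digit. */
static int digits(const char *s, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Decode "YYYYMMDDhhmmssZ" to seconds since the epoch in 64 bits. */
int gt_decode64(const char *s, size_t len, int64_t *out)
{
    if (len != 15)
        return GT_BAD_LENGTH;
    if (s[14] != 'Z')
        return GT_BAD_FORMAT;
    int y = digits(s, 4), mo = digits(s + 4, 2), d = digits(s + 6, 2);
    int h = digits(s + 8, 2), mi = digits(s + 10, 2), sec = digits(s + 12, 2);
    if (y < 0 || mo < 1 || mo > 12 || d < 1 || h < 0 || h > 23 ||
        mi < 0 || mi > 59 || sec < 0 || sec > 59 || d > days_in_month(y, mo))
        return GT_BAD_FORMAT;
    *out = days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
    return GT_OK;
}

static int64_t time_t_max(int bits)
{
    return bits >= 64 ? INT64_MAX : (((int64_t)1 << (bits - 1)) - 1);
}

/* Emulate decoding into a signed time_t of `bits` width: with bits=32 this is
 * where a 32-bit KDC fails for anything after 2038-01-19 03:14:07 UTC. */
int gt_decode_time_t(const char *s, size_t len, int bits, int64_t *out)
{
    int64_t v;
    int rc = gt_decode64(s, len, &v);
    if (rc != GT_OK)
        return rc;
    if (v > time_t_max(bits))
        return GT_OUT_OF_RANGE;
    *out = v;
    return GT_OK;
}

/* Alternative to matching individual date strings: saturate anything the
 * target time_t cannot hold to its maximum ("as far ahead as representable"). */
int gt_decode_clamped(const char *s, size_t len, int bits, int64_t *out)
{
    int rc = gt_decode_time_t(s, len, bits, out);
    if (rc == GT_OUT_OF_RANGE) {
        *out = time_t_max(bits);
        return GT_OK;
    }
    return rc;
}

/* Convenience: decoded value, or `fallback` on any error. */
int64_t gt_value_or(const char *s, size_t len, int bits, int64_t fallback)
{
    int64_t v;
    return gt_decode_time_t(s, len, bits, &v) == GT_OK ? v : fallback;
}

int main(void)
{
    /* Constructed samples: epoch, the 32-bit time_t limit, and the two
     * far-future stamps the patch above maps to 0. */
    const char *samples[] = { "19700101000000Z", "20380119031407Z",
                              "21000913024805Z", "99990913024805Z" };
    for (size_t i = 0; i < 4; i++) {
        int64_t v64 = 0, vc = 0;
        int rc64 = gt_decode_time_t(samples[i], 15, 64, &v64);
        int rc32 = gt_decode_time_t(samples[i], 15, 32, &vc);
        gt_decode_clamped(samples[i], 15, 32, &vc);
        printf("%s 64-bit rc=%d %lld | 32-bit rc=%d%s | clamped32 %lld\n",
               samples[i], rc64, (long long)v64, rc32,
               rc32 == GT_OUT_OF_RANGE ? " (out of range)" : "", (long long)vc);
    }
    return 0;
}
```

Running it shows the two dates from the patch decoding fine into a 64-bit value but rejected for a 32-bit one, which is consistent with the x86-only observation in the post; the clamped variant is one way to handle the whole class of dates past 2038 without listing them.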
mrhe n00b
Joined: 07 Aug 2012 Posts: 38 Location: Kraków
Posted: Fri Nov 11, 2022 10:26 am Post subject:
Hi
When will the new samba 4.17.2 be added to the portage tree?
Will that solve the problem with 22H2?
I have the same issue with samba 4.15.9 from the portage tree.
I have problems adding to the domain after 22h2 and some reports about access to shares after 22h2.
I'll try to use this patch and let you know.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Fri Nov 11, 2022 1:13 pm Post subject:
That is a question for the Gentoo Samba maintainers, who may not be reading this thread. I do not see any open Gentoo bugs requesting a bump to the 4.17.x series.
christoph_peter_s Tux's lil' helper
Joined: 30 Nov 2015 Posts: 106
Posted: Sun Dec 11, 2022 1:07 am Post subject:
I just would like to add that there is an old but nasty bug in Samba on 32-bit systems. It hit me with my Raspi-based Domain Controllers...
So when you intend to run a recent Samba on a 32-bit OS, you should have a look at this Samba bug:
https://bugzilla.samba.org/show_bug.cgi?id=15110
I don't know whether the last Gentoo-supplied version already contains the patch. I had big issues with 4.16.7, so I upgraded to 4.17.2 and added the patch from the Samba 15110 bug. This is not including the security patch that messed around with the Kerberos problem. Later I found a DNS issue (a misconfiguration of mine, everything OK from the Gentoo side), so I am not sure whether 4.17.3 would run smoothly.
I also would appreciate it if Gentoo used more cordial manners within their dev team, as the long-term lead of the Samba team has been forced out. This is definitely not a plus for Gentoo... Gentoo is already a small distribution, so every avoidable loss of contribution really hurts.
Best regards
Peter
PS:
Samba on 32-bit systems is not too easy these days...
https://bugzilla.samba.org/show_bug.cgi?id=15203
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Sun Dec 11, 2022 1:53 am Post subject:
christoph_peter_s wrote: | I also would appreciate, if Gentoo used more cordial manners within their dev team, as the long term lead of the Samba team had been forced out. | For those who wish to read more on this, do you have a citation for when and where this happened?
christoph_peter_s Tux's lil' helper
Joined: 30 Nov 2015 Posts: 106
Posted: Sun Dec 11, 2022 1:47 pm Post subject:
I am reluctant to point to details, as I have read only the statements from one side.
But what I can openly do is talk about the state of the samba package one or two years ago.
Some of you may still remember that the now-retired developer polynomial-c always kept the package perfectly up to date. Even the release candidates typically appeared in the Gentoo repo one or two weeks after being officially released by the Samba team. This was the one side. The other was this: I operate a small Samba domain for my at-home stuff on a small bunch of Raspberry Pi based DCs and a rather powerful file server. Especially the arm32 architecture causes one or the other problem from time to time. And here I got very good support from Lars a.k.a. polynomial-c. I remember well the private communication with him when Samba started using io_uring, which at first wasn't available for the arm32 architecture. And he worked to fix this.
What I want to say: I am very sad that Lars polynomial-c left the Gentoo team.
For those who want to know more about this, I can just recommend googling for polynomial-c's Gentoo blog. There you find his version of why and how he left Gentoo.
Best regards
Peter
mrhe n00b
Joined: 07 Aug 2012 Posts: 38 Location: Kraków
Posted: Wed Dec 21, 2022 11:55 am Post subject:
Hello,
I can confirm that I have problems with clients on W11/W10 with 22H2 logging in to the domain and adding new hosts to the samba domain with version 4.15.12-r2.
To solve this I was forced to use 4.16.7-r2, but it's still not stable in portage.
I have a local domain with 200 clients, so that's a bit important to me.
Now clients can log in to shares and I can add new hosts to the domain.
But I don't like to use an unstable package in production.
Best regards
Rafal