Good day. A domain controller for alt-samba.loc has been deployed.

100.100.0.4 - dc04.alt-samba.loc
100.100.0.5 - dc02.alt-samba.loc

kinit admin@ALT-SAMBA.LOC succeeds. But when I try to run "ldapsearch -b dc=alt-samba,dc=loc -h dc02.alt-samba.loc" using GSSAPI, I get the error "ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)".

There are also problems registering a DNS record for a workstation being joined to the domain. It is also impossible to connect to the DNS server with the RSAT snap-in.

However, if I create the reverse zone 0.100.100.in-addr.arpa and create a record for this domain controller in it,

samba-tool dns add $(hostname) 0.100.100.in-addr.arpa 5 PTR dc02.alt-samba.loc -P

the error goes away.

How to reproduce.

1. Deploy two domain controllers according to the ALT Wiki: https://www.altlinux.org/ActiveDirectory/DC#Создание_нового_домена

2. On any client in the domain, or from the first DC, connect to LDAP using GSSAPI, having first obtained a Kerberos ticket and enabled KRB5 debugging.

kinit admin@ALT-SAMBA.LOC
export KRB5_TRACE=/dev/stdout
ldapsearch -b dc=alt-samba,dc=loc -h dc02.alt-samba.loc

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
byv@ALT-SAMBA.LOC -> ldap/100.100.0.5@ using ccache FILE:/tmp/krb5cc_0
[328102] 1719151448.681897: Retrieving admin@ALT-SAMBA.LOC -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[328102] 1719151448.681898: Retrieving admin@ALT-SAMBA.LOC -> ldap/100.100.0.5@ from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[328102] 1719151448.681899: Retrying admin@ALT-SAMBA.LOC -> ldap/100.100.0.5@ALT-SAMBA.LOC with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[328102] 1719151448.681900: Server has referral realm; starting with ldap/100.100.0.5@ALT-SAMBA.LOC
[328102] 1719151448.681901: Retrieving admin@ALT-SAMBA.LOC -> krbtgt/ALT-SAMBA.LOC@ALT-SAMBA.LOC from FILE:/tmp/krb5cc_0 with result: 0/Success
[328102] 1719151448.681902: Starting with TGT for client realm: admin@ALT-SAMBA.LOC -> krbtgt/ALT-SAMBA.LOC@ALT-SAMBA.LOC
[328102] 1719151448.681903: Requesting tickets for ldap/100.100.0.5@ALT-SAMBA.LOC, referrals on
[328102] 1719151448.681904: Generated subkey for TGS request: aes256-cts/F3C0
[328102] 1719151448.681905: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[328102] 1719151448.681907: Encoding request body and padata into FAST request
[328102] 1719151448.681908: Sending request (1733 bytes) to ALT-SAMBA.LOC
[328102] 1719151448.681909: Sending DNS URI query for _kerberos.ALT-SAMBA.LOC.
[328102] 1719151448.681910: No URI records found
[328102] 1719151448.681911: Sending DNS SRV query for _kerberos._udp.ALT-SAMBA.LOC.
[328102] 1719151448.681912: SRV answer: 0 100 88 "dc01.alt-samba.loc."
[328102] 1719151448.681913: SRV answer: 0 100 88 "dc02.alt-samba.loc."
[328102] 1719151448.681914: Sending DNS SRV query for _kerberos._tcp.ALT-SAMBA.LOC.
[328102] 1719151448.681915: SRV answer: 0 100 88 "dc02.alt-samba.loc."
[328102] 1719151448.681916: SRV answer: 0 100 88 "dc01.alt-samba.loc."
[328102] 1719151448.681917: Resolving hostname dc01.alt-samba.loc.
[328102] 1719151448.681918: Resolving hostname dc02.alt-samba.loc.
[328102] 1719151448.681919: Resolving hostname dc02.alt-samba.loc.
[328102] 1719151448.681920: Initiating TCP connection to stream 100.100.0.5:88
[328102] 1719151448.681921: Sending TCP request to stream 100.100.0.5:88
[328102] 1719151448.681922: Received answer (392 bytes) from stream 100.100.0.5:88
[328102] 1719151448.681923: Terminating TCP connection to stream 100.100.0.5:88
[328102] 1719151448.681924: Sending DNS URI query for _kerberos.ALT-SAMBA.LOC.
[328102] 1719151448.681925: No URI records found
[328102] 1719151448.681926: Sending DNS SRV query for _kerberos-master._tcp.ALT-SAMBA.LOC.
[328102] 1719151448.681927: No SRV records found
[328102] 1719151448.681928: Response was not from primary KDC
[328102] 1719151448.681929: Decoding FAST response
[328102] 1719151448.681930: TGS request result: -1765328377/Server not found in Kerberos database
[328102] 1719151448.681931: Requesting tickets for ldap/100.100.0.5@ALT-SAMBA.LOC, referrals off
[328102] 1719151448.681932: Generated subkey for TGS request: aes256-cts/A90F
[328102] 1719151448.681933: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[328102] 1719151448.681935: Encoding request body and padata into FAST request
[328102] 1719151448.681936: Sending request (1733 bytes) to ALT-SAMBA.LOC
[328102] 1719151448.681937: Sending DNS URI query for _kerberos.ALT-SAMBA.LOC.
[328102] 1719151448.681938: No URI records found
[328102] 1719151448.681939: Sending DNS SRV query for _kerberos._udp.ALT-SAMBA.LOC.
[328102] 1719151448.681940: SRV answer: 0 100 88 "dc02.alt-samba.loc."
[328102] 1719151448.681941: SRV answer: 0 100 88 "dc01.alt-samba.loc."
[328102] 1719151448.681942: Sending DNS SRV query for _kerberos._tcp.ALT-SAMBA.LOC.
[328102] 1719151448.681943: SRV answer: 0 100 88 "dc01.alt-samba.loc."
[328102] 1719151448.681944: SRV answer: 0 100 88 "dc02.alt-samba.loc."
[328102] 1719151448.681945: Resolving hostname dc02.alt-samba.loc.
[328102] 1719151448.681946: Resolving hostname dc01.alt-samba.loc.
[328102] 1719151448.681947: Resolving hostname dc01.alt-samba.loc.
[328102] 1719151448.681948: Initiating TCP connection to stream 100.100.0.4:88
[328102] 1719151448.681949: Sending TCP request to stream 100.100.0.4:88
[328102] 1719151448.681950: Received answer (392 bytes) from stream 100.100.0.4:88
[328102] 1719151448.681951: Terminating TCP connection to stream 100.100.0.4:88
[328102] 1719151448.681952: Sending DNS URI query for _kerberos.ALT-SAMBA.LOC.
[328102] 1719151448.681953: No URI records found
[328102] 1719151448.681954: Sending DNS SRV query for _kerberos-master._tcp.ALT-SAMBA.LOC.
[328102] 1719151448.681955: No SRV records found
[328102] 1719151448.681956: Response was not from primary KDC
[328102] 1719151448.681957: Decoding FAST response
[328102] 1719151448.681958: TGS request result: -1765328377/Server not found in Kerberos database

3. Create a reverse zone for the domain controllers' network and create a PTR record for the DC in it:

samba-tool dns add $(hostname) 0.100.100.in-addr.arpa 5 PTR dc02.alt-samba.loc -P

Run the LDAP connection again:

export KRB5_TRACE=/dev/stdout
ldapsearch -b dc=alt-samba,dc=loc -h dc02.alt-samba.loc

SASL username: admin@ALT-SAMBA.LOC
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=arm,dc=loc> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# ...

The connection works.

Reproduction of the error was checked on the following Samba versions: 4.10.14, 4.16.11, 4.19.4, 4.19.6
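The trace above shows the client asking the KDC for ldap/100.100.0.5@ALT-SAMBA.LOC even though ldapsearch was given the host name: libldap connects to the resolved address and then reverse-resolves the peer address (getnameinfo) to canonicalize the SASL host name, and when no PTR record exists it falls back to the numeric literal, which no domain controller has registered as a servicePrincipalName. The following is an added illustration, not code from the report or from Samba or OpenLDAP; it models that canonicalization step with constructed forward and reverse zone data and a constructed SPN list (the names in it are assumptions taken from the report) so the three outcomes can be compared offline: no reverse zone, a PTR added as in step 3, and reverse-lookup canonicalization switched off on the client.

```python
"""Model of SASL/GSSAPI service-principal selection for an LDAP bind.

Added example, not from the bug report. Zone contents, the SPN list and the
realm below are constructed assumptions that mirror the report's setup.
"""
import ipaddress
from dataclasses import dataclass, field

REALM = "ALT-SAMBA.LOC"

# Constructed forward zone for alt-samba.loc (assumption: both DCs resolve).
FORWARD = {
    "dc01.alt-samba.loc": "100.100.0.4",
    "dc02.alt-samba.loc": "100.100.0.5",
}

# Constructed servicePrincipalName set as the KDC would see it for the DCs.
# A real DC also carries host/, cifs/, and GUID-based SPNs; irrelevant here.
KDC_SPNS = {"ldap/dc01.alt-samba.loc", "ldap/dc02.alt-samba.loc"}

# The exact KDC error text from the trace, returned instead of a ticket.
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = "Server not found in Kerberos database"


@dataclass
class Resolver:
    """Tiny stand-in for the system resolver: A records and PTR records."""
    forward: dict = field(default_factory=dict)   # name -> IPv4 literal
    reverse: dict = field(default_factory=dict)   # IPv4 literal -> PTR name

    def lookup(self, host: str) -> str:
        """getaddrinfo(): a literal passes through, a name needs an A record."""
        if host in self.forward:
            return self.forward[host]
        try:
            ipaddress.IPv4Address(host)
            return host
        except ipaddress.AddressValueError:
            raise LookupError(f"no A record for {host}") from None

    def canonical_host(self, ip: str) -> str:
        """getnameinfo() without NI_NAMEREQD: the PTR name if present, else
        the numeric literal (this fallback is the failure mode in the report)."""
        return self.reverse.get(ip, ip)


def sasl_service_principal(host: str, resolver: Resolver, canonicalize: bool = True) -> str:
    """The principal the GSSAPI client asks the KDC for: ldap/<host>@REALM.

    canonicalize=True models libldap's default (reverse DNS on the peer
    address); canonicalize=False models `ldapsearch -N` / SASL_NOCANON on,
    which keeps the host name the user typed.
    """
    ip = resolver.lookup(host)
    name = resolver.canonical_host(ip) if canonicalize else host
    return f"ldap/{name.rstrip('.')}@{REALM}"


def tgs_request(spn: str, kdc_spns: set) -> str:
    """KDC side: issue a ticket only if service/host is a registered SPN.
    Host part is compared case-insensitively, as AD-style KDCs do."""
    service = spn.rsplit("@", 1)[0].lower()
    registered = {s.lower() for s in kdc_spns}
    return "ticket issued" if service in registered else KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


def diagnose(host: str, resolver: Resolver, canonicalize: bool = True) -> dict:
    """Run the client and KDC halves and return what each side decided."""
    spn = sasl_service_principal(host, resolver, canonicalize)
    return {"spn": spn, "result": tgs_request(spn, KDC_SPNS)}


if __name__ == "__main__":
    # Scenario 1: no reverse zone at all, as in step 2 of the report.
    no_ptr = Resolver(forward=FORWARD)
    print("no PTR        :", diagnose("dc02.alt-samba.loc", no_ptr))
    # Scenario 2: PTR for 100.100.0.5 added, as in step 3 of the report.
    with_ptr = Resolver(forward=FORWARD, reverse={"100.100.0.5": "dc02.alt-samba.loc"})
    print("PTR present   :", diagnose("dc02.alt-samba.loc", with_ptr))
    # Scenario 3: no PTR, but client-side canonicalization disabled.
    print("no canon (-N) :", diagnose("dc02.alt-samba.loc", no_ptr, canonicalize=False))
```

On a real host the same two questions are answered by `dig -x 100.100.0.5` (does a PTR exist and what does it say) and `kvno ldap/dc02.alt-samba.loc` after `kinit` (does the KDC know the name-based SPN at all); `samba-tool spn list 'DC02$'` shows what the DC has registered. If adding the reverse zone is not desired, `ldapsearch -N` or `SASL_NOCANON on` in ldap.conf stops libldap from reverse-resolving the peer address, which is the other way to keep the requested principal equal to the typed host name. Either way, the mismatch in the trace (a name-based SPN on the KDC, an address-based SPN in the request) is what to look for first.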