Failed to parse SPNEGO request

Question

So I wanted to experiment with this smbprotocol in local docker (compose) network controlled environment and in all my attempts, I've been able to solve a lot of issues that always seem to return me to this issue. Here is my smb.conf:

[global]
workgroup = WORKGROUP
server string = Docker Samba Server
; server role = standalone server
server services = -dns, -nbt
server signing = default
server multi channel support = yes

log level = 5
;log file = /usr/local/samba/var/log.%m
;max log size = 50

hosts allow = 127.0.0.0/8 172.41.0.0/16
hosts deny = 0.0.0.0/0

security = domain
name resolve order = dns wins bcast
realm = EXAMPLE.COM
encrypt passwords = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
; security = user
guest account = nobody
pam password change = yes
map to guest = bad user
usershare allow guests = yes

create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
follow symlinks = yes
wide links = yes
unix extensions = no

printing = bsd
printcap name = /dev/null
disable spoolss = yes
disable netbios = yes
smb ports = 445

client ipc min protocol = default
client ipc max protocol = default

;wins support = yes
;wins server = w.x.y.z
;wins proxy = yes
dns proxy = no
socket options = TCP_NODELAY
strict locking = no
local master = no

winbind scan trusted domains = yes

vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:time machine = yes

force user = root
force group = root

[shared]
path = /shared/tests
browsable = yes
read only = no
guest ok = no
valid users = tester
write list = tester
veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes

As for my kdc server, here's the script that sets it up:

#!/usr/bin/env bash

set -e -u

KDC_ADMIN_SERVER=$(hostname -f)
KADMIN_PRINCIPAL_FULL=$KADMIN_PRINCIPAL@$REALM

## Configure kerberos
tee /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc_ports = 88,750
        kadmind_port = 749
        kdc = $KDC_ADMIN_SERVER
        admin_server = $KDC_ADMIN_SERVER
    }
EOF

## Configure kerberos kdc
tee /etc/krb5kdc/kdc.conf <<EOF
[realms]
    $REALM = {
        acl_file = /etc/krb5kdc/kadm5.acl
        max_renewable_life = 7d 0h 0m 0s
        supported_enctypes = aes256-cts-hmac-sha1-96:normal
        default_principal_flags = +preauth
    }
EOF

## Configure default krb acl
tee /etc/krb5kdc/kadm5.acl <<EOF
$KADMIN_PRINCIPAL_FULL *
noPermissions@$REALM X
EOF

# Default realm
MASTER_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1)
# This command also starts the krb5-kdc and krb5-admin-server services
krb5_newrealm <<EOF
$MASTER_PASSWORD
$MASTER_PASSWORD
EOF

# KADMIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1)

kadmin.local -q "delprinc --force $KADMIN_PRINCIPAL_FULL"
kadmin.local -q "addprinc -pw $KADMIN_PASSWORD $KADMIN_PRINCIPAL_FULL"

kadmin.local -q "delprinc --force noPermissions@$REALM"
kadmin.local -q "addprinc -pw $KADMIN_PASSWORD noPermissions@$REALM"

kadmin.local -q "addprinc -randkey host/krb5-samba@$REALM"
kadmin.local -q "ktadd -k /secrets/sshserver.keytab host/krb5-samba@$REALM"

kadmin.local -q "addprinc -randkey cifs/krb5-samba@$REALM"
kadmin.local -q "ktadd -k /secrets/cifsserver.keytab -e rc4-hmac:normal cifs/krb5-samba@$REALM"

kadmin.local -q "addprinc -randkey tester"
kadmin.local -q "ktadd -k /secrets/sshuser.keytab tester@$REALM"

# 127.0.0.1   krb5-samba
cat >> /etc/hosts <<EOL
172.41.0.2      krb5-samba
EOL

krb5kdc
kadmind -nofork

My smb server is setup this way:

#!/usr/bin/env bash

set -e -u

tee /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = TRUE
[realms]
    EXAMPLE.COM = {
        kdc_ports = 88
        kadmind_port = 749
        kdc = kdc-server
        admin_server = kdc-server
    }
[domain_realm]
    kdc-server = EXAMPLE.COM
EOF

testparm -s

id -g 1000 &> /dev/null || id -gn testing &> /dev/null || groupadd --gid 1000 --system testing

id -u 1100 &> /dev/null || id -un tester &> /dev/null || useradd --system --uid 1100 -g testing tester

smbpasswd -a -s tester <<EOF
pa$$w0rd1
pa$$w0rd1
EOF

# 127.0.0.1   kdc-server
cat >> /etc/hosts <<EOL
172.41.0.1  kdc-server
EOL

chown root:root /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab

/usr/sbin/sshd

exec "$@"

I use docker volumes to map the created cifsserver.keytab from the kdc to the smb server.

Then I have a separate container hosting the python script using the package. I'm able to get a tgt ticket using the sshuser.keytab.

I've tried using mount -t cifs -o user=tester,sec=krb5 ... to mount the shared directory and that just never seems to work (always returns 'operation not supported(95)'. I've been on this for a couple of weeks now and I really need help here.

I'm not seeing the part where you're actually using `smbprotocol`? Is it smbprotocol or is it Samba that's showing you the "failed to parse" error? And I have to ask, also, why are you specifying `-e rc4-hmac:normal` for the cifs service? (How old of a Samba installation are you setting up if you need rc4?) — user1686, Jun 05 '23 at 05:02
The error is from the Samba logs. I read about the `-e` flag [here](https://help.ubuntu.com/community/Samba/Kerberos) — toonday, Jun 05 '23 at 06:53
That's a _very_ obsolete article; support for AES (the default) has been available in both Samba and Linux+cifs-utils for years now. I also noticed you have `security = domain`; is there actually an WinNT4 domain set up anywhere? If this is a standalone system, neither 'domain' nor 'ADS' parameters should be used. — user1686, Jun 05 '23 at 08:03
But on that note, if the Samba server is standalone, can you try setting the `+no_auth_data_required` flag on your cifs/ principal? (You'll need to kdestroy old tickets on the client for the changes to fully take effect.) This tells the KDC to not attach a PAC to the ticket. — user1686, Jun 05 '23 at 08:05
I must've forgotten to revert that, the `security` is actually `ads` because I do have the kdc different from the samba server. — toonday, Jun 05 '23 at 09:04
I'm actually now getting this error `fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(WORKGROUP) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO` with a warning on my `/etc/hosts` file. I have the kdc configured there as `172.41.0.1 kdc-server`. I'm not sure why that is failing. — toonday, Jun 05 '23 at 09:06
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/146478/discussion-between-toonday-and-user1686). — toonday, Jun 05 '23 at 10:15
A plain MIT Kerberos KDC is **not** `security = ads`, because a KDC is not enough to make an AD domain controller. Can you try again with the default security mode instead? — user1686, Jun 05 '23 at 10:29

Failed to parse SPNEGO request

0 Answers0