
Failed to parse SPNEGO request

So I wanted to experiment with the smbprotocol package in a local, controlled Docker (Compose) network environment, and in all my attempts I've been able to solve a lot of issues that always seem to bring me back to this one. Here is my smb.conf:

[global]
workgroup = WORKGROUP
server string = Docker Samba Server
; server role = standalone server
server services = -dns, -nbt
server signing = default
server multi channel support = yes

log level = 5
;log file = /usr/local/samba/var/log.%m
;max log size = 50

hosts allow = 127.0.0.0/8 172.41.0.0/16
hosts deny = 0.0.0.0/0

security = domain
name resolve order = dns wins bcast
realm = EXAMPLE.COM
encrypt passwords = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
; security = user
guest account = nobody
pam password change = yes
map to guest = bad user
usershare allow guests = yes

create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
follow symlinks = yes
wide links = yes
unix extensions = no

printing = bsd
printcap name = /dev/null
disable spoolss = yes
disable netbios = yes
smb ports = 445

client ipc min protocol = default
client ipc max protocol = default

;wins support = yes
;wins server = w.x.y.z
;wins proxy = yes
dns proxy = no
socket options = TCP_NODELAY
strict locking = no
local master = no

winbind scan trusted domains = yes

vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:time machine = yes

force user = root
force group = root

[shared]
path = /shared/tests
browsable = yes
read only = no
guest ok = no
valid users = tester
write list = tester
veto files = /._*/.apdisk/.AppleDouble/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes

As for my KDC server, here's the script that sets it up:

#!/usr/bin/env bash

set -e -u

# REALM, KADMIN_PRINCIPAL and KADMIN_PASSWORD must be supplied by the environment
# (with set -u the script aborts on the first unset one).
KDC_ADMIN_SERVER=$(hostname -f)
KADMIN_PRINCIPAL_FULL=$KADMIN_PRINCIPAL@$REALM

## Configure kerberos
tee /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc_ports = 88,750
        kadmind_port = 749
        kdc = $KDC_ADMIN_SERVER
        admin_server = $KDC_ADMIN_SERVER
    }
EOF

## Configure kerberos kdc
tee /etc/krb5kdc/kdc.conf <<EOF
[realms]
    $REALM = {
        acl_file = /etc/krb5kdc/kadm5.acl
        max_renewable_life = 7d 0h 0m 0s
        supported_enctypes = aes256-cts-hmac-sha1-96:normal
        default_principal_flags = +preauth
    }
EOF

## Configure default krb acl
tee /etc/krb5kdc/kadm5.acl <<EOF
$KADMIN_PRINCIPAL_FULL *
noPermissions@$REALM X
EOF

# Default realm
MASTER_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1)
# This command also starts the krb5-kdc and krb5-admin-server services
krb5_newrealm <<EOF
$MASTER_PASSWORD
$MASTER_PASSWORD
EOF

# KADMIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1)

# MIT kadmin syntax is "delprinc [-force] principal" (single dash).
kadmin.local -q "delprinc -force $KADMIN_PRINCIPAL_FULL"
kadmin.local -q "addprinc -pw $KADMIN_PASSWORD $KADMIN_PRINCIPAL_FULL"

kadmin.local -q "delprinc -force noPermissions@$REALM"
kadmin.local -q "addprinc -pw $KADMIN_PASSWORD noPermissions@$REALM"

kadmin.local -q "addprinc -randkey host/krb5-samba@$REALM"
kadmin.local -q "ktadd -k /secrets/sshserver.keytab host/krb5-samba@$REALM"

kadmin.local -q "addprinc -randkey cifs/krb5-samba@$REALM"
kadmin.local -q "ktadd -k /secrets/cifsserver.keytab -e rc4-hmac:normal cifs/krb5-samba@$REALM"

kadmin.local -q "addprinc -randkey tester"
kadmin.local -q "ktadd -k /secrets/sshuser.keytab tester@$REALM"

# 127.0.0.1   krb5-samba
cat >> /etc/hosts <<EOL
172.41.0.2      krb5-samba
EOL

krb5kdc
kadmind -nofork

My SMB server is set up this way:

#!/usr/bin/env bash

set -e -u

tee /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = TRUE
[realms]
    EXAMPLE.COM = {
        kdc_ports = 88
        kadmind_port = 749
        kdc = kdc-server
        admin_server = kdc-server
    }
[domain_realm]
    kdc-server = EXAMPLE.COM
EOF

testparm -s

# "id -g 1000" looks up a *user* with UID 1000; getent checks for the group itself.
getent group 1000 &> /dev/null || id -gn testing &> /dev/null || groupadd --gid 1000 --system testing

id -u 1100 &> /dev/null || id -un tester &> /dev/null || useradd --system --uid 1100 -g testing tester

# Quote the heredoc delimiter: in an unquoted heredoc "$$" expands to the shell's
# PID, so the password actually stored would be "pa<pid>w0rd1".
smbpasswd -a -s tester <<'EOF'
pa$$w0rd1
pa$$w0rd1
EOF

# 127.0.0.1   kdc-server
cat >> /etc/hosts <<EOL
172.41.0.1  kdc-server
EOL

chown root:root /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab

/usr/sbin/sshd

exec "$@"

I use Docker volumes to map the created cifsserver.keytab from the KDC to the SMB server.

Then I have a separate container hosting the Python script that uses the package. I'm able to get a TGT using the sshuser.keytab.

I've tried using `mount -t cifs -o user=tester,sec=krb5 ...` to mount the shared directory and that just never seems to work (it always returns 'operation not supported (95)'). I've been on this for a couple of weeks now and I really need help here.
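Before looking at Samba at all, it helps to prove the Kerberos side end to end: TGT from the user keytab, service ticket for the SPN the SMB client will request, and a server keytab that holds that SPN at the same KVNO with an AES key. The script below is an added example, not part of the original question and not from smbprotocol or Samba. It assumes the realm EXAMPLE.COM, the host name krb5-samba and the keytab paths from the KDC script above; the `klist -kte` parsing is done by small awk helpers so the keytab checks can be exercised offline on a constructed listing.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: Kerberos-side pre-flight checks
# for the setup above, run from the client container before involving Samba.
# Assumptions: realm EXAMPLE.COM, Samba host "krb5-samba", the keytabs produced by
# the KDC script in the question, and MIT client tools (kinit, kvno, klist).
set -eu

REALM=${REALM:-EXAMPLE.COM}
SMB_HOST=${SMB_HOST:-krb5-samba}
CIFS_SPN="cifs/${SMB_HOST}@${REALM}"
USER_KEYTAB=${USER_KEYTAB:-/secrets/sshuser.keytab}
CIFS_KEYTAB=${CIFS_KEYTAB:-/secrets/cifsserver.keytab}

# Reduce `klist -kte` output (stdin) to "kvno principal enctype" lines.
# Entry lines start with a numeric KVNO; the header and separator lines do not.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# Succeed if the listing (stdin) holds the SPN with an AES key.
# "ktadd -e rc4-hmac:normal", as in the question's KDC script, re-randomises the
# principal's key as RC4 only. RC4 is deprecated in both MIT krb5 and Samba and
# AES has been the default for years, so an RC4-only keytab is something to rule out.
keytab_has_aes_spn() {
    local spn=$1
    keytab_entries | awk -v spn="$spn" \
        '$2 == spn && $3 ~ /^aes/ { found = 1 } END { exit !found }'
}

# Highest KVNO recorded for the SPN in the listing (stdin); empty if absent.
keytab_kvno() {
    local spn=$1
    keytab_entries | awk -v spn="$spn" \
        '$2 == spn && $1 + 0 > max { max = $1 + 0 } END { if (max) print max }'
}

# Live checks against the KDC; only run with --run so the helpers above can be
# sourced and tested without a KDC.
run_checks() {
    kdestroy -q 2>/dev/null || true
    # 1. The user keytab must yield a TGT at all.
    kinit -kt "$USER_KEYTAB" "tester@${REALM}"
    # 2. The KDC must issue a service ticket for cifs/<host>, the SPN the SMB
    #    client asks for; `kvno` prints "<spn>: kvno = N".
    local ticket_kvno
    ticket_kvno=$(kvno "$CIFS_SPN" | sed -n 's/.*kvno = //p')
    # 3. The server keytab must hold that SPN with an AES key at the same KVNO.
    #    A stale keytab (cut before a later ktadd) or an RC4-only one leaves the
    #    server unable to decrypt the AP-REQ carried inside the SPNEGO token.
    local listing keytab_ver
    listing=$(klist -kte "$CIFS_KEYTAB")
    printf '%s\n' "$listing" | keytab_has_aes_spn "$CIFS_SPN" ||
        { echo "no AES key for $CIFS_SPN in $CIFS_KEYTAB" >&2; return 1; }
    keytab_ver=$(printf '%s\n' "$listing" | keytab_kvno "$CIFS_SPN")
    [ "$ticket_kvno" = "$keytab_ver" ] ||
        { echo "kvno mismatch: ticket=$ticket_kvno keytab=$keytab_ver" >&2; return 1; }
    echo "ok: $CIFS_SPN kvno $ticket_kvno, AES key present"
}

if [ "${1:-}" = --run ]; then run_checks; fi
```

Run it as `./krb-preflight.sh --run` in the client container (with the server keytab mounted read-only for the comparison). If step 2 fails, the problem is purely between client, krb5.conf and KDC; if step 3 fails, re-cut the keytab with the default AES enctypes and copy it to the Samba host before touching smb.conf.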

user1686:
I'm not seeing the part where you're actually using `smbprotocol`? Is it smbprotocol or Samba that's showing you the "failed to parse" error? And I have to ask, also, why are you specifying `-e rc4-hmac:normal` for the cifs service? (How old a Samba installation are you setting up if you need RC4?)

toondaey:
The error is from the Samba logs. I read about the `-e` flag [here](https://help.ubuntu.com/community/Samba/Kerberos).

user1686:
That's a _very_ obsolete article; support for AES (the default) has been available in both Samba and Linux+cifs-utils for years now. I also noticed you have `security = domain`; is there actually a WinNT4 domain set up anywhere? If this is a standalone system, neither 'domain' nor 'ADS' parameters should be used.

user1686:
But on that note, if the Samba server is standalone, can you try setting the `+no_auth_data_required` flag on your cifs/ principal? (You'll need to kdestroy old tickets on the client for the change to fully take effect.) This tells the KDC not to attach a PAC to the ticket.

toondaey:
I must've forgotten to revert that; the `security` is actually `ads`, because the KDC is on a different host from the Samba server.

toondaey:
I'm actually now getting this error, `fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(WORKGROUP) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO`, with a warning about my `/etc/hosts` file. I have the KDC configured there as `172.41.0.1 kdc-server`. I'm not sure why that is failing.

toondaey:
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/146478/discussion-between-toonday-and-user1686).

user1686:
A plain MIT Kerberos KDC is **not** `security = ads`, because a KDC is not enough to make an AD domain controller. Can you try again with the default security mode instead?
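The two changes user1686 suggests (standalone security mode with a dedicated keytab, and `+no_auth_data_required` on the cifs/ principal) written up as a script in the style of the question's own setup scripts. This is an added example, not from the original thread or from the Samba project; it assumes the realm EXAMPLE.COM, the SPN cifs/krb5-samba and a server keytab at /etc/krb5.keytab, and the [global] fragment it writes covers only the authentication-relevant settings, to be merged with the rest of the smb.conf above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Samba: the standalone-mode
# smb.conf settings and the KDC-side principal flag suggested in the comments.
# Assumptions: realm EXAMPLE.COM, SPN cifs/krb5-samba, server keytab at
# /etc/krb5.keytab, MIT kadmin.local available on the KDC host.
set -eu

REALM=${REALM:-EXAMPLE.COM}
CIFS_SPN=${CIFS_SPN:-cifs/krb5-samba@$REALM}

# Standalone-mode [global]. "security = user" is Samba's default; "domain" (NT4)
# and "ads" (AD member) both expect a domain controller, which a plain MIT KDC
# is not. "kerberos method = secrets and keytab" consults secrets.tdb for domain
# info first, which is where the secrets_fetch_or_upgrade_domain_info error in
# the comments comes from; "dedicated keytab" reads the service key directly.
write_standalone_global() {
    local out=$1
    cat > "$out" <<EOF
[global]
    workgroup = WORKGROUP
    server string = Docker Samba Server
    server role = standalone server
    security = user
    realm = $REALM
    ; service key straight from the keytab: no domain join, no secrets.tdb lookup
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab
    ; tester@$REALM is mapped to the local user "tester", who must exist in the
    ; passdb (smbpasswd -a) as in the question's setup script. Keep the default
    ; rather than "bad user" while debugging so that an unmapped principal is
    ; rejected instead of being mapped to the guest account.
    map to guest = never
    server signing = default
    smb ports = 445
    disable netbios = yes
    log level = 5
EOF
}

# Effective security mode from a config file: the last explicit "security ="
# line wins. (With Samba installed, `testparm -s FILE --parameter-name=security`
# reports the same value and also resolves "server role".)
effective_security() {
    awk -F= '$1 ~ /^[ \t]*security[ \t]*$/ { v = $2 }
             END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# KDC side: stop attaching a PAC to tickets for the cifs/ principal; a standalone
# Samba has no domain to validate it against. Tickets already cached on the
# client keep their old contents, so run kdestroy there before testing again.
relax_pac_on_kdc() {
    kadmin.local -q "modprinc +no_auth_data_required $CIFS_SPN"
    kadmin.local -q "getprinc $CIFS_SPN" | grep -i '^Attributes'
}

case "${1:-}" in
    --write)  # --write /tmp/global.conf, then merge into /etc/samba/smb.conf
        write_standalone_global "${2:?destination path}"
        testparm -s "$2"
        echo "effective security mode: $(effective_security "$2")" ;;
    --kdc)    # run on the KDC container
        relax_pac_on_kdc ;;
esac
```

After merging the fragment, `testparm -s` on the final smb.conf and `smbcontrol smbd reload-config` (or a container restart) apply it; on the client, `kdestroy` followed by a fresh `kinit -kt` is needed before the `+no_auth_data_required` change shows up in the service ticket.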