Hi Andreas,

I'm analyzing the traces to see why you're getting the error.

In the meantime, did you notice the expert warning in Wireshark on your request in frame 571? It says that the Ticket in the request is missing the KDC checksum in the Authorization data. Is this expected, or might it be causing the error?

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback. My manager is Stacy Gray (stacygr), +1 (469) 775-4055

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Thursday, March 24, 2022 3:41 PM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Jeff McCashland <je...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[Tom to BCC]

Hi Andreas,

I will research your question and let you know what I find.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Tom Jebo <tomj...@microsoft.com>
Sent: Thursday, March 24, 2022 1:24 PM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Tom Jebo <tomj...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[dochelp to bcc]

Hi Andreas,

Thank you for your question about S4U2Self and KDC_ERR_C_PRINCIPAL_UNKNOWN. One of the Open Specifications support team members will follow up shortly to begin assisting you. In the meantime, I've created the case 2203240040008827 to track this issue.
Please leave this number in the subject line when communicating with us about the issue.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Andreas Schneider <a...@samba.org>
Sent: Thursday, March 24, 2022 3:09 AM
To: Interoperability Documentation Help <doch...@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: [EXTERNAL] S4U2Self and RODC

Hello Dochelp Team,

we have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when attempting to use S4U2Self with a TGT from an RODC. We wonder why it returns KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.

The test can be run with this command:

    SMB_CONF_PATH=/etc/samba/smb.conf \
    REALM=EARTH.MILKYWAY.SITE \
    DOMAIN=EARTH \
    SERVER=win-dc01.earth.milkyway.site \
    DC_SERVER=win-dc01.earth.milkyway.site \
    SERVICE_USERNAME=win-dc01 \
    ADMIN_USERNAME=Administrator \
    ADMIN_PASSWORD=Secret007! \
    FOR_USER=Administrator \
    STRICT_CHECKING=0 \
    FAST_SUPPORT=0 \
    CLAIMS_SUPPORT=0 \
    COMPOUND_ID_SUPPORT=0 \
    TKT_SIG_SUPPORT=1 \
    EXPECT_PAC=0 \
    EXPECT_EXTRA_PAC_BUFFERS=0 \
    CHECK_CNAME=0 \
    CHECK_PADATA=0 \
    PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python \
    python3 -m samba.subunit.run samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed

win-dc01 is a RWDC (Windows Server 2022). The test creates an RODC account on the DC.

Attached is a capture of the above test which shows that the S4U2Self request fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN.

Could you please clarify why it fails with this error?

Thank you very much for your help. I'm looking forward to hearing from you.

Best regards

Andreas

--
Andreas Schneider a...@samba.org
Samba Team http://www.samba.org/
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
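
Added example, not written by anyone in this thread and not Samba or Microsoft code: a way to check which checksum buffers a raw PAC carries and whether a checksum has the trailing RODCIdentifier that only an RODC appends. It assumes the Wireshark warning refers to the PAC KDC signature buffer (ulType 7) inside the ticket's authorization data, uses the PACTYPE and PAC_SIGNATURE_DATA layouts from MS-PAC, and runs on constructed PACs with zeroed signatures (build_pac and sig are hypothetical helpers for that input).

```python
import struct

# PAC_INFO_BUFFER.ulType values of the signature buffers (MS-PAC 2.4)
SIG_BUFFERS = {0x06: "server_checksum", 0x07: "kdc_checksum", 0x10: "ticket_checksum"}
# PAC_SIGNATURE_DATA.SignatureType -> signature length in bytes (MS-PAC 2.8)
SIG_LEN = {0xFFFFFF76: 16, 0x0F: 12, 0x10: 12}

def pac_signatures(pac: bytes) -> dict:
    """Map each signature buffer found in a raw PACTYPE blob to its fields."""
    if len(pac) < 8:
        raise ValueError("truncated PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0 or 8 + 16 * count > len(pac):
        raise ValueError("bad PACTYPE header")
    found = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError(f"buffer {i} runs past the end of the PAC")
        if ul_type not in SIG_BUFFERS:
            continue
        sig_type = struct.unpack_from("<I", pac, offset)[0] if size >= 4 else None
        sig_len = SIG_LEN.get(sig_type)
        if sig_len is None or size < 4 + sig_len:
            raise ValueError(f"malformed signature in buffer {i}")
        rodc = None
        if size >= 4 + sig_len + 2:  # trailing RODCIdentifier, present only from an RODC
            (rodc,) = struct.unpack_from("<H", pac, offset + 4 + sig_len)
        found[SIG_BUFFERS[ul_type]] = {"type": sig_type, "rodc_id": rodc}
    return found

def missing_checksums(pac: bytes) -> list:
    """Names of the server/KDC checksums that the PAC does not carry."""
    present = pac_signatures(pac)
    return [n for n in ("server_checksum", "kdc_checksum") if n not in present]

def build_pac(buffers) -> bytes:
    """Constructed test input: buffers is [(ulType, payload)], 8-byte aligned."""
    head, body, base = b"", b"", 8 + 16 * len(buffers)
    for ul_type, payload in buffers:
        head += struct.pack("<IIQ", ul_type, len(payload), base + len(body))
        body += payload + b"\x00" * (-len(payload) % 8)
    return struct.pack("<II", len(buffers), 0) + head + body

def sig(sig_type, rodc_id=None):
    """Constructed PAC_SIGNATURE_DATA with a zeroed signature."""
    tail = b"" if rodc_id is None else struct.pack("<H", rodc_id)
    return struct.pack("<I", sig_type) + bytes(SIG_LEN[sig_type]) + tail
```

Getting the raw PAC out of a captured ticket (decrypting the ticket and unwrapping AD-IF-RELEVANT / AD-WIN2K-PAC) is outside this example.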