Hi Jeff,

that means that a service that tries to use S4U2Self always needs to get a fresh TGT from the KDC it will send the S4U2Self request to?

Otherwise I can't see how the usage of an RODC would be transparent for the 
service.

metze
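Added example, written for this page and not taken from any message in the thread: the practical consequence of the explanation quoted below is that a service holding a TGT should know where that TGT came from before it attempts S4U2Self. The script parses the DER of an RFC 4120 Ticket far enough to read the sname and the enc-part kvno, and treats a non-zero upper 16 bits of the kvno as the branch id of the issuing RODC (the krbtgt_NNNNN key convention Active Directory uses for RODC keys; that encoding is the assumption the check rests on). The DER encoder, the placeholder cipher bytes and the sample tickets are constructed here so the script runs offline; `build_ticket`, `ticket_info`, `rodc_branch_id` and `next_step_for_s4u2self` are names chosen for this example.

```python
"""Decide, from a Kerberos Ticket's kvno, whether a TGT was issued by an RODC.

Assumption: in Active Directory the key version number of an RODC's
krbtgt_NNNNN account carries the RODC's branch id in the upper 16 bits of
the 32-bit kvno, while a full DC's krbtgt kvno stays below 0x10000.
The DER encoder below exists only to construct sample tickets offline.
"""
from __future__ import annotations

# --- minimal DER helpers, enough for the RFC 4120 Ticket structure ---

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80|k, then k bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    # two's complement, minimal length: a kvno >= 0x80000000 needs a leading 0x00
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n], used for every Kerberos field."""
    return tlv(0xA0 | n, body)


def kstr(s: str) -> bytes:
    """KerberosString is a GeneralString (tag 0x1B)."""
    return tlv(0x1B, s.encode("ascii"))


def parse_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_seq(body: bytes) -> list[tuple[int, bytes]]:
    """Split the body of a constructed element into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out


def first(body: bytes) -> bytes:
    """Body of the single element wrapped by a [n] context tag."""
    return parse_seq(body)[0][1]


# --- constructing a sample Ticket (cipher bytes are a placeholder, not real data) ---

def build_ticket(realm: str, sname: list[str], kvno: int, cipher: bytes) -> bytes:
    principal = tlv(0x30, ctx(0, der_int(2))                    # name-type NT-SRV-INST
                    + ctx(1, tlv(0x30, b"".join(kstr(p) for p in sname))))
    enc_part = tlv(0x30, ctx(0, der_int(18))                    # etype aes256-cts-hmac-sha1-96
                   + ctx(1, der_int(kvno))
                   + ctx(2, tlv(0x04, cipher)))
    body = (ctx(0, der_int(5)) + ctx(1, kstr(realm))
            + ctx(2, principal) + ctx(3, enc_part))
    return tlv(0x61, tlv(0x30, body))                           # [APPLICATION 1] SEQUENCE


# --- inspecting a Ticket ---

def ticket_info(ticket: bytes) -> dict:
    """Read realm, sname and enc-part kvno out of a DER-encoded Ticket."""
    tag, app_body, _ = parse_tlv(ticket)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1])")
    fields = {t & 0x1F: b for t, b in parse_seq(first(app_body))}
    realm = first(fields[1]).decode("ascii")
    principal = {t & 0x1F: b for t, b in parse_seq(first(fields[2]))}
    sname = [s.decode("ascii") for _, s in parse_seq(first(principal[1]))]
    enc = {t & 0x1F: b for t, b in parse_seq(first(fields[3]))}
    kvno = int.from_bytes(first(enc[1]), "big", signed=True) if 1 in enc else None
    return {"realm": realm, "sname": sname, "kvno": kvno}


RODC_ID_MASK = 0xFFFF0000   # assumed encoding: upper 16 bits of the kvno = RODC branch id


def rodc_branch_id(kvno: int) -> int:
    """0 for the krbtgt key of a full DC, otherwise the issuing RODC's branch id."""
    return (kvno & RODC_ID_MASK) >> 16


def next_step_for_s4u2self(ticket: bytes) -> str:
    """What a service should do with this ticket before sending an S4U2Self request."""
    info = ticket_info(ticket)
    if info["sname"][0] != "krbtgt":
        return "not-a-tgt"
    if rodc_branch_id(info["kvno"]):
        return "exchange-for-full-dc-tgt"
    return "proceed"


if __name__ == "__main__":
    realm = "EARTH.MILKYWAY.SITE"                               # realm from the test in the thread
    rodc_tgt = build_ticket(realm, ["krbtgt", realm], (0x1234 << 16) | 2, b"\x00" * 200)
    print(ticket_info(rodc_tgt), "->", next_step_for_s4u2self(rodc_tgt))
```

When the result is `exchange-for-full-dc-tgt`, the service should first run a TGS exchange against a writable DC to obtain a fresh TGT and only then send S4U2Self with that TGT; the check only tells you which krbtgt key signed the ticket, it does not validate the ticket itself.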

On 08.04.22 at 18:12, Jeff McCashland (He/him) via cifs-protocol wrote:
Hi Andreas,

I was able to track down the error and get an explanation. The request is 
failing because RODC PAC data isn't trusted for authorization as it may be 
stale. The only thing meaningful you can do with an RODC account on a full DC 
is exchange the RODC TGT for a 'real' TGT.

Please let us know if you have any further questions on this issue.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open 
Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) 
Pacific Time (US and Canada)
Local country phone number found here: 
http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Stacy Gray (stacygr), +1 (469) 775-4055

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Thursday, March 31, 2022 11:01 AM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Jeff McCashland <je...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[adding support alias back to CC]

Hi Andreas,

Thank you for uploading the traces. I will analyze them and let you know what I 
find.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Andreas Schneider <a...@samba.org>
Sent: Thursday, March 31, 2022 2:25 AM
To: Jeff McCashland (He/him) <je...@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: Re: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

On Monday, March 28, 2022 9:00:54 PM CEST Jeff McCashland (He/him) wrote:
> Hi Andreas,

Hi Jeff,

I'm back from a short vacation.

> If the warning below is not an issue, then I would like to collect an
> LSASS trace from the server returning the error, along with a
> concurrent network capture from the same server.

The warning about the missing KDC checksum is a bug in MIT KRB5:

https://github.com/krb5/krb5/commit/b5efdddd503020c2b64ccf9c30bb09117035f3ce

It will be fixed with MIT Kerberos 1.20. Wireshark is linked to a Kerberos 
library without the fix.

> The LSASS trace can be quite large, but is highly compressible, so
> please add to a .zip archive before uploading (file transfer workspace
> credentials are below). Please log into the workspace and find
> PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool
> can be staged onto the Windows server in any location (instructions
> below assume C:\TTD).

I've collected the traces you asked for and uploaded them to the workspace.


Best regards


        Andreas


> To collect the needed traces:
>         1. From an elevated command prompt, execute: tasklist /FI "IMAGENAME eq lsass.exe"
>         2. Note the PID of the lsass process from the output of the above command.
>         3. Execute: C:\TTD\TTTracer.exe -attach PID, where PID is the number from above.
>         4. Wait for a little window to pop up in top left corner of your screen, titled "lsass01.run"
>         5. Start a network trace on the Server side
>         6. Repro the attempted operation
>         7. Stop the network trace and save it
>         8. CAREFULLY: uncheck the checkbox next to "Tracing" in the small "lsass01.run" window. Do not close or exit the small window or you will need to reboot.
>         9. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. Compress the *.run file into a .zip archive before uploading with the matching network trace.
>
> Log in as: 2203240040008827_andr...@dtmxfer.onmicrosoft.com
> 1-Time: 1zUrbA5^
>
> Workspace link:
> https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNTRhNWIzZmUtY2IwMS00OTIyLWE2MWEtOWJmNWJmMzgwZTJhIiwic3IiOiIyMjAzMjQwMDQwMDA4ODI3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiJlZDNmM2IyMC1jMDcyLTQ3ZDYtOWJlOS0yOTVhYThmODExNzAiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NTYyNjk0MTcsIm5iZiI6MTY0ODQ5MzQxN30.c0XHYuoanP8OZZnuFuCHEdL8WdbEk3oau8TtJSB1Z_c2cQy1A181bs8V2BV-s_a3RX5RVabyhHVofo7FQCT0C7mjqpbWTFQTtj4L-6yhtg9tx8W-iW6WMuX9nJ3plwGz2-ldJx8hLch4G3veiakDRlbtsQm6dfrgzxPzAov72eTdMmq_Fjru8LgBhJEi69Ipxb6toVHean1QZ0VyTkQliNXaPiwuOFgnULRN-gdoLYL38yoiliSvXnfznMu6JjtEGO9ft33PdqXPdmPzAvxbwMKy4WA_3hKDTuzIwcjRJ24VjTfoQe8E6Qkt2s1d3Gl9qXDJABnY11NMUdryAtp2nQ&wid=54a5b3fe-cb01-4922-a61a-9bf5bf380e2a

> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Friday, March 25, 2022 11:38 AM
To: 'Andreas Schneider' <a...@samba.org>
Cc: 'cifs-protocol@lists.samba.org' <cifs-protocol@lists.samba.org>; 'Jeff McCashland' <je...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

Hi Andreas,

I'm analyzing the traces to see why you're getting the error.

In the meantime, did you notice the expert warning in Wireshark on
your request in frame 571? It says that the Ticket in the request is
missing the KDC checksum in the Authorization data.

Is this expected, or might it be causing the error?

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Thursday, March 24, 2022 3:41 PM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Jeff McCashland <je...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[Tom to BCC]

Hi Andreas,

I will research your question and let you know what I find.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Tom Jebo <tomj...@microsoft.com>
Sent: Thursday, March 24, 2022 1:24 PM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Tom Jebo <tomj...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[dochelp to bcc]

Hi Andreas,

Thank you for your question about S4U2Self and KDC_ERR_C_PRINCIPAL_UNKNOWN.
One of the Open Specifications support team members will follow up
shortly to begin assisting you. In the meantime, I've created the case
2203240040008827 to track this issue. Please leave this number in the
subject line when communicating with us about the issue.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Andreas Schneider <a...@samba.org>
Sent: Thursday, March 24, 2022 3:09 AM
To: Interoperability Documentation Help <doch...@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: [EXTERNAL] S4U2Self and RODC

Hello Dochelp Team,

We have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when
attempting to use S4U2Self with a TGT from an RODC. We wonder why it
returns KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.

The test can be run with this command:

SMB_CONF_PATH=/etc/samba/smb.conf REALM=EARTH.MILKYWAY.SITE \
DOMAIN=EARTH SERVER=win-dc01.earth.milkyway.site \
DC_SERVER=win-dc01.earth.milkyway.site \
SERVICE_USERNAME=win-dc01 ADMIN_USERNAME=Administrator \
ADMIN_PASSWORD=Secret007! FOR_USER=Administrator STRICT_CHECKING=0 \
FAST_SUPPORT=0 CLAIMS_SUPPORT=0 COMPOUND_ID_SUPPORT=0 TKT_SIG_SUPPORT=1 \
EXPECT_PAC=0 EXPECT_EXTRA_PAC_BUFFERS=0 CHECK_CNAME=0 CHECK_PADATA=0 \
PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python \
python3 -m samba.subunit.run \
samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed

win-dc01 is an RWDC (Windows Server 2022). The test creates an RODC
account on the DC.

Attached is a capture of the above test which shows that the S4U2Self
request fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN. Could you
please clarify why it fails with this error?

Thank you very much for your help. I'm looking forward to hearing from you.


Best regards


         Andreas


--
Andreas Schneider                      a...@samba.org
Samba Team
http://www.samba.org/
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D




_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
