[cifs-protocol] [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256

Andrew Bartlett abartlet at samba.org
Fri Nov 11 07:27:17 UTC 2022 

Sorry we didn't get to upload the trace.  Joseph tried to upload a PCAP
and it failed. 
But for context others are seeing this as well at:
https://twitter.com/fabian_bader/status/1590432854399676416
On Wed, 2022-11-09 at 17:21 +0000, Jeff McCashland (He/him) wrote:
> [Michael to BCC]
> Hi Andrew,
> I will investigate this issue and let you know what I find. 
> Best regards,Jeff McCashland (He/him) | Senior Escalation Engineer |
> Microsoft Protocol Open Specifications Team Phone: +1 (425) 703-8300
> x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and
> Canada)Local country phone number found here: 
> http://support.microsoft.com/globalenglish | Extension 1138300
> -----Original Message-----From: Michael Bowen <
> Mike.Bowen at microsoft.com> Sent: Wednesday, November 9, 2022 8:39
> AMTo: Andrew Bartlett <abartlet at samba.org>Cc: cifs-protocol mailing
> list <cifs-protocol at lists.samba.org>; Joseph Sutton <
> josephsutton at catalyst.net.nz>; Microsoft Support <
> supportmail at microsoft.com>Subject: RE: [EXTERNAL] Kerberos kinit
> failures since Nov 2022 patch - TrackingID#2211090040006256
> [DocHelp to bcc, Support mail to cc]
> Hi Andrew,
> Thanks for your inquiry. I've created case number 2211090040006256 to
> track this issue. In your correspondence, please leave the case
> number in the subject line and use reply all. One of our engineers
> will contact you soon
> Best regards,Mike BowenEscalation Engineer - Microsoft Open
> Specifications
> -----Original Message-----From: Andrew Bartlett <abartlet at samba.org>S
> ent: Tuesday, November 8, 2022 7:37 PMTo: Interoperability
> Documentation Help <dochelp at microsoft.com>Cc: cifs-protocol mailing
> list <cifs-protocol at lists.samba.org>; Joseph Sutton <
> josephsutton at catalyst.net.nz>Subject: [EXTERNAL] Kerberos kinit
> failures since Nov 2022 patch
> Related but separate to 2211090040000278
> We are running Windows 2019 with the Nov 2022 patches.
> KrbtgtFullPacSignature has been set to 3 but we see the same
> behaviour at 0.
> We create an account using Windows ADUC then set this account
> supportsAES128 and AES 256 in 'account options'.
> With these values set, being 0x18 is msDS-SupportedEncryptionTypes,
> it is no longer possible to kinit to this account, even when the
> Kerberos client supports AES, and even if the kerberos client does
> not propose.
> However, if we add the RC4 bit then it works, but given the security
> release is about disabling RC4 we are trying to avoid that.
> We can supply network traces etc, please provide the link.
> Thanks,
> Andrew Bartlett
> --Andrew Bartlett (he/him)       
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JxBOQuaWzl6ieEEwdMhwnjIXZJwoCmgXccCF5qs0pbc%3D&reserved=0
> Samba Team Member (since 2001) 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8m7MhEvZDcod%2FhNjCdbXmSHca9LM%2FPkq5zejXu2ifdA%3D&reserved=0
> Samba Team Lead, Catalyst IT   
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3bJ68yAiIFy85prngjtaKfZuF33lqLtirgF20jklgKY%3D&reserved=0
> 
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
> 
> 
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open SourceSolutions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20221111/b081e494/attachment.htm>

More information about the cifs-protocol mailing list