<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;"><div>Sorry we didn't get to upload the trace. Joseph tried to upload a PCAP and it failed. </div><div><br></div><div>But for context others are seeing this as well at:</div><div><br></div><div><a href="https://twitter.com/fabian_bader/status/1590432854399676416"><a href="https://twitter.com/fabian_bader/status/1590432854399676416">https://twitter.com/fabian_bader/status/1590432854399676416</a></a></div><div><br></div><div>On Wed, 2022-11-09 at 17:21 +0000, Jeff McCashland (He/him) wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>[Michael to BCC]</pre><pre><br></pre><pre>Hi Andrew,</pre><pre><br></pre><pre>I will investigate this issue and let you know what I find. </pre><pre><br></pre><pre>Best regards,</pre><pre>Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team </pre><pre>Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</pre><pre>Local country phone number found here: </pre><a href="http://support.microsoft.com/globalenglish"><pre>http://support.microsoft.com/globalenglish</pre></a><pre> | Extension 1138300</pre><pre><br></pre><pre>-----Original Message-----</pre><pre>From: Michael Bowen <</pre><a href="mailto:Mike.Bowen@microsoft.com"><pre>Mike.Bowen@microsoft.com</pre></a><pre>> </pre><pre>Sent: Wednesday, November 9, 2022 8:39 AM</pre><pre>To: Andrew Bartlett <</pre><a href="mailto:abartlet@samba.org"><pre>abartlet@samba.org</pre></a><pre>></pre><pre>Cc: cifs-protocol mailing list <</pre><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre></a><pre>>; Joseph Sutton <</pre><a href="mailto:josephsutton@catalyst.net.nz"><pre>josephsutton@catalyst.net.nz</pre></a><pre>>; Microsoft Support <</pre><a href="mailto:supportmail@microsoft.com"><pre>supportmail@microsoft.com</pre></a><pre>></pre><pre>Subject: RE: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256</pre><pre><br></pre><pre>[DocHelp to bcc, Support mail to cc]</pre><pre><br></pre><pre>Hi Andrew,</pre><pre><br></pre><pre>Thanks for your inquiry. I've created case number 2211090040006256 to track this issue. In your correspondence, please leave the case number in the subject line and use reply all. One of our engineers will contact you soon</pre><pre><br></pre><pre>Best regards,</pre><pre>Mike Bowen</pre><pre>Escalation Engineer - Microsoft Open Specifications</pre><pre><br></pre><pre>-----Original Message-----</pre><pre>From: Andrew Bartlett <</pre><a href="mailto:abartlet@samba.org"><pre>abartlet@samba.org</pre></a><pre>></pre><pre>Sent: Tuesday, November 8, 2022 7:37 PM</pre><pre>To: Interoperability Documentation Help <</pre><a href="mailto:dochelp@microsoft.com"><pre>dochelp@microsoft.com</pre></a><pre>></pre><pre>Cc: cifs-protocol mailing list <</pre><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre></a><pre>>; Joseph Sutton <</pre><a href="mailto:josephsutton@catalyst.net.nz"><pre>josephsutton@catalyst.net.nz</pre></a><pre>></pre><pre>Subject: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch</pre><pre><br></pre><pre>Related but separate to 2211090040000278</pre><pre><br></pre><pre>We are running Windows 2019 with the Nov 2022 patches.</pre><pre><br></pre><pre>KrbtgtFullPacSignature has been set to 3 but we see the same behaviour at 0.</pre><pre><br></pre><pre>We create an account using Windows ADUC then set this account supports</pre><pre>AES128 and AES 256 in 'account options'.</pre><pre><br></pre><pre>With these values set, being 0x18 is msDS-SupportedEncryptionTypes, it is no longer possible to kinit to this account, even when the Kerberos client supports AES, and even if the kerberos client does not propose.</pre><pre><br></pre><pre>However, if we add the RC4 bit then it works, but given the security release is about disabling RC4 we are trying to avoid that.</pre><pre><br></pre><pre>We can supply network traces etc, please provide the link.</pre><pre><br></pre><pre>Thanks,</pre><pre><br></pre><pre>Andrew Bartlett</pre><pre><br></pre><pre>--</pre><pre>Andrew Bartlett (he/him) </pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JxBOQuaWzl6ieEEwdMhwnjIXZJwoCmgXccCF5qs0pbc%3D&reserved=0"><pre>https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JxBOQuaWzl6ieEEwdMhwnjIXZJwoCmgXccCF5qs0pbc%3D&reserved=0</pre></a><pre><br></pre><pre>Samba Team Member (since 2001) </pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8m7MhEvZDcod%2FhNjCdbXmSHca9LM%2FPkq5zejXu2ifdA%3D&reserved=0"><pre>https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8m7MhEvZDcod%2FhNjCdbXmSHca9LM%2FPkq5zejXu2ifdA%3D&reserved=0</pre></a><pre><br></pre><pre>Samba Team Lead, Catalyst IT </pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3bJ68yAiIFy85prngjtaKfZuF33lqLtirgF20jklgKY%3D&reserved=0"><pre>https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C38db7855d3b545a7059f08dac270ecef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638036087524102222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3bJ68yAiIFy85prngjtaKfZuF33lqLtirgF20jklgKY%3D&reserved=0</pre></a><pre><br></pre><pre><br></pre><pre>Samba Development and Support, Catalyst IT - Expert Open Source Solutions</pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre></blockquote><div><span><pre>-- <br></pre><div style="width: 71ch;">Andrew Bartlett (he/him) <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></div><div style="width: 71ch;">Samba Team Member (since 2001) <a href="https://samba.org">https://samba.org</a></div><div style="width: 71ch;">Samba Team Lead, Catalyst IT <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></div><div style="width: 71ch;"><br></div><div style="width: 71ch;">Samba Development and Support, Catalyst IT - Expert Open Source</div><div style="width: 71ch;">Solutions</div><div style="width: 71ch;"></div></span></div></body></html>