[cifs-protocol] Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

Andrew Bartlett abartlet at samba.org
Tue Dec 13 22:35:10 MST 2011


Dochelp,

The issue I have is a very odd one.  I'm trying to import a new snapshot
of Heimdal into Samba4.  I do this every now and then, and it is
naturally good practice to ensure it continues to work with Windows.

It appears to work with Windows 7, but when I dcpromo from a Win2008R2
machine to a Samba4 domain, I get 'Logon Failure: the username or
password is incorrect'.

The error occurs in the reply to an AS-REQ, with error
KRB5KDC_ERR_PREAUTH_REQUIRED (25)

The big difference in this error packet between old and new versions is
the inclusion of FAST, but then I patched that back out and it still
fails.

I have prepared git branches in git://git.samba.org/abartlet/samba.git

import-lorikeet-1 is the old code, this works (good)
import-lorikeet-2 is the new code, and fails (bad)
import-lorikeet-3 is includes a patch that results in an identical
(timestamp aside) KRB-ERROR packet to import-lorikeet-1.  This also
fails.  (not-match)

I would suspect that the error is elsewhere, but I cannot find any other
interesting packets, and in the working case (packet 14), the kerberos
exchange continues to a clock skew (packet 23), and then a successful
AS-REP (32).

My question is:  How do I find out why the Windows 2008R2 client running
dcpromo is convinced that the error is 'username or password is
incorrect'?  No password is ever presented, and the same underlying
Samba DB is used, so I know this is not the problem...

I've CC'ed Love, the Heimdal maintainer in case he has any clues.

I've included the good, bad and 'not-match' (my attempt to revert only
the change in the KRB-ERROR AS-REP packet) packets in various formats as
attachments.  Also I include the pcap trace.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad-as-rep
Type: application/octet-stream
Size: 349 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0009.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad-as-rep.dump
Type: application/octet-stream
Size: 349 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0010.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad-error.dump
Type: application/octet-stream
Size: 125 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0011.obj>
-------------- next part --------------
   0  123: SEQUENCE {
   2    9:   SEQUENCE {
   4    3:     [1] {
   6    1:       INTEGER 16
         :       }
   9    2:     [2] {
  11    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  13    9:   SEQUENCE {
  15    3:     [1] {
  17    1:       INTEGER 15
         :       }
  20    2:     [2] {
  22    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  24    9:   SEQUENCE {
  26    3:     [1] {
  28    1:       INTEGER 2
         :       }
  31    2:     [2] {
  33    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  35   10:   SEQUENCE {
  37    4:     [1] {
  39    2:       INTEGER 138
         :       }
  43    2:     [2] {
  45    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  47   10:   SEQUENCE {
  49    4:     [1] {
  51    2:       INTEGER 136
         :       }
  55    2:     [2] {
  57    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  59   64:   SEQUENCE {
  61    3:     [1] {
  63    1:       INTEGER 19
         :       }
  66   57:     [2] {
  68   55:       OCTET STRING, encapsulates {
  70   53:         SEQUENCE {
  72   51:           SEQUENCE {
  74    3:             [0] {
  76    1:               INTEGER 18
         :               }
  79   36:             [1] {
  81   34:               GeneralString 'S4.HOWTO.ABARTLET.NETAdministrator'
         :               }
 117    6:             [2] {
 119    4:               OCTET STRING 00 00 10 00
         :               }
         :             }
         :           }
         :         }
         :       }
         :     }
         :   }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: good-as-rep
Type: application/octet-stream
Size: 325 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0012.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: good-as-rep.dump
Type: application/octet-stream
Size: 325 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0013.obj>
-------------- next part --------------
00000000: 0000 0141 7e82 013d 3082 0139 a003 0201  ...A~..=0..9....
00000010: 05a1 0302 011e a411 180f 3230 3131 3132  ..........201112
00000020: 3134 3032 3537 3338 5aa5 0502 030b f677  14025738Z......w
00000030: a603 0201 19a7 171b 1573 342e 686f 7774  .........s4.howt
00000040: 6f2e 6162 6172 746c 6574 2e6e 6574 a81a  o.abartlet.net..
00000050: 3018 a003 0201 01a1 1130 0f1b 0d61 646d  0........0...adm
00000060: 696e 6973 7472 6174 6f72 a917 1b15 7334  inistrator....s4
00000070: 2e68 6f77 746f 2e61 6261 7274 6c65 742e  .howto.abartlet.
00000080: 6e65 74aa 2a30 28a0 0302 0102 a121 301f  net.*0(......!0.
00000090: 1b06 6b72 6274 6774 1b15 7334 2e68 6f77  ..krbtgt..s4.how
000000a0: 746f 2e61 6261 7274 6c65 742e 6e65 74ab  to.abartlet.net.
000000b0: 2b1b 294e 6565 6420 746f 2075 7365 2050  +.)Need to use P
000000c0: 412d 454e 432d 5449 4d45 5354 414d 502f  A-ENC-TIMESTAMP/
000000d0: 5041 2d50 4b2d 4153 2d52 4551 ac67 0465  PA-PK-AS-REQ.g.e
000000e0: 3063 3009 a103 0201 02a2 0204 0030 09a1  0c0..........0..
000000f0: 0302 0110 a202 0400 3009 a103 0201 0fa2  ........0.......
00000100: 0204 0030 40a1 0302 0113 a239 0437 3035  ...0 at ......9.705
00000110: 3033 a003 0201 12a1 241b 2253 342e 484f  03......$."S4.HO
00000120: 5754 4f2e 4142 4152 544c 4554 2e4e 4554  WTO.ABARTLET.NET
00000130: 4164 6d69 6e69 7374 7261 746f 72a2 0604  Administrator...
00000140: 0400 0010 00                             .....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: good-error.dump
Type: application/octet-stream
Size: 101 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0014.obj>
-------------- next part --------------
   0   99: SEQUENCE {
   2    9:   SEQUENCE {
   4    3:     [1] {
   6    1:       INTEGER 2
         :       }
   9    2:     [2] {
  11    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  13    9:   SEQUENCE {
  15    3:     [1] {
  17    1:       INTEGER 16
         :       }
  20    2:     [2] {
  22    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  24    9:   SEQUENCE {
  26    3:     [1] {
  28    1:       INTEGER 15
         :       }
  31    2:     [2] {
  33    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  35   64:   SEQUENCE {
  37    3:     [1] {
  39    1:       INTEGER 19
         :       }
  42   57:     [2] {
  44   55:       OCTET STRING, encapsulates {
  46   53:         SEQUENCE {
  48   51:           SEQUENCE {
  50    3:             [0] {
  52    1:               INTEGER 18
         :               }
  55   36:             [1] {
  57   34:               GeneralString 'S4.HOWTO.ABARTLET.NETAdministrator'
         :               }
  93    6:             [2] {
  95    4:               OCTET STRING 00 00 10 00
         :               }
         :             }
         :           }
         :         }
         :       }
         :     }
         :   }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not-match-as-rep.dump
Type: application/octet-stream
Size: 325 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0015.obj>
-------------- next part --------------
00000000: 0000 0141 7e82 013d 3082 0139 a003 0201  ...A~..=0..9....
00000010: 05a1 0302 011e a411 180f 3230 3131 3132  ..........201112
00000020: 3134 3033 3039 3133 5aa5 0502 0309 8e13  14030913Z.......
00000030: a603 0201 19a7 171b 1573 342e 686f 7774  .........s4.howt
00000040: 6f2e 6162 6172 746c 6574 2e6e 6574 a81a  o.abartlet.net..
00000050: 3018 a003 0201 01a1 1130 0f1b 0d61 646d  0........0...adm
00000060: 696e 6973 7472 6174 6f72 a917 1b15 7334  inistrator....s4
00000070: 2e68 6f77 746f 2e61 6261 7274 6c65 742e  .howto.abartlet.
00000080: 6e65 74aa 2a30 28a0 0302 0102 a121 301f  net.*0(......!0.
00000090: 1b06 6b72 6274 6774 1b15 7334 2e68 6f77  ..krbtgt..s4.how
000000a0: 746f 2e61 6261 7274 6c65 742e 6e65 74ab  to.abartlet.net.
000000b0: 2b1b 294e 6565 6420 746f 2075 7365 2050  +.)Need to use P
000000c0: 412d 454e 432d 5449 4d45 5354 414d 502f  A-ENC-TIMESTAMP/
000000d0: 5041 2d50 4b2d 4153 2d52 4551 ac67 0465  PA-PK-AS-REQ.g.e
000000e0: 3063 3009 a103 0201 02a2 0204 0030 09a1  0c0..........0..
000000f0: 0302 0110 a202 0400 3009 a103 0201 0fa2  ........0.......
00000100: 0204 0030 40a1 0302 0113 a239 0437 3035  ...0 at ......9.705
00000110: 3033 a003 0201 12a1 241b 2253 342e 484f  03......$."S4.HO
00000120: 5754 4f2e 4142 4152 544c 4554 2e4e 4554  WTO.ABARTLET.NET
00000130: 4164 6d69 6e69 7374 7261 746f 72a2 0604  Administrator...
00000140: 0400 0010 00                             .....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not-match-error.dump
Type: application/octet-stream
Size: 101 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0016.obj>
-------------- next part --------------
   0   99: SEQUENCE {
   2    9:   SEQUENCE {
   4    3:     [1] {
   6    1:       INTEGER 2
         :       }
   9    2:     [2] {
  11    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  13    9:   SEQUENCE {
  15    3:     [1] {
  17    1:       INTEGER 16
         :       }
  20    2:     [2] {
  22    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  24    9:   SEQUENCE {
  26    3:     [1] {
  28    1:       INTEGER 15
         :       }
  31    2:     [2] {
  33    0:       OCTET STRING
         :         Error: Object has zero length.
         :       }
         :     }
  35   64:   SEQUENCE {
  37    3:     [1] {
  39    1:       INTEGER 19
         :       }
  42   57:     [2] {
  44   55:       OCTET STRING, encapsulates {
  46   53:         SEQUENCE {
  48   51:           SEQUENCE {
  50    3:             [0] {
  52    1:               INTEGER 18
         :               }
  55   36:             [1] {
  57   34:               GeneralString 'S4.HOWTO.ABARTLET.NETAdministrator'
         :               }
  93    6:             [2] {
  95    4:               OCTET STRING 00 00 10 00
         :               }
         :             }
         :           }
         :         }
         :       }
         :     }
         :   }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: heimdal-upgrade-weird.cap
Type: application/octet-stream
Size: 13536 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111214/a320ee60/attachment-0017.obj>


More information about the cifs-protocol mailing list