[cifs-protocol] [REG: 111121459051600] Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

Edgar Olougouna edgaro at microsoft.com
Wed Dec 14 09:29:07 MST 2011

[Dochelp to bcc]
[Added case number in subject]

Thanks for submitting this Kerberos issue in the context of dcpromo. I have opened the case number 111121459051600 for this inquiry. One of our engineers will follow up soon.


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, December 13, 2011 11:35 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; Love Hörnquist Åstrand
Subject: Puzzled: Heimdal upgrade breaks Win2k8 dcpromo


The issue I have is a very odd one.  I'm trying to import a new snapshot of Heimdal into Samba4.  I do this every now and then, and it is naturally good practice to ensure it continues to work with Windows.

It appears to work with Windows 7, but when I dcpromo from a Win2008R2 machine to a Samba4 domain, I get 'Logon Failure: the username or password is incorrect'.

The error occurs in the reply to an AS-REQ, with error KRB5KDC_ERR_PREAUTH_REQUIRED (25).

The big difference in this error packet between old and new versions is the inclusion of FAST, but then I patched that back out and it still fails.

I have prepared git branches in git://git.samba.org/abartlet/samba.git

import-lorikeet-1 is the old code, this works (good)
import-lorikeet-2 is the new code, and fails (bad)
import-lorikeet-3 includes a patch that results in an identical (timestamp aside) KRB-ERROR packet to import-lorikeet-1.  This also fails.  (not-match)

I would suspect that the error is elsewhere, but I cannot find any other interesting packets, and in the working case (packet 14), the Kerberos exchange continues to a clock skew (packet 23), and then a successful AS-REP (32).

My question is:  How do I find out why the Windows 2008R2 client running dcpromo is convinced that the error is 'username or password is incorrect'?  No password is ever presented, and the same underlying Samba DB is used, so I know this is not the problem...

I've CC'ed Love, the Heimdal maintainer in case he has any clues.

I've included the good, bad and 'not-match' (my attempt to revert only the change in the KRB-ERROR AS-REP packet) packets in various formats as attachments.  Also I include the pcap trace.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
