[cifs-protocol] [REG:111121459051600] Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

Bryan Burgin bburgin at microsoft.com
Wed Dec 14 14:51:20 MST 2011

[Dochelp to bcc]
[Adding case number to title & casemail]

Hi Andrew,

We made case 111121459051600 to track this issue.  I did a quick review of KDC_ERR_PREAUTH_REQUIRED (25).

I think the best way to dig into this issue is to capture a Time Travel Trace of the process LSASS on the Windows 2008 R2 machine while you are attempting this transaction.  The server-side code you are triggering is bound within LSASS.

I will send you the x64 tool to do this (a .msi), instructions and I'll also make you a file upload workspace to get the results in separate mail.

As you gather the Time Travel Trace, I'll review the materials you sent in more detail.


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, December 13, 2011 9:35 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; Love Hörnquist Åstrand
Subject: Puzzled: Heimdal upgrade breaks Win2k8 dcpromo


The issue I have is a very odd one.  I'm trying to import a new snapshot of Heimdal into Samba4.  I do this every now and then, and it is naturally good practice to ensure it continues to work with Windows.

It appears to work with Windows 7, but when I dcpromo from a Win2008R2 machine to a Samba4 domain, I get 'Logon Failure: the username or password is incorrect'.

The error occurs in the reply to an AS-REQ, with error KRB5KDC_ERR_PREAUTH_REQUIRED (25).

The big difference in this error packet between old and new versions is the inclusion of FAST, but then I patched that back out and it still fails.

I have prepared git branches in git://git.samba.org/abartlet/samba.git

import-lorikeet-1 is the old code, this works (good)
import-lorikeet-2 is the new code, and fails (bad)
import-lorikeet-3 includes a patch that results in an identical (timestamp aside) KRB-ERROR packet to import-lorikeet-1.  This also fails.  (not-match)

I would suspect that the error is elsewhere, but I cannot find any other interesting packets, and in the working case (packet 14), the Kerberos exchange continues to a clock skew (packet 23), and then a successful AS-REP (32).

My question is:  How do I find out why the Windows 2008R2 client running dcpromo is convinced that the error is 'username or password is incorrect'?  No password is ever presented, and the same underlying Samba DB is used, so I know this is not the problem...

I've CC'ed Love, the Heimdal maintainer in case he has any clues.

I've included the good, bad and 'not-match' (my attempt to revert only the change in the KRB-ERROR AS-REP packet) packets in various formats as attachments.  Also I include the pcap trace.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
