[cifs-protocol] [REG:111121459051600] Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

Bryan Burgin bburgin at microsoft.com
Wed Dec 14 23:07:46 MST 2011 

Andrew,

Attached is the x64 Time Travel Trace utility (rename to .msi and install).  It will create the folder c:\debuggers\ttt.  From an elevated command prompt (run CMD as an Administrator), do:

-- Tasklist
-- Locate the task lsass and note its process number (PID)
-- Do "TTTracer -dumpfull -attach <lsass_pid>"
-- It will complain that you're not running the current version; just ignore that warning. 
-- In 30-60 seconds a small dialog box will appear in the upper-left corner of the screen.  This means that recording has begun.
-- Repro your issue
-- In the dialog, un-tick the checkbox that says it is logging/tracing.  This will stop the trace.  Do NOT press the Exit Application button -- that will terminate LSASS and crash the system.
-- In c:\debuggers\ttt there will be two files: lsass01.run and lsass01.out.  I need both those files (zipped, please).

You can upload the trace to https://sftus.one.microsoft.com/choosetransfer.aspx?key=a3e97d98-9cb8-4822-b0b8-6ad81e99653a.

I'll send a second password with the upload workspace's password.

B.

-----Original Message-----
From: Bryan Burgin 
Sent: Wednesday, December 14, 2011 1:51 PM
To: Andrew Bartlett
Cc: cifs-protocol at samba.org; Love Hörnquist Åstrand; MSSolve Case Email
Subject: [REG:111121459051600] Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

[Dochelp to bcc]
[Adding case number to title & casemail]

Hi Andrew,

We made case 111121459051600 to track this issue.  I did a quick review of KDC_ERR_PREAUTH_REQUIRED (25).

I think the best way to dig into this issue is to capture a Time Travel Trace of the process LSASS on the Windows 2008 R2 machine while you are attempting this transaction.  The server-side code you are triggering is bound within LSASS.

I will send you the x64 tool to do this (a .msi), instructions and I'll also make you a file upload workspace to get the results in separate mail.

As you gather the Time Travel Trace, I'll review the materials you sent in more detail.

Bryan

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, December 13, 2011 9:35 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; Love Hörnquist Åstrand
Subject: Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

Dochelp,

The issue I have is a very odd one.  I'm trying to import a new snapshot of Heimdal into Samba4.  I do this every now and then, and it is naturally good practice to ensure it continues to work with Windows.

It appears to work with Windows 7, but when I dcpromo from a Win2008R2 machine to a Samba4 domain, I get 'Logon Failure: the username or password is incorrect'.

The error occurs in the reply to an AS-REQ, with error KRB5KDC_ERR_PREAUTH_REQUIRED (25)

The big difference in this error packet between old and new versions is the inclusion of FAST, but then I patched that back out and it still fails.

I have prepared git branches in git://git.samba.org/abartlet/samba.git

import-lorikeet-1 is the old code, this works (good)
import-lorikeet-2 is the new code, and fails (bad)
import-lorikeet-3 is includes a patch that results in an identical (timestamp aside) KRB-ERROR packet to import-lorikeet-1.  This also fails.  (not-match)

I would suspect that the error is elsewhere, but I cannot find any other interesting packets, and in the working case (packet 14), the kerberos exchange continues to a clock skew (packet 23), and then a successful AS-REP (32).

My question is:  How do I find out why the Windows 2008R2 client running dcpromo is convinced that the error is 'username or password is incorrect'?  No password is ever presented, and the same underlying Samba DB is used, so I know this is not the problem...

I've CC'ed Love, the Heimdal maintainer in case he has any clues.

I've included the good, bad and 'not-match' (my attempt to revert only the change in the KRB-ERROR AS-REP packet) packets in various formats as attachments.  Also I include the pcap trace.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TTTSetup_AMD64_external.m_s_i
Type: application/octet-stream
Size: 1392128 bytes
Desc: TTTSetup_AMD64_external.m_s_i
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20111215/78d22bb6/attachment-0001.obj>

More information about the cifs-protocol mailing list