[cifs-protocol] [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

Jeff McCashland (He/him) jeffm at microsoft.com
Thu Apr 14 18:44:56 UTC 2022


Hi Metze,

I don't believe it will always need to get a fresh TGT; that only happens in the case of S4U2Self with a hub DC and an RODC TGT. The hub DC doesn't normally expect to get an RODC TGT.

If an RODC cannot issue a requested ticket, it tells the client this.  The client then gets a hub TGT by relaying it through the RODC alongside a request flag in the PA-DATA asking that the request be forwarded to the hub.  It then uses that hub TGT any time it needs a service ticket that must come from the hub.  

If the RWDC is seeing RODC tickets, then the client must have now discovered the hub DC directly (such as when the RODC is offline, so we did discovery outside our site), and it should respond to the client with the TGT revoked error to trigger the client to discard it and get a new one.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Stacy Gray (stacygr), +1 (469) 775-4055

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org> 
Sent: Monday, April 11, 2022 3:44 AM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Andreas Schneider <asn at samba.org>
Cc: cifs-protocol at lists.samba.org; Jeff McCashland <jeffm at microsoftsupport.com>
Subject: Re: [cifs-protocol] [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

Hi Jeff,

that means that a service that tries to use S4U2Self always needs to get a fresh TGT from the KDC it will send the S4U2Self request to?

Otherwise I can't see how the usage of an RODC would be transparent for the service.

metze

Am 08.04.22 um 18:12 schrieb Jeff McCashland (He/him) via cifs-protocol:
> Hi Andreas,
> 
> I was able to track down the error and get an explanation. The request is failing because RODC PAC data isn't trusted for authorization as it may be stale. The only thing meaningful you can do with an RODC account on a full DC is exchange the RODC TGT for a 'real' TGT.
> 
> Please let us know if you have any further questions on this issue.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Thursday, March 31, 2022 11:01 AM
> To: Andreas Schneider <asn at samba.org>
> Cc: cifs-protocol at lists.samba.org; Jeff McCashland <jeffm at microsoftsupport.com>
> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
> 
> [adding support alias back to CC]
> 
> Hi Andreas,
> 
> Thank you for uploading the traces. I will analyze them and let you know what I find.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> 
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Thursday, March 31, 2022 2:25 AM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: Re: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
> 
> On Monday, March 28, 2022 9:00:54 PM CEST Jeff McCashland (He/him) wrote:
>> Hi Andreas,
> 
> Hi Jeff,
> 
> I'm back from a short vacation.
> 
>> If the warning below is not an issue, then I would like to collect an 
>> LSASS trace from the server returning the error, along with a 
>> concurrent network capture from the same server.
> 
> The warning about the missing KDC checksum is a bug in MIT KRB5:
> 
> https://github.com/krb5/krb5/commit/b5efdddd503020c2b64ccf9c30bb09117035f3ce
> 
> It will be fixed with MIT Kerberos 1.20. Wireshark is linked to a Kerberos library without the fix.
> 
>> The LSASS trace can be quite large, but is highly compressible, so 
>> please add to a .zip archive before uploading (file transfer 
>> workspace credentials are below). Please log into the workspace and 
>> find PartnerTTDRecorder_x86_x64.zip available for download. The x64 
>> tool can be staged onto the Windows server in any location 
>> (instructions below assume C:\TTD).
> 
> I've collected the traces you asked for and uploaded them to the workspace.
> 
> 
> Best regards
> 
> 
> 	Andreas
> 
>>
>> To collect the needed traces:
>> 	1. From an elevated command prompt, execute: tasklist /FI "IMAGENAME eq lsass.exe"
>> 	2. Note the PID of the lsass process from the output of the above command.
>> 	3. Execute: C:\TTD\TTTracer.exe -attach PID, where PID is the number from above.
>> 	4. Wait for a little window to pop up in the top left corner of your screen, titled "lsass01.run"
>> 	5. Start a network trace on the Server side
>> 	6. Repro the attempted operation
>> 	7. Stop the network trace and save it
>> 	8. CAREFULLY: uncheck the checkbox next to "Tracing" in the small "lsass01.run" window. Do not close or exit the small window or you will need to reboot.
>> 	9. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. Compress the *.run file into a .zip archive before uploading with the matching network trace.
>>
>> Log in as: 2203240040008827_andreas at dtmxfer.onmicrosoft.com
>> 1-Time: 1zUrbA5^
>>
>> Workspace link:
>> https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNTRhNWIzZmUtY2IwMS00OTIyLWE2MWEtOWJmNWJmMzgwZTJhIiwic3IiOiIyMjAzMjQwMDQwMDA4ODI3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiJlZDNmM2IyMC1jMDcyLTQ3ZDYtOWJlOS0yOTVhYThmODExNzAiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NTYyNjk0MTcsIm5iZiI6MTY0ODQ5MzQxN30.c0XHYuoanP8OZZnuFuCHEdL8WdbEk3oau8TtJSB1Z_c2cQy1A181bs8V2BV-s_a3RX5RVabyhHVofo7FQCT0C7mjqpbWTFQTtj4L-6yhtg9tx8W-iW6WMuX9nJ3plwGz2-ldJx8hLch4G3veiakDRlbtsQm6dfrgzxPzAov72eTdMmq_Fjru8LgBhJEi69Ipxb6toVHean1QZ0VyTkQliNXaPiwuOFgnULRN-gdoLYL38yoiliSvXnfznMu6JjtEGO9ft33PdqXPdmPzAvxbwMKy4WA_3hKDTuzIwcjRJ24VjTfoQe8E6Qkt2s1d3Gl9qXDJABnY11NMUdryAtp2nQ&wid=54a5b3fe-cb01-4922-a61a-9bf5bf380e2a
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>
>> -----Original Message-----
>> From: Jeff McCashland (He/him)
>> Sent: Friday, March 25, 2022 11:38 AM
>> To: 'Andreas Schneider' <asn at samba.org>
>> Cc: 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>; 'Jeff McCashland' <jeffm at microsoftsupport.com>
>> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
>>
>> Hi Andreas,
>>
>> I'm analyzing the traces to see why you're getting the error.
>>
>> In the meantime, did you notice the expert warning in Wireshark on 
>> your request in frame 571? It says that the Ticket in the request is 
>> missing the KDC checksum in the Authorization data.
>>
>> Is this expected, or might it be causing the error?
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>
>> -----Original Message-----
>> From: Jeff McCashland (He/him)
>> Sent: Thursday, March 24, 2022 3:41 PM
>> To: Andreas Schneider <asn at samba.org>
>> Cc: cifs-protocol at lists.samba.org; Jeff McCashland <jeffm at microsoftsupport.com>
>> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
>>
>> [Tom to BCC]
>>
>> Hi Andreas,
>>
>> I will research your question and let you know what I find.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
>>
>> -----Original Message-----
>> From: Tom Jebo <tomjebo at microsoft.com>
>> Sent: Thursday, March 24, 2022 1:24 PM
>> To: Andreas Schneider <asn at samba.org>
>> Cc: cifs-protocol at lists.samba.org; Tom Jebo <tomjebo at microsoftsupport.com>
>> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
>>
>> [dochelp to bcc]
>>
>> Hi Andreas,
>>
>> Thank you for your question about S4U2Self and KDC_ERR_C_PRINCIPAL_UNKNOWN.
>> One of the Open Specifications support team members will follow up 
>> shortly to begin assisting you. In the meantime, I've created the 
>> case
>> 2203240040008827 to track this issue. Please leave this number in the 
>> subject line when communicating with us about the issue.
>>
>> Best regards,
>> Tom Jebo
>> Microsoft Open Specifications Support
>>
>> -----Original Message-----
>> From: Andreas Schneider <asn at samba.org>
>> Sent: Thursday, March 24, 2022 3:09 AM
>> To: Interoperability Documentation Help <dochelp at microsoft.com>
>> Cc: cifs-protocol at lists.samba.org
>> Subject: [EXTERNAL] S4U2Self and RODC
>>
>> Hello Dochelp Team,
>>
>> we have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when 
>> attempting to use S4U2Self with a TGT from an RODC. We wonder why it 
>> returns KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.
>>
>> The test can be run with this command:
>>
>> SMB_CONF_PATH=/etc/samba/smb.conf REALM=EARTH.MILKYWAY.SITE DOMAIN=EARTH \
>> SERVER=win-dc01.earth.milkyway.site DC_SERVER=win-dc01.earth.milkyway.site \
>> SERVICE_USERNAME=win-dc01 ADMIN_USERNAME=Administrator ADMIN_PASSWORD=Secret007! \
>> FOR_USER=Administrator STRICT_CHECKING=0 FAST_SUPPORT=0 CLAIMS_SUPPORT=0 \
>> COMPOUND_ID_SUPPORT=0 TKT_SIG_SUPPORT=1 EXPECT_PAC=0 EXPECT_EXTRA_PAC_BUFFERS=0 \
>> CHECK_CNAME=0 CHECK_PADATA=0 \
>> PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python \
>> python3 -m samba.subunit.run samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
>>
>> win-dc01 is a RWDC (Windows Server 2022). The test creates an RODC 
>> account on the DC.
>>
>> Attached is a capture of the above test which shows that the S4U2Self 
>> request fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN. Could 
>> you please clarify why it fails with this error?
>>
>> Thank you very much for your help. I'm looking forward to hearing from you.
>>
>>
>> Best regards
>>
>>
>>          Andreas
>>
>>
>> --
>> Andreas Schneider                      asn at samba.org
>> Samba Team
>> http://www.samba.org/
>> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> 
> 
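Added worked example (editor's illustration; not code from this thread, from Samba or from Microsoft): a small Python model of the rule Jeff describes above, under which a hub DC will only exchange an RODC-issued TGT for a real TGT and refuses S4U2Self on it with the TGT revoked error, plus the client-side retry that makes RODC use transparent to a service asking for S4U2Self. The error code values are the RFC 4120 ones and PA-FOR-USER is the MS-SFU padata type; the Ticket/TgsReq/TgsRep shapes, the "krbtgt_12345" RODC key name and the single retry are assumptions made for the example. The constant RODC_TGT_MISUSE_ERROR can be switched to KDC_ERR_C_PRINCIPAL_UNKNOWN to model what the Windows Server 2022 DC in Andreas's capture actually returned.

```python
"""Model of the hub-DC rule for RODC-issued TGTs that this thread describes.

Constructed illustration, not Samba or Windows code.  The KDC error codes are
the RFC 4120 values and PA-FOR-USER is the MS-SFU padata type; the ticket
shapes, the 'krbtgt_12345' RODC key name and the retry policy are assumptions
made for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # RFC 4120: what the Windows Server 2022 DC in the thread returned
KDC_ERR_TGT_REVOKED = 20          # RFC 4120: the error the hub DC is meant to return
PA_FOR_USER = 129                 # MS-SFU: padata carrying the S4U2Self target user

# Error the modelled hub DC sends back when an RODC TGT is used for anything
# other than a TGT exchange.  Set to KDC_ERR_C_PRINCIPAL_UNKNOWN to reproduce
# the observed behaviour from the capture.
RODC_TGT_MISUSE_ERROR = KDC_ERR_TGT_REVOKED


@dataclass
class Ticket:
    client: str      # principal the ticket is issued to
    sname: str       # service principal ("krbtgt" for a TGT)
    key_owner: str   # account whose key encrypted the ticket; an RODC TGT uses its own krbtgt_<id> key

    def is_rodc_tgt(self) -> bool:
        return self.sname == "krbtgt" and self.key_owner.startswith("krbtgt_")


@dataclass
class TgsReq:
    tgt: Ticket
    sname: str
    padata: dict = field(default_factory=dict)


@dataclass
class TgsRep:
    ok: bool
    error: Optional[int] = None
    ticket: Optional[Ticket] = None


def hub_kdc(req: TgsReq) -> TgsRep:
    """What a full (RW) DC does with a TGS-REQ.

    An RODC's PAC is not trusted for authorization because it may be stale, so
    the only request the hub honours on an RODC TGT is a plain exchange for a
    hub-issued TGT.  Anything else, S4U2Self included, is refused with an
    error that tells the client to drop the RODC TGT and get a new one.
    """
    if req.tgt.is_rodc_tgt():
        if req.sname == "krbtgt" and PA_FOR_USER not in req.padata:
            return TgsRep(ok=True, ticket=Ticket(req.tgt.client, "krbtgt", "krbtgt"))
        return TgsRep(ok=False, error=RODC_TGT_MISUSE_ERROR)
    # Hub-issued TGT: a plain service ticket, or (with PA-FOR-USER) an
    # S4U2Self ticket that names the impersonated user as the client.
    client = req.padata.get(PA_FOR_USER, req.tgt.client)
    return TgsRep(ok=True, ticket=Ticket(client, req.sname, req.sname))


def s4u2self(service_tgt: Ticket, for_user: str):
    """Client side: S4U2Self to the service's own principal, retried once with
    a fresh hub TGT if the KDC answers that the RODC TGT is revoked.

    Returns (ticket, log); log records each exchange as (step, error).
    """
    log = []
    tgt = service_tgt
    for _ in range(2):
        rep = hub_kdc(TgsReq(tgt, sname=service_tgt.client, padata={PA_FOR_USER: for_user}))
        log.append(("S4U2Self", rep.error))
        if rep.ok:
            return rep.ticket, log
        if rep.error != KDC_ERR_TGT_REVOKED or not tgt.is_rodc_tgt():
            raise RuntimeError(f"S4U2Self failed with KDC error {rep.error}")
        fresh = hub_kdc(TgsReq(tgt, sname="krbtgt"))   # exchange the RODC TGT for a hub TGT
        log.append(("TGT exchange", fresh.error))
        if not fresh.ok:
            raise RuntimeError(f"TGT exchange failed with KDC error {fresh.error}")
        tgt = fresh.ticket
    raise RuntimeError("S4U2Self still refused after refreshing the TGT")


if __name__ == "__main__":
    # Constructed input: the service holds a TGT issued by an RODC (id made up).
    rodc_tgt = Ticket("win-dc01$", "krbtgt", "krbtgt_12345")
    ticket, log = s4u2self(rodc_tgt, "Administrator")
    print(ticket)
    print(log)
```

With the default setting the first S4U2Self on the RODC TGT is refused, the TGT is exchanged for a hub TGT, and the retried S4U2Self yields a ticket to win-dc01$ naming Administrator as client; with RODC_TGT_MISUSE_ERROR set to KDC_ERR_C_PRINCIPAL_UNKNOWN the client has no signal to refresh and the call raises, which is the situation the test in the thread ran into.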



