[cifs-protocol] S4U2Self and RODC

Andreas Schneider asn at samba.org
Thu Mar 24 10:08:53 UTC 2022


Hello Dochelp Team,

we have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when attempting to 
use S4U2Self with a TGT from an RODC. We wonder why it returns 
KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.

The test can be run with this command:

SMB_CONF_PATH=/etc/samba/smb.conf REALM=EARTH.MILKYWAY.SITE DOMAIN=EARTH \
SERVER=win-dc01.earth.milkyway.site DC_SERVER=win-dc01.earth.milkyway.site \
SERVICE_USERNAME=win-dc01 ADMIN_USERNAME=Administrator \
ADMIN_PASSWORD=Secret007! FOR_USER=Administrator STRICT_CHECKING=0 \
FAST_SUPPORT=0 CLAIMS_SUPPORT=0 COMPOUND_ID_SUPPORT=0 TKT_SIG_SUPPORT=1 \
EXPECT_PAC=0 EXPECT_EXTRA_PAC_BUFFERS=0 CHECK_CNAME=0 CHECK_PADATA=0 \
PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python \
python3 -m samba.subunit.run \
samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed

win-dc01 is an RWDC (Windows Server 2022). The test creates an RODC account on 
the DC.

Attached is a capture of the above test which shows that the S4U2Self request 
fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN. Could you please clarify 
why it fails with this error?

Thank you very much for your help. I'm looking forward to hearing from you.


Best regards


	Andreas


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win-dc01.keytab
Type: application/octet-stream
Size: 5198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20220324/fadcbc89/win-dc01.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_s4u2self_rodc_revealed_win_srv_2022.pcapng
Type: application/x-pcapng
Size: 219092 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20220324/fadcbc89/test_s4u2self_rodc_revealed_win_srv_2022.bin>
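The message above reports the error code Wireshark decodes from frame 573. The following is an added example, not code from the post or from Samba, for checking such a frame by hand: a minimal DER encoder and decoder for the KRB-ERROR message as defined in RFC 4120 section 5.9.1, with the error-code values from section 7.5.9. The sample message it builds is constructed here (the realm and service name are taken from the post, the timestamp and the rest are assumptions); it is not the bytes of the attached capture.

```python
"""Encode and decode a Kerberos KRB-ERROR (RFC 4120 section 5.9.1) with plain DER.

Added example; the sample message below is constructed, not taken from the capture.
"""

# Subset of the error codes listed in RFC 4120 section 7.5.9.
KRB_ERROR_CODES = {
    0: "KDC_ERR_NONE",
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    68: "KDC_ERR_WRONG_REALM",
}

TAG_INTEGER = 0x02
TAG_GENERALIZED_TIME = 0x18
TAG_GENERAL_STRING = 0x1B        # KerberosString
TAG_SEQUENCE = 0x30
TAG_KRB_ERROR = 0x7E             # [APPLICATION 30], constructed
MSG_TYPE_KRB_ERROR = 30


# ---- DER encoding -----------------------------------------------------------

def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_int(value):
    # Minimal two's-complement encoding, one extra bit reserved for the sign.
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def der_string(s):
    return tlv(TAG_GENERAL_STRING, s.encode("ascii"))


def der_seq(*items):
    return tlv(TAG_SEQUENCE, b"".join(items))


def ctx(n, inner):
    """Explicitly tagged context-specific field [n] (n < 31)."""
    return tlv(0xA0 | n, inner)


def encode_principal(name_type, *name_string):
    return der_seq(ctx(0, der_int(name_type)),
                   ctx(1, der_seq(*(der_string(p) for p in name_string))))


def encode_krb_error(error_code, stime, realm, sname, susec=0):
    """Only the mandatory KRB-ERROR fields; ctime/cusec/crealm/cname/e-text/e-data are left out."""
    return tlv(TAG_KRB_ERROR, der_seq(
        ctx(0, der_int(5)),                                          # pvno
        ctx(1, der_int(MSG_TYPE_KRB_ERROR)),                         # msg-type
        ctx(4, tlv(TAG_GENERALIZED_TIME, stime.encode("ascii"))),    # stime
        ctx(5, der_int(susec)),                                      # susec
        ctx(6, der_int(error_code)),                                 # error-code
        ctx(9, der_string(realm)),                                   # realm
        ctx(10, sname),                                              # sname
    ))


# ---- DER decoding -----------------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def read_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def expect(buf, tag):
    got, value, _ = read_tlv(buf)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value


def context_fields(seq_body):
    """Map the [n] tags of a SEQUENCE body to the inner element bytes."""
    fields = {}
    for tag, value in read_sequence(seq_body):
        if tag & 0xE0 != 0xA0:
            raise ValueError(f"unexpected tag 0x{tag:02x} in SEQUENCE")
        fields[tag & 0x1F] = value
    return fields


def decode_int(inner):
    return int.from_bytes(expect(inner, TAG_INTEGER), "big", signed=True)


def decode_string(inner):
    return expect(inner, TAG_GENERAL_STRING).decode("ascii")


def decode_principal(inner):
    f = context_fields(expect(inner, TAG_SEQUENCE))
    names = []
    for tag, value in read_sequence(expect(f[1], TAG_SEQUENCE)):
        if tag != TAG_GENERAL_STRING:
            raise ValueError("name-string must hold KerberosString values")
        names.append(value.decode("ascii"))
    return {"name-type": decode_int(f[0]), "name-string": names}


def decode_krb_error(buf):
    """Parse a DER KRB-ERROR and name its error-code."""
    f = context_fields(expect(expect(buf, TAG_KRB_ERROR), TAG_SEQUENCE))
    if decode_int(f[1]) != MSG_TYPE_KRB_ERROR:
        raise ValueError("msg-type is not KRB-ERROR (30)")
    code = decode_int(f[6])
    result = {
        "pvno": decode_int(f[0]),
        "stime": expect(f[4], TAG_GENERALIZED_TIME).decode("ascii"),
        "error-code": code,
        "error-name": KRB_ERROR_CODES.get(code, f"unknown({code})"),
        "realm": decode_string(f[9]),
        "sname": decode_principal(f[10]),
    }
    if 7 in f:
        result["crealm"] = decode_string(f[7])
    if 8 in f:
        result["cname"] = decode_principal(f[8])
    return result


def sample_krb_error():
    """Constructed sample: the KDC for EARTH.MILKYWAY.SITE answering a request
    for service win-dc01 with KDC_ERR_C_PRINCIPAL_UNKNOWN (code 6)."""
    return encode_krb_error(error_code=6,
                            stime="20220324100853Z",
                            realm="EARTH.MILKYWAY.SITE",
                            sname=encode_principal(1, "win-dc01"))  # NT-PRINCIPAL


if __name__ == "__main__":
    print(decode_krb_error(sample_krb_error()))
```

To run the decoder over the real frame instead of the constructed sample, select the KRB-ERROR in Wireshark, copy it as a hex stream and pass `bytes.fromhex(...)` to `decode_krb_error`; the `cname`/`crealm` fields are returned only when the KDC included them.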

