[cifs-protocol] [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

Tom Jebo tomjebo at microsoft.com
Thu Mar 24 20:23:43 UTC 2022 

[dochelp to bcc]

Hi Andreas, 

Thank you for your question about S4U2Self and KDC_ERR_C_PRINCIPAL_UNKNOWN. One of the Open Specifications support team members will follow up shortly to begin assisting you. In the meantime, I've created the case 2203240040008827 to track this issue. Please leave this number in the subject line when communicating with us about the issue.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Andreas Schneider <asn at samba.org> 
Sent: Thursday, March 24, 2022 3:09 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] S4U2Self and RODC

Hello Dochelp Team,

we have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when attempting to use S4U2Self with a TGT from an RODC. We wonder why it returns KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.

The test can be run with this command:

SMB_CONF_PATH=/etc/samba/smb.conf REALM=EARTH.MILKYWAY.SITE DOMAIN=EARTH SERVER=win-dc01.earth.milkyway.site DC_SERVER=win-dc01.earth.milkyway.site
SERVICE_USERNAME=win-dc01 ADMIN_USERNAME=Administrator ADMIN_PASSWORD=Secret007! FOR_USER=Administrator STRICT_CHECKING=0
FAST_SUPPORT=0 CLAIMS_SUPPORT=0 COMPOUND_ID_SUPPORT=0 TKT_SIG_SUPPORT=1
EXPECT_PAC=0 EXPECT_EXTRA_PAC_BUFFERS=0 CHECK_CNAME=0 CHECK_PADATA=0 PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python
python3 -m samba.subunit.run
samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed

win-dc01 is a RWDC (Windows Server 2022). The test creates an RODC account on the DC.

Attached is a capture of the above test which shows that the S4U2Self request fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN. Could you please clarify why it fails with this error?

Thank you very much for your help. I'm looking forward to hear from you.


Best regards


	Andreas


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.samba.org%2F&data=04%7C01%7Ctomjebo%40microsoft.com%7Cd16b9d14f77444de83a108da0d7e5ff8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637837133679154667%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=BIAXKEEoHNchhmcR%2FJhESV7KKbT0drv0yMDvCgiPepk%3D&reserved=0
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the cifs-protocol mailing list