[cifs-protocol] [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

Andreas Schneider asn at samba.org
Thu Mar 31 09:24:56 UTC 2022


On Monday, March 28, 2022 9:00:54 PM CEST Jeff McCashland (He/him) wrote:
> Hi Andreas,

Hi Jeff,

I'm back from a short vacation.

> If the warning below is not an issue, then I would like to collect an LSASS
> trace from the server returning the error, along with a concurrent network
> capture from the same server.

The warning about the missing KDC checksum is a bug in MIT KRB5:

https://github.com/krb5/krb5/commit/b5efdddd503020c2b64ccf9c30bb09117035f3ce

It will be fixed with MIT Kerberos 1.20. Wireshark is linked to a Kerberos 
library without the fix.

> The LSASS trace can be quite large, but is
> highly compressible, so please add to a .zip archive before uploading (file
> transfer workspace credentials are below). Please log into the workspace
> and find PartnerTTDRecorder_x86_x64.zip available for download. The x64
> tool can be staged onto the Windows server in any location (instructions
> below assume C:\TTD).

I've collected the traces you asked for and uploaded them to the 
workspace.


Best regards


	Andreas

> 
> To collect the needed traces:
> 	1. From an elevated command prompt, execute: tasklist /FI "IMAGENAME eq lsass.exe"
> 	2. Note the PID of the lsass process from the output of the above command.
> 	3. Execute: C:\TTD\TTTracer.exe -attach PID, where PID is the number from above.
> 	4. Wait for a little window to pop up in the top left corner of your screen, titled "lsass01.run"
> 	5. Start a network trace on the Server side
> 	6. Repro the attempted operation
> 	7. Stop the network trace and save it
> 	8. CAREFULLY: uncheck the checkbox next to "Tracing" in the small "lsass01.run" window. Do not close or exit the small window or you will need to reboot.
> 	9. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. Compress the *.run file into a .zip archive before uploading with the matching network trace.
> 
> Log in as: 2203240040008827_andreas at dtmxfer.onmicrosoft.com
> 1-Time: 1zUrbA5^
> 
> Workspace link:
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> We value your feedback.  My manager is Stacy Gray (stacygr), +1 (469) 775-4055
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Friday, March 25, 2022 11:38 AM
> To: 'Andreas Schneider' <asn at samba.org>
> Cc: 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>; 'Jeff McCashland' <jeffm at microsoftsupport.com>
> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
> 
> Hi Andreas,
> 
> I'm analyzing the traces to see why you're getting the error.
> 
> In the meantime, did you notice the expert warning in Wireshark on your
> request in frame 571? It says that the Ticket in the request is missing the
> KDC checksum in the Authorization data.
> 
> Is this expected, or might it be causing the error?
> 
> Best regards,
> Jeff McCashland (He/him)
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Thursday, March 24, 2022 3:41 PM
> To: Andreas Schneider <asn at samba.org>
> Cc: cifs-protocol at lists.samba.org; Jeff McCashland <jeffm at microsoftsupport.com>
> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
> 
> [Tom to BCC]
> 
> Hi Andreas,
> 
> I will research your question and let you know what I find.
> 
> Best regards,
> Jeff McCashland (He/him)
> 
> -----Original Message-----
> From: Tom Jebo <tomjebo at microsoft.com>
> Sent: Thursday, March 24, 2022 1:24 PM
> To: Andreas Schneider <asn at samba.org>
> Cc: cifs-protocol at lists.samba.org; Tom Jebo <tomjebo at microsoftsupport.com>
> Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827
> 
> [dochelp to bcc]
> 
> Hi Andreas,
> 
> Thank you for your question about S4U2Self and KDC_ERR_C_PRINCIPAL_UNKNOWN.
> One of the Open Specifications support team members will follow up shortly
> to begin assisting you. In the meantime, I've created the case
> 2203240040008827 to track this issue. Please leave this number in the
> subject line when communicating with us about the issue.
> 
> Best regards,
> Tom Jebo
> Microsoft Open Specifications Support
> 
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Thursday, March 24, 2022 3:09 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] S4U2Self and RODC
> 
> Hello Dochelp Team,
> 
> we have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when attempting to
> use S4U2Self with a TGT from an RODC. We wonder why it returns
> KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.
> 
> The test can be run with this command:
> 
> SMB_CONF_PATH=/etc/samba/smb.conf REALM=EARTH.MILKYWAY.SITE DOMAIN=EARTH \
> SERVER=win-dc01.earth.milkyway.site DC_SERVER=win-dc01.earth.milkyway.site \
> SERVICE_USERNAME=win-dc01 ADMIN_USERNAME=Administrator \
> ADMIN_PASSWORD=Secret007! FOR_USER=Administrator STRICT_CHECKING=0 \
> FAST_SUPPORT=0 CLAIMS_SUPPORT=0 COMPOUND_ID_SUPPORT=0 TKT_SIG_SUPPORT=1 \
> EXPECT_PAC=0 EXPECT_EXTRA_PAC_BUFFERS=0 CHECK_CNAME=0 CHECK_PADATA=0 \
> PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python \
> python3 -m samba.subunit.run \
> samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
> 
> win-dc01 is an RWDC (Windows Server 2022). The test creates an RODC account
> on the DC.
> 
> Attached is a capture of the above test which shows that the S4U2Self
> request fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN. Could you
> please clarify why it fails with this error?
> 
> Thank you very much for your help. I'm looking forward to hearing from you.
> 
> 
> Best regards
> 
> 
>         Andreas
> 
> 
> --
> Andreas Schneider                      asn at samba.org
> Samba Team                             www.samba.org
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
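The Wireshark warning discussed in this thread is a presence test on the PAC inside the ticket's authorization data: is there a KDC (privsvr) checksum buffer next to the server and ticket checksum buffers? The following is an added example, not code from the thread, from Samba or from Wireshark: it walks the PACTYPE buffer table as laid out in MS-PAC and reports which signature buffers a PAC carries, so a defender can confirm independently whether a checksum is really missing or the dissector is simply wrong. The sample PACs are constructed inline with dummy signature bytes.

```python
import struct

# MS-PAC ulType values of the three signature buffers (MS-PAC section 2.4)
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07   # the "KDC checksum" the Wireshark warning refers to
PAC_TICKET_CHECKSUM = 0x10
SIG_NAMES = {PAC_SERVER_CHECKSUM: "server", PAC_PRIVSVR_CHECKSUM: "kdc",
             PAC_TICKET_CHECKSUM: "ticket"}

def parse_pac_buffers(pac: bytes) -> dict:
    """Walk the PACTYPE header and return {ulType: raw buffer bytes}."""
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unexpected PAC version {version}")
    buffers = {}
    for i in range(cbuffers):
        # PAC_INFO_BUFFER: ULONG ulType, ULONG cbBufferSize, ULONG64 Offset
        ultype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ultype:#x} runs past the end of the PAC")
        buffers[ultype] = pac[offset:offset + size]
    return buffers

def signature_report(pac: bytes) -> dict:
    """Map each signature buffer name to its SignatureType, or None if absent.
    'kdc': None is the condition behind the missing-KDC-checksum warning.
    The optional RODCIdentifier after the signature bytes is not interpreted."""
    buffers = parse_pac_buffers(pac)
    report = {}
    for ultype, name in SIG_NAMES.items():
        buf = buffers.get(ultype)
        report[name] = struct.unpack_from("<I", buf, 0)[0] if buf and len(buf) >= 4 else None
    return report

def build_pac(buffers: list) -> bytes:
    """Constructed helper: pack (ulType, payload) pairs into a PACTYPE blob,
    padding each payload to the 8-byte alignment MS-PAC requires."""
    header_len = 8 + 16 * len(buffers)
    body, entries = b"", []
    for ultype, payload in buffers:
        entries.append(struct.pack("<IIQ", ultype, len(payload), header_len + len(body)))
        body += payload + b"\0" * (-len(payload) % 8)
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + body

# Constructed samples: checksum type 16 (hmac-sha1-96-aes256), dummy 12-byte MACs
SIG = struct.pack("<I", 16) + b"\x11" * 12
FULL_PAC = build_pac([(0x01, b"\0" * 24), (0x06, SIG), (0x07, SIG), (0x10, SIG)])
NO_KDC_PAC = build_pac([(0x01, b"\0" * 24), (0x06, SIG), (0x10, SIG)])
```

Feed `signature_report` the decrypted PAC bytes exported from a capture to compare against the dissector's verdict; it only reports presence and checksum type, it does not verify the signatures.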