[cifs-protocol] [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256

Andrew Bartlett abartlet at samba.org
Fri Nov 11 08:09:56 UTC 2022


Very easy to reproduce, and I was able to upload the network trace
(PCAPng), not sure why Joseph struggled.  It shows failure when
AES128/256 is enabled in ADUC for user "andrew", and success otherwise
(checkboxes cleared).

We are happy to try and install TTT to see the server side, but I bet
there is an internal case on this well advanced by now.

Andrew Bartlett

On Fri, 2022-11-11 at 20:27 +1300, Andrew Bartlett wrote:
> Sorry we didn't get to upload the trace.  Joseph tried to upload a
> PCAP and it failed.
>
> But for context others are seeing this as well at:
> https://twitter.com/fabian_bader/status/1590432854399676416
>
> On Wed, 2022-11-09 at 17:21 +0000, Jeff McCashland (He/him) wrote:
> > [Michael to BCC]
> > Hi Andrew,
> > I will investigate this issue and let you know what I find. 
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer
> > | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://support.microsoft.com/globalenglish | Extension 1138300
> >
> > -----Original Message-----
> > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > Sent: Wednesday, November 9, 2022 8:39 AM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256
> >
> > [DocHelp to bcc, Support mail to cc]
> > Hi Andrew,
> > Thanks for your inquiry. I've created case number 2211090040006256
> > to track this issue. In your correspondence, please leave the case
> > number in the subject line and use reply all. One of our engineers
> > will contact you soon.
> >
> > Best regards,
> > Mike Bowen
> > Escalation Engineer - Microsoft Open Specifications
> >
> > -----Original Message-----
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Tuesday, November 8, 2022 7:37 PM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Joseph Sutton <josephsutton at catalyst.net.nz>
> > Subject: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch
> >
> > Related but separate to 2211090040000278
> >
> > We are running Windows 2019 with the Nov 2022 patches.
> > KrbtgtFullPacSignature has been set to 3 but we see the same
> > behaviour at 0.
> >
> > We create an account using Windows ADUC then set this account
> > supports AES128 and AES 256 in 'account options'.
> >
> > With these values set, being 0x18 in msDS-SupportedEncryptionTypes,
> > it is no longer possible to kinit to this account, even when the
> > Kerberos client supports AES, and even if the Kerberos client does
> > not propose.
> >
> > However, if we add the RC4 bit then it works, but given the
> > security release is about disabling RC4 we are trying to avoid
> > that.
> > We can supply network traces etc, please provide the link.
> > Thanks,
> > Andrew Bartlett
> > -- 
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org/
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> >
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20221111/1be4a47d/attachment.htm>
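
Added example, not part of the original thread or of any Samba or Microsoft code: a decoder for the msDS-SupportedEncryptionTypes bitmask that picks out accounts configured like the failing case described above (AES bits set, RC4 bit clear, e.g. 0x18). The account names and the helper names are assumptions made up for illustration; only the low five enctype bits are decoded.

```python
# Added example; the sample accounts at the bottom are constructed.
# Low five bits of msDS-SupportedEncryptionTypes (higher bits are not decoded).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
RC4, AES, KNOWN = 0x04, 0x18, 0x1F

def to_int(raw):
    """Accept an int, None, or an LDAP-style string such as '24' or '0x18'."""
    if isinstance(raw, str):
        return int(raw.strip(), 0)
    return int(raw or 0)

def decode(raw):
    """Return (enctype names that are set, leftover bits not decoded here)."""
    value = to_int(raw)
    names = [name for bit, name in ETYPE_BITS.items() if value & bit]
    return names, value & ~KNOWN

def classify(raw):
    value = to_int(raw) & KNOWN
    if value == 0:
        return "unset"          # attribute absent or no enctype bits set
    if value & RC4:
        return "rc4-enabled"    # the variant the thread says still works
    if value & AES:
        return "aes-only"       # e.g. 0x18, the failing case in the thread
    return "des-only"

def aes_only_accounts(accounts):
    """Names of accounts whose value matches the failing configuration."""
    return [name for name, raw in accounts if classify(raw) == "aes-only"]

# Constructed sample data: (sAMAccountName, msDS-SupportedEncryptionTypes)
SAMPLE = [("svc-aes", "0x18"), ("svc-mixed", 28), ("svc-legacy", 4),
          ("svc-default", None), ("svc-aes256", "16")]

if __name__ == "__main__":
    for name, raw in SAMPLE:
        print(f"{name:12} {classify(raw):12} {decode(raw)[0]}")
    print("AES-only:", aes_only_accounts(SAMPLE))
```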

