[cifs-protocol] [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256

Joseph Sutton josephsutton at catalyst.net.nz
Fri Nov 11 03:10:39 UTC 2022


Hi,

Could you please upload the time travel debugging tracer tool to the 
workspace?

Regards,
Joseph

On 11/11/22 6:47 am, Jeff McCashland (He/him) wrote:
> Hi Andrew,
>
> I have created a file transfer workspace for uploading traces related to this issue.
>
> Log in as: 2211090040006256_andrew at dtmxfer.onmicrosoft.com
> 1-time: |91(t5d7
>
> Workspace link: https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiYjAwMTEwOTQtZDI0YS00ZTI4LWJlMWUtNGU2NzI0MDc3ODlkIiwic3IiOiIyMjExMDkwMDQwMDA2MjU2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiIzOTg1MTJhNy1mMTAzLTRjZWEtOWJjMi0yOTUwMjJkNWY0MjEiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NzU4NzgzMjAsIm5iZiI6MTY2ODEwMjMyMH0.dz1IqEH0QLZJu6La_5QMb6GPGrj-xYI-jTizGjbQ5EzSUeoTxGfhxQOCJkB4G7JRwfxMSgtno3JiJxlkowVN6WIRL6MIH529ZIdk8rMrJR2_0dxHOrruTIliuwRqnjv3Bd3UFHGwjgL8ofaT3SQqwZELpZEeZFdxlwPXJqorpBBB37PNKGphMiolT6BCnsdrE9W6Dm-cYoA0_tTYobtd7Q2qF_9WymQtpEn5j1Xb0NewDi_7Q4wGqWErA9jXHIjsMPmY5ygTp7k1-RkTt6Q957WnGc7mWv4ZiryVZfYbG3nn6LGOZXEh_GjemN0jJQLfbV3ghtc_7BJ5hiXKl_YrhA&wid=b0011094-d24a-4e28-be1e-4e672407789d
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Wednesday, November 9, 2022 9:22 AM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256
>
> [Michael to BCC]
>
> Hi Andrew,
>
> I will investigate this issue and let you know what I find.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> -----Original Message-----
> From: Michael Bowen <Mike.Bowen at microsoft.com>
> Sent: Wednesday, November 9, 2022 8:39 AM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256
>
> [DocHelp to bcc, Support mail to cc]
>
> Hi Andrew,
>
> Thanks for your inquiry. I've created case number 2211090040006256 to track this issue. In your correspondence, please leave the case number in the subject line and use reply all. One of our engineers will contact you soon.
>
> Best regards,
> Mike Bowen
> Escalation Engineer - Microsoft Open Specifications
>
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Tuesday, November 8, 2022 7:37 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Joseph Sutton <josephsutton at catalyst.net.nz>
> Subject: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch
>
> Related but separate to 2211090040000278
>
> We are running Windows 2019 with the Nov 2022 patches.
>
> KrbtgtFullPacSignature has been set to 3 but we see the same behaviour at 0.
>
> We create an account using Windows ADUC then set this account supports
> AES128 and AES 256 in 'account options'.
>
> With these values set, being 0x18 in msDS-SupportedEncryptionTypes, it is no longer possible to kinit to this account, even when the Kerberos client supports AES, and even if the Kerberos client does not propose.
>
> However, if we add the RC4 bit then it works, but given the security release is about disabling RC4 we are trying to avoid that.
>
> We can supply network traces etc, please provide the link.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org/
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source Solutions
-- 
Joseph Sutton
Samba Developer
Catalyst IT - Expert Open Source Solutions

Catalyst.Net Ltd - a Catalyst IT group company
www.catalyst.net.nz
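
Added example (not part of the original thread, and not Samba or Microsoft code): the quoted report sets msDS-SupportedEncryptionTypes to 0x18, i.e. the AES128 and AES256 bits without the RC4 bit (0x4). The sketch below decodes the attribute and flags which accounts are in that AES-only configuration; the account names and values are constructed, and the function names are hypothetical.

```python
# Added example: decode msDS-SupportedEncryptionTypes and classify accounts.
# Bit values are those defined in MS-KILE; account names/values are constructed.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
LEGACY_MASK = 0x01 | 0x02 | 0x04  # DES and RC4


def parse_value(raw):
    """Accept the attribute as LDAP returns it (decimal) or as hex ("0x18")."""
    return None if raw is None else int(str(raw).strip(), 0)


def decode_etypes(value):
    """Names of the encryption-type bits set, lowest bit first."""
    return [name for bit, name in sorted(ETYPE_BITS.items()) if value & bit]


def classify(value):
    """Bucket an account by which families of etype bits are present."""
    if value is None or not value & (AES_MASK | LEGACY_MASK):
        return "unset"            # attribute missing or no etype bits set
    if value & AES_MASK and not value & LEGACY_MASK:
        return "aes-only"         # the 0x18 configuration from the report
    if value & AES_MASK:
        return "aes-and-legacy"   # e.g. 0x1c, AES plus the RC4 bit
    return "legacy-only"          # DES and/or RC4 with no AES


def audit(accounts):
    """Map account name -> (classification, decoded etype names)."""
    result = {}
    for name, raw in accounts.items():
        value = parse_value(raw)
        result[name] = (classify(value), decode_etypes(value or 0))
    return result


# Constructed sample data: attribute values as strings, None if not set.
ACCOUNTS = {"svc-aes": "0x18", "svc-rc4": "28", "svc-old": "4", "svc-default": None}

if __name__ == "__main__":
    for name, (kind, etypes) in audit(ACCOUNTS).items():
        print(f"{name:12} {kind:15} {', '.join(etypes) or '-'}")
```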
