[cifs-protocol] [EXTERNAL] Kerberos kinit failures since Nov 2022 patch - TrackingID#2211090040006256

Andrew Bartlett abartlet at samba.org
Mon Nov 14 21:44:37 UTC 2022


The kinit-fail-and-success-aes-nov-22.pcapng is all you need; I
reproduced from scratch after Joseph's failure uploading.

Anyway, this is all
https://twitter.com/SteveSyfuhs/status/1590417822030917632 which seems
well known by now.   I can't find the reference right now, but I saw
this also impacting SSSD users who had correctly selected AES only
rather than legacy ciphers.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-21H2#sign-in-failures-and-other-issues-related-to-kerberos-authentication

The two things we need are:
 * a notice as soon as a fixed Windows is available so we can confirm
   we have guessed the correct behaviour,
 * before that, detailed information on what the correct ticket
   encryption type and session key selection behaviour should be, so we
   can prepare our response to this security issue and try to end up at
   the same point.

Thanks for any information you can give and we wish all the best to the
product team who I'm sure are having a hard time right now.
Andrew Bartlett
On Mon, 2022-11-14 at 21:26 +0000, Jeff McCashland (He/him) wrote:
> Hi Andrew,
> 
> I found ‘kinit-fail-and-success-aes-nov-22.pcapng’ on the workspace,
> but it appears ‘as_req_windows_server_2019.pcapng’ did not upload
> fully to the workspace.
> 
> Could you try uploading that again?
> 
> Best regards,
> 
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team
> 
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
> (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
> 
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Friday, November 11, 2022 12:10 AM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support
> <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch
> - TrackingID#2211090040006256
> 
> Very easy to reproduce, and I was able to upload the network trace
> (PCAPng), not sure why Joseph struggled.  It shows failure when
> AES128/256 is enabled in ADUC for user "andrew", and success
> otherwise (checkboxes cleared).
> 
> We are happy to try and install TTT to see the server side, but I bet
> there is an internal case on this well advanced by now.
> 
> Andrew Bartlett
> 
> On Fri, 2022-11-11 at 20:27 +1300, Andrew Bartlett wrote:
> 
> > Sorry we didn't get to upload the trace.  Joseph tried to upload a
> > PCAP and it failed.
> > 
> > But for context others are seeing this as well at:
> > https://twitter.com/fabian_bader/status/1590432854399676416
> > 
> > On Wed, 2022-11-09 at 17:21 +0000, Jeff McCashland (He/him) wrote:
> > 
> > > [Michael to BCC]
> > >  
> > > Hi Andrew,
> > >  
> > > I will investigate this issue and let you know what I find. 
> > >  
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Protocol Open Specifications Team 
> > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
> > > (UTC-08:00) Pacific Time (US and Canada)
> > > Local country phone number found here:
> > > http://support.microsoft.com/globalenglish | Extension 1138300
> > >  
> > > -----Original Message-----
> > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > Sent: Wednesday, November 9, 2022 8:39 AM
> > > To: Andrew Bartlett <abartlet at samba.org>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support
> > > <supportmail at microsoft.com>
> > > Subject: RE: [EXTERNAL] Kerberos kinit failures since Nov 2022
> > > patch - TrackingID#2211090040006256
> > >  
> > > [DocHelp to bcc, Support mail to cc]
> > >  
> > > Hi Andrew,
> > >  
> > > Thanks for your inquiry. I've created case number
> > > 2211090040006256 to track this issue. In your correspondence,
> > > please leave the case number in the subject line and use reply
> > > all. One of our engineers will contact you soon.
> > >  
> > > Best regards,
> > > Mike Bowen
> > > Escalation Engineer - Microsoft Open Specifications
> > >  
> > > -----Original Message-----
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > Sent: Tuesday, November 8, 2022 7:37 PM
> > > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>;
> > > Joseph Sutton <josephsutton at catalyst.net.nz>
> > > Subject: [EXTERNAL] Kerberos kinit failures since Nov 2022 patch
> > >  
> > > Related but separate to 2211090040000278
> > >  
> > > We are running Windows 2019 with the Nov 2022 patches.
> > >  
> > > KrbtgtFullPacSignature has been set to 3, but we see the same
> > > behaviour at 0.
> > >  
> > > We create an account using Windows ADUC then set this account
> > > supports AES128 and AES 256 in 'account options'.
> > >  
> > > With these values set, being 0x18 in msDS-SupportedEncryptionTypes,
> > > it is no longer possible to kinit to this account, even when the
> > > Kerberos client supports AES, and even if the Kerberos client does
> > > not propose.
> > >  
> > > However, if we add the RC4 bit then it works, but given the
> > > security release is about disabling RC4 we are trying to avoid
> > > that.
> > >  
> > > We can supply network traces etc, please provide the link.
> > >  
> > > Thanks,
> > >  
> > > Andrew Bartlett
> > >  
> > > --
> > > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > > Samba Team Member (since 2001) https://samba.org/
> > > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> > > Samba Development and Support, Catalyst IT - Expert Open Source
> > > Solutions
> > 
> > -- 
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> 
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
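As an added illustration (not code from the thread, Samba, or Microsoft), a small audit of msDS-SupportedEncryptionTypes values over constructed LDIF-style output, separating the AES-only 0x18 setting the thread reports as failing from accounts that still carry the RC4 bit used as the workaround; the bit values follow MS-KILE and the sample account names are made up.

```python
"""Audit msDS-SupportedEncryptionTypes from LDIF-style directory output.
Added example for this thread, not Samba or Microsoft code.  Bit values
follow MS-KILE; SAMPLE_LDIF is constructed data, not the case's trace.
0x18 (decimal 24) is AES-only; adding the RC4 bit gives 0x1c (decimal 28)."""
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
LEGACY_BITS = 0x07  # DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC
AES_BITS = 0x18     # AES128 | AES256

SAMPLE_LDIF = """\
sAMAccountName: andrew
msDS-SupportedEncryptionTypes: 24

sAMAccountName: svc-legacy
msDS-SupportedEncryptionTypes: 28

sAMAccountName: oldprinter$
msDS-SupportedEncryptionTypes: 4

sAMAccountName: unset
"""

def decode_etypes(value):
    """Names of the etypes whose bits are set in the attribute value."""
    return [name for bit, name in sorted(ETYPES.items()) if value & bit]

def classify(value):
    """unset, aes-only, legacy-only or mixed (AES plus DES/RC4 bits)."""
    if value is None or (value & (LEGACY_BITS | AES_BITS)) == 0:
        return "unset"  # the KDC applies its own default in this case
    has_aes, has_legacy = bool(value & AES_BITS), bool(value & LEGACY_BITS)
    if has_aes and has_legacy:
        return "mixed"
    return "aes-only" if has_aes else "legacy-only"

def audit(text):
    """Map sAMAccountName -> (classification, decoded etype names)."""
    result = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines())
        raw = attrs.get("msDS-SupportedEncryptionTypes")
        value = int(raw) if raw else None
        result[attrs["sAMAccountName"]] = (classify(value), decode_etypes(value or 0))
    return result
```

Accounts reported as "aes-only" are the ones in the configuration this thread describes; "mixed" and "legacy-only" still advertise RC4 or DES.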