Modifications in Windows 2k8 R2 that prevent krb5 referral in RODC setup?

Joshua Hawkinson jhawkinson at overlandstorage.com
Tue Sep 21 13:45:43 MDT 2010


Hello everyone,

Well here is a quick update -- setting the Microsoft recommended setting ((2) service and instance, or KRB5_NT_SRV_INST (as defined in the krb5 code)) into the Kerberos libs on the system seems to have worked.  Unfortunately it seems that the current krb5 code, both Heimdal and MIT, has this value statically assigned to name-type (1) and (0) respectively (or principal and unknown).  Microsoft seems to be a bit slicker about setting the name-type in different situations.  At any rate, other than specifying a "password server" parameter in the smb.conf pointing at the writable DC, there does not seem to be a good workaround.  We're testing the static (2) setting to see what -- if anything -- it breaks in our environment...

Samba folks,
As this seems to be a more generic krb5 issue, should I enter a defect into bugzilla?

--Josh

-----Original Message-----
From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Joshua Hawkinson
Sent: Thursday, September 16, 2010 5:12 PM
To: samba-technical at lists.samba.org
Subject: Modifications in Windows 2k8 R2 that prevent krb5 referral in RODC setup?

Hi guys,

I seem to have uncovered a defect in the latest stable version of samba (3.5.5) where I'm unable to authenticate through Kerberos to a 2008 R2 read-only domain controller (RODC).  I've been digging in on this issue for about a couple of days and I've found that the problem only seems to occur during the TGS-REQ to the RODC.  The RODC seems to reject this request (with error 31, decrypt integrity check failed) without forwarding it on to the writeable DC.  If I replace the 2008 R2 RODC with a standard 2008 RODC the problem does not occur.  Also, if I set the samba server to directly authenticate to the writeable DC no problems occur (obviously).  I've received word from an engineer at Microsoft that the problem is due to.... Well I'll paste in his message
