Sat Sep 18 21:15:27 MDT 2010

"I have received an update from my SME on the data which has been provided to us. The problem is the name-type used for the TGT request is set to


133   2010-08-26 17:15:17.284157   x.x.x.x   x.x.x.x   KRB5   AS-REQ
    Server Name (Unknown): krbtgt/EXAMPLE.COM
        Name-type: Unknown (0)
        Name: krbtgt


The name-type needs to be Service and Instance. The reason why it works against the Writable DC's is because those DC's don't need to proxy the authentication; RODC's do. In W2K8R2 there were additional checks in the Kerberos decryption code path which now expose this problem.
As I'm still a bit skeptical about this analysis of the problem, I'm working on verifying the problem and performing further isolation. I was also wondering if such a problem was uncovered in your testing as well.

I've attached the following to the mail:
Interactive winbindd debug 100 log
net ads status -machine-pass debug 10
a network capture from the samba server during the net ads status

Thanks for reading
Joshua Hawkinson
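The name-type distinction the SME describes, as an added example that is not part of the original mail or of Samba's code: a minimal DER encoder/decoder for the RFC 4120 PrincipalName, so the sname of an AS-REQ can be checked for NT-SRV-INST (2) rather than NT-UNKNOWN (0). The principal names fed to it below are constructed for the demo.

```python
# Kerberos name-type constants from RFC 4120 section 6.2
NT_UNKNOWN = 0    # what the capture above shows for krbtgt
NT_PRINCIPAL = 1
NT_SRV_INST = 2   # "Service and Instance", the form the SME says RODC proxying needs


def _tlv(tag: int, body: bytes) -> bytes:
    # DER tag-length-value; bodies here are small, so short or 2-byte long form suffices
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def encode_principal_name(name_type: int, parts) -> bytes:
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    # Kerberos context tags are EXPLICIT: [0] wraps an INTEGER, [1] wraps a SEQUENCE.
    nt = _tlv(0xA0, _tlv(0x02, bytes([name_type])))          # name_type assumed 0..127
    strings = b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts)  # GeneralString
    return _tlv(0x30, nt + _tlv(0xA1, _tlv(0x30, strings)))


def _read_tlv(buf: bytes, pos: int):
    # Returns (tag, value, position after the element)
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_principal_name(der: bytes):
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "PrincipalName must be a SEQUENCE"
    _, nt_body, pos = _read_tlv(body, 0)          # [0] name-type
    _, nt_int, _ = _read_tlv(nt_body, 0)
    name_type = int.from_bytes(nt_int, "big", signed=True)
    _, ns_body, _ = _read_tlv(body, pos)          # [1] name-string
    _, seq, _ = _read_tlv(ns_body, 0)
    parts, p = [], 0
    while p < len(seq):
        _, s, p = _read_tlv(seq, p)
        parts.append(s.decode("ascii"))
    return name_type, parts


def krbtgt_sname_ok(der: bytes) -> bool:
    # True unless this is a krbtgt (TGT) sname that does not carry NT-SRV-INST
    name_type, parts = decode_principal_name(der)
    if not parts or parts[0] != "krbtgt":
        return True                   # not a TGT request; nothing to check here
    return name_type == NT_SRV_INST


if __name__ == "__main__":
    bad = encode_principal_name(NT_UNKNOWN, ["krbtgt", "EXAMPLE.COM"])   # as in the capture
    print(decode_principal_name(bad), krbtgt_sname_ok(bad))
```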