Samba4 kerberos constrained delegation issue on machine-authentication

Enrico Ehrhardt intruder0815 at googlemail.com
Tue Dec 13 03:31:07 MST 2011


Sorry, my attachments got the wrong mimetype... I forgot to mention the
version of Samba; it's 4.0.0alpha18-GIT-08019a0

2011/12/13 Enrico Ehrhardt <intruder0815 at googlemail.com>

> I've set up a Windows PDC according to
> http://wiki.samba.org/index.php/Samba4/HOWTO. It's working fine, except
> for machine authentication via Kerberos, which prevents all machines from
> applying GPOs.
>
> User accounts authenticate without errors and GPOs are applied as
> expected. I've added my configurations and logs below. I would really
> appreciate your help. Thanks in advance!
>
-------------- next part --------------
[libdefaults]

        default_realm = BILDUNG.BTH-GMBH.DOM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = yes
        ticket_lifetime = 24h


[realms]

        BILDUNG.BTH-GMBH.DOM = {
                kdc = pdc-bildung.bildung.bth-gmbh.dom:88
                admin_server = pdc-bildung.bth-gmbh.dom:749
                default_domain = bildung.bth-gmbh.dom
        }

[domain_realm]

        bildung.bth-gmbh.dom = BILDUNG.BTH-GMBH.DOM
        .bildung.bth-gmbh.dom = BILDUNG.BTH-GMBH.DOM
-------------- next part --------------
Kerberos: AS-REQ b6-001ws03$@bildung.bth-gmbh.dom from ipv4:192.168.20.163:49164 for krbtgt/bildung.bth-gmbh.dom at bildung.bth-gmbh.dom
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- b6-001ws03$@bildung.bth-gmbh.dom
Kerberos: Looking for ENC-TS pa-data -- b6-001ws03$@bildung.bth-gmbh.dom
Kerberos: ENC-TS Pre-authentication succeeded -- b6-001ws03$@bildung.bth-gmbh.dom using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2011-12-13T10:20:07 starttime: unset endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des-cbc-md5, des-cbc-crc, 24, -135, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49165 for ldap/pdc-bildung.bildung.bth-gmbh.dom/bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2011-12-13T10:20:07 starttime: 2011-12-13T10:20:07 endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49167 for krbtgt/BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM
Kerberos: Looking for ENC-TS pa-data -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49168 for krbtgt/BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM
Kerberos: Looking for ENC-TS pa-data -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM
Kerberos: ENC-TS Pre-authentication succeeded -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2011-12-13T10:20:07 starttime: unset endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des-cbc-md5, des-cbc-crc, 24, -135, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49169 for LDAP/pdc-bildung.bildung.bth-gmbh.dom/bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2011-12-13T10:20:07 starttime: 2011-12-13T10:20:07 endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Warning: 60 extra bytes in incoming RPC request
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49172 for LDAP/pdc-bildung.bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2011-12-13T10:20:07 starttime: 2011-12-13T10:20:07 endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Warning: 60 extra bytes in incoming RPC request
Modified 1 SPNs on CN=B6-001WS03,OU=G6-R001,OU=Clients,DC=bildung,DC=bth-gmbh,DC=dom
Modified 1 SPNs on CN=B6-001WS03,OU=G6-R001,OU=Clients,DC=bildung,DC=bth-gmbh,DC=dom
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49174 for B6-001WS03$@BILDUNG.BTH-GMBH.DOM [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2011-12-13T10:20:07 starttime: 2011-12-13T10:20:11 endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49175 for b6-001ws03$\@BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2011-12-13T10:20:07 starttime: 2011-12-13T10:20:11 endtime: 2011-12-13T20:20:07 renew till: 2011-12-20T10:20:07
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49176 for b6-001ws03$\@BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM [canonicalize, request-anonymous, renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from b6-001ws03$@BILDUNG.BTH-GMBH.DOM (b6-001ws03$@BILDUNG.BTH-GMBH.DOM) as b6-001ws03$@BILDUNG.BTH-GMBH.DOM to b6-001ws03$\@BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.20.163:49176
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49179 for cifs/bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM [canonicalize, renewable, forwardable]
Kerberos: Searching referral for bildung.bth-gmbh.dom
Kerberos: Server not found in database: cifs/bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.20.163:49179
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[B6-001WS03] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[B6-001WS03]
auth_check_password_send: mapped user is: [BILDUNG]\[]@[B6-001WS03]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088205
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: TGS-REQ b6-001ws12$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.195:50063 for cifs/BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM [canonicalize, renewable, forwardable]
Kerberos: Searching referral for BILDUNG.BTH-GMBH.DOM
Kerberos: Returning a referral to realm BTH-GMBH.DOM for server cifs/BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=BTH-GMBH.DOM)(trustPartner=BTH-GMBH.DOM))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.20.195:50063
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[B6-001WS12] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[B6-001WS12]
auth_check_password_send: mapped user is: [BILDUNG]\[]@[B6-001WS12]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088205
using SPNEGO
Selected protocol [5][NT LM 0.12]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[B6-001WS08] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[B6-001WS08]
auth_check_password_send: mapped user is: [BILDUNG]\[]@[B6-001WS08]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088205
using SPNEGO
Selected protocol [5][NT LM 0.12]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[WSUS-SERVER] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[WSUS-SERVER]
auth_check_password_send: mapped user is: [BILDUNG]\[]@[WSUS-SERVER]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088205
ipv4:192.168.20.254:1261 closed connection to service IPC$
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]
using SPNEGO
Selected protocol [5][NT LM 0.12]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[WSUS-SERVER] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[WSUS-SERVER]
auth_check_password_send: mapped user is: [BILDUNG]\[]@[WSUS-SERVER]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xe2088205
ipv4:192.168.20.254:1262 closed connection to service IPC$
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'NT_STATUS_CONNECTION_RESET'
Terminating connection - 'NT_STATUS_CONNECTION_RESET'
single_terminate: reason[NT_STATUS_CONNECTION_RESET]
using SPNEGO
Selected protocol [5][NT LM 0.12]
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
ipv4:192.168.20.163:49155 closed connection to service IPC$
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]
ipv4:192.168.20.195:50062 closed connection to service IPC$
ipv4:192.168.20.195:50062 closed connection to service sysvol
ipv4:192.168.20.163:49178 closed connection to service IPC$
ipv4:192.168.20.231:49594 closed connection to service IPC$
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]
ipv4:192.168.20.254:1263 closed connection to service IPC$
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]
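The posted KDC log mixes routine traffic with two distinct failures (the "constrained delegation ... not allowed" refusal and the "Server not found in database" miss for cifs/bildung.bth-gmbh.dom), each followed by the same workstation authenticating over NTLMSSP. The following triage script is an added example, not code from the thread or from the Samba project: it pairs every Samba/Heimdal failure line with the AS-REQ or TGS-REQ that preceded it and lists the workstations that fell back to NTLM. The sample log is constructed from the shape of the posted lines, the reason tags and the hint texts are this example's own naming, and the hints are general Kerberos guidance rather than a diagnosis of this particular Samba build.

```python
"""Triage helper for Samba 4 KDC log lines (added example, not part of the
thread).  It scans the 'Kerberos:' lines a Samba AD DC writes at the log
level used in the post, attaches each failure to the request that caused
it, and lists workstations that afterwards authenticated with NTLMSSP."""
import re

# Constructed sample: a handful of lines shaped like the posted log.
SAMPLE_LOG = """\
Kerberos: AS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49168 for krbtgt/BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM
Kerberos: ENC-TS Pre-authentication succeeded -- b6-001ws03$@BILDUNG.BTH-GMBH.DOM using arcfour-hmac-md5
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49176 for b6-001ws03$\\@BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM [canonicalize, request-anonymous, renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from b6-001ws03$@BILDUNG.BTH-GMBH.DOM (b6-001ws03$@BILDUNG.BTH-GMBH.DOM) as b6-001ws03$@BILDUNG.BTH-GMBH.DOM to b6-001ws03$\\@BILDUNG.BTH-GMBH.DOM at BILDUNG.BTH-GMBH.DOM not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.20.163:49176
Kerberos: TGS-REQ b6-001ws03$@BILDUNG.BTH-GMBH.DOM from ipv4:192.168.20.163:49179 for cifs/bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM [canonicalize, renewable, forwardable]
Kerberos: Server not found in database: cifs/bildung.bth-gmbh.dom at BILDUNG.BTH-GMBH.DOM: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.20.163:49179
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[B6-001WS03] len1=1 len2=0
"""

# One request line: kind, client principal, source address, requested
# service, optional realm ("at ...") and optional KDC option flags ("[...]").
REQ_RE = re.compile(
    r"^Kerberos: (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) from (?P<src>\S+) "
    r"for (?P<service>.+?)(?: at (?P<realm>\S+))?(?: \[(?P<flags>[^\]]*)\])?$"
)

# Failure lines worth surfacing, tagged with names chosen for this example.
FAILURES = [
    ("constrained-delegation-denied",
     re.compile(r"^Kerberos: constrained delegation from .* not allowed$")),
    ("server-not-found",
     re.compile(r"^Kerberos: Server not found in database: (?P<service>.+?) at (?P<realm>\S+): ")),
]

# General guidance per reason (hypothetical text, not from the thread).
HINTS = {
    "constrained-delegation-denied":
        "the KDC refused the S4U2Proxy (constrained delegation) step; check the "
        "requesting account's delegation targets (msDS-AllowedToDelegateTo) "
        "before suspecting the KDC itself",
    "server-not-found":
        "no account holds that SPN, so no service ticket can be issued; register "
        "the SPN on the right account (clients fall back to NTLM meanwhile)",
}

NTLM_RE = re.compile(
    r"^Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]+)\]"
)


def triage(log_text):
    """Return one finding per failure line, carrying the request it followed."""
    findings = []
    current = None  # the most recent AS-REQ/TGS-REQ seen
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = m.groupdict()
            raw = current["flags"] or ""
            current["flags"] = [f.strip() for f in raw.split(",") if f.strip()]
            continue
        for reason, pat in FAILURES:
            if current is not None and pat.match(line):
                findings.append({**current, "reason": reason, "detail": line})
                break
    return findings


def ntlm_fallbacks(log_text):
    """Workstations that authenticated with NTLMSSP (empty user and domain,
    only a workstation name), the shape the posted log shows after a
    machine account failed to obtain a service ticket."""
    seen = []
    for line in log_text.splitlines():
        m = NTLM_RE.match(line)
        if m and m.group("ws") not in seen:
            seen.append(m.group("ws"))
    return seen


def report(log_text):
    """Human-readable summary of triage() and ntlm_fallbacks()."""
    lines = []
    for f in triage(log_text):
        lines.append(f"{f['kind']} from {f['client']} ({f['src']}) for "
                     f"{f['service']} flags={f['flags']}: {f['reason']}")
        lines.append(f"  hint: {HINTS[f['reason']]}")
    for ws in ntlm_fallbacks(log_text):
        lines.append(f"NTLM fallback observed from workstation {ws}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full log (for example `python3 triage.py < log.samba` after replacing `SAMPLE_LOG` with `sys.stdin.read()`), the output gives, per failing request, the client principal, source port, requested SPN and KDC option flags, which is exactly the set of facts a reply to this thread would need: whether the failing request carried `request-anonymous`, which SPN was missing, and which machines quietly dropped to NTLM.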

