[Samba] MS Remote Desktop issue related to Samba 4 ?

Andreas Oster aoster at novanetwork.de
Wed May 14 01:03:04 MDT 2014


Am 13.05.2014 18:27, schrieb Marc Muehlfeld:
> Hello Andreas,
> 
> Am 13.05.2014 15:55, schrieb Andreas Oster:
>> I am currently struggling with an odd MS Remote Desktop issue which
>> might be related to our Samba4 AD (version: 4.2.0pre1-GIT-d7c22d5
>> domain/forest-level 2008_R2) setup.
>>
>> We are unable to connect to Win7 machines (all available latest patches
>> installed) via RDP after they have been joined to the domain. We have
>> made sure, that RDP is enabled and the firewall exceptions are in place.
>> We actually tried with firewall turned off, also. When trying to connect
>> with an AD account we get to the welcome screen but not further. The
>> physical screen of the machine does not get locked. When doing the same,
>> using a local admin account we can successfully log in via RDP.
>>
>> Does anybody have an idea what could be the cause of this issue ?
>>
>> I tested the same at home in my small samba4 domain, without any
>> modified GPOs, and face the same issue.
> 
> My first guess was that, a GPO or a local policy could cause that. But
> if you have already checked this, it might something else.
> 
> Anything interesting in the Windows Eventlog / Samba Logfiles?
> 
> I only can say, that at work I have a Samba 4.1.7 AD, and it's no
> problem to RDP to machines joined to the domain with domain accounts.
> 
> 
> Regards,
> Marc
> 
Hello Marc,

I get the following error messages in log.samba with log level 3:

[2014/05/14 08:57:10.819598,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ testuser at SAMDOM from ipv4:10.2.1.80:60451 for
krbtgt/SAMDOM at SAMDOM
[2014/05/14 08:57:10.832282,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2014/05/14 08:57:10.834478,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM
[2014/05/14 08:57:10.835805,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM
[2014/05/14 08:57:10.837196,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- testuser at SAMDOM
[2014/05/14 08:57:10.847356,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:10.850914,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/05/14 08:57:10.853423,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ testuser at SAMDOM from ipv4:10.2.1.80:60452 for
krbtgt/SAMDOM at SAMDOM
[2014/05/14 08:57:10.863694,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2014/05/14 08:57:10.865276,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM
[2014/05/14 08:57:10.866585,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM
[2014/05/14 08:57:10.867957,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- testuser at SAMDOM using
arcfour-hmac-md5
[2014/05/14 08:57:10.895223,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2014-05-14T08:57:10 starttime: unset
endtime: 2014-05-14T18:57:10 renew till: 2014-05-21T08:57:10
[2014/05/14 08:57:10.896842,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2014/05/14 08:57:10.898042,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable
[2014/05/14 08:57:10.901065,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:10.902744,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/05/14 08:57:10.907818,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ testuser at SAMDOMNETWORK.LOC from ipv4:10.2.1.80:60453
for TERMSRV/SAMDOMws01 at SAMDOMNETWORK.LOC [canonicalize, renewable,
forwardable]
[2014/05/14 08:57:10.911137,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for SAMDOMws01
[2014/05/14 08:57:10.912879,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database:
TERMSRV/SAMDOMws01 at SAMDOMNETWORK.LOC: No such entry in the database
[2014/05/14 08:57:10.914183,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.2.1.80:60453
[2014/05/14 08:57:10.918462,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:10.925388,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/05/14 08:57:13.630864,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ testuser at SAMDOM from ipv4:10.2.1.80:60455 for
krbtgt/SAMDOM at SAMDOM
[2014/05/14 08:57:13.640691,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2014/05/14 08:57:13.641264,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM
[2014/05/14 08:57:13.642531,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM
[2014/05/14 08:57:13.643066,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- testuser at SAMDOM
[2014/05/14 08:57:13.644782,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:13.645892,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/05/14 08:57:13.648746,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ testuser at SAMDOM from ipv4:10.2.1.80:60456 for
krbtgt/SAMDOM at SAMDOM
[2014/05/14 08:57:13.658425,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2014/05/14 08:57:13.659371,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM
[2014/05/14 08:57:13.660064,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM
[2014/05/14 08:57:13.661464,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- testuser at SAMDOM using
arcfour-hmac-md5
[2014/05/14 08:57:13.684422,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2014-05-14T08:57:13 starttime: unset
endtime: 2014-05-14T18:57:13 renew till: 2014-05-21T08:57:13
[2014/05/14 08:57:13.686132,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2014/05/14 08:57:13.687011,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable
[2014/05/14 08:57:13.689839,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:13.690662,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/05/14 08:57:20.753481,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'wbsrv: wbsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:20.754339,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[wbsrv: wbsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2014/05/14 08:57:24.898127,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ntp_signd_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2014/05/14 08:57:24.899229,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ntp_signd_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]


Unfortunately I have no clue what this means. Do you have an idea what
could be the cause ?

Thank you for your kind help

best regards

Andreas


More information about the samba mailing list