[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Jan 7 10:38:36 UTC 2016


> Ole,
>
>     Sorry you are having so many issues. I've tried reading back 
> through this thread to verify everything that has been covered. Can 
> you try this command with the PDC up and down? Reply with your findings.
>
> KRB5_TRACE=/dev/stdout kinit administrator
>

up:


[25392] 1452162640.959713: Getting initial credentials for 
administrator at my.domain.tld
[25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld
[25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld.
[25392] 1452162640.964554: Sending initial UDP request to dgram 
IP_of_1st_DC:88
[25392] 1452162640.972442: Received answer from dgram IP_of_1st_DC:88
[25392] 1452162640.973243: Response was not from master KDC
[25392] 1452162640.973293: Received error from KDC: 
-1765328359/Additional pre-authentication required
[25392] 1452162640.973381: Processing preauth types: 16, 15, 2, 19
[25392] 1452162640.973412: Selected etype info: etype aes256-cts, salt 
"my.domain.tldAdministrator", params "
Password for administrator at my.domain.tld:
[25392] 1452162654.272879: AS key obtained for encrypted timestamp: 
aes256-cts/000A
[25392] 1452162654.272939: Encrypted timestamp (for 1452162654.272886): 
plain 301AA011180F32303136303130373130333035345AA10502030429F6, 
encrypted 
0587DE7E7028F2F0FA2301D9752568B10A38B2612FFBCF1E45238C54655F2590A6BDA0B7892D871D74D01F0C6A8FB8D98189C827FB508E6D
[25392] 1452162654.272964: Preauth module encrypted_timestamp (2) 
(flags=1) returned: 0/Success
[25392] 1452162654.272970: Produced preauth for next request: 2
[25392] 1452162654.272991: Sending request (276 bytes) to my.domain.tld
[25392] 1452162654.275253: Resolving hostname dc2.my.domain.tld.
[25392] 1452162654.276241: Sending initial UDP request to dgram 
IP_of_1st_DC:88
[25392] 1452162654.293008: Received answer from dgram IP_of_1st_DC:88
[25392] 1452162654.293846: Response was not from master KDC
[25392] 1452162654.293884: Received error from KDC: -1765328332/Response 
too big for UDP, retry with TCP
[25392] 1452162654.293896: Request or response is too big for UDP; 
retrying with TCP
[25392] 1452162654.293905: Sending request (276 bytes) to my.domain.tld 
(tcp only)
[25392] 1452162654.294950: Resolving hostname dc2.my.domain.tld.
[25392] 1452162654.295961: Initiating TCP connection to stream 
IP_of_1st_DC:88
[25392] 1452162654.296311: Sending TCP request to stream IP_of_1st_DC:88
[25392] 1452162654.306517: Received answer from stream IP_of_1st_DC:88
[25392] 1452162654.307269: Response was not from master KDC
[25392] 1452162654.307329: Processing preauth types: 3
[25392] 1452162654.307338: Received salt "▒▒" via padata type 3
[25392] 1452162654.307346: Produced preauth for next request: (empty)
[25392] 1452162654.307362: AS key determined by preauth: aes256-cts/000A
[25392] 1452162654.307519: Decrypted AS reply; session key is: 
aes256-cts/CC03
[25392] 1452162654.307530: FAST negotiation: unavailable
[25392] 1452162654.307584: Initializing FILE:/tmp/krb5cc_500 with 
default princ administrator at my.domain.tld
[25392] 1452162654.307878: Removing administrator at my.domain.tld -> 
krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500
[25392] 1452162654.307896: Storing administrator at my.domain.tld -> 
krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500


down:


[25433] 1452162724.421830: Getting initial credentials for 
administrator at my.domain.tld
[25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld
[25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld.
[25433] 1452162739.441465: Sending initial UDP request to dgram 
IP_of_1st_DC:88
[25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld.
[25433] 1452162745.448521: Sending initial UDP request to dgram 
IP_of_2nd_DC:88
[25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88
[25433] 1452162750.463572: Response was not from master KDC
[25433] 1452162750.463632: Received error from KDC: 
-1765328359/Additional pre-authentication required
[25433] 1452162750.463730: Processing preauth types: 16, 15, 2, 19
[25433] 1452162750.463760: Selected etype info: etype aes256-cts, salt 
"my.domain.tldAdministrator", params "
Password for administrator at my.domain.tld:
[25433] 1452162816.498918: AS key obtained for encrypted timestamp: 
aes256-cts/000A
[25433] 1452162816.498982: Encrypted timestamp (for 1452162816.498929): 
plain 301AA011180F32303136303130373130333333365AA1050203079CF1, 
encrypted 
92F31344A600C388356043A6DCA99852E03F80BC71B95326657F1DCCA430CD627B0DFFFF6485933DA506843C7CEB25C769781170587918F0
[25433] 1452162816.499008: Preauth module encrypted_timestamp (2) 
(flags=1) returned: 0/Success
[25433] 1452162816.499014: Produced preauth for next request: 2
[25433] 1452162816.499037: Sending request (276 bytes) to my.domain.tld
[25433] 1452162826.511008: Resolving hostname dc2.my.domain.tld.
[25433] 1452162831.517053: Sending initial UDP request to dgram 
IP_of_1st_DC:88
[25433] 1452162832.517377: Resolving hostname dc3.my.domain.tld.
[25433] 1452162837.523435: Sending initial UDP request to dgram 
IP_of_2nd_DC:88
[25433] 1452162837.542201: Received answer from dgram IP_of_2nd_DC:88
[25433] 1452162842.548057: Response was not from master KDC
[25433] 1452162842.548097: Received error from KDC: -1765328332/Response 
too big for UDP, retry with TCP
[25433] 1452162842.548110: Request or response is too big for UDP; 
retrying with TCP
[25433] 1452162842.548119: Sending request (276 bytes) to my.domain.tld 
(tcp only)
[25433] 1452162847.554168: Resolving hostname dc2.my.domain.tld.
[25433] 1452162852.560277: Initiating TCP connection to stream 
IP_of_1st_DC:88
[25433] 1452162853.561334: Resolving hostname dc3.my.domain.tld.
[25433] 1452162858.567424: Initiating TCP connection to stream 
IP_of_2nd_DC:88
[25433] 1452162858.567481: Terminating TCP connection to stream 
IP_of_1st_DC:88
[25433] 1452162858.567629: Sending TCP request to stream IP_of_2nd_DC:88
[25433] 1452162858.586625: Received answer from stream IP_of_2nd_DC:88
[25433] 1452162863.592199: Response was not from master KDC
[25433] 1452162863.592323: Processing preauth types: 3
[25433] 1452162863.592336: Received salt "▒▒" via padata type 3
[25433] 1452162863.592346: Produced preauth for next request: (empty)
[25433] 1452162863.592376: AS key determined by preauth: aes256-cts/000A
[25433] 1452162863.592512: Decrypted AS reply; session key is: 
aes256-cts/22DC
[25433] 1452162863.592521: FAST negotiation: unavailable
[25433] 1452162863.592584: Initializing FILE:/tmp/krb5cc_500 with 
default princ administrator at my.domain.tld
[25433] 1452162863.592868: Removing administrator at my.domain.tld -> 
krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500
[25433] 1452162863.592885: Storing administrator at my.domain.tld -> 
krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500


If you find any sensitive (un-sanitized) info, you can keep it. ;)
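The two traces above differ mainly in how long kinit spends on the unreachable first KDC before it moves on. As an added example (not part of this thread), the script below reduces a KRB5_TRACE transcript to the KDCs that were contacted, how long each attempt waited, which ones never answered, whether the UDP-to-TCP fallback happened, and the total time until the TGT was stored. The embedded SAMPLE is a constructed excerpt in the same format, with documentation-range addresses standing in for the two DCs.

```python
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")  # "[pid] epoch.micros: message"
START_RE = re.compile(r"(?:Sending initial UDP request to dgram|Initiating TCP connection to stream) (\S+)")
ANSWER_RE = re.compile(r"Received answer from (?:dgram|stream) (\S+)")

@dataclass
class Contact:
    kdc: str              # "ip:port" exactly as krb5 prints it
    sent: float
    answered: bool = False
    wait: float = 0.0     # seconds until the answer, or until krb5 moved on

def summarize_trace(text: str) -> dict:
    contacts, first, pending = [], None, None
    info = {"tcp_fallback": False, "ticket_stored": False, "total_seconds": 0.0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # wrapped continuation or password prompt
        ts, msg = float(m.group(1)), m.group(2)
        first = ts if first is None else first
        info["total_seconds"] = round(ts - first, 3)
        start, answer = START_RE.search(msg), ANSWER_RE.search(msg)
        if pending and (start or (answer and answer.group(1) == pending.kdc)):
            pending.answered = answer is not None   # a new attempt means krb5 gave up
            pending.wait = round(ts - pending.sent, 3)
            pending = None
        if start:
            pending = Contact(kdc=start.group(1), sent=ts)
            contacts.append(pending)
        elif "too big for UDP" in msg:
            info["tcp_fallback"] = True
        elif msg.startswith("Storing ") and "krbtgt/" in msg:
            info["ticket_stored"] = True
    info["contacts"] = contacts
    info["dead_kdcs"] = sorted({c.kdc for c in contacts} - {c.kdc for c in contacts if c.answered})
    return info

# Constructed excerpt (not the poster's data): dc2 at 192.0.2.10 is offline, dc3 at 192.0.2.11 answers.
SAMPLE = """\
[100] 1015.000000: Sending initial UDP request to dgram 192.0.2.10:88
[100] 1021.000000: Sending initial UDP request to dgram 192.0.2.11:88
[100] 1021.010000: Received answer from dgram 192.0.2.11:88
[100] 1021.011000: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[100] 1021.013000: Initiating TCP connection to stream 192.0.2.11:88
[100] 1021.033000: Received answer from stream 192.0.2.11:88
[100] 1021.040000: Storing administrator@example.test -> krbtgt/example.test@example.test in FILE:/tmp/krb5cc_500
"""
```

Feed it the real output of `KRB5_TRACE=/dev/stdout kinit administrator` and the `dead_kdcs` entry names the DC that is costing the timeouts, while `total_seconds` gives the delay the user actually experiences before the TGT lands in the cache.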


