[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Jan 7 10:40:41 UTC 2016



On 07.01.2016 at 11:38, Ole Traupe wrote:
>
>>>
>> Ole,
>>
>>     Sorry you are having so many issues. I've tried reading back 
>> through this thread to verify everything that has been covered. Can 
>> you try this command with the PDC up and down? Reply with your 
>> findings.
>>
>> KRB5_TRACE=/dev/stdout kinit administrator
>>
>
> up:
>
>
> [25392] 1452162640.959713: Getting initial credentials for 
> administrator at my.domain.tld
> [25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld
> [25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld.
> [25392] 1452162640.964554: Sending initial UDP request to dgram 
> IP_of_1st_DC:88
> [25392] 1452162640.972442: Received answer from dgram IP_of_1st_DC:88
> [25392] 1452162640.973243: Response was not from master KDC
> [25392] 1452162640.973293: Received error from KDC: 
> -1765328359/Additional pre-authentication required
> [25392] 1452162640.973381: Processing preauth types: 16, 15, 2, 19
> [25392] 1452162640.973412: Selected etype info: etype aes256-cts, salt 
> "my.domain.tldAdministrator", params "
> Password for administrator at my.domain.tld:
> [25392] 1452162654.272879: AS key obtained for encrypted timestamp: 
> aes256-cts/000A
> [25392] 1452162654.272939: Encrypted timestamp (for 
> 1452162654.272886): plain 
> 301AA011180F32303136303130373130333035345AA10502030429F6, encrypted 
> 0587DE7E7028F2F0FA2301D9752568B10A38B2612FFBCF1E45238C54655F2590A6BDA0B7892D871D74D01F0C6A8FB8D98189C827FB508E6D
> [25392] 1452162654.272964: Preauth module encrypted_timestamp (2) 
> (flags=1) returned: 0/Success
> [25392] 1452162654.272970: Produced preauth for next request: 2
> [25392] 1452162654.272991: Sending request (276 bytes) to my.domain.tld
> [25392] 1452162654.275253: Resolving hostname dc2.my.domain.tld.
> [25392] 1452162654.276241: Sending initial UDP request to dgram 
> IP_of_1st_DC:88
> [25392] 1452162654.293008: Received answer from dgram IP_of_1st_DC:88
> [25392] 1452162654.293846: Response was not from master KDC
> [25392] 1452162654.293884: Received error from KDC: 
> -1765328332/Response too big for UDP, retry with TCP
> [25392] 1452162654.293896: Request or response is too big for UDP; 
> retrying with TCP
> [25392] 1452162654.293905: Sending request (276 bytes) to 
> my.domain.tld (tcp only)
> [25392] 1452162654.294950: Resolving hostname dc2.my.domain.tld.
> [25392] 1452162654.295961: Initiating TCP connection to stream 
> IP_of_1st_DC:88
> [25392] 1452162654.296311: Sending TCP request to stream IP_of_1st_DC:88
> [25392] 1452162654.306517: Received answer from stream IP_of_1st_DC:88
> [25392] 1452162654.307269: Response was not from master KDC
> [25392] 1452162654.307329: Processing preauth types: 3
> [25392] 1452162654.307338: Received salt "▒▒" via padata type 3
> [25392] 1452162654.307346: Produced preauth for next request: (empty)
> [25392] 1452162654.307362: AS key determined by preauth: aes256-cts/000A
> [25392] 1452162654.307519: Decrypted AS reply; session key is: 
> aes256-cts/CC03
> [25392] 1452162654.307530: FAST negotiation: unavailable
> [25392] 1452162654.307584: Initializing FILE:/tmp/krb5cc_500 with 
> default princ administrator at my.domain.tld
> [25392] 1452162654.307878: Removing administrator at my.domain.tld -> 
> krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500
> [25392] 1452162654.307896: Storing administrator at my.domain.tld -> 
> krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500
>
>
> down:
>
>
> [25433] 1452162724.421830: Getting initial credentials for 
> administrator at my.domain.tld
> [25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld
> [25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld.
> [25433] 1452162739.441465: Sending initial UDP request to dgram 
> IP_of_1st_DC:88
> [25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld.
> [25433] 1452162745.448521: Sending initial UDP request to dgram 
> IP_of_2nd_DC:88
> [25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88
> [25433] 1452162750.463572: Response was not from master KDC
> [25433] 1452162750.463632: Received error from KDC: 
> -1765328359/Additional pre-authentication required
> [25433] 1452162750.463730: Processing preauth types: 16, 15, 2, 19
> [25433] 1452162750.463760: Selected etype info: etype aes256-cts, salt 
> "my.domain.tldAdministrator", params "
> Password for administrator at my.domain.tld:
> [25433] 1452162816.498918: AS key obtained for encrypted timestamp: 
> aes256-cts/000A
> [25433] 1452162816.498982: Encrypted timestamp (for 
> 1452162816.498929): plain 
> 301AA011180F32303136303130373130333333365AA1050203079CF1, encrypted 
> 92F31344A600C388356043A6DCA99852E03F80BC71B95326657F1DCCA430CD627B0DFFFF6485933DA506843C7CEB25C769781170587918F0
> [25433] 1452162816.499008: Preauth module encrypted_timestamp (2) 
> (flags=1) returned: 0/Success
> [25433] 1452162816.499014: Produced preauth for next request: 2
> [25433] 1452162816.499037: Sending request (276 bytes) to my.domain.tld
> [25433] 1452162826.511008: Resolving hostname dc2.my.domain.tld.
> [25433] 1452162831.517053: Sending initial UDP request to dgram 
> IP_of_1st_DC:88
> [25433] 1452162832.517377: Resolving hostname dc3.my.domain.tld.
> [25433] 1452162837.523435: Sending initial UDP request to dgram 
> IP_of_2nd_DC:88
> [25433] 1452162837.542201: Received answer from dgram IP_of_2nd_DC:88
> [25433] 1452162842.548057: Response was not from master KDC
> [25433] 1452162842.548097: Received error from KDC: 
> -1765328332/Response too big for UDP, retry with TCP
> [25433] 1452162842.548110: Request or response is too big for UDP; 
> retrying with TCP
> [25433] 1452162842.548119: Sending request (276 bytes) to 
> my.domain.tld (tcp only)
> [25433] 1452162847.554168: Resolving hostname dc2.my.domain.tld.
> [25433] 1452162852.560277: Initiating TCP connection to stream 
> IP_of_1st_DC:88
> [25433] 1452162853.561334: Resolving hostname dc3.my.domain.tld.
> [25433] 1452162858.567424: Initiating TCP connection to stream 
> IP_of_2nd_DC:88
> [25433] 1452162858.567481: Terminating TCP connection to stream 
> IP_of_1st_DC:88
> [25433] 1452162858.567629: Sending TCP request to stream IP_of_2nd_DC:88
> [25433] 1452162858.586625: Received answer from stream IP_of_2nd_DC:88
> [25433] 1452162863.592199: Response was not from master KDC
> [25433] 1452162863.592323: Processing preauth types: 3
> [25433] 1452162863.592336: Received salt "▒▒" via padata type 3
> [25433] 1452162863.592346: Produced preauth for next request: (empty)
> [25433] 1452162863.592376: AS key determined by preauth: aes256-cts/000A
> [25433] 1452162863.592512: Decrypted AS reply; session key is: 
> aes256-cts/22DC
> [25433] 1452162863.592521: FAST negotiation: unavailable
> [25433] 1452162863.592584: Initializing FILE:/tmp/krb5cc_500 with 
> default princ administrator at my.domain.tld
> [25433] 1452162863.592868: Removing administrator at my.domain.tld -> 
> krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500
> [25433] 1452162863.592885: Storing administrator at my.domain.tld -> 
> krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500
>
>
> If you find any sensitive (un-sanitized) info, you can keep it. ;)

This is without the timeout adjustments to resolv.conf we discussed earlier.
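As an added helper that is not part of this thread or of Samba, the following Python script parses KRB5_TRACE output of the kind quoted above (timestamps are seconds since the epoch with microseconds), flags steps that took more than a couple of seconds to complete, and lists which KDC addresses were tried and which actually answered. The sample lines are constructed from the "down" trace; the addresses and PID are the placeholders used in the mail.

```python
import re

# Constructed sample, modelled on the quoted "down" trace (PDC offline).
# Hosts/addresses are placeholders; the password prompt is a non-trace line.
SAMPLE_TRACE = """\
[25433] 1452162724.421830: Getting initial credentials for administrator@my.domain.tld
[25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld
[25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld.
[25433] 1452162739.441465: Sending initial UDP request to dgram IP_of_1st_DC:88
[25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld.
[25433] 1452162745.448521: Sending initial UDP request to dgram IP_of_2nd_DC:88
[25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88
Password for administrator@my.domain.tld:
"""

# "[pid] seconds.micros: message"; leading "> " quoting from a mailed trace is tolerated.
LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
SEND_RE = re.compile(r"(?:UDP request to dgram|TCP request to stream) (\S+):\d+")
RECV_RE = re.compile(r"Received answer from (?:dgram|stream) (\S+):\d+")


def parse_trace(text):
    """Return [(timestamp, message), ...] for well-formed trace lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("> "))
        if m:
            events.append((float(m.group(2)), m.group(3)))
    return events


def slow_steps(events, threshold=2.0):
    """Steps whose gap to the next event exceeds threshold seconds, as [(seconds, message)]."""
    out = []
    for (t0, msg), (t1, _) in zip(events, events[1:]):
        if t1 - t0 > threshold:
            out.append((round(t1 - t0, 3), msg))
    return out


def kdc_contacts(events):
    """Which KDC addresses were contacted, which replied, and which never did."""
    tried, answered = [], []
    for _, msg in events:
        if (m := SEND_RE.search(msg)):
            tried.append(m.group(1))
        if (m := RECV_RE.search(msg)):
            answered.append(m.group(1))
    return {"tried": tried, "answered": answered,
            "unanswered": [h for h in tried if h not in answered]}
```

On the constructed sample the slow steps are the two hostname resolutions and the initial request (several seconds each) rather than the UDP exchange itself, which is the pattern to look for when deciding whether DNS timeouts or KDC timeouts dominate.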