[Samba] Login not possible / machine account issues

Izan Díez Sánchez ids at empre.es
Fri Jun 24 09:58:44 UTC 2016


Hi,

Did you find any solution?

I am facing exactly the same scenario:

- CentOS 6.7
- Samba Version 4.4.3
- BIND_DLZ 9.9.8

Some workstations suddenly are unable to login, unless I reboot or rejoin
the domain. The only odd event I see in the client is the one already
mentioned:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      workstation.sub.domain.tld
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
server "workstation$". The target name used was "WORKSTATION$". This
indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target
service is using. Ensure that the target SPN is only registered on the
account used by the server. This error can also happen if the target
service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that
the service on the server and the KDC are both configured to use the
same password. If the server name is not fully qualified, and the
target domain (SUB.DOMAIN.TLD) is different from the client domain
(SUB.DOMAIN.TLD), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the
server.


Searching in the logs, apparently the domain controller is granting the
ticket:

[2016/06/24 10:35:23.082573,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser@mydomain from ipv4:172.31.1.134:56661 for krbtgt/mydomain@mydomain
[2016/06/24 10:35:23.088584,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2016/06/24 10:35:23.088624,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- myuser@mydomain
[2016/06/24 10:35:23.088640,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- myuser@mydomain
[2016/06/24 10:35:23.088670,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser@mydomain
[2016/06/24 10:35:23.089174,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.089214,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.090052,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser@mydomain from ipv4:199.99.9.199:56662 for krbtgt/mydomain@mydomain
[2016/06/24 10:35:23.095400,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/06/24 10:35:23.095437,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- myuser@mydomain
[2016/06/24 10:35:23.095467,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- myuser@mydomain
[2016/06/24 10:35:23.095526,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- myuser@mydomain using arcfour-hmac-md5
[2016/06/24 10:35:23.095557,  4] ../source4/auth/sam.c:182(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user myuser@mydomain
[2016/06/24 10:35:23.095719,  5] ../source4/auth/sam.c:116(logon_hours_ok)
  logon_hours_ok: No hours restrictions for user myuser@mydomain
[2016/06/24 10:35:23.095774,  5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
  lastLogonTimestamp is 131110567801968850
[2016/06/24 10:35:23.095937,  5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
  sync interval is 14
[2016/06/24 10:35:23.095973,  5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
  randomised sync interval is 12 (-2)
[2016/06/24 10:35:23.095993,  5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
  old timestamp is 131110567801968850, threshold 131101941230958000, diff 8626571010850
[2016/06/24 10:35:23.122089,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2016-06-24T10:35:23 starttime: unset endtime: 2016-06-24T20:35:23 renew till: 2016-07-01T10:35:23
[2016/06/24 10:35:23.122204,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2016/06/24 10:35:23.122242,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2016/06/24 10:35:23.122933,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.122968,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.124716,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ myuser@MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea@MYDOMAIN.EA [canonicalize, renewable, forwardable]


I've troubleshot DNS and resolution is working fine for domain controllers
(including services) and "windows7machine.mydomain.ea". It looks like the
machine has renewed its Kerberos password and the domain controller (KDC)
didn't notice, although that wouldn't match pure AD behavior according to
<https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/>

 

My Kerberos configuration is as simple as:

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
 

I'm not a Kerberos expert, and maybe something could be tuned to avoid this
behavior in Active Directory. It's hard to believe no one has experienced
something similar.


Regards,

Izan Díez Sánchez
ids at empre.es

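The following is an added example, not part of the post above and not Samba code. It is a small Python parser that turns Samba AD DC (Heimdal KDC) level-3 Kerberos log lines, in the two-line "[timestamp, level] file(func)" / indented message shape shown in the post, into one record per AS-REQ or TGS-REQ, so that a thread like the one above can be read as a timeline rather than as scattered lines. The sample log is constructed: it is abridged from the post's excerpt, with the mail archive's " at " mangling of principals restored to "@" and wrapped lines rejoined. Two readings the code relies on are assumptions stated here and in the comments: the "Terminating connection ... NT_STATUS_CONNECTION_DISCONNECTED" lines are the client closing its TCP connection after each exchange and are ignored as noise, and the "using X/Y" pair on the "Client supported enctypes" line is read as session-key enctype / ticket (krbtgt key) enctype in the order Heimdal prints it. The `assess` findings are the parser's own interpretation for the KRB_AP_ERR_MODIFIED case: a successfully issued TGT shows the user's key and the KDC agree, and a TGS-REQ for `host/<workstation>` that reached the KDC means the workstation's complaint is about its own machine key versus the key the KDC used for that service ticket, which is what one would then compare (the computer account's `pwdLastSet` and `msDS-KeyVersionNumber` on the DC against the client).

```python
"""Timeline parser for Samba AD DC (Heimdal KDC) level-3 Kerberos log lines."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample (not a real capture): abridged from the post's Samba 4.4
# log, "@" restored in principals, wrapped lines rejoined. Samba prints a
# "[timestamp, level] file:line(func)" header line, then the indented message.
SAMPLE_LOG = """\
[2016/06/24 10:35:23.082573,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser@mydomain from ipv4:172.31.1.134:56661 for krbtgt/mydomain@mydomain
[2016/06/24 10:35:23.088584,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2016/06/24 10:35:23.088670,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser@mydomain
[2016/06/24 10:35:23.089174,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.090052,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser@mydomain from ipv4:199.99.9.199:56662 for krbtgt/mydomain@mydomain
[2016/06/24 10:35:23.095400,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/06/24 10:35:23.095526,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- myuser@mydomain using arcfour-hmac-md5
[2016/06/24 10:35:23.122089,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2016-06-24T10:35:23 starttime: unset endtime: 2016-06-24T20:35:23 renew till: 2016-07-01T10:35:23
[2016/06/24 10:35:23.122204,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2016/06/24 10:35:23.124716,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ myuser@MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea@MYDOMAIN.EA [canonicalize, renewable, forwardable]
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]")
AS_REQ = re.compile(r"AS-REQ (\S+) from (\S+) for (\S+)$")
TGS_REQ = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+) \[(.*)\]$")
PATYPES = re.compile(r"Client sent patypes: (.*)$")
PREAUTH_OK = re.compile(r"ENC-TS Pre-authentication succeeded -- \S+ using (\S+)$")
TIMES = re.compile(r"AS-REQ authtime: (\S+) starttime: (\S+) endtime: (\S+) renew till: (\S+)$")
ENCTYPES = re.compile(r"Client supported enctypes: .*, using (\S+)/(\S+)$")


@dataclass
class KdcRequest:
    kind: str                                # "AS-REQ" (TGT) or "TGS-REQ" (service ticket)
    when: str                                # KDC-side timestamp of the request line
    client: str
    source: str                              # ipv4:addr:port the request came from
    service: str
    flags: List[str] = field(default_factory=list)
    patypes: Optional[str] = None
    preauth_enctype: Optional[str] = None
    session_enctype: Optional[str] = None    # assumption: Heimdal prints "using session/ticket"
    ticket_enctype: Optional[str] = None
    authtime: Optional[str] = None
    endtime: Optional[str] = None
    renew_till: Optional[str] = None
    outcome: str = "no reply logged"


def parse_kdc_log(text: str) -> List[KdcRequest]:
    """Attach each KDC message line to the AS-REQ/TGS-REQ it belongs to."""
    requests: List[KdcRequest] = []
    stamp = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            stamp = m.group(1)
            continue
        if not line.startswith("Kerberos: "):
            continue  # sam.c and connection-teardown lines are not KDC protocol messages
        msg = line[len("Kerberos: "):]
        if m := AS_REQ.match(msg):
            requests.append(KdcRequest("AS-REQ", stamp, *m.groups()))
            continue
        if m := TGS_REQ.match(msg):
            client, source, service, flags = m.groups()
            requests.append(KdcRequest("TGS-REQ", stamp, client, source, service, flags.split(", ")))
            continue
        if not requests:
            continue  # detail line with no preceding request line to attach it to
        cur = requests[-1]
        if m := PATYPES.match(msg):
            cur.patypes = m.group(1)
        elif "returning PREAUTH-REQUIRED" in msg:
            cur.outcome = "PREAUTH-REQUIRED"  # normal first round trip, not a failure
        elif m := PREAUTH_OK.match(msg):
            cur.preauth_enctype = m.group(1)
        elif m := TIMES.match(msg):
            cur.authtime, _starttime, cur.endtime, cur.renew_till = m.groups()
            cur.outcome = "ticket issued"
        elif m := ENCTYPES.match(msg):
            cur.session_enctype, cur.ticket_enctype = m.groups()
    return requests


def ticket_lifetime_hours(req: KdcRequest) -> Optional[float]:
    if not (req.authtime and req.endtime):
        return None
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (datetime.strptime(req.endtime, fmt) - datetime.strptime(req.authtime, fmt)).total_seconds() / 3600


def assess(requests: List[KdcRequest]) -> List[str]:
    """Findings to pair with a KRB_AP_ERR_MODIFIED event on the workstation."""
    notes = []
    for r in requests:
        if r.kind == "AS-REQ" and r.outcome == "ticket issued":
            notes.append(f"TGT issued to {r.client} (preauth {r.preauth_enctype}, session key "
                         f"{r.session_enctype}, krbtgt key {r.ticket_enctype}, "
                         f"{ticket_lifetime_hours(r):.0f}h): user key and KDC agree")
        elif r.kind == "TGS-REQ" and r.service.startswith("host/"):
            notes.append(f"TGS-REQ for {r.service} reached the KDC; KRB_AP_ERR_MODIFIED raised on "
                         "the workstation itself means its local machine key differs from the key "
                         "the KDC used for this service ticket (compare pwdLastSet/kvno on the DC)")
    return notes


if __name__ == "__main__":
    for r in parse_kdc_log(SAMPLE_LOG):
        print(r.when, r.kind, r.client, "->", r.service, r.outcome)
    print(*assess(parse_kdc_log(SAMPLE_LOG)), sep="\n")
```

Run it against `log level = 3` output from the DC (`log.samba` or the `-d 3` console) after reproducing a failed workstation logon; the timeline of interest is the TGS-REQ for the workstation's own `host/` principal and, in the same window, whether the DC logged any password change for that computer account.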