[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

Prunk Dump prunkdump at gmail.com
Tue Jun 20 15:54:09 UTC 2017


Hello, thanks again for the help!

I have analysed the Samba logs more closely. I'm very worried. I have
three DCs (fichdc, fichds01, fichds02), but here I talk just about
fichdc's logs.

-> Almost every time, "AS-REQ" fails for the 3 DCs with something like this:
----------------
  Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
from ipv4:172.16.0.20:59818 for
krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: Client sent patypes: encrypted-timestamp
  Kerberos: Looking for PKINIT pa-data --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: Looking for ENC-TS pa-data --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: Failed to decrypt PA-DATA --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
  Kerberos: Failed to decrypt PA-DATA --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
----------------

-> Sometimes "AS-REQ" returns "PREAUTH-REQUIRED" like this:
----------------
Kerberos: AS-REQ FICHDS01$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
from ipv4:172.16.0.21:36076 for
krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: No preauth found, returning PREAUTH-REQUIRED --
FICHDS01$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
----------------

-> And sometimes, strangely, it works:
----------------
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from
ipv4:172.16.0.20:43320 for
krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: Looking for PKINIT pa-data --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: Looking for ENC-TS pa-data --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
  Kerberos: ENC-TS Pre-authentication succeeded --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using arcfour-hmac-md5
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
  Kerberos: AS-REQ authtime: 2017-06-20T15:43:15 starttime: unset
endtime: 2017-06-21T01:43:15 renew till: 2017-06-21T15:43:15
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 20, 19, des3-cbc-sha1, 25,
26, using arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: Requested flags: renewable-ok
----------------

-> "TGS-REQ" always works:
----------------
 Kerberos: TGS-REQ FICHDS01$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
from ipv4:172.16.0.21:40972 for
ldap/fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
[canonicalize, renewable]
  Kerberos: TGS-REQ authtime: 2017-06-20T15:43:39 starttime:
2017-06-20T15:43:39 endtime: 2017-06-21T01:43:39 renew till:
2017-06-21T15:43:39
----------------


-> And the most important: binding to the other DCs always fails:
----------------
  Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.22[1024,seal,krb5,target_hostname=6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
NT_STATUS_LOGON_FAILURE
----------------

Does someone have an idea of the origin of the problem? An idea of what I can do?

Baptiste.
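The log excerpts above mix three different AS-REQ outcomes for the DC machine accounts. An ENC-TS "Decrypt integrity check failed" means the key the KDC holds for that client principal did not verify the client's encrypted timestamp, which is a different situation from the normal first-round PREAUTH-REQUIRED reply. The following added triage script (not from the original post or from Samba) groups Samba KDC log lines into AS-REQ records and counts outcomes per principal, so that affected accounts can be picked out of a long log; the sample log is constructed from the excerpts in the post, reassembled onto one line each.

```python
import re
from collections import Counter, defaultdict

# Constructed sample built from the post's excerpts; the final TGS-REQ line must
# not be attributed to any AS-REQ record.
REALM = "NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR"
SAMPLE_LOG = f"""\
  Kerberos: AS-REQ FICHDC$@{REALM} from ipv4:172.16.0.20:59818 for krbtgt/{REALM} at {REALM}
  Kerberos: Failed to decrypt PA-DATA -- FICHDC$@{REALM} (enctype arcfour-hmac-md5) error Decrypt integrity check failed
  Kerberos: Failed to decrypt PA-DATA -- FICHDC$@{REALM}
  Kerberos: AS-REQ FICHDS01$@{REALM} from ipv4:172.16.0.21:36076 for krbtgt/{REALM} at {REALM}
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- FICHDS01$@{REALM}
  Kerberos: AS-REQ FICHDC$@{REALM} from ipv4:172.16.0.20:43320 for krbtgt/{REALM} at {REALM}
  Kerberos: ENC-TS Pre-authentication succeeded -- FICHDC$@{REALM} using arcfour-hmac-md5
  Kerberos: TGS-REQ FICHDS01$@{REALM} from ipv4:172.16.0.21:40972 for ldap/fichds02 at {REALM}
"""

AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+")
# Outcome patterns; capture group 1, where present, is the enctype the KDC reports.
OUTCOMES = [
    ("key_mismatch", re.compile(r"Failed to decrypt PA-DATA .*\(enctype (\S+)\) error Decrypt integrity check failed")),
    ("preauth_required", re.compile(r"returning PREAUTH-REQUIRED")),
    ("success", re.compile(r"Pre-authentication succeeded .* using (\S+)")),
]

def parse_as_requests(log_text):
    """Group KDC log lines into AS-REQ records: principal, client IP, outcome, enctype."""
    records, current = [], None
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:  # a new AS-REQ opens a record; following lines describe its pre-auth outcome
            current = {"principal": m.group(1), "client": m.group(2),
                       "outcome": "no_outcome_logged", "enctype": None}
            records.append(current)
        elif current is None or "Kerberos: TGS-REQ" in line:
            current = None  # TGS-REQ traffic is a separate exchange; stop attributing lines
        else:
            for name, rx in OUTCOMES:
                om = rx.search(line)
                if om:
                    current["outcome"] = name
                    current["enctype"] = om.group(1) if om.groups() else None
                    break
    return records

def per_principal_summary(records):
    """Count outcomes per client principal; any key_mismatch count flags an account
    whose stored key on this KDC did not verify the client's encrypted timestamp."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["principal"]][r["outcome"]] += 1
    return {p: dict(c) for p, c in summary.items()}
```

Run it against the real log with `parse_as_requests(open(path).read())`; principals that show both key_mismatch and success, as FICHDC$ does here, are the ones whose requests reach KDCs holding different keys for the same account.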
