[Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
Kacper Wirski
k.wirski at babkamedica.pl
Sat Mar 18 22:10:01 UTC 2017
After reviewing logs I found that my previous assumption was wrong.
Situation: I'm trying to start live migration from Hyper-V host A
(BMSRV4-HYPERV) to Hyper-V host B (BM-SRV-5) from host B (logged in as a
user from the DOMAIN ADMINS group).
Kerberos constrained delegation is set in accordance with Microsoft
instructions with proper SPNs set (well, proper as in with the
workaround I wrote earlier).
Below are logs from Wireshark and the Samba 4 DC (the one that handled the request).
The kacper_wirski user, who belongs to the DOMAIN ADMINS group, is the one
"giving" the command. I already tried with a different user, and also tried
the other way round (from host B -> to host A when logged into host B).
Same errors. Tried with a different Hyper-V host C, same error.
I have next to no experience with troubleshooting Kerberos (up until
now everything was working flawlessly), but reading the logs I
understand that the generated ticket request from Host A seems OK: it wants
to "impersonate" kacper_wirski in order to get to the SPN on Host B, but the
request fails.
I admit that I already googled this error and wasted a lot of hours,
but I really don't know how to handle this situation - whether it's a
Kerberos error, or a Samba error, or Microsoft Hyper-V was just built
in such a way that it simply will work ONLY with Microsoft AD?
Every bit of advice/tip is greatly appreciated, as I feel I'm running
out of ideas or options.
/etc/krb5.conf is the basic one generated at DC promo. Overall no issues in the
domain using Kerberos so far (over 6 months now); I also used SSO for
Apache, so Kerberos overall seems OK.
Logs below (I tried my best to trim them down).
Samba 4 log from the DC that Host A contacted (one of 3 DCs in the domain),
log level 5:
Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating
kacper_wirski at MYDOMAIN.COM.XYZ to service
bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime:
2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till:
2017-03-25T21:39:30
[2017/03/18 22:00:03.657328, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.657340, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/03/18 22:00:03.658763, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
[2017/03/18 22:00:03.658911, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.658920, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
Wireshark relevant output:
TGS-REQ (host A -> Samba 4 AD DC):
Kerberos
msg-type: krb-ap-req (14)
ticket
realm: MYDOMAIN.COM.XYZ
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: krbtgt
SNameString: MYDOMAIN.COM.XYZ
enc-part
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
authenticator
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
PA-DATA PA-FOR-USER
padata-type: kRB5-PADATA-S4U2SELF (129)
name
name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
name-string: 1 item
KerberosString: kacper_wirski
realm: MYDOMAIN.COM.XYZ
cksum
cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
auth: Kerberos
req-body
Padding: 0
kdc-options: 40810000 (forwardable, renewable, canonicalize)
realm: MYDOMAIN.COM.XYZ
sname
name-type: kRB5-NT-PRINCIPAL (1)
sname-string: 1 item
SNameString: bmsrv4-hyperv$
etype: 5 items
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
TGS-REP KDC -> HOST A
tgs-rep
msg-type: krb-tgs-rep (13)
crealm: MYDOMAIN.COM.XYZ
cname
name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
cname-string: 1 item
CNameString: kacper_wirski
ticket
tkt-vno: 5
realm: MYDOMAIN.COM.XYZ
sname
name-type: kRB5-NT-PRINCIPAL (1)
sname-string: 1 item
SNameString: bmsrv4-hyperv$
enc-part
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
kvno: 1
enc-part
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
TGS-REQ (Host A -> KDC)
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 2 items
PA-DATA PA-TGS-REQ
padata-type: kRB5-PADATA-TGS-REQ (1)
ticket
tkt-vno: 5
realm: MYDOMAIN.COM.XYZ
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: krbtgt
SNameString: MYDOMAIN.COM.XYZ
enc-part
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
kvno: 1
authenticator
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
PA-DATA Unknown:167
padata-type: Unknown (167)
padata-value: 3009a00703050010000000
req-body
Padding: 0
kdc-options: 40830000 (forwardable, renewable,
request-anonymous, canonicalize)
realm: MYDOMAIN.COM.XYZ
sname
name-type: kRB5-NT-SRV-INST (2)
sname-string: 2 items
SNameString: Microsoft Virtual System Migration Service
SNameString: BM-SRV-5
till: 2017-03-18 21:15:03 (UTC)
nonce: 478023267
etype: 5 items
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
enc-authorization-data
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
cipher: 0fa4ee9a7e16003266d7566c12c2f50748e50435090ee9e2...
additional-tickets: 1 item
Ticket
realm: MYDOMAIN.COM.XYZ
sname
name-type: kRB5-NT-PRINCIPAL (1)
SNameString: bmsrv4-hyperv$
enc-part
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
kvno:
and final TGS-REP (KDC -> HOST A)
krb-error
pvno: 5
msg-type: krb-error (30)
ctime: 2017-03-18 21:00:03 (UTC)
cusec: 481
stime: 2017-03-18 21:00:03 (UTC)
susec: 658781
error-code: eRR-BAD-INTEGRITY (31)
realm: <unspecified realm>
sname
name-type: kRB5-NT-UNKNOWN (0)
sname-string: 0 items
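Added example (not from the post, Samba or Microsoft): a small decoder for the two opaque fields in the final TGS-REQ above. The padata type 167 that Wireshark shows as "Unknown" is PA-PAC-OPTIONS (MS-KILE 2.2.10), a DER SEQUENCE wrapping a KerberosFlags BIT STRING; the kdc-options bit names come from RFC 4120, with bit 14 being the MS-SFU cname-in-addl-tkt option that an S4U2proxy request sets (Wireshark labels the same bit request-anonymous). The hex values are copied from the capture in the post, so a reader can see exactly which delegation options the client asked the Samba KDC for.

```python
# Bit numbering follows KerberosFlags: bit 0 is the MSB of the first byte.
PAC_OPTION_BITS = {0: "claims", 1: "branch-aware", 2: "forward-to-full-dc",
                   3: "resource-based-constrained-delegation"}

KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
                   5: "allow-postdate", 6: "postdated", 8: "renewable",
                   11: "opt-hardware-auth",
                   14: "cname-in-addl-tkt",   # MS-SFU; shown by Wireshark as request-anonymous
                   15: "canonicalize", 26: "disable-transited-check",
                   27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew",
                   31: "validate"}


def _der_tlv(buf: bytes, pos: int, expected_tag: int) -> tuple:
    """Parse one short-form DER TLV at pos; return (value_start, value_end)."""
    if buf[pos] != expected_tag:
        raise ValueError(f"tag {buf[pos]:#x} != {expected_tag:#x} at offset {pos}")
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled (never needed here)")
    start = pos + 2
    return start, start + length


def kerberos_flags(bits: bytes, names: dict) -> list:
    """Return the names of all set bits in a KerberosFlags value."""
    set_bits = [i for i in range(len(bits) * 8) if bits[i // 8] & (0x80 >> (i % 8))]
    return [names.get(i, f"bit{i}") for i in set_bits]


def decode_pa_pac_options(hex_value: str) -> list:
    """Decode PA-PAC-OPTIONS ::= SEQUENCE { flags [0] BIT STRING }."""
    buf = bytes.fromhex(hex_value)
    seq_start, seq_end = _der_tlv(buf, 0, 0x30)          # SEQUENCE
    ctx_start, ctx_end = _der_tlv(buf, seq_start, 0xA0)  # [0] flags
    bs_start, bs_end = _der_tlv(buf, ctx_start, 0x03)    # BIT STRING
    if not (bs_end == ctx_end == seq_end) or buf[bs_start] != 0:
        raise ValueError("malformed PA-PAC-OPTIONS")
    return kerberos_flags(buf[bs_start + 1:bs_end], PAC_OPTION_BITS)


def decode_kdc_options(hex_value: str) -> list:
    """Decode the 32-bit kdc-options field as printed by Wireshark."""
    return kerberos_flags(bytes.fromhex(hex_value), KDC_OPTION_BITS)


if __name__ == "__main__":
    # Values copied from the failing TGS-REQ in the capture above.
    print(decode_pa_pac_options("3009a00703050010000000"))
    print(decode_kdc_options("40830000"))
```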