[Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)

Kacper Wirski k.wirski at babkamedica.pl
Sat Mar 18 22:10:01 UTC 2017


After reviewing logs I found that my previous assumption was wrong.

Situation: I'm trying to start a live migration from Hyper-V host A 
(BMSRV4-HYPERV) to Hyper-V host B (BM-SRV-5) from host B (logged in as a 
user from the DOMAIN ADMINS group).

Kerberos constrained delegation is set up in accordance with the Microsoft 
instructions, with the proper SPNs set (well, proper as in with the 
workaround I wrote earlier).

Below are logs from Wireshark and the Samba 4 DC (the one that handled the 
request). The kacper_wirski user, which belongs to the DOMAIN ADMINS group, 
is the one "giving" the command. I already tried with a different user, and 
also tried the other way round (from host B -> to host A when logged into 
host B). Same errors. Tried with a different Hyper-V host C, same error.

I have next to no experience with troubleshooting Kerberos (up until 
now everything was working flawlessly), but reading the logs I 
understand that the generated ticket request from host A seems OK: it wants 
to "impersonate" kacper_wirski in order to get to the SPN on host B, but 
the request fails.
I admit that I already googled this error and wasted a lot of hours, 
but I really don't know how to handle this situation - whether it's a 
Kerberos error, or a Samba error, or Microsoft Hyper-V was just built in 
such a way that it simply will work ONLY with Microsoft AD?

Every bit of advice/tip is greatly appreciated, as I feel I'm running 
out of ideas or options.

/etc/krb5.conf is the basic one generated at DC promo. Overall no issues in 
the domain using Kerberos so far (over 6 months now); I also use SSO for 
Apache, so Kerberos overall seems OK.

Logs below (tried my best to trim down).

Samba 4 log from the DC that host A contacted (one of 3 DCs in the domain):

Log level 5
   Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from 
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ 
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating 
kacper_wirski@MYDOMAIN.COM.XYZ to service 
bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime: 
2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till: 
2017-03-25T21:39:30
[2017/03/18 22:00:03.657328,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.657340,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/03/18 22:00:03.658763,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
[2017/03/18 22:00:03.658911,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.658920,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]


Wireshark relevant output:

TGS-REQ (host A -> Samba 4 AD DC):
Kerberos
                             msg-type: krb-ap-req (14)

                             ticket
                                 realm: MYDOMAIN.COM.XYZ
                                 sname
                                     name-type: kRB5-NT-SRV-INST (2)
                                     sname-string: 2 items
                                         SNameString: krbtgt
                                         SNameString: MYDOMAIN.COM.XYZ
                                 enc-part
                                     etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                             authenticator
                                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
             PA-DATA PA-FOR-USER
                 padata-type: kRB5-PADATA-S4U2SELF (129)
                         name
                             name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
                             name-string: 1 item
                                 KerberosString: kacper_wirski
                         realm: MYDOMAIN.COM.XYZ
                         cksum
                             cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
                         auth: Kerberos
         req-body
             Padding: 0
             kdc-options: 40810000 (forwardable, renewable, canonicalize)
             realm: MYDOMAIN.COM.XYZ
             sname
                 name-type: kRB5-NT-PRINCIPAL (1)
                 sname-string: 1 item
                     SNameString: bmsrv4-hyperv$
             etype: 5 items
                 ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)

TGS-REP (KDC -> host A)

     tgs-rep
            msg-type: krb-tgs-rep (13)
         crealm: MYDOMAIN.COM.XYZ
         cname
             name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
             cname-string: 1 item
                 CNameString: kacper_wirski
         ticket
             tkt-vno: 5
             realm: MYDOMAIN.COM.XYZ
             sname
                 name-type: kRB5-NT-PRINCIPAL (1)
                 sname-string: 1 item
                     SNameString: bmsrv4-hyperv$
             enc-part
                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 kvno: 1
         enc-part
             etype: eTYPE-ARCFOUR-HMAC-MD5 (23)

TGS-REQ (Host A -> KDC)

     tgs-req
         pvno: 5
         msg-type: krb-tgs-req (12)
         padata: 2 items
             PA-DATA PA-TGS-REQ
                 padata-type: kRB5-PADATA-TGS-REQ (1)
                          ticket
                                 tkt-vno: 5
                                 realm: MYDOMAIN.COM.XYZ
                                 sname
                                     name-type: kRB5-NT-SRV-INST (2)
                                     sname-string: 2 items
                                         SNameString: krbtgt
                                         SNameString: MYDOMAIN.COM.XYZ
                                 enc-part
                                     etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                     kvno: 1
                                authenticator
                                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
             PA-DATA Unknown:167
                 padata-type: Unknown (167)
                     padata-value: 3009a00703050010000000
         req-body
             Padding: 0
             kdc-options: 40830000 (forwardable, renewable, 
request-anonymous, canonicalize)
             realm: MYDOMAIN.COM.XYZ
             sname
                 name-type: kRB5-NT-SRV-INST (2)
                 sname-string: 2 items
                     SNameString: Microsoft Virtual System Migration Service
                     SNameString: BM-SRV-5
             till: 2017-03-18 21:15:03 (UTC)
             nonce: 478023267
             etype: 5 items
                 ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
             enc-authorization-data
                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 cipher: 0fa4ee9a7e16003266d7566c12c2f50748e50435090ee9e2...
             additional-tickets: 1 item
                 Ticket
                     realm: MYDOMAIN.COM.XYZ
                     sname
                         name-type: kRB5-NT-PRINCIPAL (1)
                             SNameString: bmsrv4-hyperv$
                     enc-part
                         etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                         kvno:
and final TGS-REP (KDC -> HOST A)
     krb-error
         pvno: 5
         msg-type: krb-error (30)
         ctime: 2017-03-18 21:00:03 (UTC)
         cusec: 481
         stime: 2017-03-18 21:00:03 (UTC)
         susec: 658781
         error-code: eRR-BAD-INTEGRITY (31)
         realm: <unspecified realm>
         sname
             name-type: kRB5-NT-UNKNOWN (0)
             sname-string: 0 items
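As an added example (not from the post and not Samba's own code), a small Python script that parses the level-3 "Kerberos:" lines the DC logged above and correlates the s4u2self the KDC honoured with the follow-up TGS-REQ from the same client address whose enc-authorization-data it could not decrypt. The point is to attribute the failing step to a delegating account, an impersonated user and a client address automatically instead of reading the log by hand. The sample input is the post's own log excerpt (with the archive's " at " restored to "@"); the KdcEvent record, the function names and the assumption that Samba logs the decrypt failure directly before the matching "Failed parsing TGS-REQ from" line are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Samba DC log lines copied from the post above (level-3 "Kerberos:" messages
# from smb_krb5_debug_wrapper plus the header lines the post shows). The
# mailing-list archive had rewritten "@" as " at " in the impersonated
# principal; that is restored here.
SAMPLE_LOG = """\
   Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating kacper_wirski@MYDOMAIN.COM.XYZ to service bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime: 2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till: 2017-03-25T21:39:30
[2017/03/18 22:00:03.658763,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
"""

RE_TGS_REQ = re.compile(r"Kerberos: TGS-REQ (\S+) from (\S+) for (\S+) \[([^\]]*)\]")
RE_S4U2SELF = re.compile(r"Kerberos: s4u2self (\S+) impersonating (\S+) to service (\S+)")
RE_DECRYPT_FAIL = re.compile(r"Kerberos: Failed to decrypt enc-authorization-data")
RE_PARSE_FAIL = re.compile(r"Kerberos: Failed parsing TGS-REQ from (\S+)")


@dataclass
class KdcEvent:
    kind: str                      # tgs_req | s4u2self | decrypt_failure | parse_failure
    client: Optional[str] = None   # principal that sent the TGS-REQ / is delegating
    source: Optional[str] = None   # "ipv4:addr:port" exactly as Samba logs it
    user: Optional[str] = None     # impersonated user (s4u2self only)
    service: Optional[str] = None  # requested service principal
    flags: list = field(default_factory=list)


def parse_kdc_log(text: str) -> list:
    """Turn the Kerberos payload lines of a Samba KDC log into KdcEvent records.
    Header lines ("[timestamp, level] file:line(func)") and messages not modelled
    here (e.g. the "TGS-REQ authtime:" lifetime line) are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_TGS_REQ.search(line):
            events.append(KdcEvent("tgs_req", client=m[1], source=m[2],
                                   service=m[3], flags=m[4].split(", ")))
        elif m := RE_S4U2SELF.search(line):
            events.append(KdcEvent("s4u2self", client=m[1], user=m[2], service=m[3]))
        elif RE_DECRYPT_FAIL.search(line):
            events.append(KdcEvent("decrypt_failure"))
        elif m := RE_PARSE_FAIL.search(line):
            events.append(KdcEvent("parse_failure", source=m[1]))
    return events


def client_ip(source: str) -> str:
    """'ipv4:192.168.1.14:64931' -> '192.168.1.14' (family prefix and port dropped).
    Only the ipv4:addr:port form seen in the post is handled."""
    return source.split(":", 1)[1].rsplit(":", 1)[0]


def diagnose(events: list) -> list:
    """Correlate an s4u2self the KDC honoured with a later TGS-REQ from the same
    client address that the KDC could not even parse. Assumption (it matches the
    ordering in the post, not a documented Samba guarantee): the address-less
    'Failed to decrypt enc-authorization-data' line is immediately followed by
    the 'Failed parsing TGS-REQ from <addr>' line for the same request."""
    findings = []
    s4u2self_by_ip = {}   # client ip -> the s4u2self event granted for it
    current_ip = None     # address taken from the most recent TGS-REQ line
    decrypt_failed = False
    for ev in events:
        if ev.kind == "tgs_req":
            current_ip = client_ip(ev.source)
        elif ev.kind == "s4u2self" and current_ip:
            s4u2self_by_ip[current_ip] = ev
        elif ev.kind == "decrypt_failure":
            decrypt_failed = True
        elif ev.kind == "parse_failure":
            ip = client_ip(ev.source)
            prior = s4u2self_by_ip.get(ip)
            if decrypt_failed and prior is not None:
                findings.append({
                    "client_ip": ip,
                    "delegating_account": prior.client,
                    "impersonated_user": prior.user,
                    "reason": "enc-authorization-data of the follow-up TGS-REQ "
                              "could not be decrypted",
                })
            decrypt_failed = False
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt, the script reports one finding: delegating account BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ, impersonated user kacper_wirski@MYDOMAIN.COM.XYZ, client 192.168.1.14. That is the same conclusion the post reaches by hand (the s4u2self step is granted, the next TGS-REQ is rejected before it is fully parsed); it does not say why the decrypt fails, only where to look.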
