[Samba] Domain trust and browsing users and groups problem

Tino Müller tmu at spreadshirt.net
Fri Jun 22 09:00:37 UTC 2018

Hi list,

we have a forest trust of two domains. One domain in US (us.root.prv)
running exclusively on Windows 2012 R2 and one in EU
(spreadshirt.private) running exclusively Sernet Samba 4.8.2-11. Both
domains run functional level "2008 R2". The trust validates successful
using "samba-tool domain trust validate" and in "Domains and trusts".

My problem is: I can't browse users and groups of the EU domain on a
domain member of the US domain, when I try to give EU users permissions
on resources in the US domain. The other way does work.

For example:
At a server in the US domain (actually the DC with all FSMO roles of the
US domain), I right-click a folder on disk -> Properties -> Security ->
"Add..." -> "Locations..." -> select forest "spreadshirt.private" -> OK
-> "Advanced..." -> "Find now".

Search results below show "Searching..." for a short time and then the
message: "The following error prevented the display of any items: The
system cannot contact a domain controller to service the authentication
request. Please try again later."

Doing the same in the EU domain to find users and groups in the US
domain, lists all users and groups as expected.

To track down, what happens, I do a tcpdump at one of the DCs in EU
(ad07), which get the requests from the US server. This is, what I find
(as I think the relevant part):

The krb5 req packet:
  pvno: 5
  msg-type: krb-tgs-req (12)
   kdc-options: 40810000 (forwardable, renewable, canonicalize)
    name-type: kRB5-NT-SRV-INST (2)
    sname-string: 3 items
     SNameString: ldap
     SNameString: ad07.spreadshirt.private
     SNameString: spreadshirt.private
   etype: 5 items
    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
    cipher: f1cab9899b2402be5267e58829e2573f875f03e4fc1fc04b...

The answer:
  pvno: 5
  msg-type: krb-error (30)
  ctime: 2018-06-22 07:49:57 (UTC)
  cusec: 4986
  stime: 2018-06-22 07:49:57 (UTC)
  susec: 828326
  error-code: eRR-GENERIC (60)
  realm: <unspecified realm>
   name-type: kRB5-NT-UNKNOWN (0)
   sname-string: 0 items
  e-text: No next enctype 18 for hdb-entry

This "No next enctype 18 for hdb-entry" seems to be the problem. AFAIK
is enctype 18 the encryption type AES256-CTS-HMAC-SHA1-96 as seen in the
request packet. After this packet, the connection is ended by the US server.

What does this error mean and how do I solve this?
Without this, we can't add permissions to EU users in US domain.


Additional info:
ad07 is the DC with all FSMO roles in EU. It was used to establish the
trust to the US domain by "samba-tool domain trust create" command.
# kinit -c ./cache administrator at US.ROOT.PRV
# samba-tool domain trust create US.ROOT.PRV --type=forest
--direction=both -k yes --krb5-ccache=./cache --create-location=both

smb.conf of ad07:
# Global parameters
        netbios name = AD07
        server role = active directory domain controller
        workgroup = SPREADSHIRT
        log level = 2 auth_audit:2 auth_json_audit:2
        idmap_ldb:use rfc2307 = yes
        ntlm auth = yes
        ldap server require strong auth = allow_sasl_over_tls

        path = /var/lib/samba/sysvol/spreadshirt.private/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

"ntlm auth = yes" and "ldap server require strong auth =
allow_sasl_over_tls" are needed for freeradius and third-party software.
Removing them and restarting samba services didn't help.

secrets.keytab entries at ad07:
# ktutil -k /var/lib/samba/private/secrets.keytab list

Vno  Type                     Principal

  2  des-cbc-crc              HOST/ad07 at SPREADSHIRT.PRIVATE

  2  des-cbc-crc
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
  2  des-cbc-crc              AD07$@SPREADSHIRT.PRIVATE

  2  des-cbc-md5              HOST/ad07 at SPREADSHIRT.PRIVATE

  2  des-cbc-md5
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
  2  des-cbc-md5              AD07$@SPREADSHIRT.PRIVATE

  2  arcfour-hmac-md5         HOST/ad07 at SPREADSHIRT.PRIVATE

  2  arcfour-hmac-md5
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
  2  arcfour-hmac-md5         AD07$@SPREADSHIRT.PRIVATE

  2  aes128-cts-hmac-sha1-96  HOST/ad07 at SPREADSHIRT.PRIVATE

  2  aes128-cts-hmac-sha1-96
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
  2  aes128-cts-hmac-sha1-96  AD07$@SPREADSHIRT.PRIVATE

  2  aes256-cts-hmac-sha1-96  HOST/ad07 at SPREADSHIRT.PRIVATE

  2  aes256-cts-hmac-sha1-96
HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE
  2  aes256-cts-hmac-sha1-96  AD07$@SPREADSHIRT.PRIVATE

Ticket cache at US server (rosen):

Current LogonId is 0:0x607f290

Cached Tickets: (2)

#0>     Client: atmueller @ US.ROOT.PRV
        Server: krbtgt/SPREADSHIRT.PRIVATE @ US.ROOT.PRV
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent
ok_as_delegate name_canonicalize
        Start Time: 6/22/2018 3:46:44 (local)
        End Time:   6/22/2018 13:35:57 (local)
        Renew Time: 6/29/2018 3:35:57 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: ROSEN

#1>     Client: atmueller @ US.ROOT.PRV
        Server: krbtgt/US.ROOT.PRV @ US.ROOT.PRV
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial
pre_authent name_canonicalize
        Start Time: 6/22/2018 3:35:57 (local)
        End Time:   6/22/2018 13:35:57 (local)
        Renew Time: 6/29/2018 3:35:57 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: ROSEN

The whole communication is done for this connection between rosen and
ad07. Full tcpdump trace is available.
In short (US server requests, answered by EU server):
- DNS requests for GC
- CLDAP search for DC capabilities
- LDAP search base <ROOT> at GC port 3268
- Kerberos request as above
- unbind from GC

Any help is appreciated. Thank you.


More information about the samba mailing list