[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing

Rowland Penny rpenny at samba.org
Tue Aug 16 18:09:38 UTC 2022


On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
> Hello,
> 
> Recently we added a new DC to an existing Samba domain. It was supposed
> to be the start of the process of migrating our CentOS 7 based AD DC to
> Debian. Samba was installed from the default repo (samba-ad-dc), it's
> version 4.13.13, CentOS (previous) was on 4.11.4. So right now we have
> 2 x 4.11.4 and one new 4.13.13.
> 
> Everything seems to be working fine with the new DC except for this
> error/warning that occasionally pops up:
> 
> samba[15490]: [2022/08/16 16:07:18.885749,  1] 
> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
> samba[15490]:   PAC_TYPE_REQUESTER_SID missing
> 
> It mostly corresponds to a Java 1.8 application that is using
> Kerberos (keytab) to re-authenticate to a database. It's not that Java
> is unable to authenticate, just every few or so minutes (let's say
> 20-ish) I see this error, but not every time. We've had the setup
> running for the last 4 years and it's the first time I see the issue.
> 
> I would be glad for some pointers. I'm not sure what exactly this
> error/warning means and what's causing it. Obviously it's related to
> Kerberos. On my other 2 DCs I've never seen this and googling doesn't
> help me much either.
> 
> I read that in 4.13.14 there was a security change that seems related,
> but I don't "get" why it mostly works and only sometimes I see this
> warning/error.

That error will be coming from your new DC (it is the only one that
will have that piece of code), but whatever is causing it will not be
using the new DC exclusively; it will use any of the DCs in a
round-robin fashion.

I suggest you read this:
https://www.samba.org/samba/security/CVE-2020-25719.html

Rowland
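
One way to measure how often the new DC logs this warning, so the timestamps can be compared with the client's re-authentication schedule (an added example, not part of the original messages and not Samba code). The sample lines are constructed from the log format quoted above: only the first entry's timestamp comes from the post, and the unrelated entry's path and function are placeholders.

```python
import re
from datetime import datetime

# Header of a Samba debug entry, with an optional syslog/journald
# "samba[PID]: " prefix. The message follows on indented lines.
HEADER = re.compile(
    r"^(?:\S+\[(?P<pid>\d+)\]:\s+)?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]"
    r"\s*(?P<loc>.*)$"
)
PREFIX = re.compile(r"^\S+\[\d+\]:\s?")
NEEDLE = "PAC_TYPE_REQUESTER_SID missing"

# Constructed sample input (not real log data).
SAMPLE = """\
samba[15490]: [2022/08/16 16:07:18.885749,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
samba[15490]: [2022/08/16 16:15:02.100000,  3] ../../placeholder/file.c:1(placeholder_func)
samba[15490]:   unrelated constructed message
samba[15490]: [2022/08/16 16:28:48.885749,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
[2022/08/16 16:47:18.885749,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
  PAC_TYPE_REQUESTER_SID missing
""".splitlines()

def parse_entries(lines):
    """Group raw lines into entries: dict(ts, level, pid, text)."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            entries.append({"ts": ts, "level": int(m["level"]),
                            "pid": m["pid"], "text": m["loc"].strip()})
        elif entries and line.strip():
            # Continuation line: drop the syslog prefix, append to the entry.
            body = PREFIX.sub("", line).strip()
            entries[-1]["text"] = (entries[-1]["text"] + " " + body).strip()
    return entries

def requester_sid_gaps(lines):
    """Timestamps of the warning and minutes between consecutive hits."""
    hits = [e["ts"] for e in parse_entries(lines) if NEEDLE in e["text"]]
    gaps = [round((b - a).total_seconds() / 60, 1)
            for a, b in zip(hits, hits[1:])]
    return hits, gaps

if __name__ == "__main__":
    print(requester_sid_gaps(SAMPLE))
```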




