[Samba] Kerberos Authentication Problem with MacOS

Stefan Schäfer ml at fsproductions.de
Tue May 17 06:54:39 UTC 2022


Hi List,

we've just built Samba (version 4.16.1+git.235.f435da606f7) with 
internal Heimdal Kerberos (version 8pre) for use as AD-DC.

With Windows clients (joined to domain) everything works fine. Trying to 
access the samba server (which acts as DC and fileserver) with MacOS, 
authentication fails with some Kerberos problems. Log file attached. 
MacOS only tells that something went wrong. No further information (I'm 
not a MacOS crack).

Disabling Fast-Support, as mentioned in samba changelog (kdc enable fast 
= no) didn't change anything.

I've not tried to join the domain with this MacOS client yet.

With older Samba versions we had no problems with MacOS.

Any ideas what went wrong?

Stefan

-- 
www.invis-server.org

Stefan Schäfer
Vogelsbergstr. 118
63679 Schotten
-------------- next part --------------
[2022/05/16 13:00:28.544383,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.544503,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/05/16 13:00:28.544551,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49573 for krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
[2022/05/16 13:00:28.549897,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: REQ-ENC-PA-REP
[2022/05/16 13:00:28.549926,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=REQ-ENC-PA-REP
[2022/05/16 13:00:28.549932,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(ietf) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549938,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(win2k) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549958,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549964,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for GSS pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.549993,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2022/05/16 13:00:28.550008,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: as-req: sending error: -1765328359 to client
[2022/05/16 13:00:28.550028,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2022/05/16 13:00:28.550095,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.005732
[2022/05/16 13:00:28.550104,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
[2022/05/16 13:00:28.550110,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:172.18.200.20:49573 milli at GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC client-pa=REQ-ENC-PA-REP e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.005732
[2022/05/16 13:00:28.550756,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/16 13:00:28.556964,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.556995,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/05/16 13:00:28.557006,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49574 for krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC
[2022/05/16 13:00:28.558360,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
[2022/05/16 13:00:28.558378,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,REQ-ENC-PA-REP
[2022/05/16 13:00:28.558385,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(ietf) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558390,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(win2k) pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558396,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558403,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
[2022/05/16 13:00:28.558455,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- milli at GALERIE-NET.LOC using aes256-cts-hmac-sha1-96
[2022/05/16 13:00:28.558464,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
[2022/05/16 13:00:28.558470,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=6
[2022/05/16 13:00:28.558476,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS pre-authentication succeeded -- milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.558489,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=1
[2022/05/16 13:00:28.558502,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=2
[2022/05/16 13:00:28.559762,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.559808,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair auth=1652698828
[2022/05/16 13:00:28.559817,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair end=1652734828
[2022/05/16 13:00:28.559827,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-05-16T13:00:28 starttime: unset endtime: 2022-05-16T23:00:28 renew till: unset
[2022/05/16 13:00:28.559838,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,17,16,23
[2022/05/16 13:00:28.559844,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/05/16 13:00:28.559858,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etype=18/18
[2022/05/16 13:00:28.559865,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: canonicalize
[2022/05/16 13:00:28.559871,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] flags=canonicalize
[2022/05/16 13:00:28.563842,  3] ../../auth/auth_log.c:665(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[milli at GALERIE-NET.LOC] at [Mon, 16 May 2022 13:00:28.563825 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.18.200.20:49574] became [GALERIE-NET]\[milli] [S-1-5-21-3614744284-231420111-3803705986-1114]. local host [NULL] 
  {"timestamp": "2022-05-16T13:00:28.563913+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "9d7655cad5280d7a", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.18.200.20:49574", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "milli at GALERIE-NET.LOC", "workstation": null, "becameAccount": "milli", "becameDomain": "GALERIE-NET", "becameSid": "S-1-5-21-3614744284-231420111-3803705986-1114", "mappedAccount": "milli", "mappedDomain": "GALERIE-NET", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 6968}}
[2022/05/16 13:00:28.564040,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.007078
[2022/05/16 13:00:28.564054,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ SUCCESS ipv4:172.18.200.20:49574 milli at GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC pa=ENC-TS etype=18/18 canon_client_name=milli at GALERIE-NET.LOC pac_attributes=2 pa-etype=18 client-pa=ENC-TS,REQ-ENC-PA-REP end=1652734828 auth=1652698828 etypes=18,17,16,23 elapsed=0.007078 flags=canonicalize
[2022/05/16 13:00:28.564591,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/16 13:00:28.578204,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.578277,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2022/05/16 13:00:28.579997,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/05/16 13:00:28.580083,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49575 for cifs/invis.galerie-net.loc at GALERIE-NET.LOC [canonicalize]
[2022/05/16 13:00:28.585572,  2] ../../source4/kdc/db-glue.c:716(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 3
[2022/05/16 13:00:28.585627,  2] ../../source4/kdc/db-glue.c:716(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 1
[2022/05/16 13:00:28.594772,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair auth=1652698828
[2022/05/16 13:00:28.594820,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair start=1652698828
[2022/05/16 13:00:28.594863,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair end=1652734828
[2022/05/16 13:00:28.594905,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2022-05-16T13:00:28 starttime: 2022-05-16T13:00:28 endtime: 2022-05-16T23:00:28 renew till: unset
[2022/05/16 13:00:28.594935,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=milli at GALERIE-NET.LOC
[2022/05/16 13:00:28.594962,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=2
[2022/05/16 13:00:28.595310,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,17,16,23
[2022/05/16 13:00:28.595347,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/05/16 13:00:28.595372,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etype=18/18
[2022/05/16 13:00:28.595395,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: canonicalize
[2022/05/16 13:00:28.595417,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] flags=canonicalize
[2022/05/16 13:00:28.595621,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.017434
[2022/05/16 13:00:28.595657,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SUCCESS ipv4:172.18.200.20:49575 milli at GALERIE-NET.LOC cifs/invis.galerie-net.loc at GALERIE-NET.LOC etype=18/18 pac_attributes=2 canon_client_name=milli at GALERIE-NET.LOC end=1652734828 auth=1652698828 etypes=18,17,16,23 elapsed=0.017434 flags=canonicalize start=1652698828
[2022/05/16 13:00:28.596440,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/05/16 13:00:28.600379,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/05/16 13:00:28.600451,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2022/05/16 13:00:28.602045,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/05/16 13:00:28.602110,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ milli at GALERIE-NET.LOC from ipv4:172.18.200.20:49576 for krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC [forwarded]
[2022/05/16 13:00:28.611953,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddreason(): adding reason Request to forward non-forwardable ticket
[2022/05/16 13:00:28.612048,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.18.200.20:49576
[2022/05/16 13:00:28.612093,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: tgs-req: sending error: -1765328371 to client
[2022/05/16 13:00:28.612119,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2022/05/16 13:00:28.612286,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.011923
[2022/05/16 13:00:28.612338,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ERR_BADOPTION ipv4:172.18.200.20:49576 milli at GALERIE-NET.LOC krbtgt/GALERIE-NET.LOC at GALERIE-NET.LOC elapsed=0.011923 reason=Request to forward non-forwardable ticket
[2022/05/16 13:00:28.612876,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
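
Added example, not part of the original post and not Samba code: a small Python filter for a level-3 KDC log like the one attached above. It keeps only the per-request audit summary lines and reports the errors, skipping an AS-REQ ERR_PREAUTH_REQUIRED that the same client follows with a successful AS-REQ (the normal first round of pre-authentication). The sample lines are constructed (user, realm and address are made up), and the names `parse` and `failures` are this example's own.

```python
import re

# Constructed sample in the two-line layout of the attached log; the user,
# realm and address are made up. Principals may be written "user@REALM" or,
# as in the list archive, "user at REALM".
SAMPLE = r"""[2022/05/16 13:00:28.550110,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.0.2.10:49573 alice@EXAMPLE.TEST krbtgt/EXAMPLE.TEST@EXAMPLE.TEST client-pa=REQ-ENC-PA-REP e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.005732
[2022/05/16 13:00:28.564054,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ SUCCESS ipv4:192.0.2.10:49574 alice@EXAMPLE.TEST krbtgt/EXAMPLE.TEST@EXAMPLE.TEST pa=ENC-TS etype=18/18 elapsed=0.007078 flags=canonicalize
[2022/05/16 13:00:28.595657,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SUCCESS ipv4:192.0.2.10:49575 alice at EXAMPLE.TEST cifs/dc1.example.test at EXAMPLE.TEST etype=18/18 elapsed=0.017434
[2022/05/16 13:00:28.612338,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ERR_BADOPTION ipv4:192.0.2.10:49576 alice at EXAMPLE.TEST krbtgt/EXAMPLE.TEST at EXAMPLE.TEST elapsed=0.011923 reason=Request to forward non-forwardable ticket
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),")
PRINC = r"\S+(?: at |@)\S+"  # principal in either spelling
SUMMARY = re.compile(
    r"Kerberos: (?P<req>AS-REQ|TGS-REQ) (?P<result>SUCCESS|ERR_[A-Z_]+) "
    rf"(?P<peer>ipv[46]:\S+) (?P<client>{PRINC}) (?P<service>{PRINC})(?P<kv>.*)")
KV = re.compile(r"(\S+?)=(.*?)(?= \S+?=|$)")  # values may contain spaces

def parse(log_text):
    """Return one dict per KDC audit summary line, in log order."""
    events, stamp = [], None
    for line in log_text.splitlines():
        if (h := HEADER.match(line)):
            stamp = h.group(1)  # timestamp applies to the next message line
        elif (m := SUMMARY.search(line)):
            ev = {k: m.group(k) for k in ("req", "result", "peer")}
            ev.update(time=stamp, client=m.group("client").replace(" at ", "@"),
                      service=m.group("service").replace(" at ", "@"),
                      kv={k: v.replace(r"\s", " ") for k, v in KV.findall(m.group("kv"))})
            events.append(ev)
    return events

def failures(events):
    """Errors worth a look: all except a PREAUTH_REQUIRED round that the
    same client later follows with a successful AS-REQ."""
    def retried(i, ev):
        return any(e["req"] == "AS-REQ" and e["result"] == "SUCCESS"
                   and e["client"] == ev["client"] for e in events[i + 1:])
    return [ev for i, ev in enumerate(events)
            if ev["result"] != "SUCCESS"
            and not (ev["result"] == "ERR_PREAUTH_REQUIRED" and retried(i, ev))]

if __name__ == "__main__":
    for ev in failures(parse(SAMPLE)):
        print(ev["time"], ev["req"], ev["result"], ev["service"], ev["kv"].get("reason"))
```
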