[Samba] issue joining domain and now logging in

Diego Franchini diego.tartol at gmail.com
Fri Oct 14 19:06:59 UTC 2022


Hi.
So, I've set up a second dc with samba 4.16.5 and I've added it to the
domain.
I have an issue transferring FSMO though as when I try, I get this error:

root at SMBDC1:~# samba-tool fsmo transfer --role=all
schema_load_del_transaction: transaction mismatch
ERROR: Transfer of 'rid' role failed: operations error at
../../source4/dsdb/samdb/ldb_modules/rootdse.c:1502

To be honest, after some frustrating fiddling and countless attempts, I
wasn't able to restore my samba 4.15.9 disk image to SD correctly (even if
it has worked in the past) as the pi won't boot it. So, I had to revert to
restoring the DC using the backup file, which I finally managed to make
work.
The DC is now up and running with all the users and computers restored, but
it's acting weird. For example, sometimes it works calling it "example" but
not "example.net" and other warning messages using Windows' AD dsa.msc. I
guess the transfer of ownership error could be related to this?

Diego
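
The level-3 KDC log quoted further down this thread shows one pattern repeating: ENC-TS pre-authentication succeeds, then the TGS-REQ from the same client address is rejected with an authenticator checksum error. The following is an added example, not part of the original message or of Samba, that picks that pattern out of a log; the function names and the sample lines (built in the quoted log's format, with user3 and 172.27.2.30 invented as a control) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the quoted level-3 log. user2 and
# 172.27.2.26 come from the thread; user3 and 172.27.2.30 are invented as a
# healthy control. A real log has "@" where the list archive prints " at ".
_SRC = "../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)"
_EVENTS = [
    ("19:39:26.024021", "Kerberos: AS-REQ user2@EXAMPLE.NET from "
     "ipv4:172.27.2.26:50575 for krbtgt/EXAMPLE.NET@EXAMPLE.NET"),
    ("19:39:26.052948", "Kerberos: ENC-TS Pre-authentication succeeded -- "
     "user2@EXAMPLE.NET using aes256-cts-hmac-sha1-96"),
    ("19:39:26.089947", "Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 "
     "starttime: unset endtime: 2022-10-13T05:39:26"),
    # Body split over two lines to exercise continuation handling.
    ("19:39:26.106943", "Kerberos: Failed to verify authenticator checksum: "
     "Decrypt integrity\n  check failed for checksum type rsa-md5, key type "
     "aes256-cts-hmac-sha1-96"),
    ("19:39:26.107170", "Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50576"),
    ("19:40:01.000100", "Kerberos: AS-REQ user3@EXAMPLE.NET from "
     "ipv4:172.27.2.30:50100 for krbtgt/EXAMPLE.NET@EXAMPLE.NET"),
    ("19:40:01.020200", "Kerberos: ENC-TS Pre-authentication succeeded -- "
     "user3@EXAMPLE.NET using aes256-cts-hmac-sha1-96"),
]
SAMPLE_LOG = "\n".join(f"[2022/10/12 {t},  3] {_SRC}\n  {m}" for t, m in _EVENTS)

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]")
AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+")
PREAUTH_OK = re.compile(r"Kerberos: ENC-TS Pre-authentication succeeded -- (\S+)")
CHECKSUM_FAIL = re.compile(r"Kerberos: Failed to verify authenticator checksum: (.+)")
TGS_FAIL = re.compile(r"Kerberos: Failed parsing TGS-REQ from ipv4:([\d.]+):\d+")


def records(text):
    """Yield (timestamp, message): a header line plus its indented body lines."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            body = []
        elif ts is not None and line.strip():
            body.append(line.strip())
    if ts is not None:
        yield ts, " ".join(body)


def find_tgs_failures_after_preauth(text, window=timedelta(seconds=5)):
    """Report clients whose TGS-REQ is rejected shortly after a good pre-auth."""
    last_as_req = {}       # principal -> client IP of its most recent AS-REQ
    preauth_ok = {}        # client IP -> (time, principal) of last good pre-auth
    pending_reason = None  # checksum error logged just before the TGS-REQ failure
    findings = []
    for ts, msg in records(text):
        if m := AS_REQ.search(msg):
            last_as_req[m.group(1)] = m.group(2)
        elif m := PREAUTH_OK.search(msg):
            # The success line carries no address; use the preceding AS-REQ.
            ip = last_as_req.get(m.group(1))
            if ip:
                preauth_ok[ip] = (ts, m.group(1))
        elif m := CHECKSUM_FAIL.search(msg):
            pending_reason = m.group(1)
        elif m := TGS_FAIL.search(msg):
            ok = preauth_ok.get(m.group(1))
            if ok and ts - ok[0] <= window:
                findings.append({
                    "client": m.group(1),
                    "principal": ok[1],
                    "preauth_at": ok[0],
                    "tgs_failed_at": ts,
                    "reason": pending_reason,
                })
            pending_reason = None
    return findings


if __name__ == "__main__":
    for f in find_tgs_failures_after_preauth(SAMPLE_LOG):
        print(f"{f['client']} {f['principal']}: pre-auth OK at {f['preauth_at']}, "
              f"TGS-REQ rejected at {f['tgs_failed_at']} ({f['reason']})")
```

A hit means the password was accepted and the failure is in the ticket-granting exchange, so re-typing credentials on the client will not change the outcome.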

On Thu, 13 Oct 2022 at 08:02, Andrew Bartlett <abartlet at samba.org> wrote:

> Backup/restore is for catastrophic failures:
>
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
>
> However as your current DC is working, you can just join a new DC on the
> new host and transfer the FSMO roles.
>
> Andrew Bartlett
>
> On Thu, 2022-10-13 at 07:54 +0200, Diego Franchini wrote:
>
> I tried to look and it seems a bit out of my league from what I can gather
> on my own...
>
> I think my best bet is to install Armbian Sid instead of Focal, which
> would be based on Debian Sid as I understand, which would be the only OS to
> have an official Samba 4.16.5 package available according to this (
> https://pkgs.org/download/samba).
>
> The problem now is different then.
> I have backed up my original AD DC to a file using "sudo samba-tool domain
> backup offline --targetdir=<output-dir>".
> If I do a clean install, how will I restore it?
> I tried with "samba-tool domain backup restore" while experimenting, but
> it crashed in between...
>
> Couldn't find much detailed information online on restoring a backup. Do I
> need a domain already set up, do I need to restore it before configuring
> samba after a fresh install?
> Perhaps I just searched with the wrong keywords?
>
>
> On Thu, 13 Oct 2022, 02:49 Andrew Bartlett, <abartlet at samba.org> wrote:
>
> Yes, you will need to find a third-party packager or speak with your
> vendor.
>
> I do hope to release patches to address this issue in the older
> version, not as a Samba.org release (Samba.org is no longer supporting
> this version), but thanks to my employer's commercial customers and to
> support the community, who we know can't move as fast as we would like.
>
> In the meantime accept the bugzilla invite I've just sent you and CC
> yourself to the bug for updates.
>
> Andrew Bartlett
>
> On Thu, 2022-10-13 at 01:12 +0200, Diego Franchini via samba wrote:
> > don't mind the misspells.
> > The issue is another one now...
> >
> > Thanks to @abarlet at samba.org <abarlet at samba.org> I was able to find an old
> > 21h2 windows 11 PC and add it to the domain perfectly, indeed confirming
> > the issue to be this one here
> > <https://bugzilla.samba.org/show_bug.cgi?id=15197>.
> >
> > I tried to update the software but the latest version I'm able to install
> > is "Samba 4.15.9-Ubuntu" on "Armbian 22.08.4 Jammy with Linux
> > 5.15.72-sunxi".
> >
> > How can I upgrade to Samba 4.16, do I just have to wait for an update in
> > some future? Am I doomed?
> >
> > On Wed, 12 Oct 2022 at 20:54, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > >
> > >
> > > On 12/10/2022 19:21, Diego Franchini via samba wrote:
> > > > This is an extract from my post on superuser and serverfault. I've been
> > > > suggested to seek help here too.
> > > >
> > > > I'm constantly trying new solutions, literally anything I can find online,
> > > > but to this day nothing has completely fixed it.
> > > >
> > > >
> > > > *DISCLAIMER:*
> > > > I'm still trying to fully learn and understand how to properly maintain a
> > > > samba domain controller.
> > > >
> > > > *The Problem:*
> > > >
> > > > I had a working samba installation with AD controller but now, just a month
> > > > after my last computer join, it won't work anymore. On Windows it says
> > > > "unknown user or password" but I've checked them to be correct.
> > > >
> > > > I tried setting the log level to 3 in "smb.conf" and while trying to join a
> > > > computer this gets logged:
> > > >
> > > > [2022/10/04 12:11:58.018256,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ admuser at example.net from ipv4:172.27.2.58:50124
> for
> > > > krbtgt/example.net at example.net
> > > > [2022/10/04 12:11:58.039839,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: 128
> > > > [2022/10/04 12:11:58.040080,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- admuser at example.net
> > > > [2022/10/04 12:11:58.040191,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- admuser at example.net
> > > > [2022/10/04 12:11:58.040341,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > admuser at example.net
> > > > [2022/10/04 12:11:58.043598,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/04 12:11:58.054880,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ admuser at example.net from ipv4:172.27.2.58:50125
> for
> > > > krbtgt/example.net at example.net
> > > > [2022/10/04 12:11:58.076255,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/04 12:11:58.076483,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- admuser at example.net
> > > > [2022/10/04 12:11:58.076587,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- admuser at example.net
> > > > [2022/10/04 12:11:58.077527,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: ENC-TS Pre-authentication succeeded --
> admuser at example.net
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/04 12:11:58.077840,  3]
> > > > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[admuser at example.net] at [Tue, 04 Oct 2022 12:11:58.077747
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.58:50125] became
> > > > [EXAMPLE]\[admuser] [S-1-5-21-578677625-3635414378-1858279571-1104].
> > > > local host [NULL]
> > > >    {"timestamp": "2022-10-04T12:11:58.086113+0200", "type":
> > > > "Authentication", "Authentication": {"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId": "c61be2b0d84a3e12", "logonType": 3,
> > > > "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.58:50125", "serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "admuser at example.net", "workstation": null,
> > > > "becameAccount": "admuser", "becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1104", "mappedAccount":
> > > > "admuser", "mappedDomain": "EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> > > > "passwordType": "aes256-cts-hmac-sha1-96", "duration": 31663}}
> > > > [2022/10/04 12:11:58.160727,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ authtime: 2022-10-04T12:11:58 starttime: unset
> > > > endtime: 2022-10-04T22:11:58 renew till: 2022-10-11T12:11:58
> > > > [2022/10/04 12:11:58.161033,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/04 12:11:58.161206,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> > > forwardable
> > > > [2022/10/04 12:11:58.165799,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/04 12:11:58.178036,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed to verify authenticator checksum: Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/04 12:11:58.178282,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.58:50126
> > > >
> > > > As you can see, the authentication here is reported to be successful.
> > >
> > > Yes, the authentication for admuser is successful, but unless you have
> > > changed the Administrator name to 'admuser', the join will not work,
> > > have you tried a join with 'Administrator' ?
> > >
> > > So
> > > > far it's the same issue as here
> > > > <
> > >
> https://www.claudiokuenzler.com/blog/1065/windows-client-unable-join-domain-samba-4-domain-controller-logon-failure-unknown-user-name
> > > > ,
> > > > so I tried the following commands:
> > > >
> > > >   root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> > > >      _ldap._tcp.example.net has SRV record 0 100 389
> smbdc1.example.net.
> > > >   root at SMBDC1:~# host -t SRV _kerebros._udp.example.net
> > >
> > > Is that exactly what you typed ? If so, for the third time, it is
> > > 'kerberos' not 'kerebros'.
> > >
> > > >      Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
> > > >   root at SMBDC1:~# host -t A focal.exapmle.net
> > >
> > > 'example' not 'exapmle'
> > >
> > >
> > > >      Host focal.example.net not found: 3(NXDOMAIN)
> > > >
> > > >   root at SMBDC1:~# dig -t SRV _kerebros._udp.frankini.net
> > > >
> > > >      ; <<>> DiG 9.16.1-Ubuntu <<>> -t SRV _kerebros._
> udp.frankini.net
> > >
> > > 'kerebros' again.
> > >
> > > >      ;; global options: +cmd
> > > >      ;; Got answer:
> > > >      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 138
> > > >      ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1,
> > > ADDITIONAL: 0
> > > >
> > > >      ;; QUESTION SECTION:
> > > >      ;_kerebros._udp.frankini.net.   IN      SRV
> > > >
> > > >      ;; AUTHORITY SECTION:
> > > >      frankini.net.           3600    IN      SOA
> > > >      smbdc1.frankini.net. hostmaster.        frankini.net. 55 900
> 600
> > > 86400 3600
> > > >
> > > >      ;; Query time: 3 msec
> > > >      ;; SERVER: 172.27.1.1#53(172.27.1.1)
> > > >      ;; WHEN: Fri Oct 07 21:44:12 CEST 2022
> > > >      ;; MSG SIZE  rcvd: 99
> > > >
> > > > This originally worked but now I get "*Host not found*"... what could have
> > > > changed?
> > > >
> > > > *My setup*
> > > >
> > > > router:     172.27.0.1
> > > > smbdc:      172.27.1.1
> > > > dns:        172.27.1.2
> > > >
> > > > dhcp range: 172.27.2.2 - 172.27.2.254
> > > >
> > > > Samba runs on an Orange Pi Zero and I connect to it through Putty and FileZilla
> > > >
> > > > I route communication between the xxx.xxx.0.xxx, xxx.xxx.1.xxx and
> > > > xxx.xxx.2.xxx ip ranges and set the network mask to be 255.255.0.0
> > > >
> > > > *System*
> > > >
> > > >   OS:    Armbian 22.05.3 Focal with Linux 5.15.48-sunxi
> > > >   SAMBA: Samba version 4.13.17-Ubuntu
> > > >
> > > > *smb.conf*
> > > >
> > > > # Global parameters
> > > > [global]
> > > >      dns forwarder = 172.27.1.2
> > > >      netbios name = SMBDC1
> > > >      realm = EXAMPLE.NET
> > > >      server role = active directory domain controller
> > > >      workgroup = EXAMPLE
> > > >      idmap_ldb:use rfc2307 = yes
> > > >      host msdfs = yes
> > > >      log level = 3
> > > >
> > > > [sysvol]
> > > >      path = /var/lib/samba/sysvol
> > > >      read only = No
> > > >
> > > > [netlogon]
> > > >      path = /var/lib/samba/sysvol/example.net/scripts
> > > >      read only = No
> > > >
> > > > *UPDATE:*
> > > >
> > > > I made an image of the disk as a backup, then did a bunch of tests with no
> > > > success. So I finally reverted the image to the disk as it was, and now
> > > > suddenly these commands work:
> > > >
> > > > root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> > > >      _ldap._tcp.example.net has SRV record 0 100 389
> smbdc1.example.net.
> > > > root at SMBDC1:~# host -t SRV _kerberos._udp.example.net
> > > >      _kerberos._udp.example.net has SRV record 0 100 88
> > > smbdc1.example.net.
> > >
> > > How can something that is spelt wrong work ?
> > >
> > > Rowland
> > >
> > > > root at SMBDC1:~# host -t A SMBDC1.example.net
> > > >      SMBDC1.example.net has address 172.27.1.4
> > > >
> > > > So the situation now is as follows:
> > > >
> > > > I added the computer "*TESTING-W11*" to the domain with my domain admin
> > > > user, not with 'administrator'. It works only if I do "user at example.net"
> > > > and not "user", which used to work before. And if someone asks, yes I also
> > > > tried with administrator and it only works as "administrator at example.com"
> > > >
> > > > After the computer rebooted I tried to log in but it says wrong user or
> > > > password.
> > > >
> > > > This is the log file of the login attempt:
> > > >
> > > > [2022/10/12 19:39:25.980185,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE from ipv4:172.27.2.26:50574 for
> > > > krbtgt/EXAMPLE at EXAMPLE
> > > > [2022/10/12 19:39:26.008882,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.009229,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.009433,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.009709,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.013190,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.024021,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE from ipv4:172.27.2.26:50575 for
> > > > krbtgt/EXAMPLE at EXAMPLE
> > > > [2022/10/12 19:39:26.051743,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.052093,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.052302,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.052948,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at EXAMPLE
> using
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.053349,  3]
> > > > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\
> > > > [user2 at EXAMPLE] at [Wed, 12 Oct 2022 19:39:26.053205 CEST] with
> > > > [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
> > > > remote host [ipv4:172.27.2.26:50575] became [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> > > >    {"timestamp": "2022-10-12T19:39:26.053767+0200", "type":
> > > > "Authentication", "Authentication": {"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId": "d3433331ec6a5bf7", "logonType": 3,
> > > > "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50575", "serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE", "workstation": null,
> > > > "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount":
> > > > "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> > > > "passwordType": "aes256-cts-hmac-sha1-96", "duration": 30203}}
> > > > [2022/10/12 19:39:26.089947,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.090338,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.090474,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.097520,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.106943,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed to verify authenticator checksum: Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.107170,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50576
> > > > [2022/10/12 19:39:26.110456,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.114239,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50577
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.127198,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.127410,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.127580,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.127768,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.130816,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.140450,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50578
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.152897,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.153102,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.153210,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.153583,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: ENC-TS Pre-authentication succeeded --
> user2 at EXAMPLE.NET
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.153816,  3]
> > > > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022 19:39:26.153732
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.26:50578] became
> [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> > > >    {"timestamp": "2022-10-12T19:39:26.154039+0200", "type":
> > > > "Authentication", "Authentication": {"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId": "869dfe1fc68f82a8", "logonType": 3,
> > > > "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50578", "serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE.NET", "workstation": null,
> > > > "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount":
> > > > "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> > > > "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13913}}
> > > > [2022/10/12 19:39:26.182189,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.182483,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.182612,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.187831,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.197162,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed to verify authenticator checksum: Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.197385,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50579
> > > > [2022/10/12 19:39:26.202216,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.206268,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50580
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.218896,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.219112,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.219220,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.219367,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.226212,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.236585,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50581
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.249060,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.249272,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.249377,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.249842,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: ENC-TS Pre-authentication succeeded --
> user2 at EXAMPLE.NET
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.250084,  3]
> > > > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022 19:39:26.250002
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.26:50581] became
> [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> > > >    {"timestamp": "2022-10-12T19:39:26.250309+0200", "type":
> > > > "Authentication", "Authentication": {"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId": "b111aea5f91526ac", "logonType": 3,
> > > > "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50581", "serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE.NET", "workstation": null,
> > > > "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount":
> > > > "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> > > > "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13999}}
> > > > [2022/10/12 19:39:26.278425,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.278721,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.278850,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.284069,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.293333,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed to verify authenticator checksum: Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.293567,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50582
> > > > [2022/10/12 19:39:26.297119,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.301280,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50583
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.314043,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.314253,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.314361,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.314507,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.317995,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.328064,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50584
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.340620,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.340832,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.340934,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.341304,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: ENC-TS Pre-authentication succeeded --
> user2 at EXAMPLE.NET
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.341534,  3]
> > > > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022 19:39:26.341453
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.26:50584] became
> [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> > > >    {"timestamp": "2022-10-12T19:39:26.341761+0200", "type":
> > > > "Authentication", "Authentication": {"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId": "4baa7d35daccf446", "logonType": 3,
> > > > "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50584", "serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE.NET", "workstation": null,
> > > > "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount":
> > > > "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> > > > "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13987}}
> > > > [2022/10/12 19:39:26.369985,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.370274,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.370405,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.375775,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.385121,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed to verify authenticator checksum: Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.385343,  3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50585
> > > > [2022/10/12 19:39:26.388686,  3]
> > > > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > >    stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > >
> > > > is there something wrong in the log file?
> > > >
> > > >
> > > > Thank you,
> > > >
> > > > Diego
> > >
>
> --
>
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
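The log quoted above repeats one sequence: ENC-TS pre-authentication succeeds for user2, and within a few milliseconds a TGS-REQ from the same client address is rejected with a checksum error. The following is an added example, not part of the thread or of Samba: a small parser that rejoins the wrapped records and reports such pairs. The function names, the one-second window and the sample text are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: four records taken from the quoted log, mail quote markers
# removed and the archive's " at " assumed to stand for "@".
SRC = "../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)"
SAMPLE = f"""\
[2022/10/12 19:39:26.328064,  3] {SRC}
  Kerberos: AS-REQ user2@EXAMPLE.NET from ipv4:172.27.2.26:50584 for
  krbtgt/EXAMPLE.NET@EXAMPLE.NET
[2022/10/12 19:39:26.341304,  3] {SRC}
  Kerberos: ENC-TS Pre-authentication succeeded -- user2@EXAMPLE.NET
  using aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.385121,  3] {SRC}
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity
  check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.385343,  3] {SRC}
  Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50585
"""

# One record = "[timestamp, level] source" line plus its indented continuation lines.
RECORD = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s+\d+\] \S+\n((?:[ \t]+.*\n?)*)", re.M)
AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+")
PREAUTH_OK = re.compile(r"Kerberos: ENC-TS Pre-authentication succeeded -- (\S+)")
CKSUM_FAIL = re.compile(r"Kerberos: Failed to verify authenticator checksum: (.+)")
TGS_FAIL = re.compile(r"Kerberos: Failed parsing TGS-REQ from ipv4:([\d.]+):\d+")

def records(text):
    """Yield (timestamp, message) with wrapped continuation lines rejoined."""
    for m in RECORD.finditer(text):
        yield (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
               " ".join(m.group(2).split()))

def tgs_failures_after_preauth(text, window=1.0):
    """Return TGS-REQ failures seen within `window` seconds of a successful
    ENC-TS pre-authentication from the same client address."""
    as_req_ip, last_ok, reason, findings = {}, {}, None, []
    for ts, msg in records(text):
        if m := AS_REQ.search(msg):
            as_req_ip[m.group(1)] = m.group(2)   # principal -> client address
        elif m := PREAUTH_OK.search(msg):
            last_ok[as_req_ip.get(m.group(1))] = (ts, m.group(1))
        elif m := CKSUM_FAIL.search(msg):
            reason = m.group(1)                  # logged just before the TGS-REQ failure
        elif m := TGS_FAIL.search(msg):
            ok = last_ok.get(m.group(1))
            if ok and 0 <= (ts - ok[0]).total_seconds() <= window:
                findings.append({"client": m.group(1), "principal": ok[1],
                                 "delay_s": (ts - ok[0]).total_seconds(),
                                 "reason": reason})
            reason = None
    return findings
```

A finding means the client's password-derived key was accepted in the AS exchange while the follow-up ticket request failed verification. It narrows where to look and does not by itself identify the cause.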

