[Samba] Remote Desktop problem on samba 4.17.2
abartlet at samba.org
Mon Oct 31 04:53:29 UTC 2022
On Fri, 2022-10-28 at 09:59 -0700, Matthew Schumacher via samba wrote:
> On 10/27/22 4:36 PM, Matthew Schumacher via samba wrote:
> > I'm also having problems with RDP sessions not authenticating against
> > samba heimdal kdc. What is odd is that the initial RDP connection
> > (network level connection) works fine and authenticates me, but when I
> > get to the desktop, I get access denied and that my password is wrong
> > as if I used a wrong password at the console. If I put in the wrong
> > password into the initial rdp session for network level connection, it
> > immediately rejects me without letting me see the desktop.
> > Looking at wireshark under the covers, I suspect it's a kerberos
> > issue, however all of my hosts have dns settings of samba domain
> > controllers and my samba servers do appear to get AD updates.
> > I was running 4.16.4 but now I'm on 4.17.2 with no change.
> > I wonder if something changed on the windows side. I see Jakob
> > posted about a 22H2 update breaking this. Anyone know the specific
> > fix and how to roll it back?
> Looking at this more, the 22H2 issue doesn't seem to be the same issue
> I'm dealing with as Ralph and others mentioned that it goes away when
> they upgrade to latest (which I'm on), also I'm not seeing the
> KRB5KDC_ERR_TGT_REVOKED error.
> Here is what I found in regard to my issue:
> If I have a windows host with RDP authenticate against samba AD it
> starts an RDP session, but then rejects the password when we get the
> desktop. Looking at the packet captures I see:
> This part looks identical other than keys between the captures that work
> against a real windows dc and captures that don't work against a SAMBA DC:
> From client: as-req
> From server: KRB5KDC_ERR_PREAUTH_REQUIRED
> From client: as-req
> Now that we get to the as-rep we start to see differences:
> From Windows: as-rep->ticket->enc-part->etype
> eTYPE-ARCFOUR-HMAC-MD5(23) and ap-rep->enc-part->etype
> From Samba:
> as-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> and ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> Then we see the TGS-REQ and the client asks for a
> eTYPE-AES256-CTS-HMAC-SHA1-96(18) from the samba AD and
> eTYPE-ARCFOUR-HMAC-MD5(23) from the windows server otherwise identical.
> Now the TGS-REP
> From Windows: tgs-rep->ticket->enc-part->etype
> eTYPE-ARCFOUR-HMAC-MD5(23) and tgs-rep->enc-part->etype
> From Samba:
> tgs-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> and tgs-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> Basically, it appears that windows is using MD5 hashing and samba SHA1.
> A this point there aren't any further kerberos interactions from the
> client when authenticating to samba and the desktop shows password
> failed. When using the windows AD server we get another TGS-REQ/TGS-REP
> for sname kRB5-NT-SRV-INST where it appears to authenticate for LDAP.
> So, where to go from here? Create a Heimdal bug? Create a Samba bug?
> Not having RDP is really causing issues for me.
I'm actively looking into this, as that doesn't seem right. What is
the value of msDS-SupportedEncryptionTypes for the server account
Are both DCs for this comparison in the same domain?
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
More information about the samba