[Samba] Remote Desktop problem on samba 4.17.2
Andrew Bartlett
abartlet at samba.org
Mon Oct 31 04:53:29 UTC 2022
On Fri, 2022-10-28 at 09:59 -0700, Matthew Schumacher via samba wrote:
> On 10/27/22 4:36 PM, Matthew Schumacher via samba wrote:
> >
> > I'm also having problems with RDP sessions not authenticating against
> > samba heimdal kdc. What is odd is that the initial RDP connection
> > (network level connection) works fine and authenticates me, but when I
> > get to the desktop, I get access denied and that my password is wrong
> > as if I used a wrong password at the console. If I put in the wrong
> > password into the initial rdp session for network level connection, it
> > immediately rejects me without letting me see the desktop.
> >
> > Looking at wireshark under the covers, I suspect it's a kerberos
> > issue, however all of my hosts have dns settings of samba domain
> > controllers and my samba servers do appear to get AD updates.
> >
> > I was running 4.16.4 but now I'm on 4.17.2 with no change.
> >
> > I wonder if something changed on the windows side. I see Jakob
> > posted about a 22H2 update breaking this. Anyone know the specific
> > fix and how to roll it back?
> >
>
> Looking at this more, the 22H2 issue doesn't seem to be the same issue
> I'm dealing with as Ralph and others mentioned that it goes away when
> they upgrade to latest (which I'm on), also I'm not seeing the
> KRB5KDC_ERR_TGT_REVOKED error.
>
> Here is what I found in regard to my issue:
>
> If I have a windows host with RDP authenticate against samba AD it
> starts an RDP session, but then rejects the password when we get the
> desktop. Looking at the packet captures I see:
>
> This part looks identical other than keys between the captures that work
> against a real windows dc and captures that don't work against a SAMBA DC:
>
> From client: as-req
> From server: KRB5KDC_ERR_PREAUTH_REQUIRED
> From client: as-req
>
> Now that we get to the as-rep we start to see differences:
>
> From Windows: as-rep->ticket->enc-part->etype
> eTYPE-ARCFOUR-HMAC-MD5(23) and ap-rep->enc-part->etype
> eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> From Samba:
> as-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> and ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
>
> Then we see the TGS-REQ and the client asks for a
> eTYPE-AES256-CTS-HMAC-SHA1-96(18) from the samba AD and
> eTYPE-ARCFOUR-HMAC-MD5(23) from the windows server otherwise identical.
>
> Now the TGS-REP
>
> From Windows: tgs-rep->ticket->enc-part->etype
> eTYPE-ARCFOUR-HMAC-MD5(23) and tgs-rep->enc-part->etype
> eTYPE-ARCFOUR-HMAC-MD5(23)
> From Samba:
> tgs-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> and tgs-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
>
> Basically, it appears that windows is using MD5 hashing and samba SHA1.
>
> At this point there aren't any further kerberos interactions from the
> client when authenticating to samba and the desktop shows password
> failed. When using the windows AD server we get another TGS-REQ/TGS-REP
> for sname kRB5-NT-SRV-INST where it appears to authenticate for LDAP.
>
> So, where to go from here? Create a Heimdal bug? Create a Samba bug?
> Not having RDP is really causing issues for me.
I'm actively looking into this, as that doesn't seem right. What is
the value of msDS-SupportedEncryptionTypes for the server account
involved?
Are both DCs for this comparison in the same domain?
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
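Since the reply asks for the value of msDS-SupportedEncryptionTypes on the server account, the following is an added Python example (not code from this thread, from Samba or from Heimdal) that decodes that attribute's bit flags into the etype numbers Wireshark shows in enc-part->etype, and models how the client's offered etype list intersects with the service account's supported set to give the ticket etype seen in the captures. Two things are assumptions of this model rather than facts from the thread: an absent attribute is treated as "RC4 only" (the Windows KDC default as described in MS-KILE), and the KDC is modelled as taking the first client-offered etype the service supports, whereas real KDCs also apply their own policy ordering. The client etype list is a constructed sample.

```python
"""Decode the msDS-SupportedEncryptionTypes bit field and model the KDC's
choice of ticket etype.  Added illustration for this thread; it is not Samba
or Heimdal code, and the selection policy is a simplified model."""
from typing import Dict, List, Optional

# Cipher flag bits of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7) mapped to
# the RFC 3961 etype number that Wireshark shows in enc-part->etype.
CIPHER_FLAGS: Dict[int, int] = {
    0x01: 1,   # DES-CBC-CRC
    0x02: 3,   # DES-CBC-MD5
    0x04: 23,  # RC4-HMAC-MD5 (Wireshark: eTYPE-ARCFOUR-HMAC-MD5)
    0x08: 17,  # AES128-CTS-HMAC-SHA1-96
    0x10: 18,  # AES256-CTS-HMAC-SHA1-96
}

# Non-cipher feature bits carried in the same attribute.
FEATURE_FLAGS: Dict[int, str] = {
    0x10000: "FAST-SUPPORTED",
    0x20000: "COMPOUND-IDENTITY-SUPPORTED",
    0x40000: "CLAIMS-SUPPORTED",
    0x80000: "RESOURCE-SID-COMPRESSION-DISABLED",
}

# Etype numbers as named in RFC 3961 / MIT and Heimdal.
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
    24: "arcfour-hmac-md5-exp",
    -135: "arcfour-hmac-old-exp",
}

# Assumption of this model: an absent attribute is treated as "RC4 only",
# which is how MS-KILE describes the Windows KDC default for ordinary accounts.
DEFAULT_WHEN_ABSENT = 0x04


def decode_supported_enctypes(value: Optional[int]) -> Dict[str, object]:
    """Split the attribute into cipher etypes (strongest first), feature
    flags, and any bits this table does not know (newer Windows defines more)."""
    raw = DEFAULT_WHEN_ABSENT if value is None else value
    ciphers = [CIPHER_FLAGS[bit] for bit in sorted(CIPHER_FLAGS, reverse=True) if raw & bit]
    features = [name for bit, name in FEATURE_FLAGS.items() if raw & bit]
    known = 0
    for bit in list(CIPHER_FLAGS) + list(FEATURE_FLAGS):
        known |= bit
    return {"ciphers": ciphers, "features": features, "unknown_bits": raw & ~known}


def choose_ticket_etype(client_offered: List[int], server_value: Optional[int]) -> Optional[int]:
    """Simplified selection: walk the client's etype list in the order it was
    sent (its preference) and return the first one the service account
    supports.  Real KDCs also apply their own policy ordering."""
    supported = set(decode_supported_enctypes(server_value)["ciphers"])
    for etype in client_offered:
        if etype in supported:
            return etype
    return None


def describe(etype: Optional[int]) -> str:
    """Render an etype the way the thread quotes it, e.g. 'arcfour-hmac-md5(23)'."""
    if etype is None:
        return "no common etype (KDC would return KDC_ERR_ETYPE_NOSUPP)"
    return f"{ETYPE_NAMES.get(etype, 'unknown')}({etype})"


if __name__ == "__main__":
    # Constructed sample: the etype list a current Windows client typically
    # advertises in its AS-REQ / TGS-REQ, strongest first.
    windows_client = [18, 17, 23, 24, -135, 3]
    for label, value in [("attribute absent", None), ("0x04 (RC4 only)", 0x04),
                         ("0x1C (RC4+AES128+AES256)", 0x1C), ("0x18 (AES only)", 0x18)]:
        print(f"{label:28} -> ticket etype {describe(choose_ticket_etype(windows_client, value))}")
```

Run it against the value read from the RDP host's computer object (for example with `ldbsearch` or `Get-ADComputer` selecting msDS-SupportedEncryptionTypes) to see which etype this model would predict for the ticket; a ticket etype in the capture that differs from the prediction points at either the attribute value on the DC being compared or at KDC-side policy, which is the distinction the reply above is asking about.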