[Samba] Remote Desktop problem on samba 4.17.2

Andrew Bartlett abartlet at samba.org
Mon Oct 31 23:31:50 UTC 2022


On Mon, 2022-10-31 at 17:53 +1300, Andrew Bartlett wrote:
> On Fri, 2022-10-28 at 09:59 -0700, Matthew Schumacher via samba
> wrote:
> > On 10/27/22 4:36 PM, Matthew Schumacher via samba wrote:
> > > I'm also having problems with RDP sessions not authenticating
> > > against samba heimdal kdc.  What is odd is that the initial RDP
> > > connection (network level connection) works fine and
> > > authenticates me, but when I get to the desktop, I get access
> > > denied and that my password is wrong as if I used a wrong
> > > password at the console. If I put in the wrong password into the
> > > initial rdp session for network level connection, it immediately
> > > rejects me without letting me see the desktop.
> > > Looking at wireshark under the covers, I suspect it's a kerberos
> > > issue, however all of my hosts have dns settings of samba domain
> > > controllers and my samba servers do appear to get AD updates.
> > > I was running 4.16.4 but now I'm on 4.17.2 with no change.
> > > I wonder if something changed on the windows side.   I see Jakob
> > > posted about a 22H2 update breaking this.  Anyone know the
> > > specific fix and how to roll it back?
> > 
> > Looking at this more, the 22H2 issue doesn't seem to be the same
> > issue I'm dealing with as Ralph and others mentioned that it goes
> > away when they upgrade to latest (which I'm on), also I'm not
> > seeing the KRB5KDC_ERR_TGT_REVOKED error.
> > Here is what I found in regard to my issue:
> > If I have a windows host with RDP authenticate against samba AD it
> > starts an RDP session, but then rejects the password when we get
> > the desktop.  Looking at the packet captures I see:
> > This part looks identical other than keys between the captures that
> > work against a real windows dc and captures that don't work against
> > a SAMBA DC:
> > From client: as-req
> > From server: KRB5KDC_ERR_PREAUTH_REQUIRED
> > From client: as-req
> > Now that we get to the as-rep we start to see differences:
> > From Windows: as-rep->ticket->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23) and ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> > From Samba: as-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18) and ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> > Then we see the TGS-REQ and the client asks for a eTYPE-AES256-CTS-
> > HMAC-SHA1-96(18) from the samba AD and eTYPE-ARCFOUR-HMAC-MD5(23)
> > from the windows server otherwise identical.
> > Now the TGS-REP
> > From Windows: tgs-rep->ticket->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23) and tgs-rep->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)
> > From Samba: tgs-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18) and tgs-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> > Basically, it appears that windows is using MD5 hashing and samba
> > SHA1.
> > At this point there aren't any further kerberos interactions from
> > the client when authenticating to samba and the desktop shows
> > password failed.  When using the windows AD server we get another
> > TGS-REQ/TGS-REP for sname kRB5-NT-SRV-INST where it appears to
> > authenticate for LDAP.
> > So, where to go from here?  Create a Heimdal bug?  Create a Samba
> > bug?  Not having RDP is really causing issues for me.
> 
> I'm actively looking into this, as that doesn't seem right.  What is
> the value of msDS-SupportedEncryptionTypes for the server account
> involved?
> 
> Are both DCs for this comparison in the same domain?
> 
> Andrew Bartlett

If you could create a Samba bug that would be great, and if you can
send me privately that network trace I'll try and reproduce with our
test harness. 

I also need that msDS-SupportedEncryptionTypes value and any other
context you are able to share, in particular the target server version.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
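The thread hinges on comparing the etype the KDC put in each ticket (23 versus 18 in the captures) with what the target server account advertises in msDS-SupportedEncryptionTypes, which Andrew asks for above. The following Python is an added example for this page, not code from the thread or from Samba: it decodes that bitmask (bit assignments per MS-KILE 2.2.7), names the etype numbers seen in a capture (RFC 3961/3962/4757 numbering), and flags any ticket etype the account does not advertise. The bitmask value 0x1C and the per-KDC observations in the sample run are constructed, not taken from the reporter's directory.

```python
"""Decode msDS-SupportedEncryptionTypes and the etype numbers seen in a
Kerberos capture, so the two can be compared side by side.

Added example for this thread; not Samba code.  Bit assignments follow
MS-KILE section 2.2.7, etype numbers follow RFC 3961/3962/4757.
"""

# msDS-SupportedEncryptionTypes is a bitmask stored on the account object.
SUPPORTED_ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}

# Kerberos etype numbers as they appear in AS-REP/TGS-REP enc-part fields.
ETYPE_NUMBERS = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Which bitmask flag each etype number corresponds to.
ETYPE_TO_BIT = {1: 0x01, 3: 0x02, 17: 0x08, 18: 0x10, 23: 0x04}


def decode_supported_enc_types(value):
    """Return the names of every flag set in an msDS-SupportedEncryptionTypes value.

    Unknown bits are reported as hex so nothing is silently dropped.
    """
    names = []
    for bit, name in sorted(SUPPORTED_ENC_TYPE_BITS.items()):
        if value & bit:
            names.append(name)
    leftover = value & ~sum(SUPPORTED_ENC_TYPE_BITS)
    if leftover:
        names.append("unknown:0x%x" % leftover)
    return names


def etype_name(number):
    """Map an etype number from a capture to its name."""
    return ETYPE_NUMBERS.get(number, "unknown-etype-%d" % number)


def ticket_etype_allowed(ticket_etype, supported_value):
    """True if a ticket etype is one the account advertises via the bitmask."""
    bit = ETYPE_TO_BIT.get(ticket_etype)
    return bit is not None and bool(supported_value & bit)


def compare_kdcs(observations, supported_value):
    """Line up ticket etypes from several KDC captures against one account's bitmask.

    observations: {"kdc label": {"field": etype_number}}
    Returns {label: {field: (etype name, advertised_by_account)}}.
    """
    report = {}
    for label, fields in observations.items():
        report[label] = {
            field: (etype_name(et), ticket_etype_allowed(et, supported_value))
            for field, et in fields.items()
        }
    return report


if __name__ == "__main__":
    # Constructed input: the ticket etypes quoted in the thread, plus an
    # assumed bitmask of 0x1C (RC4 + AES128 + AES256) for the target account.
    observed = {
        "windows-dc": {"as-rep-ticket": 23, "tgs-rep-ticket": 23},
        "samba-dc": {"as-rep-ticket": 18, "tgs-rep-ticket": 18},
    }
    assumed_value = 0x1C
    print("account supports:", decode_supported_enc_types(assumed_value))
    for kdc, fields in compare_kdcs(observed, assumed_value).items():
        for field, (name, ok) in fields.items():
            status = "ok" if ok else "NOT advertised by account"
            print("%-10s %-15s %-26s %s" % (kdc, field, name, status))
```

Feed it the integer value of msDS-SupportedEncryptionTypes read from the server's computer object (for example with ldbsearch against the Samba DC) and the etype numbers Wireshark shows in the enc-part fields; a row marked "NOT advertised" is a KDC issuing a ticket in an etype the account never claimed to support, which is the kind of inconsistency worth attaching to a bug report alongside the trace.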