[Samba] netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS

Andrew Bartlett abartlet at samba.org
Mon Dec 18 00:51:28 UTC 2023 

On Sun, 2023-12-17 at 22:52 +0100, Kacper Wirski via samba wrote:
> *Hello,*
> *I'm running samba as AD DC on Debian 10, 3 DC's total, samba is from
> base debian repo*
> *Version 4.13.13-Debian*
> today on one of my DC's I started to see error such as this:
> 
> *samba[2720697]: [2023/12/17 22:36:21.896597,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1414(dcesrv_netr_
> LogonSamLogon_base_reply)samba[2720697]:  
> dcesrv_netr_LogonSamLogon_base_reply:
> netlogon_creds_encrypt_samlogon_validation() failed -
> NT_STATUS_INVALID_INFO_CLASS*
> **
> *it started to appear after I moved my VM with samba file server
> between 2 hyper-v hosts. In my samba DC log, before this error
> appears, I see:*
> *samba[2720714]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication]
> user [(null)]\[SRV6$@MYDOMAIN] at [Sun, 17 Dec 2023 22:36:21.851537
> CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation
> [(null)] remote host [ipv4:192.1 etc.samba[2720714]:   {"timestamp":
> "2023-12-17T22:36:21.851719+0100", "type": "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 2}, "eventId":
> 4624, "logonId": "b204a5992394b4e1", "logonType": 3, "status":
> "NT_STATUS_OK", etc.*
> *VM itself was updated (centos 7.9 running samba from repo i.e.
> Version 4.10.16)*

This is the more important detail than the host migration.   Samba 4.11
included this commit:
commit 8c9cf56fe9865029bf033557b00e8987873a7096Author: Andreas
Schneider <asn at samba.org>Date:   Wed May 29 14:39:34 2019 +0200
    libcli:auth: Return NTSTATUS for
netlogon_creds_server_step_check()        Signed-off-by: Andreas
Schneider <asn at samba.org>    Reviewed-by: Andrew Bartlett <
abartlet at samba.org>
The code now says:
	default:		/* If we can't find it, we can't very
well decrypt it */		return NT_STATUS_INVALID_INFO_CLASS;
The server is sending back some data that we don't know how to handle.
More details may be available at higher debug levels, but it gets
overwhelming fast and can contain sensitive info.
Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead                https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list