[Samba] netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS
Andrew Bartlett
abartlet at samba.org
Mon Dec 18 08:23:01 UTC 2023
If you can get me a decoded NDR dump of the SamLogonEx that triggers
this, I would like to see it.
The error is in our AD DC code in the output path, we should be able to
do better than that.
Andrew Bartlett
On Mon, 2023-12-18 at 09:08 +0100, Kacper Wirski via samba wrote:
> Hello, I found what is causing the error, it wasn't update related at
> all,just a random coincidence of me looking at samba DC logs while
> using hypervfeature of remote console to the updated VM.
> Remote console to VM via windows 2016 hyperv host uses kerberos and
> eventhough it's working, it floods DC log with this error, while
> using saidconsole.
> I suppose I can rather safely ignore it then?
> Regards,Kacper
>
> pon., 18 gru 2023, 01:51 użytkownik Andrew Bartlett <
> abartlet at samba.org>napisał:
> > On Sun, 2023-12-17 at 22:52 +0100, Kacper Wirski via samba wrote:
> > *Hello,*
> >
> > *I'm running samba as AD DC on Debian 10, 3 DC's total, samba is
> > from
> > base debian repo
> > *
> >
> > *Version 4.13.13-Debian
> > *
> >
> > today on one of my DC's I started to see error such as this:
> >
> >
> > *samba[2720697]: [2023/12/17 22:36:21.896597, 0]
> > ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1414(dcesrv_net
> > r_LogonSamLogon_base_reply)
> > samba[2720697]: dcesrv_netr_LogonSamLogon_base_reply:
> > netlogon_creds_encrypt_samlogon_validation() failed -
> > NT_STATUS_INVALID_INFO_CLASS*
> >
> > *
> > *
> >
> > *it started to appear after I moved my VM with samba file server
> > between
> > 2 hyper-v hosts. In my samba DC log, before this error appears, I
> > see:*
> >
> > *samba[2720714]: Auth: [Kerberos KDC,ENC-TS Pre-authentication]
> > user
> > [(null)]\[SRV6$@MYDOMAIN] at [Sun, 17 Dec 2023 22:36:21.851537 CET]
> > with
> > [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)]
> > remote
> > host [ipv4:192.1 etc.
> > samba[2720714]: {"timestamp": "2023-12-17T22:36:21.851719+0100",
> > "type": "Authentication", "Authentication": {"version": {"major":
> > 1,
> > "minor": 2}, "eventId": 4624, "logonId": "b204a5992394b4e1",
> > "logonType": 3, "status": "NT_STATUS_OK", etc.
> > *
> >
> > *VM itself was updated (centos 7.9 running samba from repo i.e.
> > Version
> > 4.10.16)
> > *
> >
> > This is the more important detail than the host migration. Samba
> > 4.11 included this commit:
> >
> > commit 8c9cf56fe9865029bf033557b00e8987873a7096
> > Author: Andreas Schneider <asn at samba.org>
> > Date: Wed May 29 14:39:34 2019 +0200
> >
> > libcli:auth: Return NTSTATUS for
> > netlogon_creds_server_step_check()
> > Signed-off-by: Andreas Schneider <asn at samba.org>
> > Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> >
> > The code now says:
> >
> > default:
> > /* If we can't find it, we can't very well decrypt it
> > */
> > return NT_STATUS_INVALID_INFO_CLASS;
> >
> > The server is sending back some data that we don't know how to
> > handle.
> >
> > More details may be available at higher debug levels, but it gets
> > overwhelming fast and can contain sensitive info.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead
> > https://catalyst.net.nz/services/samba
> > Catalyst.Net Ltd
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> > company
> > Samba Development and Support:
> > https://catalyst.net.nz/services/samba
> >
> > Catalyst IT - Expert Open Source Solutions
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the samba
mailing list