No subject
Sat Sep 18 21:15:27 MDT 2010
"I have received an update from my SME on the data which has been provided to us. The problem is the name-type used for the TGT request is set to Unknown:
133 2010-08-26 17:15:17.284157 x.x.x.x x.x.x.x KRB5 AS-REQ
Server Name (Unknown): krbtgt/EXAMPLE.COM
Name-type: Unknown (0)
Name: krbtgt
Name: EXAMPLE.COM
The name-type needs to be Service and Instance. The reason why it works against the Writable DCs is because those DCs don't need to proxy the authentication, RODCs do. In W2K8R2 there were additional checks in the Kerberos decryption code path which now exposes this problem."
As I'm still a bit skeptical about this analysis of the problem -- I'm working on verifying the problem and performing further isolation. I was also wondering if such a problem was uncovered in your testing as well.
I've attached the following to the mail:
Interactive winbindd debug 100 log
net ads status -machine-pass debug 10
a network capture from the samba server during the net ads status
Thanks for reading
Joshua Hawkinson
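The quoted analysis turns on a single field of the AS-REQ: the name-type inside the sname PrincipalName, which the capture shows as Unknown (0) where the KDC expects Service and Instance (NT-SRV-INST, 2). The following is an added example, not code from the thread or from Samba, that hand-encodes and decodes a Kerberos PrincipalName in DER per RFC 4120 section 5.2.2 and flags a krbtgt sname carrying the wrong name-type, so a reader can reproduce the check against their own decoded capture. The name-type constants and labels follow RFC 4120 and Wireshark's display; the check_tgt_sname function is an assumed diagnostic helper written for this example.

```python
# Added example, not part of the original mailing-list thread or of Samba.
# Minimal DER encoder/decoder for the Kerberos PrincipalName type (RFC 4120 5.2.2):
#   PrincipalName ::= SEQUENCE {
#       name-type   [0] Int32,
#       name-string [1] SEQUENCE OF KerberosString   -- GeneralString, tag 27
#   }
# plus a diagnostic that flags a krbtgt sname sent with NT-UNKNOWN (0)
# instead of NT-SRV-INST (2), the mismatch described in the message above.

NT_UNKNOWN = 0    # "Unknown" in the capture
NT_PRINCIPAL = 1
NT_SRV_INST = 2   # "Service and Instance", what the KDC expects for krbtgt/REALM
NT_SRV_HST = 3
NAME_TYPE_LABELS = {
    NT_UNKNOWN: "Unknown",
    NT_PRINCIPAL: "Principal",
    NT_SRV_INST: "Service and Instance",
    NT_SRV_HST: "Service with Host",
}


def _tlv(tag, body):
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    if value < 0:
        raise ValueError("only non-negative name types are handled here")
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def encode_principal_name(name_type, parts):
    """Encode a PrincipalName; parts is e.g. ["krbtgt", "EXAMPLE.COM"]."""
    nt = _tlv(0xA0, _tlv(0x02, _der_int(name_type)))            # [0] EXPLICIT INTEGER
    strings = b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts)
    ns = _tlv(0xA1, _tlv(0x30, strings))                          # [1] EXPLICIT SEQUENCE OF
    return _tlv(0x30, nt + ns)


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_principal_name(buf):
    """Decode a DER PrincipalName into (name_type, [name-string parts])."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("PrincipalName must be a SEQUENCE")
    tag, nt_body, pos = _read_tlv(body, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] name-type")
    itag, ival, _ = _read_tlv(nt_body, 0)
    if itag != 0x02:
        raise ValueError("name-type must be an INTEGER")
    name_type = int.from_bytes(ival, "big", signed=True)
    tag, ns_body, _ = _read_tlv(body, pos)
    if tag != 0xA1:
        raise ValueError("expected [1] name-string")
    stag, seq, _ = _read_tlv(ns_body, 0)
    if stag != 0x30:
        raise ValueError("name-string must be a SEQUENCE OF")
    parts, p = [], 0
    while p < len(seq):
        gtag, gval, p = _read_tlv(seq, p)
        if gtag != 0x1B:
            raise ValueError("KerberosString must be a GeneralString")
        parts.append(gval.decode("ascii"))
    return name_type, parts


def check_tgt_sname(buf):
    """Assumed diagnostic: (ok, message) for the sname of an AS-REQ for the TGS."""
    name_type, parts = decode_principal_name(buf)
    label = NAME_TYPE_LABELS.get(name_type, str(name_type))
    if parts and parts[0] == "krbtgt" and name_type != NT_SRV_INST:
        return False, (f"krbtgt sname has name-type {label} ({name_type}); "
                       f"expected Service and Instance ({NT_SRV_INST})")
    return True, f"sname {'/'.join(parts)} name-type {label} ({name_type})"


if __name__ == "__main__":
    # Constructed inputs mirroring the capture: same name-string, two name-types.
    for nt in (NT_UNKNOWN, NT_SRV_INST):
        print(check_tgt_sname(encode_principal_name(nt, ["krbtgt", "EXAMPLE.COM"])))
```

The name-string is identical in both encodings; only the INTEGER under the [0] tag differs, which is why a writable DC that decrypts locally is indifferent while an RODC that must forward the request on the principal's behalf is not.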