Hi.

Just upgraded a samba DC from 4.18.6 to 4.19.0. Since then, I have a lot of errors like this in my auth logs:

[2023/09/15 10:34:13.138186, 2] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[ADM$@LAPIOLE.LOCAL] at [Fri, 15 Sep 2023 10:34:13.138164 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)] remote host [ipv4:10.99.6.10:57814] mapped to [LAPIOLE]\[ADM$]. local host [NULL]
[2023/09/15 10:34:13.149112, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[ADM$@LAPIOLE.LOCAL] at [Fri, 15 Sep 2023 10:34:13.149085 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.99.6.10:46228] became [LAPIOLE]\[ADM$] [S-1-5-21-3157880385-2929606428-1306126165-1108]. local host [NULL]

Each time one of my client machines auths against the controller, there's first an NT_STATUS_PROTOCOL_UNREACHABLE, followed immediately by an NT_STATUS_OK.

Clients are various Linux servers (mainly Alma Linux 8 and Debian) joined to the domain with SSSD.

Everything seems to be working, but I'm worried about those errors. Would anyone know what this means?

--
Daniel Berteaud

On Fri, 2023-09-15 at 10:45 +0200, Daniel Berteaud via samba wrote:
> Each time one of my client machines auths against the controller,
> there's first an NT_STATUS_PROTOCOL_UNREACHABLE, followed immediately
> by an NT_STATUS_OK.
>
> Clients are various Linux servers (mainly Alma Linux 8 and Debian)
> joined to the domain with SSSD.
>
> Everything seems to be working, but I'm worried about those errors.
> Would anyone know what this means?

Totally harmless and expected, just a waste of CPU.

The client will first contact the KDC over UDP, but ask for a PAC. This just isn't going to work, we need TCP transport to make a reply with a PAC (it is large), so we go through the whole authentication dance only to say 'sorry, that won't fit in that packet'.

Then the client gets that error code, retries with TCP and it all works.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
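
One way to check from the auth log that each NT_STATUS_PROTOCOL_UNREACHABLE is the UDP-then-TCP retry described in the reply, rather than a failure with no follow-up. This is an added example, not part of the thread and not Samba code; the sample lines, the 2-second window and the names `EVENT` and `classify` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the log format quoted above (names, hosts, times are made up).
SAMPLE = r"""Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SRV1$@EXAMPLE.TEST] at [Fri, 15 Sep 2023 10:34:13.138164 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)] remote host [ipv4:192.0.2.10:57814] mapped to [EXAMPLE]\[SRV1$]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SRV1$@EXAMPLE.TEST] at [Fri, 15 Sep 2023 10:34:13.149085 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.10:46228] became [EXAMPLE]\[SRV1$] [S-1-5-21-1-2-3-1108]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SRV2$@EXAMPLE.TEST] at [Fri, 15 Sep 2023 10:35:00.000001 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)] remote host [ipv4:192.0.2.20:40000] mapped to [EXAMPLE]\[SRV2$]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SRV2$@EXAMPLE.TEST] at [Fri, 15 Sep 2023 10:35:00.010000 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.30:40001] became [EXAMPLE]\[SRV2$] [S-1-5-21-1-2-3-1109]. local host [NULL]
"""

# Groups: principal, timestamp (weekday and zone name dropped), status, remote address.
EVENT = re.compile(
    r"user \[[^\]]*\]\\\[([^\]]+)\] at \[\w+, ([^\]]+?) \w+\]"
    r".*?status \[(\w+)\].*?remote host \[(ipv[46]:.+?):\d+\]"
)
TS_FMT = "%d %b %Y %H:%M:%S.%f"  # all lines come from one DC, so the zone is ignored
UDP_TOO_SMALL = "NT_STATUS_PROTOCOL_UNREACHABLE"


def classify(log_text, window=timedelta(seconds=2)):
    """Split UDP 'won't fit' replies into (benign_retries, unpaired).

    A reply is a benign retry when the same principal, from the same remote
    address, gets NT_STATUS_OK within `window` (the source port may differ,
    since the retry is a new TCP connection).
    """
    events = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            principal, ts, status, host = m.groups()
            events.append((datetime.strptime(ts, TS_FMT), principal, host, status))
    events.sort()

    benign, unpaired = [], []
    for i, (t, principal, host, status) in enumerate(events):
        if status != UDP_TOO_SMALL:
            continue
        followed = any(
            p == principal and h == host and s == "NT_STATUS_OK" and t2 <= t + window
            for t2, p, h, s in events[i + 1:]
        )
        (benign if followed else unpaired).append((principal, host))
    return benign, unpaired


if __name__ == "__main__":
    ok, alone = classify(SAMPLE)
    print("benign UDP->TCP retries:", ok)
    print("unpaired, worth a look:", alone)
```

Entries in the second list are the ones to investigate, since they did not follow the pattern the reply describes.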