thr3ads.net - samba - [Samba] issue joining domain and now logging in [Oct 2022]

If this information is useful, please help other people find it:
Share via:

Diego Franchini

2022-Oct-12 23:12 UTC

[Samba] issue joining domain and now logging in

don't mind the misspells.
The issue is another one now...

Thanks to @abarlet at samba.org <abarlet at samba.org> I was able to find
an old
21h2 windows 11 PC and add it to the domain perfectly, indeed confirming
the issue to be this one here
<https://bugzilla.samba.org/show_bug.cgi?id=15197>.

I tried to update the software but the latest version I'm able to install
is "Samba 4.15.9-Ubuntu" on "Armbian 22.08.4 Jammy with Linux
5.15.72-sunxi".

How can I upgrade to Samba 4.16, do I just have to wait for an update in
some future? Am I doomed?

Il giorno mer 12 ott 2022 alle ore 20:54 Rowland Penny via samba <
samba at lists.samba.org> ha scritto:
>
>
> On 12/10/2022 19:21, Diego Franchini via samba wrote:
> > this is an extract from my post on superuser and serverfault. I've
been
> > suggested to seek help here too.
> >
> > I'm constantly trying new solutions, literally anything I can find
> online,
> > but to this day nothing has completely fixed it.
> >
> >
> > *DISCLAMER:*
> > I'm still trying to fully learn and understand how to properly
maintain a
> > samba domain controller.
> >
> > *The Problem:*
> >
> > I had a working samba installation with AD controlle but now, just a
> month
> > after my last computer join, it won't work anymore. On Windows it
says
> > "unknown user or password" but I've checked them to be
correct.
> >
> > I tried setting the log level to 3 in "smb.conf" and while
trying to
> join a
> > computer this gets logged:
> >
> > [2022/10/04 12:11:58.018256,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ admuser at example.net from ipv4:172.27.2.58:50124
for
> > krbtgt/example.net at example.net
> > [2022/10/04 12:11:58.039839,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: 128
> > [2022/10/04 12:11:58.040080,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- admuser at example.net
> > [2022/10/04 12:11:58.040191,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- admuser at example.net
> > [2022/10/04 12:11:58.040341,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> admuser at example.net
> > [2022/10/04 12:11:58.043598,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/04 12:11:58.054880,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ admuser at example.net from ipv4:172.27.2.58:50125
for
> > krbtgt/example.net at example.net
> > [2022/10/04 12:11:58.076255,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > [2022/10/04 12:11:58.076483,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- admuser at example.net
> > [2022/10/04 12:11:58.076587,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- admuser at example.net
> > [2022/10/04 12:11:58.077527,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: ENC-TS Pre-authentication succeeded -- admuser at
example.net
> > using aes256-cts-hmac-sha1-96
> > [2022/10/04 12:11:58.077840,  3]
> > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[admuser at example.net] at [Tue, 04 Oct 2022 12:11:58.077747
> > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> > [(null)] remote host [ipv4:172.27.2.58:50125] became
> > [EXAMPLE]\[admuser] [S-1-5-21-578677625-3635414378-1858279571-1104].
> > local host [NULL]
> >    {"timestamp":
"2022-10-04T12:11:58.086113+0200", "type":
> > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > 2}, "eventId": 4624, "logonId":
"c61be2b0d84a3e12", "logonType": 3,
> > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > "ipv4:172.27.2.58:50125", "serviceDescription":
"Kerberos KDC",
> > "authDescription": "ENC-TS Pre-authentication",
"clientDomain": null,
> > "clientAccount": "admuser at example.net",
"workstation": null,
> > "becameAccount": "admuser",
"becameDomain": "EXAMPLE", "becameSid":
> > "S-1-5-21-578677625-3635414378-1858279571-1104",
"mappedAccount":
> > "admuser", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 31663}}
> > [2022/10/04 12:11:58.160727,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ authtime: 2022-10-04T12:11:58 starttime: unset
> > endtime: 2022-10-04T22:11:58 renew till: 2022-10-11T12:11:58
> > [2022/10/04 12:11:58.161033,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > [2022/10/04 12:11:58.161206,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> > [2022/10/04 12:11:58.165799,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/04 12:11:58.178036,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > check failed for checksum type rsa-md5, key type
> > aes256-cts-hmac-sha1-96
> > [2022/10/04 12:11:58.178282,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.58:50126
> >
> > As you can see, the authentication here is reported to be successful.
>
> Yes, the authentication for admuser is successful, but unless you have
> changed the Administrator name to 'admuser', the join will not
work,
> have you tried a join with 'Administrator' ?
>
> So
> > far it's the same issue as here
> > <
>
https://www.claudiokuenzler.com/blog/1065/windows-client-unable-join-domain-samba-4-domain-controller-logon-failure-unknown-user-name
> >,
> > so I tried the following commands:
> >
> >   root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> >      _ldap._tcp.example.net has SRV record 0 100 389
smbdc1.example.net.
> >   root at SMBDC1:~# host -t SRV _kerebros._udp.example.net
>
> Is that exactly what you typed ? If so, for the third time, it is
> 'kerberos' not 'kerebros'.
>
> >      Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
> >   root at SMBDC1:~# host -t A focal.exapmle.net
>
> 'example' not 'exapmle'
>
>
> >      Host focal.example.net not found: 3(NXDOMAIN)
> >
> >   root at SMBDC1:~# dig -t SRV _kerebros._udp.frankini.net
> >
> >      ; <<>> DiG 9.16.1-Ubuntu <<>> -t SRV
_kerebros._udp.frankini.net
>
> 'kerebros' again.
>
> >      ;; global options: +cmd
> >      ;; Got answer:
> >      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:
138
> >      ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1,
> ADDITIONAL: 0
> >
> >      ;; QUESTION SECTION:
> >      ;_kerebros._udp.frankini.net.   IN      SRV
> >
> >      ;; AUTHORITY SECTION:
> >      frankini.net.           3600    IN      SOA
> >      smbdc1.frankini.net. hostmaster.        frankini.net. 55 900 600
> 86400 3600
> >
> >      ;; Query time: 3 msec
> >      ;; SERVER: 172.27.1.1#53(172.27.1.1)
> >      ;; WHEN: Fri Oct 07 21:44:12 CEST 2022
> >      ;; MSG SIZE  rcvd: 99
> >
> > This originally worked but now i get "*Host not found*"...
what could
> have
> > changed?
> >
> > *My setup*
> >
> > router:     172.27.0.1
> > smbdc:      172.27.1.1
> > dns:        172.27.1.2
> >
> > dhcp range: 172.27.2.2 - 172.27.2.254
> >
> > Samba runs on an Orange Pi Zero and I connect to it through Putty and
> FileZilla
> >
> > I route communication between the xxx.xxx.0.xxx, xxx.xxx.1.xxx and
> > xxx.xxx.2.xxx ip ranges and set the network mask to be 255.255.0.0
> >
> > *System*
> >
> >   OS:    Armbian 22.05.3 Focal with Linux 5.15.48-sunxi
> >   SAMBA: Samba version 4.13.17-Ubuntu
> >
> > *smb.conf*
> >
> > # Global parameters
> > [global]
> >      dns forwarder = 172.27.1.2
> >      netbios name = SMBDC1
> >      realm = EXAMPLE.NET <http://example.net/>
> >      server role = active directory domain controller
> >      workgroup = EXAMPLE
> >      idmap_ldb:use rfc2307 = yes
> >      host msdfs = yes
> >      log level = 3
> >
> > [sysvol]
> >      path = /var/lib/samba/sysvol
> >      read only = No
> >
> > [netlogon]
> >      path = /var/lib/samba/sysvol/example.net/scripts
> >      read only = No
> >
> > *UPDATE:*
> >
> > I made an image of the disk as a backup, then did a bunch of tests
with
> no
> > success. so I finally reverted the image to the disk as it was, and
now
> > suddenly these commands work:
> >
> > root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> >      _ldap._tcp.example.net has SRV record 0 100 389
smbdc1.example.net.
> > root at SMBDC1:~# host -t SRV _kerberos._udp.example.net
> >      _kerberos._udp.example.net has SRV record 0 100 88
> smbdc1.example.net.
>
> How can something that is spelt wrong work ?
>
> Rowland
>
> > root at SMBDC1:~# host -t A SMBDC1.example.net
<http://smbdc1.example.net/>
> >      SMBDC1.example.net <http://smbdc1.example.net/> has address
> 172.27.1.4
> >
> > So the situation now is as follows:
> >
> > I added the computer "*TESTING-W11*" to the domain with my
domain admin
> > user, not with 'administrator'. It works only if i do
"user at example.net"
> > and not "user", which used to work before. and if someone
asks, yes I
> also
> > tried with administrator and it only work as "administrator at
example.com"
> >
> > after the computer rebooted I tried to login but it says wrong user or
> > password.
> >
> > this is the log file of login attempt:
> >
> > [2022/10/12 19:39:25.980185,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE from ipv4:172.27.2.26:50574 for
> > krbtgt/EXAMPLE at EXAMPLE
> > [2022/10/12 19:39:26.008882,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: 128
> > [2022/10/12 19:39:26.009229,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > [2022/10/12 19:39:26.009433,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > [2022/10/12 19:39:26.009709,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> user2 at EXAMPLE
> > [2022/10/12 19:39:26.013190,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.024021,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE from ipv4:172.27.2.26:50575 for
> > krbtgt/EXAMPLE at EXAMPLE
> > [2022/10/12 19:39:26.051743,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > [2022/10/12 19:39:26.052093,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > [2022/10/12 19:39:26.052302,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > [2022/10/12 19:39:26.052948,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at EXAMPLE
using
> > aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.053349,  3]
> > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\
> > [user2 at EXAMPLE] at [Wed, 12 Oct 2022 19:39:26.053205 CEST] with
> > [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
> > remote host [ipv4:172.27.2.26:50575] became [EXAMPLE]\[user2]
> > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> >    {"timestamp":
"2022-10-12T19:39:26.053767+0200", "type":
> > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > 2}, "eventId": 4624, "logonId":
"d3433331ec6a5bf7", "logonType": 3,
> > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > "ipv4:172.27.2.26:50575", "serviceDescription":
"Kerberos KDC",
> > "authDescription": "ENC-TS Pre-authentication",
"clientDomain": null,
> > "clientAccount": "user2 at EXAMPLE",
"workstation": null,
> > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 30203}}
> > [2022/10/12 19:39:26.089947,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > [2022/10/12 19:39:26.090338,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.090474,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> > [2022/10/12 19:39:26.097520,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.106943,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > check failed for checksum type rsa-md5, key type
> > aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.107170,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50576
> > [2022/10/12 19:39:26.110456,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.114239,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50577
for
> > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > [2022/10/12 19:39:26.127198,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: 128
> > [2022/10/12 19:39:26.127410,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.127580,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.127768,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.130816,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.140450,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50578
for
> > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > [2022/10/12 19:39:26.152897,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > [2022/10/12 19:39:26.153102,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.153210,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.153583,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE.NET
> > using aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.153816,  3]
> > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022 19:39:26.153732
> > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> > [(null)] remote host [ipv4:172.27.2.26:50578] became [EXAMPLE]\[user2]
> > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> >    {"timestamp":
"2022-10-12T19:39:26.154039+0200", "type":
> > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > 2}, "eventId": 4624, "logonId":
"869dfe1fc68f82a8", "logonType": 3,
> > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > "ipv4:172.27.2.26:50578", "serviceDescription":
"Kerberos KDC",
> > "authDescription": "ENC-TS Pre-authentication",
"clientDomain": null,
> > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 13913}}
> > [2022/10/12 19:39:26.182189,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > [2022/10/12 19:39:26.182483,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.182612,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> > [2022/10/12 19:39:26.187831,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.197162,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > check failed for checksum type rsa-md5, key type
> > aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.197385,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50579
> > [2022/10/12 19:39:26.202216,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.206268,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50580
for
> > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > [2022/10/12 19:39:26.218896,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: 128
> > [2022/10/12 19:39:26.219112,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.219220,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.219367,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.226212,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.236585,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50581
for
> > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > [2022/10/12 19:39:26.249060,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > [2022/10/12 19:39:26.249272,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.249377,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.249842,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE.NET
> > using aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.250084,  3]
> > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022 19:39:26.250002
> > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> > [(null)] remote host [ipv4:172.27.2.26:50581] became [EXAMPLE]\[user2]
> > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> >    {"timestamp":
"2022-10-12T19:39:26.250309+0200", "type":
> > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > 2}, "eventId": 4624, "logonId":
"b111aea5f91526ac", "logonType": 3,
> > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > "ipv4:172.27.2.26:50581", "serviceDescription":
"Kerberos KDC",
> > "authDescription": "ENC-TS Pre-authentication",
"clientDomain": null,
> > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 13999}}
> > [2022/10/12 19:39:26.278425,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > [2022/10/12 19:39:26.278721,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.278850,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> > [2022/10/12 19:39:26.284069,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.293333,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > check failed for checksum type rsa-md5, key type
> > aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.293567,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50582
> > [2022/10/12 19:39:26.297119,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.301280,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50583
for
> > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > [2022/10/12 19:39:26.314043,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: 128
> > [2022/10/12 19:39:26.314253,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.314361,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.314507,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.317995,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.328064,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ user2 at EXAMPLE.NET from ipv4:172.27.2.26:50584
for
> > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > [2022/10/12 19:39:26.340620,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > [2022/10/12 19:39:26.340832,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.340934,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > [2022/10/12 19:39:26.341304,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE.NET
> > using aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.341534,  3]
> > ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022 19:39:26.341453
> > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> > [(null)] remote host [ipv4:172.27.2.26:50584] became [EXAMPLE]\[user2]
> > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
> >    {"timestamp":
"2022-10-12T19:39:26.341761+0200", "type":
> > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > 2}, "eventId": 4624, "logonId":
"4baa7d35daccf446", "logonType": 3,
> > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > "ipv4:172.27.2.26:50584", "serviceDescription":
"Kerberos KDC",
> > "authDescription": "ENC-TS Pre-authentication",
"clientDomain": null,
> > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 13987}}
> > [2022/10/12 19:39:26.369985,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset
> > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > [2022/10/12 19:39:26.370274,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.370405,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> > [2022/10/12 19:39:26.375775,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2022/10/12 19:39:26.385121,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > check failed for checksum type rsa-md5, key type
> > aes256-cts-hmac-sha1-96
> > [2022/10/12 19:39:26.385343,  3]
> >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50585
> > [2022/10/12 19:39:26.388686,  3]
> > ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> >    stream_terminate_connection: Terminating connection -
> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> >
> > is there something wrong in the log file?
> >
> >
> > Thank you,
> >
> > Diego
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Andrew Bartlett

2022-Oct-13 00:48 UTC

head link

[Samba] issue joining domain and now logging in

Yes, you will need to find a third-party packager or speak with your
vendor. ?

I do hope to release patches to address this issue in the older
version, not as a Samba.org release (Samba.org is no longer supporting
this version), but thanks to my employer's commercial customers and to
support the community, who we know can't move as fast as we would like.

In the meantime accept the bugzilla invite I've just sent you and CC
yourself to the bug for updates. 

Andrew Bartlett

On Thu, 2022-10-13 at 01:12 +0200, Diego Franchini via samba
wrote:> don't mind the misspells.
> The issue is another one now...
> 
> Thanks to @abarlet at samba.org <abarlet at samba.org> I was able to
find an old
> 21h2 windows 11 PC and add it to the domain perfectly, indeed confirming
> the issue to be this one here
> <https://bugzilla.samba.org/show_bug.cgi?id=15197>.
> 
> I tried to update the software but the latest version I'm able to
install
> is "Samba 4.15.9-Ubuntu" on "Armbian 22.08.4 Jammy with
Linux
> 5.15.72-sunxi".
> 
> How can I upgrade to Samba 4.16, do I just have to wait for an update in
> some future? Am I doomed?
> 
> Il giorno mer 12 ott 2022 alle ore 20:54 Rowland Penny via samba <
> samba at lists.samba.org> ha scritto:
> 
> > 
> > 
> > On 12/10/2022 19:21, Diego Franchini via samba wrote:
> > > this is an extract from my post on superuser and serverfault.
I've been
> > > suggested to seek help here too.
> > > 
> > > I'm constantly trying new solutions, literally anything I can
find
> > online,
> > > but to this day nothing has completely fixed it.
> > > 
> > > 
> > > *DISCLAMER:*
> > > I'm still trying to fully learn and understand how to
properly maintain a
> > > samba domain controller.
> > > 
> > > *The Problem:*
> > > 
> > > I had a working samba installation with AD controlle but now,
just a
> > month
> > > after my last computer join, it won't work anymore. On
Windows it says
> > > "unknown user or password" but I've checked them to
be correct.
> > > 
> > > I tried setting the log level to 3 in "smb.conf" and
while trying to
> > join a
> > > computer this gets logged:
> > > 
> > > [2022/10/04 12:11:58.018256,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ admuser at example.net from
ipv4:172.27.2.58:50124 for
> > > krbtgt/example.net at example.net
> > > [2022/10/04 12:11:58.039839,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: 128
> > > [2022/10/04 12:11:58.040080,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- admuser at example.net
> > > [2022/10/04 12:11:58.040191,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- admuser at example.net
> > > [2022/10/04 12:11:58.040341,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > admuser at example.net
> > > [2022/10/04 12:11:58.043598,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/04 12:11:58.054880,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ admuser at example.net from
ipv4:172.27.2.58:50125 for
> > > krbtgt/example.net at example.net
> > > [2022/10/04 12:11:58.076255,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > [2022/10/04 12:11:58.076483,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- admuser at example.net
> > > [2022/10/04 12:11:58.076587,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- admuser at example.net
> > > [2022/10/04 12:11:58.077527,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: ENC-TS Pre-authentication succeeded -- admuser at
example.net
> > > using aes256-cts-hmac-sha1-96
> > > [2022/10/04 12:11:58.077840,  3]
> > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > [(null)]\[admuser at example.net] at [Tue, 04 Oct 2022
12:11:58.077747
> > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
workstation
> > > [(null)] remote host [ipv4:172.27.2.58:50125] became
> > > [EXAMPLE]\[admuser]
[S-1-5-21-578677625-3635414378-1858279571-1104].
> > > local host [NULL]
> > >    {"timestamp":
"2022-10-04T12:11:58.086113+0200", "type":
> > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > 2}, "eventId": 4624, "logonId":
"c61be2b0d84a3e12", "logonType": 3,
> > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > "ipv4:172.27.2.58:50125",
"serviceDescription": "Kerberos KDC",
> > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > "clientAccount": "admuser at example.net",
"workstation": null,
> > > "becameAccount": "admuser",
"becameDomain": "EXAMPLE", "becameSid":
> > > "S-1-5-21-578677625-3635414378-1858279571-1104",
"mappedAccount":
> > > "admuser", "mappedDomain":
"EXAMPLE", "netlogonComputer": null,
> > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 31663}}
> > > [2022/10/04 12:11:58.160727,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ authtime: 2022-10-04T12:11:58 starttime:
unset
> > > endtime: 2022-10-04T22:11:58 renew till: 2022-10-11T12:11:58
> > > [2022/10/04 12:11:58.161033,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > [2022/10/04 12:11:58.161206,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > forwardable
> > > [2022/10/04 12:11:58.165799,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/04 12:11:58.178036,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > > check failed for checksum type rsa-md5, key type
> > > aes256-cts-hmac-sha1-96
> > > [2022/10/04 12:11:58.178282,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.58:50126
> > > 
> > > As you can see, the authentication here is reported to be
successful.
> > 
> > Yes, the authentication for admuser is successful, but unless you have
> > changed the Administrator name to 'admuser', the join will not
work,
> > have you tried a join with 'Administrator' ?
> > 
> > So
> > > far it's the same issue as here
> > > <
> >
https://www.claudiokuenzler.com/blog/1065/windows-client-unable-join-domain-samba-4-domain-controller-logon-failure-unknown-user-name
> > > ,
> > > so I tried the following commands:
> > > 
> > >   root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> > >      _ldap._tcp.example.net has SRV record 0 100 389
smbdc1.example.net.
> > >   root at SMBDC1:~# host -t SRV _kerebros._udp.example.net
> > 
> > Is that exactly what you typed ? If so, for the third time, it is
> > 'kerberos' not 'kerebros'.
> > 
> > >      Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
> > >   root at SMBDC1:~# host -t A focal.exapmle.net
> > 
> > 'example' not 'exapmle'
> > 
> > 
> > >      Host focal.example.net not found: 3(NXDOMAIN)
> > > 
> > >   root at SMBDC1:~# dig -t SRV _kerebros._udp.frankini.net
> > > 
> > >      ; <<>> DiG 9.16.1-Ubuntu <<>> -t SRV
_kerebros._udp.frankini.net
> > 
> > 'kerebros' again.
> > 
> > >      ;; global options: +cmd
> > >      ;; Got answer:
> > >      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN,
id: 138
> > >      ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1,
> > ADDITIONAL: 0
> > > 
> > >      ;; QUESTION SECTION:
> > >      ;_kerebros._udp.frankini.net.   IN      SRV
> > > 
> > >      ;; AUTHORITY SECTION:
> > >      frankini.net.           3600    IN      SOA
> > >      smbdc1.frankini.net. hostmaster.        frankini.net. 55 900
600
> > 86400 3600
> > > 
> > >      ;; Query time: 3 msec
> > >      ;; SERVER: 172.27.1.1#53(172.27.1.1)
> > >      ;; WHEN: Fri Oct 07 21:44:12 CEST 2022
> > >      ;; MSG SIZE  rcvd: 99
> > > 
> > > This originally worked but now i get "*Host not
found*"... what could
> > have
> > > changed?
> > > 
> > > *My setup*
> > > 
> > > router:     172.27.0.1
> > > smbdc:      172.27.1.1
> > > dns:        172.27.1.2
> > > 
> > > dhcp range: 172.27.2.2 - 172.27.2.254
> > > 
> > > Samba runs on an Orange Pi Zero and I connect to it through Putty
and
> > FileZilla
> > > 
> > > I route communication between the xxx.xxx.0.xxx, xxx.xxx.1.xxx
and
> > > xxx.xxx.2.xxx ip ranges and set the network mask to be
255.255.0.0
> > > 
> > > *System*
> > > 
> > >   OS:    Armbian 22.05.3 Focal with Linux 5.15.48-sunxi
> > >   SAMBA: Samba version 4.13.17-Ubuntu
> > > 
> > > *smb.conf*
> > > 
> > > # Global parameters
> > > [global]
> > >      dns forwarder = 172.27.1.2
> > >      netbios name = SMBDC1
> > >      realm = EXAMPLE.NET <http://example.net/>
> > >      server role = active directory domain controller
> > >      workgroup = EXAMPLE
> > >      idmap_ldb:use rfc2307 = yes
> > >      host msdfs = yes
> > >      log level = 3
> > > 
> > > [sysvol]
> > >      path = /var/lib/samba/sysvol
> > >      read only = No
> > > 
> > > [netlogon]
> > >      path = /var/lib/samba/sysvol/example.net/scripts
> > >      read only = No
> > > 
> > > *UPDATE:*
> > > 
> > > I made an image of the disk as a backup, then did a bunch of
tests with
> > no
> > > success. so I finally reverted the image to the disk as it was,
and now
> > > suddenly these commands work:
> > > 
> > > root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> > >      _ldap._tcp.example.net has SRV record 0 100 389
smbdc1.example.net.
> > > root at SMBDC1:~# host -t SRV _kerberos._udp.example.net
> > >      _kerberos._udp.example.net has SRV record 0 100 88
> > smbdc1.example.net.
> > 
> > How can something that is spelt wrong work ?
> > 
> > Rowland
> > 
> > > root at SMBDC1:~# host -t A SMBDC1.example.net
<http://smbdc1.example.net/>
> > >      SMBDC1.example.net <http://smbdc1.example.net/> has
address
> > 172.27.1.4
> > > 
> > > So the situation now is as follows:
> > > 
> > > I added the computer "*TESTING-W11*" to the domain with
my domain admin
> > > user, not with 'administrator'. It works only if i do
"user at example.net"
> > > and not "user", which used to work before. and if
someone asks, yes I
> > also
> > > tried with administrator and it only work as "administrator
at example.com"
> > > 
> > > after the computer rebooted I tried to login but it says wrong
user or
> > > password.
> > > 
> > > this is the log file of login attempt:
> > > 
> > > [2022/10/12 19:39:25.980185,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE from ipv4:172.27.2.26:50574
for
> > > krbtgt/EXAMPLE at EXAMPLE
> > > [2022/10/12 19:39:26.008882,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: 128
> > > [2022/10/12 19:39:26.009229,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > > [2022/10/12 19:39:26.009433,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > > [2022/10/12 19:39:26.009709,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > user2 at EXAMPLE
> > > [2022/10/12 19:39:26.013190,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.024021,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE from ipv4:172.27.2.26:50575
for
> > > krbtgt/EXAMPLE at EXAMPLE
> > > [2022/10/12 19:39:26.051743,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > [2022/10/12 19:39:26.052093,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > > [2022/10/12 19:39:26.052302,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > > [2022/10/12 19:39:26.052948,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE using
> > > aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.053349,  3]
> > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\
> > > [user2 at EXAMPLE] at [Wed, 12 Oct 2022 19:39:26.053205 CEST]
with
> > > [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
[(null)]
> > > remote host [ipv4:172.27.2.26:50575] became [EXAMPLE]\[user2]
> > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > >    {"timestamp":
"2022-10-12T19:39:26.053767+0200", "type":
> > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > 2}, "eventId": 4624, "logonId":
"d3433331ec6a5bf7", "logonType": 3,
> > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > "ipv4:172.27.2.26:50575",
"serviceDescription": "Kerberos KDC",
> > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > "clientAccount": "user2 at EXAMPLE",
"workstation": null,
> > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 30203}}
> > > [2022/10/12 19:39:26.089947,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > [2022/10/12 19:39:26.090338,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.090474,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > forwardable
> > > [2022/10/12 19:39:26.097520,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.106943,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > > check failed for checksum type rsa-md5, key type
> > > aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.107170,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50576
> > > [2022/10/12 19:39:26.110456,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.114239,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50577 for
> > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > [2022/10/12 19:39:26.127198,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: 128
> > > [2022/10/12 19:39:26.127410,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.127580,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.127768,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.130816,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.140450,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50578 for
> > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > [2022/10/12 19:39:26.152897,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > [2022/10/12 19:39:26.153102,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.153210,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.153583,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE.NET
> > > using aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.153816,  3]
> > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022
19:39:26.153732
> > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
workstation
> > > [(null)] remote host [ipv4:172.27.2.26:50578] became
[EXAMPLE]\[user2]
> > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > >    {"timestamp":
"2022-10-12T19:39:26.154039+0200", "type":
> > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > 2}, "eventId": 4624, "logonId":
"869dfe1fc68f82a8", "logonType": 3,
> > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > "ipv4:172.27.2.26:50578",
"serviceDescription": "Kerberos KDC",
> > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 13913}}
> > > [2022/10/12 19:39:26.182189,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > [2022/10/12 19:39:26.182483,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.182612,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > forwardable
> > > [2022/10/12 19:39:26.187831,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.197162,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > > check failed for checksum type rsa-md5, key type
> > > aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.197385,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50579
> > > [2022/10/12 19:39:26.202216,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.206268,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50580 for
> > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > [2022/10/12 19:39:26.218896,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: 128
> > > [2022/10/12 19:39:26.219112,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.219220,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.219367,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.226212,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.236585,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50581 for
> > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > [2022/10/12 19:39:26.249060,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > [2022/10/12 19:39:26.249272,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.249377,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.249842,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE.NET
> > > using aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.250084,  3]
> > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022
19:39:26.250002
> > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
workstation
> > > [(null)] remote host [ipv4:172.27.2.26:50581] became
[EXAMPLE]\[user2]
> > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > >    {"timestamp":
"2022-10-12T19:39:26.250309+0200", "type":
> > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > 2}, "eventId": 4624, "logonId":
"b111aea5f91526ac", "logonType": 3,
> > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > "ipv4:172.27.2.26:50581",
"serviceDescription": "Kerberos KDC",
> > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 13999}}
> > > [2022/10/12 19:39:26.278425,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > [2022/10/12 19:39:26.278721,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.278850,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > forwardable
> > > [2022/10/12 19:39:26.284069,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.293333,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > > check failed for checksum type rsa-md5, key type
> > > aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.293567,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50582
> > > [2022/10/12 19:39:26.297119,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.301280,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50583 for
> > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > [2022/10/12 19:39:26.314043,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: 128
> > > [2022/10/12 19:39:26.314253,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.314361,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.314507,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.317995,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.328064,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50584 for
> > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > [2022/10/12 19:39:26.340620,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > [2022/10/12 19:39:26.340832,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.340934,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE.NET
> > > [2022/10/12 19:39:26.341304,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE.NET
> > > using aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.341534,  3]
> > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > >    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022
19:39:26.341453
> > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
workstation
> > > [(null)] remote host [ipv4:172.27.2.26:50584] became
[EXAMPLE]\[user2]
> > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > >    {"timestamp":
"2022-10-12T19:39:26.341761+0200", "type":
> > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > 2}, "eventId": 4624, "logonId":
"4baa7d35daccf446", "logonType": 3,
> > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > "ipv4:172.27.2.26:50584",
"serviceDescription": "Kerberos KDC",
> > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > "user2", "mappedDomain": "EXAMPLE",
"netlogonComputer": null,
> > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > "passwordType": "aes256-cts-hmac-sha1-96",
"duration": 13987}}
> > > [2022/10/12 19:39:26.369985,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > [2022/10/12 19:39:26.370274,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
> > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.370405,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > forwardable
> > > [2022/10/12 19:39:26.375775,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > [2022/10/12 19:39:26.385121,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed to verify authenticator checksum: Decrypt
integrity
> > > check failed for checksum type rsa-md5, key type
> > > aes256-cts-hmac-sha1-96
> > > [2022/10/12 19:39:26.385343,  3]
> > > 
> >
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50585
> > > [2022/10/12 19:39:26.388686,  3]
> > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > >    stream_terminate_connection: Terminating connection -
> > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > 
> > > is there something wrong in the log file?
> > > 
> > > 
> > > Thank you,
> > > 
> > > Diego
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

samba - Oct 2022 - issue joining domain and now logging in

[Samba] issue joining domain and now logging in

[Samba] issue joining domain and now logging in