I tried to look and it seems a bit out of my league from what I can gather
on my own...
I think my best bet is to install Armbian Sid instead of Focal, which would
be based on Debian Sid as I understand, which would be the only OS to have
an official Samba 4.16.5 package available according to this (
https://pkgs.org/download/samba).
The problem now is different then.
I have backed up my original AD DC to a file using "sudo samba-tool domain
backup offline --targetdir=<output-dir>".
If I do a clean install, how will I restore it?
I tried with "samba-tool domain backup restore" while experimenting,
but it
crashed in between...
Couldn't find much detailed information online on restoring a backup. Do I
need a domain already setup, do i need to restore it before configuring
samba after a fresh install?
Perhaps I just searched with the wrong keywords?
On Thu, 13 Oct 2022, 02:49 Andrew Bartlett, <abartlet at samba.org> wrote:
> Yes, you will need to find a third-party packager or speak with your
> vendor.
>
> I do hope to release patches to address this issue in the older
> version, not as a Samba.org release (Samba.org is no longer supporting
> this version), but thanks to my employer's commercial customers and to
> support the community, who we know can't move as fast as we would like.
>
> In the meantime accept the bugzilla invite I've just sent you and CC
> yourself to the bug for updates.
>
> Andrew Bartlett
>
> On Thu, 2022-10-13 at 01:12 +0200, Diego Franchini via samba wrote:
> > don't mind the misspells.
> > The issue is another one now...
> >
> > Thanks to @abarlet at samba.org <abarlet at samba.org> I was
able to find an
> old
> > 21h2 windows 11 PC and add it to the domain perfectly, indeed
confirming
> > the issue to be this one here
> > <https://bugzilla.samba.org/show_bug.cgi?id=15197>.
> >
> > I tried to update the software but the latest version I'm able to
install
> > is "Samba 4.15.9-Ubuntu" on "Armbian 22.08.4 Jammy with
Linux
> > 5.15.72-sunxi".
> >
> > How can I upgrade to Samba 4.16, do I just have to wait for an update
in
> > some future? Am I doomed?
> >
> > Il giorno mer 12 ott 2022 alle ore 20:54 Rowland Penny via samba <
> > samba at lists.samba.org> ha scritto:
> >
> > >
> > >
> > > On 12/10/2022 19:21, Diego Franchini via samba wrote:
> > > > this is an extract from my post on superuser and
serverfault. I've
> been
> > > > suggested to seek help here too.
> > > >
> > > > I'm constantly trying new solutions, literally anything
I can find
> > > online,
> > > > but to this day nothing has completely fixed it.
> > > >
> > > >
> > > > *DISCLAMER:*
> > > > I'm still trying to fully learn and understand how to
properly
> maintain a
> > > > samba domain controller.
> > > >
> > > > *The Problem:*
> > > >
> > > > I had a working samba installation with AD controlle but
now, just a
> > > month
> > > > after my last computer join, it won't work anymore. On
Windows it
> says
> > > > "unknown user or password" but I've checked
them to be correct.
> > > >
> > > > I tried setting the log level to 3 in "smb.conf"
and while trying to
> > > join a
> > > > computer this gets logged:
> > > >
> > > > [2022/10/04 12:11:58.018256, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ admuser at example.net from
ipv4:172.27.2.58:50124
> for
> > > > krbtgt/example.net at example.net
> > > > [2022/10/04 12:11:58.039839, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: 128
> > > > [2022/10/04 12:11:58.040080, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- admuser at
example.net
> > > > [2022/10/04 12:11:58.040191, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- admuser at
example.net
> > > > [2022/10/04 12:11:58.040341, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > admuser at example.net
> > > > [2022/10/04 12:11:58.043598, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/04 12:11:58.054880, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ admuser at example.net from
ipv4:172.27.2.58:50125
> for
> > > > krbtgt/example.net at example.net
> > > > [2022/10/04 12:11:58.076255, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/04 12:11:58.076483, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- admuser at
example.net
> > > > [2022/10/04 12:11:58.076587, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- admuser at
example.net
> > > > [2022/10/04 12:11:58.077527, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: ENC-TS Pre-authentication succeeded --
> admuser at example.net
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/04 12:11:58.077840, 3]
> > > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[admuser at example.net] at [Tue, 04 Oct 2022
12:11:58.077747
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.58:50125] became
> > > > [EXAMPLE]\[admuser]
[S-1-5-21-578677625-3635414378-1858279571-1104].
> > > > local host [NULL]
> > > > {"timestamp":
"2022-10-04T12:11:58.086113+0200", "type":
> > > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId":
"c61be2b0d84a3e12", "logonType": 3,
> > > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.58:50125",
"serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "admuser at
example.net", "workstation": null,
> > > > "becameAccount": "admuser",
"becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1104",
"mappedAccount":
> > > > "admuser", "mappedDomain":
"EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > > "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 31663}}
> > > > [2022/10/04 12:11:58.160727, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ authtime: 2022-10-04T12:11:58 starttime:
unset
> > > > endtime: 2022-10-04T22:11:58 renew till: 2022-10-11T12:11:58
> > > > [2022/10/04 12:11:58.161033, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client supported enctypes:
aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3,
using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/04 12:11:58.161206, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > > forwardable
> > > > [2022/10/04 12:11:58.165799, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/04 12:11:58.178036, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed to verify authenticator checksum:
Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/04 12:11:58.178282, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed parsing TGS-REQ from
ipv4:172.27.2.58:50126
> > > >
> > > > As you can see, the authentication here is reported to be
successful.
> > >
> > > Yes, the authentication for admuser is successful, but unless you
have
> > > changed the Administrator name to 'admuser', the join
will not work,
> > > have you tried a join with 'Administrator' ?
> > >
> > > So
> > > > far it's the same issue as here
> > > > <
> > >
>
https://www.claudiokuenzler.com/blog/1065/windows-client-unable-join-domain-samba-4-domain-controller-logon-failure-unknown-user-name
> > > > ,
> > > > so I tried the following commands:
> > > >
> > > > root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> > > > _ldap._tcp.example.net has SRV record 0 100 389
> smbdc1.example.net.
> > > > root at SMBDC1:~# host -t SRV _kerebros._udp.example.net
> > >
> > > Is that exactly what you typed ? If so, for the third time, it is
> > > 'kerberos' not 'kerebros'.
> > >
> > > > Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
> > > > root at SMBDC1:~# host -t A focal.exapmle.net
> > >
> > > 'example' not 'exapmle'
> > >
> > >
> > > > Host focal.example.net not found: 3(NXDOMAIN)
> > > >
> > > > root at SMBDC1:~# dig -t SRV _kerebros._udp.frankini.net
> > > >
> > > > ; <<>> DiG 9.16.1-Ubuntu <<>>
-t SRV _kerebros._
> udp.frankini.net
> > >
> > > 'kerebros' again.
> > >
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status:
NXDOMAIN, id: 138
> > > > ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0,
AUTHORITY: 1,
> > > ADDITIONAL: 0
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;_kerebros._udp.frankini.net. IN SRV
> > > >
> > > > ;; AUTHORITY SECTION:
> > > > frankini.net. 3600 IN SOA
> > > > smbdc1.frankini.net. hostmaster. frankini.net.
55 900
> 600
> > > 86400 3600
> > > >
> > > > ;; Query time: 3 msec
> > > > ;; SERVER: 172.27.1.1#53(172.27.1.1)
> > > > ;; WHEN: Fri Oct 07 21:44:12 CEST 2022
> > > > ;; MSG SIZE rcvd: 99
> > > >
> > > > This originally worked but now i get "*Host not
found*"... what could
> > > have
> > > > changed?
> > > >
> > > > *My setup*
> > > >
> > > > router: 172.27.0.1
> > > > smbdc: 172.27.1.1
> > > > dns: 172.27.1.2
> > > >
> > > > dhcp range: 172.27.2.2 - 172.27.2.254
> > > >
> > > > Samba runs on an Orange Pi Zero and I connect to it through
Putty and
> > > FileZilla
> > > >
> > > > I route communication between the xxx.xxx.0.xxx,
xxx.xxx.1.xxx and
> > > > xxx.xxx.2.xxx ip ranges and set the network mask to be
255.255.0.0
> > > >
> > > > *System*
> > > >
> > > > OS: Armbian 22.05.3 Focal with Linux 5.15.48-sunxi
> > > > SAMBA: Samba version 4.13.17-Ubuntu
> > > >
> > > > *smb.conf*
> > > >
> > > > # Global parameters
> > > > [global]
> > > > dns forwarder = 172.27.1.2
> > > > netbios name = SMBDC1
> > > > realm = EXAMPLE.NET <http://example.net/>
> > > > server role = active directory domain controller
> > > > workgroup = EXAMPLE
> > > > idmap_ldb:use rfc2307 = yes
> > > > host msdfs = yes
> > > > log level = 3
> > > >
> > > > [sysvol]
> > > > path = /var/lib/samba/sysvol
> > > > read only = No
> > > >
> > > > [netlogon]
> > > > path = /var/lib/samba/sysvol/example.net/scripts
> > > > read only = No
> > > >
> > > > *UPDATE:*
> > > >
> > > > I made an image of the disk as a backup, then did a bunch of
tests
> with
> > > no
> > > > success. so I finally reverted the image to the disk as it
was, and
> now
> > > > suddenly these commands work:
> > > >
> > > > root at SMBDC1:~# host -t SRV _ldap._tcp.example.net
> > > > _ldap._tcp.example.net has SRV record 0 100 389
> smbdc1.example.net.
> > > > root at SMBDC1:~# host -t SRV _kerberos._udp.example.net
> > > > _kerberos._udp.example.net has SRV record 0 100 88
> > > smbdc1.example.net.
> > >
> > > How can something that is spelt wrong work ?
> > >
> > > Rowland
> > >
> > > > root at SMBDC1:~# host -t A SMBDC1.example.net <
> http://smbdc1.example.net/>
> > > > SMBDC1.example.net <http://smbdc1.example.net/>
has address
> > > 172.27.1.4
> > > >
> > > > So the situation now is as follows:
> > > >
> > > > I added the computer "*TESTING-W11*" to the domain
with my domain
> admin
> > > > user, not with 'administrator'. It works only if i
do "
> user at example.net"
> > > > and not "user", which used to work before. and if
someone asks, yes I
> > > also
> > > > tried with administrator and it only work as "
> administrator at example.com"
> > > >
> > > > after the computer rebooted I tried to login but it says
wrong user
> or
> > > > password.
> > > >
> > > > this is the log file of login attempt:
> > > >
> > > > [2022/10/12 19:39:25.980185, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE from
ipv4:172.27.2.26:50574 for
> > > > krbtgt/EXAMPLE at EXAMPLE
> > > > [2022/10/12 19:39:26.008882, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.009229, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.009433, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.009709, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.013190, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.024021, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE from
ipv4:172.27.2.26:50575 for
> > > > krbtgt/EXAMPLE at EXAMPLE
> > > > [2022/10/12 19:39:26.051743, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.052093, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.052302, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at EXAMPLE
> > > > [2022/10/12 19:39:26.052948, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: ENC-TS Pre-authentication succeeded -- user2 at
EXAMPLE
> using
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.053349, 3]
> > > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\
> > > > [user2 at EXAMPLE] at [Wed, 12 Oct 2022 19:39:26.053205
CEST] with
> > > > [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
[(null)]
> > > > remote host [ipv4:172.27.2.26:50575] became
[EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > > > {"timestamp":
"2022-10-12T19:39:26.053767+0200", "type":
> > > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId":
"d3433331ec6a5bf7", "logonType": 3,
> > > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50575",
"serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE",
"workstation": null,
> > > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > > "user2", "mappedDomain":
"EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > > "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 30203}}
> > > > [2022/10/12 19:39:26.089947, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.090338, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client supported enctypes:
aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3,
using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.090474, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.097520, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.106943, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed to verify authenticator checksum:
Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.107170, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed parsing TGS-REQ from
ipv4:172.27.2.26:50576
> > > > [2022/10/12 19:39:26.110456, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.114239, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50577
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.127198, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.127410, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.127580, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.127768, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.130816, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.140450, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50578
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.152897, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.153102, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.153210, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.153583, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: ENC-TS Pre-authentication succeeded --
> user2 at EXAMPLE.NET
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.153816, 3]
> > > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022
19:39:26.153732
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.26:50578] became
> [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > > > {"timestamp":
"2022-10-12T19:39:26.154039+0200", "type":
> > > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId":
"869dfe1fc68f82a8", "logonType": 3,
> > > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50578",
"serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > > "user2", "mappedDomain":
"EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > > "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 13913}}
> > > > [2022/10/12 19:39:26.182189, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.182483, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client supported enctypes:
aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3,
using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.182612, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.187831, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.197162, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed to verify authenticator checksum:
Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.197385, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed parsing TGS-REQ from
ipv4:172.27.2.26:50579
> > > > [2022/10/12 19:39:26.202216, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.206268, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50580
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.218896, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.219112, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.219220, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.219367, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.226212, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.236585, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50581
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.249060, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.249272, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.249377, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.249842, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: ENC-TS Pre-authentication succeeded --
> user2 at EXAMPLE.NET
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.250084, 3]
> > > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022
19:39:26.250002
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.26:50581] became
> [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > > > {"timestamp":
"2022-10-12T19:39:26.250309+0200", "type":
> > > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId":
"b111aea5f91526ac", "logonType": 3,
> > > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50581",
"serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > > "user2", "mappedDomain":
"EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > > "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 13999}}
> > > > [2022/10/12 19:39:26.278425, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.278721, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client supported enctypes:
aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3,
using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.278850, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.284069, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.293333, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed to verify authenticator checksum:
Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.293567, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed parsing TGS-REQ from
ipv4:172.27.2.26:50582
> > > > [2022/10/12 19:39:26.297119, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.301280, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50583
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.314043, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: 128
> > > > [2022/10/12 19:39:26.314253, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.314361, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.314507, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > > user2 at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.317995, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.328064, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ user2 at EXAMPLE.NET from
ipv4:172.27.2.26:50584
> for
> > > > krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > > [2022/10/12 19:39:26.340620, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client sent patypes: encrypted-timestamp, 128
> > > > [2022/10/12 19:39:26.340832, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for PKINIT pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.340934, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Looking for ENC-TS pa-data -- user2 at
EXAMPLE.NET
> > > > [2022/10/12 19:39:26.341304, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: ENC-TS Pre-authentication succeeded --
> user2 at EXAMPLE.NET
> > > > using aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.341534, 3]
> > > >
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > > > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > > > [(null)]\[user2 at EXAMPLE.NET] at [Wed, 12 Oct 2022
19:39:26.341453
> > > > CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> workstation
> > > > [(null)] remote host [ipv4:172.27.2.26:50584] became
> [EXAMPLE]\[user2]
> > > > [S-1-5-21-578677625-3635414378-1858279571-1105]. local host
[NULL]
> > > > {"timestamp":
"2022-10-12T19:39:26.341761+0200", "type":
> > > > "Authentication", "Authentication":
{"version": {"major": 1, "minor":
> > > > 2}, "eventId": 4624, "logonId":
"4baa7d35daccf446", "logonType": 3,
> > > > "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
> > > > "ipv4:172.27.2.26:50584",
"serviceDescription": "Kerberos KDC",
> > > > "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
> > > > "clientAccount": "user2 at EXAMPLE.NET",
"workstation": null,
> > > > "becameAccount": "user2",
"becameDomain": "EXAMPLE", "becameSid":
> > > > "S-1-5-21-578677625-3635414378-1858279571-1105",
"mappedAccount":
> > > > "user2", "mappedDomain":
"EXAMPLE", "netlogonComputer": null,
> > > > "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
> > > > "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
> > > > "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 13987}}
> > > > [2022/10/12 19:39:26.369985, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime:
unset
> > > > endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
> > > > [2022/10/12 19:39:26.370274, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Client supported enctypes:
aes256-cts-hmac-sha1-96,
> > > > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3,
using
> > > > aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.370405, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Requested flags: renewable-ok, canonicalize,
renewable,
> > > forwardable
> > > > [2022/10/12 19:39:26.375775, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > > [2022/10/12 19:39:26.385121, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed to verify authenticator checksum:
Decrypt
> integrity
> > > > check failed for checksum type rsa-md5, key type
> > > > aes256-cts-hmac-sha1-96
> > > > [2022/10/12 19:39:26.385343, 3]
> > > >
> > >
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > > > Kerberos: Failed parsing TGS-REQ from
ipv4:172.27.2.26:50585
> > > > [2022/10/12 19:39:26.388686, 3]
> > > >
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> > > > stream_terminate_connection: Terminating connection -
> > > > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > > > NT_STATUS_CONNECTION_DISCONNECTED'
> > > >
> > > > is there something wrong in the log file?
> > > >
> > > >
> > > > Thank you,
> > > >
> > > > Diego
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
>
>