Kacper Wirski
2023-Dec-17 21:52 UTC
[Samba] netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS
Hello,

I'm running samba as AD DC on Debian 10, 3 DC's total, samba is from base debian repo
Version 4.13.13-Debian

today on one of my DC's I started to see error such as this:

samba[2720697]: [2023/12/17 22:36:21.896597,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1414(dcesrv_netr_LogonSamLogon_base_reply)
samba[2720697]:   dcesrv_netr_LogonSamLogon_base_reply: netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS

it started to appear after I moved my VM with samba file server between 2 hyper-v hosts. In my samba DC log, before this error appears, I see:

samba[2720714]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SRV6$@MYDOMAIN] at [Sun, 17 Dec 2023 22:36:21.851537 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.1 etc.
samba[2720714]:   {"timestamp": "2023-12-17T22:36:21.851719+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "b204a5992394b4e1", "logonType": 3, "status": "NT_STATUS_OK", etc.

VM itself was updated (centos 7.9 running samba from repo i.e. Version 4.10.16)

The account that appears right before the error, on the other hand, is the hyper-v host account on which my file server was previously. I can't find anything NOT working, but the error is new and I have no idea what to do about it and what caused it. Hyper-v hosts use certificates not kerberos for replication (it was my first guess that it's something concerning replication, but it's not).

Any pointers and help is appreciated. I know that I could try updating samba on DC's (backports repo), but it's not something I can do on a whim.

Regards,
Kacper
Andrew Bartlett
2023-Dec-18 00:51 UTC
[Samba] netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS
On Sun, 2023-12-17 at 22:52 +0100, Kacper Wirski via samba wrote:
> Hello,
> I'm running samba as AD DC on Debian 10, 3 DC's total, samba is from
> base debian repo
> Version 4.13.13-Debian
> today on one of my DC's I started to see error such as this:
>
> samba[2720697]: [2023/12/17 22:36:21.896597, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1414(dcesrv_netr_
> LogonSamLogon_base_reply)samba[2720697]:
> dcesrv_netr_LogonSamLogon_base_reply:
> netlogon_creds_encrypt_samlogon_validation() failed -
> NT_STATUS_INVALID_INFO_CLASS
>
> it started to appear after I moved my VM with samba file server
> between 2 hyper-v hosts. In my samba DC log, before this error
> appears, I see:
> samba[2720714]: Auth: [Kerberos KDC,ENC-TS Pre-authentication]
> user [(null)]\[SRV6$@MYDOMAIN] at [Sun, 17 Dec 2023 22:36:21.851537
> CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation
> [(null)] remote host [ipv4:192.1 etc.samba[2720714]: {"timestamp":
> "2023-12-17T22:36:21.851719+0100", "type": "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 2}, "eventId":
> 4624, "logonId": "b204a5992394b4e1", "logonType": 3, "status":
> "NT_STATUS_OK", etc.
> VM itself was updated (centos 7.9 running samba from repo i.e.
> Version 4.10.16)

This is a more important detail than the host migration.

Samba 4.11 included this commit:

commit 8c9cf56fe9865029bf033557b00e8987873a7096
Author: Andreas Schneider <asn at samba.org>
Date:   Wed May 29 14:39:34 2019 +0200

    libcli:auth: Return NTSTATUS for netlogon_creds_server_step_check()

    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

The code now says:

    default:
        /* If we can't find it, we can't very well decrypt it */
        return NT_STATUS_INVALID_INFO_CLASS;

The server is sending back some data that we don't know how to handle.

More details may be available at higher debug levels, but it gets overwhelming fast and can contain sensitive info.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
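
The correlation done by hand in the first message (which account authenticated right before each netlogon error), as an added example that is not part of the thread or of Samba's code. It assumes journald-style lines in the shape quoted above and timestamps in one local timezone; the sample log, including its addresses and the WS1$ account, is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the log lines quoted in the thread.
SAMPLE_LOG = """\
samba[2720714]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[SRV6$@MYDOMAIN] at [Sun, 17 Dec 2023 22:36:21.851537 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.10:49152]
samba[2720697]: [2023/12/17 22:36:21.896597,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1414(dcesrv_netr_LogonSamLogon_base_reply)
samba[2720697]:   dcesrv_netr_LogonSamLogon_base_reply: netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS
samba[2720714]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[WS1$@MYDOMAIN] at [Sun, 17 Dec 2023 22:40:00.000000 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.20:49153]
"""

# "Auth:" summary line: capture the principal, the timestamp and the enctype.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] "
    r"at \[\w+, (?P<ts>[^\]]*?) \w+\] with \[(?P<etype>[^\]]*)\]")
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.ffffff,  <level>]".
HDR_RE = re.compile(r"\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+),\s*\d+\]")
FAILURE = "netlogon_creds_encrypt_samlogon_validation() failed"


def correlate(log_text, window=timedelta(seconds=1)):
    """Pair each failure with the latest Auth event at most `window` before it."""
    auths, last_hdr, hits = [], None, []
    for line in log_text.splitlines():
        if (m := AUTH_RE.search(line)):
            ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S.%f")
            auths.append((ts, m["user"], m["etype"]))
        elif (m := HDR_RE.search(line)):
            # The failure text is on the line after its header; keep the time.
            last_hdr = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        elif FAILURE in line and last_hdr is not None:
            prior = [a for a in auths
                     if timedelta(0) <= last_hdr - a[0] <= window]
            _, user, etype = max(prior) if prior else (None, None, None)
            hits.append({"failed_at": last_hdr, "account": user, "etype": etype})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit["failed_at"], hit["account"], hit["etype"])
```

Run over a full DC log, a failure whose account comes back as None had no Auth line inside the window, which is worth widening before drawing conclusions.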