samba - Oct 2024 - Kerberos ticket renew causes a brief network interruption

Hi Ralph Boehme,
>> My hotfolderscan tool start om Monday 2:11 PM en the Kerberos ticket
renewal occurs on 11:19 PM.
>> The hotfolderscantool wrote in the logfile:
>>    2024-10-28 23:19:00 Error 2 No such file or directory
>>>    2024-10-28 23:19:03 Share available again
>> 
>> That was after 9:08 hours and that is 32888 seconds.
>> That time do you also see in the Wireshark output in the attachment.
>there's only a screenshot and it only shows encrypted packets. We need
unencrypted SMB and the pcap file. You'll likely have to upload it somewhere
where >you can share a download link.
>We'll only need the last 60 seconds or so, not the whole pcap if
it's big.
>And again: we need the same against a Windows server to check for
differences.
Kerberos is used to encrypt the SMB packages.
When I use unencrypted SMB, Kerberos is not used and the problem doesn't
occur.

I have a pcap file from SMB against a Windows server, but nothing went wrong, so
I don't how late the Kerberos ticket renewal.
That pcap file contains also encrypted packets, so I don't know how to find
the packets on the moment that the Kerberos ticket renewal.

This discussion is much like the long discussion with Synology's second line
support.
Finally, Synology's second line support ran my hotdolderscan.exe tool
internally at their place and that cleared things up.

Best regards,
Hans van Leeuwen

-----Original Message-----
From: Ralph Boehme <slow at samba.org> 
Sent: Tuesday, October 29, 2024 11:40 AM
To: Hans van Leeuwen <HansvanLeeuwen at mailstreet.nl>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Kerberos ticket renew causes a brief network interruption

LET OP: Deze e-mail is afkomstig van buiten de organisatie. Klik niet op links
of open geen bijlagen tenzij je zeker weet dat je de afzender herkent.

On 10/29/24 3:08 PM, Hans van Leeuwen wrote:
> Kerberos is used to encrypt the SMB packages.
encryption is done with one of the supported encryption ciphers like 
AES-CCM or AES-GCM. Encryption keys are derived from key material 
established when a connection is authenticated via NTLM or Kerberos, but 
generally the authentication protocol used (NTLM or Kerberos) is 
independent from encrypting SMB or not. To disable encryption support on 
the Samba server you can set "server smb encrypt = no". However, if
the
client is configured to require encryption, connection establishment 
might fail.
> When I use unencrypted
> SMB, Kerberos is not used and the problem doesn't occur.
Hm, see above, these are two independent things: authentication and 
encryption. Generally, a client can use Kerberos for authentication but 
then use unencrypted SMB just fine.
> I have a pcap file from SMB against a Windows server, but nothing
> went wrong, so I don't how late the Kerberos ticket renewal. That
> pcap file contains also encrypted packets, so I don't know how to
> find the packets on the moment that the Kerberos ticket renewal.
> 
> This discussion is much like the long discussion with Synology's
> second line support. Finally, Synology's second line support ran my
> hotdolderscan.exe tool internally at their place and that cleared
> things up.
rofl, I'm sorry that a seasoned Samba engineer doesn't do any better 
then Synology's 2nd level support! :)))

-slow

-- 
SerNet Samba Team Lead https://sernet.de/
Samba Team Member      https://samba.org/
SAMBA+ packages       https://samba.plus/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20241029/21097dd4/OpenPGP_signature.sig>