Andrew Bartlett
2012-Oct-03 06:22 UTC
[Samba] Samba4 KDC Windows 7 clients may fail to get a ticket
On Wed, 2012-10-03 at 10:28 +0400, Dmitry Khromov wrote:
> Hello.
> Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. Windows 7 machines may fail to get a ticket:
>
> [2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ con-11$@KLIN.KIFATO-MK.COM from ipv4:192.168.1.138:49682 for krbtgt/KLIN.KIFATO-MK.COM at KLIN.KIFATO-MK.COM
> [2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for PKINIT pa-data -- con-11$@KLIN.KIFATO-MK.COM
> [2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for ENC-TS pa-data -- con-11$@KLIN.KIFATO-MK.COM
> [2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- con-11$@KLIN.KIFATO-MK.COM (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- con-11$@KLIN.KIFATO-MK.COM
> [2012/10/03 09:31:54, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2012/10/03 09:31:54, 3] ../source4/smbd/process_single.c:104(single_terminate)
>   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

This certainly is a worry, but perhaps you can get me some more detail:

What happens when this error occurs? Does something fail on the client?

Is this only shortly after a machine account password change, and pending replication?

Does the client retry with the previous machine account password?

Thanks,

Andrew Bartlett

--
Andrew Bartlett                      http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Dmitry Khromov
2012-Oct-03 06:28 UTC
[Samba] Samba4 KDC Windows 7 clients may fail to get a ticket
Hello.

Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. Windows 7 machines may fail to get a ticket:

[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ con-11$@KLIN.KIFATO-MK.COM from ipv4:192.168.1.138:49682 for krbtgt/KLIN.KIFATO-MK.COM at KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- con-11$@KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- con-11$@KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- con-11$@KLIN.KIFATO-MK.COM (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- con-11$@KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2012/10/03 09:31:54, 3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

--
Best regards,
Dmitry Khromov.
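
A triage helper for KDC logs in the format of the excerpt above, as an added example that is not part of the original thread and not Samba code: it pairs each AS-REQ line with later "Failed to decrypt PA-DATA" lines and counts pre-authentication failures per principal, client address and enctype. The function names, the threshold and the sample log lines (principals, addresses) are constructed for illustration.

```python
import re
from collections import Counter

HDR = "[2012/10/03 09:31:54, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)"
# Constructed sample messages (principals and addresses are made up), laid out
# in the header-line + message-line format of the log excerpt in this thread.
MESSAGES = [
    "Kerberos: AS-REQ host-a$@EXAMPLE.COM from ipv4:192.0.2.10:49682 for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Kerberos: Client sent patypes: encrypted-timestamp, 128",
    "Kerberos: Failed to decrypt PA-DATA -- host-a$@EXAMPLE.COM (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed",
    "Kerberos: Failed to decrypt PA-DATA -- host-a$@EXAMPLE.COM",
    "Kerberos: AS-REQ host-b$@EXAMPLE.COM from ipv4:192.0.2.11:50001 for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Kerberos: Client sent patypes: encrypted-timestamp, 128",
    "Kerberos: AS-REQ host-a$@EXAMPLE.COM from ipv4:192.0.2.10:49700 for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Kerberos: Failed to decrypt PA-DATA -- host-a$@EXAMPLE.COM (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed",
]
SAMPLE_LOG = "\n".join(f"{HDR}\n  {m}" for m in MESSAGES)

AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from (\w+):(\S+):(\d+) for ")
# Only the line carrying the enctype is matched; the shorter repeat of the
# same failure (no enctype) is skipped so each failure is counted once.
FAIL = re.compile(r"Kerberos: Failed to decrypt PA-DATA -- (\S+) \(enctype ([^)]+)\)")

def preauth_failures(log_text):
    """Count ENC-TS decrypt failures per (principal, client address, enctype)."""
    last_addr = {}  # principal -> address seen in its most recent AS-REQ
    failures = Counter()
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            last_addr[m.group(1)] = m.group(3)
            continue
        m = FAIL.search(line)
        if m:
            principal, enctype = m.groups()
            failures[(principal, last_addr.get(principal, "unknown"), enctype)] += 1
    return failures

def machine_accounts_failing(log_text, threshold=2):
    """Machine accounts (name ends in $) at or above the failure threshold."""
    per_principal = Counter()
    for (principal, _, _), n in preauth_failures(log_text).items():
        per_principal[principal] += n
    return sorted(p for p, n in per_principal.items()
                  if p.split("@")[0].endswith("$") and n >= threshold)

if __name__ == "__main__":
    for key, n in preauth_failures(SAMPLE_LOG).items():
        print(n, *key)
```

Grouping by machine account and timestamp window makes it easier to answer whether the failures cluster around a machine account password change.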