Izan Díez Sánchez
2016-Jun-24 09:58 UTC
[Samba] Login not possible / machine account issues
Hi,

Did you find any solution? I am facing exactly the same scenario.

- CentOS 6.7
- Samba Version 4.4.3
- BIND_DLZ 9.9.8

Some workstations suddenly are unable to login, unless I reboot or rejoin the domain. The only odd event I see in the client is the one already said:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: workstation.sub.domain.tld
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "workstation$". The target name used was "WORKSTATION$". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SUB.DOMAIN.TLD) is different from the client domain (SUB.DOMAIN.TLD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Searching in the logs, apparently the domain controller is granting the ticket:

[2016/06/24 10:35:23.082573, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ myuser at mydomain from ipv4:172.31.1.134:56661 for krbtgt/mydomain at mydomain
[2016/06/24 10:35:23.088584, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: 128
[2016/06/24 10:35:23.088624, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
[2016/06/24 10:35:23.088640, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
[2016/06/24 10:35:23.088670, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser at mydomain
[2016/06/24 10:35:23.089174, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection) Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.089214, 3] ../source4/smbd/process_single.c:114(single_terminate) single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.090052, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ myuser at mydomain from ipv4:199.99.9.199:56662 for krbtgt/mydomain at mydomain
[2016/06/24 10:35:23.095400, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/06/24 10:35:23.095437, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- myuser at mydomain
[2016/06/24 10:35:23.095467, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- myuser at mydomain
[2016/06/24 10:35:23.095526, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: ENC-TS Pre-authentication succeeded -- myuser at mydomain using arcfour-hmac-md5
[2016/06/24 10:35:23.095557, 4] ../source4/auth/sam.c:182(authsam_account_ok) authsam_account_ok: Checking SMB password for user myuser at mydomain
[2016/06/24 10:35:23.095719, 5] ../source4/auth/sam.c:116(logon_hours_ok) logon_hours_ok: No hours restrictions for user myuser at mydomain
[2016/06/24 10:35:23.095774, 5] ../source4/auth/sam.c:820(authsam_logon_success_accounting) lastLogonTimestamp is 131110567801968850
[2016/06/24 10:35:23.095937, 5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp) sync interval is 14
[2016/06/24 10:35:23.095973, 5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp) randomised sync interval is 12 (-2)
[2016/06/24 10:35:23.095993, 5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp) old timestamp is 131110567801968850, threshold 131101941230958000, diff 8626571010850
[2016/06/24 10:35:23.122089, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ authtime: 2016-06-24T10:35:23 starttime: unset endtime: 2016-06-24T20:35:23 renew till: 2016-07-01T10:35:23
[2016/06/24 10:35:23.122204, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2016/06/24 10:35:23.122242, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2016/06/24 10:35:23.122933, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection) Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/06/24 10:35:23.122968, 3] ../source4/smbd/process_single.c:114(single_terminate) single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/06/24 10:35:23.124716, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ myuser at MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea at MYDOMAIN.EA [canonicalize, renewable, forwardable]

I've troubleshot DNS and resolution is working fine for domain controllers (including services) and windows7machine.mydomain.ea. It looks like the machine has renewed its Kerberos password and the domain controller (KDC) didn't notice, although that wouldn't match pure AD behavior according to <https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/>

My kerberos configuration is as simple as:

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I'm not a Kerberos expert and maybe it could be tuned to avoid this behavior in the Active Directory. It's hard to believe no one has experienced something similar.

Regards,

Izan Díez Sánchez
ids at empre.es

---------------------------------------------------------------------
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message by mistake, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. Visit our web page: www.empre.es
---------------------------------------------------------------------
Please, do not print this message unless it is necessary. Our environment is in our hands.
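The Samba KDC log quoted in this post is hard to read once it is flattened, and the question it is meant to answer is whether the DC ever refused the workstation or whether it issued the host/ ticket and the failure happened on the client. The script below is an added example, not code from the Samba project or from the poster: it parses Samba's "[timestamp, level] file:line(function)" log records (header and message on one line or on two), pulls out the AS-REQ, PREAUTH-REQUIRED, ENC-TS pre-auth success and TGS-REQ events, flags RC4/DES ticket keys, and lists the service tickets issued for a given host. The sample log embedded in it is constructed to mirror the sequence in the post; the principal, realm and address values are placeholders.

```python
"""Summarise the Kerberos exchanges recorded in a Samba AD DC debug log
(log level 3 or higher), so the AS-REQ / pre-auth / TGS-REQ path a workstation
took can be compared with the KRB_AP_ERR_MODIFIED event on the Windows side.
Added example for this thread, not Samba project code. Sample log is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Samba log header: "[YYYY/MM/DD HH:MM:SS.micro, level] file.c:line(function)".
# The message may sit on the same line (as in list archives) or on the next one.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<where>\S+)(?:\s+(?P<msg>.*))?$"
)
# Message shapes emitted through smb_krb5_debug_wrapper.
AS_REQ_RE = re.compile(r"AS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)")
TGS_REQ_RE = re.compile(r"TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)")
PREAUTH_OK_RE = re.compile(r"ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<etype>\S+)")
# RC4 and DES keys are worth flagging whenever the KDC still selects them.
LEGACY_ETYPES = {"arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}


@dataclass
class LogRecord:
    timestamp: str
    level: int
    where: str
    message: str


@dataclass
class KerberosSummary:
    as_requests: list = field(default_factory=list)        # (client, addr, service)
    preauth_required: int = 0
    preauth_succeeded: list = field(default_factory=list)  # (client, enctype)
    tgs_requests: list = field(default_factory=list)       # (client, addr, service)
    legacy_enctypes: Counter = field(default_factory=Counter)


def parse_samba_log(text: str) -> list:
    """Group each header line with its (possibly continued) message text."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if pending is not None:
                records.append(pending)
            pending = LogRecord(m["ts"], int(m["level"]), m["where"], (m["msg"] or "").strip())
        elif pending is not None:
            pending.message = (pending.message + " " + line).strip()
    if pending is not None:
        records.append(pending)
    return records


def _unmangle(msg: str) -> str:
    """List archives print '@' as ' at '; restore it so principals match."""
    return re.sub(r"(\S) at (\S)", r"\1@\2", msg)


def summarize_kerberos(records) -> KerberosSummary:
    """Extract AS-REQ, PREAUTH-REQUIRED, pre-auth success and TGS-REQ events."""
    s = KerberosSummary()
    for r in records:
        if "Kerberos:" not in r.message:
            continue
        msg = _unmangle(r.message.split("Kerberos:", 1)[1].strip())
        if m := AS_REQ_RE.match(msg):
            s.as_requests.append((m["client"], m["addr"], m["service"]))
        elif m := TGS_REQ_RE.match(msg):
            s.tgs_requests.append((m["client"], m["addr"], m["service"]))
        elif m := PREAUTH_OK_RE.match(msg):
            s.preauth_succeeded.append((m["client"], m["etype"]))
            if m["etype"] in LEGACY_ETYPES:
                s.legacy_enctypes[m["etype"]] += 1
        elif "returning PREAUTH-REQUIRED" in msg:
            s.preauth_required += 1
    return s


def service_tickets_for(summary: KerberosSummary, host_fqdn: str) -> list:
    """TGS-REQs for host/<fqdn>. When the DC logs these without any error, the
    KRB_AP_ERR_MODIFIED on the client points at the workstation's own stored
    machine-account key no longer matching the key the KDC used for the ticket."""
    want = f"host/{host_fqdn.lower()}@"
    return [t for t in summary.tgs_requests if t[2].lower().startswith(want)]


# Constructed sample: the thread's event sequence, in Samba's two-line layout
# plus one archive-style joined line with " at " in place of "@".
SAMPLE_LOG = """\
[2016/06/24 10:35:23.082573,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser@MYDOMAIN.EA from ipv4:199.99.9.199:56661 for krbtgt/MYDOMAIN.EA@MYDOMAIN.EA
[2016/06/24 10:35:23.088670,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- myuser@MYDOMAIN.EA
[2016/06/24 10:35:23.090052,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ myuser@MYDOMAIN.EA from ipv4:199.99.9.199:56662 for krbtgt/MYDOMAIN.EA@MYDOMAIN.EA
[2016/06/24 10:35:23.095526,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- myuser@MYDOMAIN.EA using arcfour-hmac-md5
[2016/06/24 10:35:23.124716,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ myuser at MYDOMAIN.EA from ipv4:199.99.9.199:56663 for host/windows7machine.mydomain.ea at MYDOMAIN.EA [canonicalize, renewable, forwardable]
"""

if __name__ == "__main__":
    summary = summarize_kerberos(parse_samba_log(SAMPLE_LOG))
    print(f"AS-REQ: {len(summary.as_requests)}, PREAUTH-REQUIRED: {summary.preauth_required}")
    print(f"pre-auth ok: {summary.preauth_succeeded}; legacy enctypes: {dict(summary.legacy_enctypes)}")
    for client, addr, service in service_tickets_for(summary, "windows7machine.mydomain.ea"):
        print(f"service ticket issued: {service} to {client} from {addr}")
```

To run it against a real DC, replace SAMPLE_LOG with the contents of the Samba log file (the Kerberos lines only appear at log level 3 or higher, as in the post). A host that shows up in service_tickets_for() with no KDC error on the DC, yet logs Event ID 4 locally, is the pattern described above; the fix the poster already applies (rejoining the domain) resets the machine-account key on both sides.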