Any pointers here? I've poked this a bit more but haven't come up with any more clues as to why Windows is rejecting the tickets.
On Sun, Apr 1, 2018 at 9:59 PM, Ryan Bair <ryandbair at gmail.com> wrote:
> I've been playing with a MIT powered DC. There are two DCs, an existing
> Heimdal based one running Samba 4.5 and a new MIT based one running 4.7.6.
>
> There are clients running Windows 7 and 10, a 2012R2 server, and a Samba
> 4.5 file server.
>
> Once the new MIT DC is brought online, clients can no longer connect to
> the Windows server by hostname. Connections still work via IP address which
> makes me suspect a Kerberos issue. Shutting down the MIT DC allows the
> clients to connect again.
>
> Packet captures show that clients are getting STATUS_ACCESS_DENIED while
> attempting to connect. This pops open a password dialog on the client,
> entering the credentials there causes the client to issue a TGS to the MIT
> DC, which gives a successful response, but the Windows server again denies
> access.
>
> On the Windows Server, I see an error 551 (authentication) in failure
> cases. Somewhat interesting is that the error has FULL.DOMAIN.NAME/user
> as the user versus the usual case of WORKGROUP/user.
>
> Any help would be appreciated.
>
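As an added example (not code from the thread or from Samba), a practical next step in a case like this is to compare the service tickets each DC hands out for the same SPN: the realm and sname in the ticket, and the etype and kvno of its enc-part, are the fields the target server checks against its own keytab/machine password before it can even look at the PAC. The script below is a minimal DER parser for the RFC 4120 Ticket structure plus an encoder used only to build constructed sample tickets inline; the realm EXAMPLE.COM, the SPN cifs/fs.example.com and the etype/kvno values are assumptions for illustration, not something the original post reports. On a live network the ticket bytes would come from a capture (the TGS-REP) or from the credential cache; `klist -e` on MIT/Heimdal and `klist` on Windows show the same etype information without parsing anything.

```python
"""Minimal DER parser for a Kerberos Ticket (RFC 4120 section 5.3).

Extracts realm, service principal, enc-part etype and kvno so tickets
issued by two different KDCs for the same SPN can be compared.
Encoder helpers exist only to construct sample tickets for the example.
"""

# IANA Kerberos encryption type numbers (RFC 3961/3962/4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

# --- DER encoding (only used to build the constructed samples) ---------------
def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def der_gstr(s):            # KerberosString is a GeneralString (tag 0x1B)
    return tlv(0x1B, s.encode("ascii"))

def ctx(n, body):           # context-specific, constructed: [n]
    return tlv(0xA0 | n, body)

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def encode_ticket(realm, sname, etype, kvno, cipher):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }."""
    principal = seq(ctx(0, der_int(2)),                        # name-type NT-SRV-INST
                    ctx(1, seq(*[der_gstr(p) for p in sname])))
    enc_parts = [ctx(0, der_int(etype))]
    if kvno is not None:                                       # kvno is OPTIONAL
        enc_parts.append(ctx(1, der_int(kvno)))
    enc_parts.append(ctx(2, tlv(0x04, cipher)))
    return tlv(0x61, seq(ctx(0, der_int(5)), ctx(1, der_gstr(realm)),
                         ctx(2, principal), ctx(3, seq(*enc_parts))))

# --- DER decoding ------------------------------------------------------------
def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the TLV at buf[off]."""
    tag = buf[off]; off += 1
    length = buf[off]; off += 1
    if length & 0x80:                                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big"); off += n
    return tag, buf[off:off + length], off + length

def read_seq(body):
    """Split a SEQUENCE body into its (tag, value) children."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def read_int(tlv_bytes):
    tag, val, _ = read_tlv(tlv_bytes)
    if tag != 0x02:
        raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
    return int.from_bytes(val, "big", signed=True)

def ctx_fields(tlv_bytes):
    """Map context tag number -> inner TLV bytes for a SEQUENCE of [n] fields."""
    return {t & 0x1F: v for t, v in read_seq(read_tlv(tlv_bytes)[1])}

def parse_ticket(data):
    tag, body, _ = read_tlv(data)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket (expected [APPLICATION 1])")
    f = {t & 0x1F: v for t, v in read_seq(read_tlv(body)[1])}
    pn = ctx_fields(f[2])
    enc = ctx_fields(f[3])
    etype = read_int(enc[0])
    return {
        "tkt_vno": read_int(f[0]),
        "realm": read_tlv(f[1])[1].decode("ascii"),
        "name_type": read_int(pn[0]),
        "sname": "/".join(v.decode("ascii") for _, v in read_seq(read_tlv(pn[1])[1])),
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "kvno": read_int(enc[1]) if 1 in enc else None,
        "cipher_len": len(read_tlv(enc[2])[1]),
    }

def compare_tickets(a, b, keys=("realm", "sname", "etype", "kvno")):
    """Fields on which two parsed tickets for the same SPN disagree."""
    return [k for k in keys if a[k] != b[k]]

# Constructed sample tickets (not captured from the poster's network): same SPN,
# different etype and kvno, as two KDCs with divergent service keys might issue.
SAMPLE_TICKETS = {
    "dc-a": encode_ticket("EXAMPLE.COM", ["cifs", "fs.example.com"], 18, 3, b"\x00" * 64),
    "dc-b": encode_ticket("EXAMPLE.COM", ["cifs", "fs.example.com"], 23, 2, b"\x00" * 64),
}

if __name__ == "__main__":
    parsed = {k: parse_ticket(v) for k, v in SAMPLE_TICKETS.items()}
    for k, t in parsed.items():
        print(k, t)
    print("differs in:", compare_tickets(parsed["dc-a"], parsed["dc-b"]))
```

If two DCs disagree on etype or kvno for the same SPN, the target server can only decrypt tickets from the DC whose view of the service key matches its own; a ticket with a different kvno is rejected before any authorization data is examined. The parser deliberately stops at the enc-part boundary: the cipher text and the PAC inside it need the service key to inspect, which a client-side check does not have.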