Matthew Schumacher
2022-Oct-27 23:36 UTC
[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
On 10/26/22 4:27 AM, Oliver Freyd via samba wrote:
> Hello,
>
> I'm running a network with 2 samba AD DCs that were on 4.12.15 on
> debian buster (debian 10, oldstable).
>
> Because of the Win11 22H2 bug I upgraded one of the DCs to samba 4.6.5
> on debian bullseye, via the samba package from bullseye-backports.
>
> This DC has one problem though, when people connect to their Windows
> machines via RDP the connection fails when this DC is used (verified
> that by switching off the old DC and only using the new one), it seems
> the password authentication does not work correctly, RDP will show
> the username/password dialog repeatedly...
>
> This happens only when the RDP connection is made with the DNS-name of
> the client machine, the connection works if one connects with the IP
> of the client machine.
>
> Checking with wireshark I see a kerberos error: KRB5KDC_ERR_TGT_REVOKED
>
> Another weird thing is that yesterday I re-joined that new DC, and
> temporarily everything worked fine, only after a day or so it fails
> again.
>
> Any ideas on how I could debug this issue?
>
> best regards,
>
> Oliver Freyd

I'm also having problems with RDP sessions not authenticating against samba heimdal kdc. What is odd is that the initial RDP connection (network level connection) works fine and authenticates me, but when I get to the desktop, I get access denied and that my password is wrong as if I used a wrong password at the console. If I put in the wrong password into the initial rdp session for network level connection, it immediately rejects me without letting me see the desktop.

Looking at wireshark under the covers, I suspect it's a kerberos issue, however all of my hosts have dns settings of samba domain controllers and my samba servers do appear to get AD updates.

I was running 4.16.4 but now I'm on 4.17.2 with no change.

I wonder if something changed on the windows side. I see Jakob posted about a 22H2 update breaking this. Anyone know the specific fix and how to roll it back?

Thanks,
Matt
On 10/27/22 4:36 PM, Matthew Schumacher via samba wrote:
>
> I'm also having problems with RDP sessions not authenticating against
> samba heimdal kdc. What is odd is that the initial RDP connection
> (network level connection) works fine and authenticates me, but when I
> get to the desktop, I get access denied and that my password is wrong
> as if I used a wrong password at the console. If I put in the wrong
> password into the initial rdp session for network level connection, it
> immediately rejects me without letting me see the desktop.
>
> Looking at wireshark under the covers, I suspect it's a kerberos
> issue, however all of my hosts have dns settings of samba domain
> controllers and my samba servers do appear to get AD updates.
>
> I was running 4.16.4 but now I'm on 4.17.2 with no change.
>
> I wonder if something changed on the windows side. I see Jakob
> posted about a 22H2 update breaking this. Anyone know the specific
> fix and how to roll it back?

Looking at this more, the 22H2 issue doesn't seem to be the same issue I'm dealing with, as Ralph and others mentioned that it goes away when they upgrade to latest (which I'm on); also I'm not seeing the KRB5KDC_ERR_TGT_REVOKED error.

Here is what I found in regard to my issue:

If I have a windows host with RDP authenticate against samba AD it starts an RDP session, but then rejects the password when we get to the desktop. Looking at the packet captures I see:

This part looks identical other than keys between the captures that work against a real windows dc and captures that don't work against a SAMBA DC:

From client: as-req
From server: KRB5KDC_ERR_PREAUTH_REQUIRED
From client: as-req

Now that we get to the as-rep we start to see differences:

From Windows:
as-rep->ticket->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)
and
ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)

From Samba:
as-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
and
ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)

Then we see the TGS-REQ, and the client asks for an eTYPE-AES256-CTS-HMAC-SHA1-96(18) from the samba AD and eTYPE-ARCFOUR-HMAC-MD5(23) from the windows server, otherwise identical.

Now the TGS-REP:

From Windows:
tgs-rep->ticket->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)
and
tgs-rep->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)

From Samba:
tgs-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
and
tgs-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)

Basically, it appears that windows is using MD5 hashing and samba SHA1. At this point there aren't any further kerberos interactions from the client when authenticating to samba and the desktop shows password failed. When using the windows AD server we get another TGS-REQ/TGS-REP for sname kRB5-NT-SRV-INST where it appears to authenticate for LDAP.

So, where to go from here? Create a Heimdal bug? Create a Samba bug? Not having RDP is really causing issues for me.

Thanks,
Matt
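The two fields Matt is comparing above (the etype inside the ticket's enc-part and the etype of the reply's own enc-part) can be pulled out of raw AS-REP/TGS-REP bytes without Wireshark. The following is an added example, not code from the post, from Samba or from Heimdal: a minimal DER walker following the KDC-REP, Ticket and EncryptedData layouts of RFC 4120 section 5.4.2, plus a builder that constructs sample replies reproducing the four observations in the post. The realm EXAMPLE.NET, the TERMSRV/ws01.example.net service name, the user name and the zeroed ciphertext in the samples are made up; feeding real traffic to `kdc_rep_etypes()` assumes you have exported the Kerberos PDU bytes from a capture, which is not shown here.

```python
"""Read the etype fields of Kerberos AS-REP / TGS-REP messages (RFC 4120 5.4.2).
Added example with a minimal DER reader and a builder for constructed samples;
not code from the mailing-list post, Samba or Heimdal."""
from dataclasses import dataclass

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac-md5"}
MSG_NAMES = {11: "AS-REP", 13: "TGS-REP"}      # APPLICATION tag numbers

# ---- DER reading ----------------------------------------------------------
def _read_tlv(buf, pos=0):
    """Return (class, tag_number, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag & 0xC0, tag & 0x1F, buf[pos:pos + length], pos + length

def _ctx(seq_value, wanted):
    """Contents of EXPLICIT context tag [wanted] inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        cls, num, val, pos = _read_tlv(seq_value, pos)
        if cls == 0x80 and num == wanted:
            return val
    raise KeyError(f"[{wanted}] missing")

def _int(tlv):
    cls, num, val, _ = _read_tlv(tlv)
    assert (cls, num) == (0x00, 0x02), "expected INTEGER"
    return int.from_bytes(val, "big", signed=True)

def _etype(encrypted_data):
    """EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] }"""
    _, num, seq, _ = _read_tlv(encrypted_data)
    assert num == 0x10, "expected SEQUENCE"
    return _int(_ctx(seq, 0))

@dataclass
class RepEtypes:
    msg_type: str
    ticket_etype: int      # Wireshark: as-rep->ticket->enc-part->etype
    enc_part_etype: int    # Wireshark: as-rep->enc-part->etype

def kdc_rep_etypes(der):
    """Decode AS-REP ([APPLICATION 11] KDC-REP) or TGS-REP ([APPLICATION 13])."""
    cls, app, body, _ = _read_tlv(der)
    if cls != 0x40 or app not in MSG_NAMES:
        raise ValueError("not an AS-REP or TGS-REP")
    _, _, kdc_rep, _ = _read_tlv(body)                  # KDC-REP SEQUENCE
    _, _, ticket_body, _ = _read_tlv(_ctx(kdc_rep, 5))  # [5] Ticket = [APPLICATION 1]
    _, _, ticket, _ = _read_tlv(ticket_body)            # Ticket SEQUENCE
    return RepEtypes(MSG_NAMES[app],
                     _etype(_ctx(ticket, 3)),           # Ticket enc-part [3]
                     _etype(_ctx(kdc_rep, 6)))          # KDC-REP enc-part [6]

def describe(der):
    r = kdc_rep_etypes(der)
    name = lambda e: f"{ETYPE_NAMES.get(e, 'etype')}({e})"
    return f"{r.msg_type}: ticket={name(r.ticket_etype)} enc-part={name(r.enc_part_etype)}"

# ---- DER writing, only used to construct the sample replies ----------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _ctxtag(n, body): return _der(0xA0 | n, body)
def _seq(*items): return _der(0x30, b"".join(items))
def _integer(i): return _der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big", signed=True))
def _gstr(s): return _der(0x1B, s.encode())               # KerberosString = GeneralString
def _principal(ntype, *parts):
    return _seq(_ctxtag(0, _integer(ntype)), _ctxtag(1, _seq(*map(_gstr, parts))))
def _encrypted(etype, cipher):
    return _seq(_ctxtag(0, _integer(etype)), _ctxtag(2, _der(0x04, cipher)))

def build_kdc_rep(msg_type, ticket_etype, enc_part_etype, realm="EXAMPLE.NET"):
    """Constructed sample reply: realm, names and zeroed ciphertext are made up."""
    ticket = _der(0x61, _seq(                               # [APPLICATION 1] Ticket
        _ctxtag(0, _integer(5)), _ctxtag(1, _gstr(realm)),
        _ctxtag(2, _principal(2, "TERMSRV", "ws01.example.net")),
        _ctxtag(3, _encrypted(ticket_etype, b"\x00" * 40))))
    return _der(0x60 | msg_type, _seq(                      # [APPLICATION 11/13]
        _ctxtag(0, _integer(5)), _ctxtag(1, _integer(msg_type)),
        _ctxtag(3, _gstr(realm)), _ctxtag(4, _principal(1, "matt")),
        _ctxtag(5, ticket), _ctxtag(6, _encrypted(enc_part_etype, b"\x00" * 40))))

if __name__ == "__main__":
    # The four observations from the post, reproduced as constructed messages.
    for label, msg in [("Windows AS-REP ", build_kdc_rep(11, 23, 18)),
                       ("Samba   AS-REP ", build_kdc_rep(11, 18, 18)),
                       ("Windows TGS-REP", build_kdc_rep(13, 23, 23)),
                       ("Samba   TGS-REP", build_kdc_rep(13, 18, 18))]:
        print(f"{label}: {describe(msg)}")
```

Run stand-alone it prints one line per constructed reply, with the Windows samples showing an RC4 (23) ticket and the Samba samples AES256 (18) throughout, which is exactly the difference the post reads off the capture. The reader deliberately ignores kvno and cipher, so it also works on TGS-REP messages whose enc-part is encrypted under a session key you do not have.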
Michael Tokarev
2022-Oct-31 06:36 UTC
[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
28.10.2022 02:36, Matthew Schumacher via samba wrote:
..
> I'm also having problems with RDP sessions not authenticating against samba heimdal kdc. What is odd is that the initial RDP connection (network
> level connection) works fine and authenticates me, but when I get to the desktop, I get access denied and that my password is wrong as if I used a
> wrong password at the console. If I put in the wrong password into the initial rdp session for network level connection, it immediately rejects me
> without letting me see the desktop.

Do you have the same (set of) users defined in samba ad and in local /etc/passwd?

/mjt