On Fri, 2022-10-28 at 09:59 -0700, Matthew Schumacher via samba wrote:
> On 10/27/22 4:36 PM, Matthew Schumacher via samba wrote:
> >
> > I'm also having problems with RDP sessions not authenticating against
> > samba heimdal kdc. What is odd is that the initial RDP connection
> > (network level connection) works fine and authenticates me, but when I
> > get to the desktop, I get access denied and that my password is wrong
> > as if I used a wrong password at the console. If I put in the wrong
> > password into the initial rdp session for network level connection, it
> > immediately rejects me without letting me see the desktop.
> >
> > Looking at wireshark under the covers, I suspect it's a kerberos
> > issue, however all of my hosts have dns settings of samba domain
> > controllers and my samba servers do appear to get AD updates.
> >
> > I was running 4.16.4 but now I'm on 4.17.2 with no change.
> >
> > I wonder if something changed on the windows side. I see Jakob
> > posted about a 22H2 update breaking this. Anyone know the specific
> > fix and how to roll it back?
> >
>
> Looking at this more, the 22H2 issue doesn't seem to be the same issue
> I'm dealing with as Ralph and others mentioned that it goes away when
> they upgrade to latest (which I'm on), also I'm not seeing the
> KRB5KDC_ERR_TGT_REVOKED error.
>
> Here is what I found in regard to my issue:
>
> If I have a windows host with RDP authenticate against samba AD it
> starts an RDP session, but then rejects the password when we get the
> desktop. Looking at the packet captures I see:
>
> This part looks identical other than keys between the captures that work
> against a real windows dc and captures that don't work against a SAMBA DC:
>
> From client: as-req
> From server: KRB5KDC_ERR_PREAUTH_REQUIRED
> From client: as-req
>
> Now that we get to the as-rep we start to see differences:
>
> From Windows: as-rep->ticket->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)
> and ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> From Samba: as-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> and ap-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
>
> Then we see the TGS-REQ and the client asks for a
> eTYPE-AES256-CTS-HMAC-SHA1-96(18) from the samba AD and
> eTYPE-ARCFOUR-HMAC-MD5(23) from the windows server otherwise identical.
>
> Now the TGS-REP
>
> From Windows: tgs-rep->ticket->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)
> and tgs-rep->enc-part->etype eTYPE-ARCFOUR-HMAC-MD5(23)
> From Samba: tgs-rep->ticket->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
> and tgs-rep->enc-part->etype eTYPE-AES256-CTS-HMAC-SHA1-96(18)
>
> Basically, it appears that windows is using MD5 hashing and samba SHA1.
>
> At this point there aren't any further kerberos interactions from the
> client when authenticating to samba and the desktop shows password
> failed. When using the windows AD server we get another TGS-REQ/TGS-REP
> for sname kRB5-NT-SRV-INST where it appears to authenticate for LDAP.
>
> So, where to go from here? Create a Heimdal bug? Create a Samba bug?
> Not having RDP is really causing issues for me.

I'm actively looking into this, as that doesn't seem right. What is the
value of msDS-SupportedEncryptionTypes for the server account involved?

Are both DCs for this comparison in the same domain?

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
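Added example, not from the thread and not Samba or Heimdal code: a small Python model of the two decisions Andrew's question bears on, namely which key etypes the target server account's msDS-SupportedEncryptionTypes permits, and which etype the KDC therefore seals the service ticket and the session key with. The flag bit values are the ones MS-KILE documents for the attribute; the RC4-only fallback for an absent or zero attribute and the strongest-common-etype rule are assumptions about Windows KDC behaviour, stated here as the model to check the two captures against rather than as a description of either KDC's code. The client etype lists and attribute values in the demo are constructed.

```python
"""Decode msDS-SupportedEncryptionTypes and model which Kerberos etypes a
KDC can use for a service ticket and its session key.

Illustration only: bit values follow MS-KILE 2.2.7; the selection rule
below is an ASSUMED simplification of Windows KDC behaviour.
"""

# msDS-SupportedEncryptionTypes flag bits (MS-KILE 2.2.7)
SUPPORTED_ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
    0x00000020: "AES256-CTS-HMAC-SHA1-96-SK",
    0x00010000: "FAST-supported",
    0x00020000: "Compound-identity-supported",
    0x00040000: "Claims-supported",
    0x00080000: "Resource-SID-compression-disabled",
}

# Kerberos etype numbers as Wireshark labels them in the capture
ETYPE_DES_CBC_CRC = 1   # eTYPE-DES-CBC-CRC(1)
ETYPE_DES_CBC_MD5 = 3   # eTYPE-DES-CBC-MD5(3)
ETYPE_AES128 = 17       # eTYPE-AES128-CTS-HMAC-SHA1-96(17)
ETYPE_AES256 = 18       # eTYPE-AES256-CTS-HMAC-SHA1-96(18)
ETYPE_RC4 = 23          # eTYPE-ARCFOUR-HMAC-MD5(23)

# Only the low flag bits correspond to a long-term key etype on the account
BIT_TO_ETYPE = {
    0x01: ETYPE_DES_CBC_CRC,
    0x02: ETYPE_DES_CBC_MD5,
    0x04: ETYPE_RC4,
    0x08: ETYPE_AES128,
    0x10: ETYPE_AES256,
}

# Strongest first: the order in which the model prefers candidates
STRENGTH_ORDER = [ETYPE_AES256, ETYPE_AES128, ETYPE_RC4,
                  ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_CRC]


def decode_supported_enctypes(value):
    """Names of the flags set in an msDS-SupportedEncryptionTypes value.

    `value` is the integer read from LDAP, or None when the attribute is
    absent.  Flags are returned in ascending bit order.
    """
    if not value:
        return []
    return [name for bit, name in sorted(SUPPORTED_ENCTYPE_BITS.items())
            if value & bit]


def account_etypes(value):
    """Key etypes the KDC may use for this account's long-term key.

    ASSUMPTION: an absent or zero attribute is treated as an RC4-only
    account, which is the Windows default this model adopts.
    """
    if not value:
        return {ETYPE_RC4}
    return {etype for bit, etype in BIT_TO_ETYPE.items() if value & bit}


def kdc_pick_etypes(client_etypes, server_supported_value):
    """Model the two etype choices visible in a TGS-REP.

    Returns (ticket_etype, session_key_etype), or (None, None) when no
    etype is usable.  The ticket is sealed with the server's strongest key
    regardless of the client; the session key must be acceptable to both
    sides, so it is the strongest etype common to the client's request and
    the server account.
    """
    server = account_etypes(server_supported_value)
    ticket = next((e for e in STRENGTH_ORDER if e in server), None)
    common = server & set(client_etypes)
    session = next((e for e in STRENGTH_ORDER if e in common), None)
    if ticket is None or session is None:
        return (None, None)
    return (ticket, session)


if __name__ == "__main__":
    # Constructed inputs: a client offering AES256, AES128 and RC4, against
    # a server account with AES+RC4 flags set, and one with no attribute.
    client = [ETYPE_AES256, ETYPE_AES128, ETYPE_RC4]
    for label, value in (("AES+RC4 account", 0x1C), ("attribute absent", None)):
        print(label, decode_supported_enctypes(value),
              "-> (ticket, session) =", kdc_pick_etypes(client, value))
```

The practical check this models is to read the attribute on the RDP target's computer account from each DC being compared, for example with `ldbsearch -H ldap://<dc> -U <admin> '(sAMAccountName=<HOST>$)' msDS-SupportedEncryptionTypes` against the Samba DC, and to compare the decoded flags with the ticket and session-key etypes in the two captures: an RC4 ticket and RC4 session key from the Windows DC is what this model predicts for an account whose attribute is absent, zero, or lacks the AES bits.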
On Mon, 2022-10-31 at 17:53 +1300, Andrew Bartlett wrote:
> [...]

If you could create a Samba bug that would be great, and if you can
send me privately that network trace I'll try and reproduce with our
test harness.

I also need that msDS-SupportedEncryptionTypes value and any other
context you are able to share, in particular the target server
version.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
On Tue, 2022-11-01 at 12:31 +1300, Andrew Bartlett wrote:
> [...]

I'm going to need a lot more information about the Windows servers and
Windows DCs, in particular the versions, if they are in the same Samba
domain, and exactly which domain and forest functional level they are in.

So far what I'm seeing is behaviour I would expect if the Windows server
was in Functional Level 2003, for example.

Did this work with Samba 4.15 and does it work again with 4.15 after you
apply the patch from https://bugzilla.samba.org/show_bug.cgi?id=15197 ?

Andrew Bartlett