cedric at season-of-mist.com
2023-Sep-12 10:29 UTC
[Samba] KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Hello,

We're using Samba 4.19.0 with Windows 10 workstations. Everything runs fine except that there are errors in my DC logs, but I fail to understand what is causing those errors:

[2023/09/12 12:13:49.994156, 10, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/kdc/kdc-server.c:284(kdc_tcp_call_loop)
  Received krb5 TCP packet of length 1857 from ipv4:192.168.10.31:34175
[2023/09/12 12:13:49.994283, 10, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/kdc/kdc-heimdal.c:84(kdc_process)
  kdc_process: Received KDC packet of length 1849 from ipv4:192.168.10.31:34175
[2023/09/12 12:13:49.994359, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2023/09/12 12:13:49.994436, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2023/09/12 12:13:49.997334, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] tixaddrs=TYPE_20:50432d44455633202020202020202020
[2023/09/12 12:13:49.997491, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2023/09/12 12:13:49.997615, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ cedric.puchalver@SEASON-OF-MIST.INTRANET from ipv4:192.168.10.31:34175 for krbtgt/NT\ Authority@SEASON-OF-MIST.INTRANET [canonicalize, renewable, forwardable]
[2023/09/12 12:13:49.998407, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch_krbtgt: could not find principal in DB
[2023/09/12 12:13:49.999316, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: krbtgt/NT\ Authority@SEASON-OF-MIST.INTRANET : no such entry found in hdb
[2023/09/12 12:13:49.999336, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddreason(): adding reason Service principal unknown
[2023/09/12 12:13:49.999350, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.10.31:34175
[2023/09/12 12:13:49.999366, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: tgs-req: sending error: -1765328377 to client
[2023/09/12 12:13:49.999379, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2023/09/12 12:13:49.999450, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.005105
[2023/09/12 12:13:49.999465, 3, pid=665004, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ERR_S_PRINCIPAL_UNKNOWN ipv4:192.168.10.31:34175 cedric.puchalver@SEASON-OF-MIST.INTRANET krbtgt/NT\ Authority@SEASON-OF-MIST.INTRANET elapsed=0.005105 tixaddrs=TYPE_20:50432d44455633202020202020202020 reason=Service principal unknown

Here is the smb.conf:

# Global parameters
[global]
    allow dns updates = nonsecure and secure
    disable spoolss = Yes
    dns forwarder = 192.168.10.1
    dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
    log file = /usr/local/samba/var/samba.log
    log level = 1 dns:0 vfs:0 drs_repl:3@/usr/local/samba/var/replication.log kerberos:10@/usr/local/samba/var/kerberos.log auth_audit:3@/usr/local/samba/var/auth.log
    netbios name = DC3
    printcap name = /dev/null
    realm = SEASON-OF-MIST.INTRANET
    server role = active directory domain controller
    winbind refresh tickets = Yes
    workgroup = SEASON-OF-MIST
    idmap_ldb:use rfc2307 = yes
    printing = cups

[netlogon]
    path /usr/local/samba/var/locks/sysvol/season-of-mist.intranet/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Here are network packets captured with Wireshark:

* TGS-REQ:

Kerberos
    Record Mark: 1853 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0111 0011 1101 = Record Length: 1853
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 2 items
            PA-DATA pA-TGS-REQ
                padata-type: pA-TGS-REQ (1)
                    padata-value: 6e82067d30820679a003020105a10302010ea20703050000000000a38205b4618205b030.
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: SEASON-OF-MIST.INTRANET
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    sname-string: 2 items
                                        SNameString: krbtgt
                                        SNameString: SEASON-OF-MIST.INTRANET
                                enc-part
                                    etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                    kvno: 1
                                    cipher: e193e9dcd5b8b88ff8eea53f673d7a9e0e5a469e33a7f08239e87d5a4a67511995fa1e47.
                            authenticator
                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                cipher: 4703b8e78caa5a3f387b8b20679ca0e32c9fb2754258689cf678c0134c70399e66b39dab.
            PA-DATA pA-PAC-OPTIONS
                padata-type: pA-PAC-OPTIONS (167)
                    padata-value: 3009a00703050040000000
                        Padding: 0
                        flags: 40000000
                            0... .... = claims: False
                            .1.. .... = branch-aware: True
                            ..0. .... = forward-to-full-dc: False
                            ...0 .... resource-based-constrained-delegation: False
        req-body
            Padding: 0
            kdc-options: 40810000
                0... .... = reserved: False
                .1.. .... = forwardable: True
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                1... .... = renewable: True
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... 0... = unused12: False
                .... .0.. = unused13: False
                .... ..0. = constrained-delegation: False
                .... ...1 = canonicalize: True
                0... .... = request-anonymous: False
                .0.. .... = unused17: False
                ..0. .... = unused18: False
                ...0 .... = unused19: False
                .... 0... = unused20: False
                .... .0.. = unused21: False
                .... ..0. = unused22: False
                .... ...0 = unused23: False
                0... .... = unused24: False
                .0.. .... = unused25: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... .0.. = unused29: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            realm: SEASON-OF-MIST.INTRANET
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: krbtgt
                    SNameString: NT Authority
            till: 2037-09-13 02:48:05 (UTC)
            nonce: 370713535
            etype: 5 items
                ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)

* KRB Error:

Kerberos
    Record Mark: 192 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 1100 0000 = Record Length: 192
    krb-error
        pvno: 5
        msg-type: krb-error (30)
        ctime: 2023-09-12 10:11:54 (UTC)
        cusec: 7958
        stime: 2023-09-12 10:11:54 (UTC)
        susec: 315254
        error-code: eRR-S-PRINCIPAL-UNKNOWN (7)
        crealm: SEASON-OF-MIST.INTRANET
        cname
            name-type: kRB5-NT-PRINCIPAL (1)
            cname-string: 1 item
                CNameString: cedric.puchalver
        realm: SEASON-OF-MIST.INTRANET
        sname
            name-type: kRB5-NT-SRV-INST (2)
            sname-string: 2 items
                SNameString: krbtgt
                SNameString: NT Authority
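
The per-request summary line at the end of the log excerpt above carries the client, the requested principal and the ticket address in one record, so a DC log can be triaged by grouping on those fields. The following is an added example, not part of the original post or of Samba: the function names are illustrative, and it assumes the summary-line layout shown in the post, including the "\ " escape for a space inside a principal.

```python
import re
from collections import Counter

# Per-request summary line from Samba's Heimdal KDC, in the form shown in the post:
#   Kerberos: <REQ> <RESULT> <peer> <client> <server> key=value ...
PRINC = r"((?:\\.|[^\s\\])+)"  # principals escape embedded spaces as "\ "
AUDIT = re.compile(r"Kerberos: ([A-Z]+-REQ) ([A-Z_]+) (ipv[46]:\S+) "
                   + PRINC + " " + PRINC + r"((?: \w+=.*)?)$")
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values such as reason= contain spaces

def netbios_name(tixaddrs):
    """Decode a TYPE_20 (NetBIOS, RFC 4120 7.5.3) address: hex of a space-padded name."""
    kind, _, hexval = tixaddrs.partition(":")
    if kind != "TYPE_20":
        return None
    try:
        return bytes.fromhex(hexval).decode("ascii", "replace").rstrip()
    except ValueError:
        return None

def parse_audit(line):
    """Return the fields of one summary line, or None for any other log line."""
    m = AUDIT.search(line.strip())
    if not m:
        return None
    req, result, peer, client, server, rest = m.groups()
    rec = {"req": req, "result": result, "peer": peer,
           "client": client.replace("\\ ", " "), "server": server.replace("\\ ", " ")}
    rec.update(KV.findall(rest))
    rec["host"] = netbios_name(rec.get("tixaddrs", ""))
    return rec

def unknown_principals(lines):
    """Count (client, host, requested principal) per ERR_S_PRINCIPAL_UNKNOWN reply."""
    hits = Counter()
    for line in lines:
        rec = parse_audit(line)
        if rec and rec["result"] == "ERR_S_PRINCIPAL_UNKNOWN":
            hits[(rec["client"], rec["host"], rec["server"])] += 1
    return hits
# First two lines are from the post (archive " at " written as "@"); the last is constructed.
SAMPLE = [
    r"  Kerberos: TGS-REQ cedric.puchalver@SEASON-OF-MIST.INTRANET from ipv4:192.168.10.31:34175 for krbtgt/NT\ Authority@SEASON-OF-MIST.INTRANET [canonicalize, renewable, forwardable]",
    r"  Kerberos: TGS-REQ ERR_S_PRINCIPAL_UNKNOWN ipv4:192.168.10.31:34175 cedric.puchalver@SEASON-OF-MIST.INTRANET krbtgt/NT\ Authority@SEASON-OF-MIST.INTRANET elapsed=0.005105 tixaddrs=TYPE_20:50432d44455633202020202020202020 reason=Service principal unknown",
    r"  Kerberos: TGS-REQ ERR_S_PRINCIPAL_UNKNOWN ipv4:192.0.2.7:50112 alice@EXAMPLE.TEST cifs/old-nas@EXAMPLE.TEST elapsed=0.001 reason=Service principal unknown",
]
if __name__ == "__main__":
    for key, n in unknown_principals(SAMPLE).most_common():
        print(n, key)
```

Feeding it the lines of the kerberos log file shows which workstation and account each unknown-principal request came from, with the ticket's NetBIOS address decoded to a host name.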