
Re: [Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)




After reviewing logs I found that my previous assumption was wrong.

Situation: I'm trying to start a live migration from Hyper-V host A (BMSRV4-HYPERV) to Hyper-V host B (BM-SRV-5), from host B (logged in as a user from the DOMAIN ADMINS group).

Kerberos constrained delegation is set in accordance with Microsoft's instructions, with the proper SPNs set (well, proper as in with the workaround I wrote about earlier).

Below are logs from Wireshark and the Samba 4 DC (the one that handled the request).
The kacper_wirski user, who belongs to the DOMAIN ADMINS group, is the one "giving" the command. I already tried with a different user, and also tried the other way round (from host B -> to host A when logged into host B). Same errors. Tried with a different Hyper-V host C, same error.

I have next to no experience troubleshooting Kerberos (up until now everything was working flawlessly), but reading the logs I understand that the ticket request generated by Host A seems OK: it wants to "impersonate" kacper_wirski in order to get to the SPN on Host B, but the request fails. I admit that I already googled this error and wasted a lot of hours, but I really don't know how to handle this situation: is it a Kerberos error, a Samba error, or was Microsoft Hyper-V just built in such a way that it simply will work ONLY with Microsoft AD?

Every bit of advice/tip is greatly appreciated, as I feel I'm running out of ideas or options.

/etc/krb5.conf is the basic one generated at DC promotion. Overall there have been no issues in the domain using Kerberos so far (over 6 months now); I also used SSO for Apache, so Kerberos overall seems OK.

Logs below (I tried my best to trim them down).

Samba 4 log from the DC that Host A contacted (one of 3 DCs in the domain):

Log level 5
  Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating kacper_wirski@xxxxxxxxxxxxxxxx to service bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime: 2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till: 2017-03-25T21:39:30
[2017/03/18 22:00:03.657328, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.657340, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/03/18 22:00:03.658763, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
[2017/03/18 22:00:03.658911, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.658920, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]


Relevant Wireshark output:

TGS-REQ (host A -> Samba 4 AD DC):
Kerberos
                            msg-type: krb-ap-req (14)

                            ticket
                                realm: MYDOMAIN.COM.XYZ
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    sname-string: 2 items
                                        SNameString: krbtgt
                                        SNameString: MYDOMAIN.COM.XYZ
                                enc-part
                                    etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                            authenticator
                                etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
            PA-DATA PA-FOR-USER
                padata-type: kRB5-PADATA-S4U2SELF (129)
                        name
                            name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
                            name-string: 1 item
                                KerberosString: kacper_wirski
                        realm: MYDOMAIN.COM.XYZ
                        cksum
                            cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
                        auth: Kerberos
        req-body
            Padding: 0
            kdc-options: 40810000 (forwardable, renewable, canonicalize)
            realm: MYDOMAIN.COM.XYZ
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                sname-string: 1 item
                    SNameString: bmsrv4-hyperv$
            etype: 5 items
                ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)

TGS-REP (KDC -> Host A)

    tgs-rep
           msg-type: krb-tgs-rep (13)
        crealm: MYDOMAIN.COM.XYZ
        cname
            name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
            cname-string: 1 item
                CNameString: kacper_wirski
        ticket
            tkt-vno: 5
            realm: MYDOMAIN.COM.XYZ
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                sname-string: 1 item
                    SNameString: bmsrv4-hyperv$
            enc-part
                etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                kvno: 1
        enc-part
            etype: eTYPE-ARCFOUR-HMAC-MD5 (23)

TGS-REQ (Host A -> KDC)

    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 2 items
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                         ticket
                                tkt-vno: 5
                                realm: MYDOMAIN.COM.XYZ
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    sname-string: 2 items
                                        SNameString: krbtgt
                                        SNameString: MYDOMAIN.COM.XYZ
                                enc-part
                                    etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                    kvno: 1
                               authenticator
                                etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
            PA-DATA Unknown:167
                padata-type: Unknown (167)
                    padata-value: 3009a00703050010000000
        req-body
            Padding: 0
            kdc-options: 40830000 (forwardable, renewable, request-anonymous, canonicalize)
            realm: MYDOMAIN.COM.XYZ
            sname
                name-type: kRB5-NT-SRV-INST (2)
                sname-string: 2 items
                    SNameString: Microsoft Virtual System Migration Service
                    SNameString: BM-SRV-5
            till: 2017-03-18 21:15:03 (UTC)
            nonce: 478023267
            etype: 5 items
                ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
            enc-authorization-data
                etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                cipher: 0fa4ee9a7e16003266d7566c12c2f50748e50435090ee9e2...
            additional-tickets: 1 item
                Ticket
                    realm: MYDOMAIN.COM.XYZ
                    sname
                        name-type: kRB5-NT-PRINCIPAL (1)
                            SNameString: bmsrv4-hyperv$
                    enc-part
                        etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                        kvno:

and the final TGS-REP (KDC -> Host A)
    krb-error
        pvno: 5
        msg-type: krb-error (30)
        ctime: 2017-03-18 21:00:03 (UTC)
        cusec: 481
        stime: 2017-03-18 21:00:03 (UTC)
        susec: 658781
        error-code: eRR-BAD-INTEGRITY (31)
        realm: <unspecified realm>
        sname
            name-type: kRB5-NT-UNKNOWN (0)
            sname-string: 0 items
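Added example, not part of the original post: a small Python decoder for the two fields of the second TGS-REQ above that the Wireshark build in the capture left undecoded or labelled oddly. It assumes that padata type 167 is PA-PAC-OPTIONS as defined in MS-KILE section 2.2.10 (flag bits: claims, branch-aware, forward-to-full-DC, resource-based constrained delegation), and that KDCOptions bit 14, shown above as "request-anonymous", is the MS-SFU cname-in-addl-tkt flag that marks an S4U2Proxy request. The hex strings are copied from the capture; the function and table names are the example's own.

```python
"""Decode PA-PAC-OPTIONS and KDCOptions from a captured TGS-REQ.

Added example, not code from the original post. Assumptions:
  - padata type 167 is PA-PAC-OPTIONS (MS-KILE 2.2.10), an ASN.1
    SEQUENCE { flags [0] BIT STRING } with the bit meanings below;
  - KDCOptions bit 14 is MS-SFU's cname-in-addl-tkt (S4U2Proxy),
    which older Wireshark dissectors label "request-anonymous".
"""
from typing import List, Tuple

# PA-PAC-OPTIONS flag bits, MSB-first numbering as for all KerberosFlags
PAC_OPTIONS_BITS = {
    0: "claims",
    1: "branch-aware",
    2: "forward-to-full-dc",
    3: "resource-based-constrained-delegation",
}

# KDCOptions bits: RFC 4120 5.4.1, RFC 6806 (canonicalize, bit 15),
# MS-SFU (cname-in-addl-tkt, bit 14)
KDC_OPTIONS_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 14: "cname-in-addl-tkt", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}


def der_tlv(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Parse one DER TLV with a definite length; return (tag, value, next_offset)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def set_bits(flags: bytes) -> List[int]:
    """Indices of set bits, counting from the most significant bit of byte 0."""
    return [i for i in range(len(flags) * 8) if flags[i // 8] & (0x80 >> (i % 8))]


def decode_pa_pac_options(hexval: str) -> List[str]:
    """Names of the flags set in a PA-PAC-OPTIONS padata-value (hex string)."""
    raw = bytes.fromhex(hexval)
    tag, seq, _ = der_tlv(raw)
    if tag != 0x30:
        raise ValueError("PA-PAC-OPTIONS: expected SEQUENCE")
    tag, ctx0, _ = der_tlv(seq)
    if tag != 0xA0:
        raise ValueError("PA-PAC-OPTIONS: expected [0] flags")
    tag, bitstr, _ = der_tlv(ctx0)
    if tag != 0x03:
        raise ValueError("PA-PAC-OPTIONS: expected BIT STRING")
    # the first octet of a DER BIT STRING is the count of unused trailing bits
    return [PAC_OPTIONS_BITS.get(b, f"bit{b}") for b in set_bits(bitstr[1:])]


def decode_kdc_options(hexval: str) -> List[str]:
    """Names of the flags set in a 32-bit KDCOptions value (hex string)."""
    return [KDC_OPTIONS_BITS.get(b, f"bit{b}") for b in set_bits(bytes.fromhex(hexval))]


def is_s4u2proxy(kdc_options_hex: str, additional_tickets: int) -> bool:
    """An S4U2Proxy request carries cname-in-addl-tkt and a ticket in additional-tickets."""
    return "cname-in-addl-tkt" in decode_kdc_options(kdc_options_hex) and additional_tickets > 0


if __name__ == "__main__":
    # values taken from the capture in the post above
    print("first TGS-REQ  kdc-options:", decode_kdc_options("40810000"))
    print("second TGS-REQ kdc-options:", decode_kdc_options("40830000"))
    print("padata 167 PA-PAC-OPTIONS :", decode_pa_pac_options("3009a00703050010000000"))
    print("second TGS-REQ is S4U2Proxy:", is_s4u2proxy("40830000", 1))
```

Run against the capture values, the first TGS-REQ (the S4U2Self one) decodes to forwardable, renewable and canonicalize, while the second decodes to forwardable, renewable, cname-in-addl-tkt and canonicalize together with a single flag in PA-PAC-OPTIONS, resource-based-constrained-delegation. In other words the failing request is an S4U2Proxy request in which Hyper-V asks the KDC to evaluate resource-based constrained delegation, which is the thing to check the KDC's S4U2Proxy handling and the delegation setup against.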



