On la, 16 touko 2020, Dario Lesca wrote:
Il giorno ven, 15/05/2020 alle 18.08 +0200, Dario Lesca ha scritto:I have a test environment for test samba AD MIT kerberos out of the box I have a AD-DC samba on Fedora 32 (addc1), a Centos 8 member server (centos8) and two PC windows 10 (win10a and win10b), fedora.loc is the AD domain name All work fine except access from windows to windows with remote desktop. I work with administrator@xxxxxxxxxx and when I try to accessI get a password request for this user and This is what I get into /var/log/samba/mit_kdc.log: mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.122.102: NEEDED_PREAUTH: Administrator@FEDORA for krbtgt/FEDORA@FEDORA, Additional pre-authentication required mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd 19 mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.122.102: ISSUE: authtime 1589554729, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, Administrator@FEDORA for krbtgt/FEDORA@FEDORA mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd 19 mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.122.102: ISSUE: authtime 1589554729, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1- 96(18), ses=aes256-cts-hmac-sha1-96(18)}, Administrator@xxxxxxxxxx for TERMSRV/win10a@xxxxxxxxxx mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd 19 mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ 192.168.122.102: 2ND_TKT_MISMATCH: authtime 1589554729, Administrator@xxxxxxxxxx for TERMSRV/win10a@xxxxxxxxxx, 2nd tkt client WIN10A$@FEDORA.LOC mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd 19 If I access via file manager (\\win10a\share) from window to a shared folder on another windows it work. If I try to access to win10a from fedora addc1 server with xfreerdp utility I can access without problem, this is the log: [lesca@addc1 ~]$ xfreerdp /u:administrator@xxxxxxxxxx /v:win10a.fedora.loc [18:01:32:549] [2340:2341] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state [18:01:32:549] [2340:2341] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr [18:01:32:549] [2340:2341] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd [18:01:32:549] [2340:2341] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr [18:01:35:857] [2340:2341] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized [18:01:35:864] [2340:2341] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state [18:01:35:867] [2340:2341] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state [18:01:35:886] [2340:2341] [WARN][com.freerdp.crypto] - Certificate verification failure 'unable to get local issuer certificate (20)' at stack position 0 [18:01:35:886] [2340:2341] [WARN][com.freerdp.crypto] - CN = win10a.fedora.loc Password: [18:01:39:264] [2340:2341] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32 [18:01:39:265] [2340:2341] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16 [18:01:40:343] [2340:2341] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem [18:01:41:829] [2340:2341] [INFO][com.freerdp.channels.rdpsnd.client] - Loaded fake backend for rdpsnd [18:02:12:906] [2340:2341] [INFO][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex resetting error state [18:02:12:906] [2340:2347] [WARN][com.freerdp.channels.cliprdr.common] - [cliprdr_packet_format_list_new] called with invalid type 00000000 Is this a know issue or it is a bugs? If you need some other informations let me know Many thanksIs this the right place for submit this kind of question? Or I must use another channel? what?
Please open a bug in bugzilla.
This is one of user-to-user authentication cases that aren't implemented properly in MIT Kerberos and Samba AD for aliases (SPNs) of the machine account: 19 mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ 192.168.122.102: 2ND_TKT_MISMATCH: authtime 1589554729, Administrator@xxxxxxxxxx for TERMSRV/win10a@xxxxxxxxxx, 2nd tkt client WIN10A$@FEDORA.LOC mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd From Windows point of view TERMSRV/win10a is a service principal name of the WIN10A$ machine account, so they share the same key and are seen at the same principal for the check that is being done here. For MIT Kerberos, it doesn't see them as aliases as it does explicit compare of the principals and requested service principal does not match the principal in the evidence (2nd) ticket. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
