Re: Fedora 32: samba 4.12.2: Problem with access from win10b to win10a via remote desktop

On Sat, 16 May 2020, Dario Lesca wrote:
On Fri, 15/05/2020 at 18:08 +0200, Dario Lesca wrote:
I have a test environment to test Samba AD with MIT Kerberos out of the
box.

I have a Samba AD DC on Fedora 32 (addc1), a CentOS 8 member server
(centos8) and two Windows 10 PCs (win10a and win10b); fedora.loc is the
AD domain name.

Everything works fine except access from Windows to Windows with Remote
Desktop. I work as administrator@xxxxxxxxxx and when I try to
access I get a password request for this user and

This is what I get in /var/log/samba/mit_kdc.log:

mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.122.102:
NEEDED_PREAUTH: Administrator@FEDORA for krbtgt/FEDORA@FEDORA,
Additional pre-authentication required
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd
19
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.122.102:
ISSUE: authtime 1589554729, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
Administrator@FEDORA for krbtgt/FEDORA@FEDORA
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd
19
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ (5
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135)}) 192.168.122.102: ISSUE: authtime 1589554729,
etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-
96(18), ses=aes256-cts-hmac-sha1-96(18)}, Administrator@xxxxxxxxxx
for TERMSRV/win10a@xxxxxxxxxx
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd
19
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ
192.168.122.102: 2ND_TKT_MISMATCH: authtime 1589554729,
Administrator@xxxxxxxxxx for TERMSRV/win10a@xxxxxxxxxx, 2nd tkt
client WIN10A$@FEDORA.LOC
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd
19

If I access a shared folder on another Windows machine via the file
manager (\\win10a\share) from Windows, it works.

If I try to access win10a from the Fedora addc1 server with the xfreerdp
utility I can access it without problems; this is the log:

[lesca@addc1 ~]$ xfreerdp  /u:administrator@xxxxxxxxxx
/v:win10a.fedora.loc
[18:01:32:549] [2340:2341] [INFO][com.freerdp.core] -
freerdp_connect:freerdp_set_last_error_ex resetting error state
[18:01:32:549] [2340:2341] [INFO][com.freerdp.client.common.cmdline]
- loading channelEx rdpdr
[18:01:32:549] [2340:2341] [INFO][com.freerdp.client.common.cmdline]
- loading channelEx rdpsnd
[18:01:32:549] [2340:2341] [INFO][com.freerdp.client.common.cmdline]
- loading channelEx cliprdr
[18:01:35:857] [2340:2341] [INFO][com.freerdp.primitives] -
primitives autodetect, using optimized
[18:01:35:864] [2340:2341] [INFO][com.freerdp.core] -
freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex
resetting error state
[18:01:35:867] [2340:2341] [INFO][com.freerdp.core] -
freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[18:01:35:886] [2340:2341] [WARN][com.freerdp.crypto] - Certificate
verification failure 'unable to get local issuer certificate (20)' at
stack position 0
[18:01:35:886] [2340:2341] [WARN][com.freerdp.crypto] - CN =
win10a.fedora.loc
Password:
[18:01:39:264] [2340:2341] [INFO][com.freerdp.gdi] - Local
framebuffer format  PIXEL_FORMAT_BGRX32
[18:01:39:265] [2340:2341] [INFO][com.freerdp.gdi] - Remote
framebuffer format PIXEL_FORMAT_RGB16
[18:01:40:343] [2340:2341] [INFO][com.winpr.clipboard] - initialized
POSIX local file subsystem
[18:01:41:829] [2340:2341] [INFO][com.freerdp.channels.rdpsnd.client]
- Loaded fake backend for rdpsnd
[18:02:12:906] [2340:2341] [INFO][com.freerdp.core] -
rdp_set_error_info:freerdp_set_last_error_ex resetting error state
[18:02:12:906] [2340:2347]
[WARN][com.freerdp.channels.cliprdr.common] -
[cliprdr_packet_format_list_new] called with invalid type 00000000

Is this a known issue or is it a bug?

If you need any other information, let me know.

Many thanks


Is this the right place to submit this kind of question?
Or must I use another channel? Which one?

Please open a bug in Bugzilla.
This is one of the user-to-user authentication cases that aren't implemented
properly in MIT Kerberos and Samba AD for aliases (SPNs) of the machine
account:

 mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ
 192.168.122.102: 2ND_TKT_MISMATCH: authtime 1589554729,
 Administrator@xxxxxxxxxx for TERMSRV/win10a@xxxxxxxxxx, 2nd tkt
 client WIN10A$@FEDORA.LOC
 mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): closing down fd

From the Windows point of view, TERMSRV/win10a is a service principal name of
the WIN10A$ machine account, so they share the same key and are seen as
the same principal for the check that is being done here. MIT Kerberos
doesn't see them as aliases: it does an explicit compare of the
principals, and the requested service principal does not match the
principal in the evidence (2nd) ticket.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
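The following is an added example, not code from the thread, from MIT krb5 or from Samba. It models the user-to-user (ENC-TKT-IN-SKEY) check that Alexander describes above, so that a 2ND_TKT_MISMATCH line in mit_kdc.log can be triaged: under a literal principal compare (what the reply says the MIT KDC does) TERMSRV/win10a and WIN10A$ never match, while under an Active Directory style check every servicePrincipalName registered on the machine account is an alias of that account. The machine account table, the second log line (a WIN10B$ evidence ticket used against win10a) and the FEDORA.LOC realm, which the archive redacted in the original log, are all constructed for the example; this is a model of the rule as stated in the reply, not the KDC's real code path.

```python
"""Triage MIT KDC 2ND_TKT_MISMATCH log lines against a directory of machine accounts.

Added example (not from the thread, MIT krb5 or Samba). Two policies for the
user-to-user check: a literal compare of the requested server principal with the
client of the second (evidence) ticket, and an AD-style compare that accepts any
SPN registered on the evidence ticket's machine account as an alias.
"""
import re
from dataclasses import dataclass

# Constructed directory: sAMAccountName -> registered SPNs (assumed to mirror what
# AD would hold in servicePrincipalName). WIN10A$ and TERMSRV/win10a appear in the
# thread; every other entry is an assumption for the example.
MACHINE_ACCOUNTS = {
    "WIN10A$": ["HOST/win10a", "HOST/win10a.fedora.loc",
                "TERMSRV/win10a", "TERMSRV/win10a.fedora.loc",
                "RestrictedKrbHost/win10a"],
    "WIN10B$": ["HOST/win10b", "TERMSRV/win10b"],
}

# Constructed log sample in the mit_kdc.log format quoted in the thread; the realm
# is assumed to be FEDORA.LOC (the archive redacted it). Line 2 is a genuine
# mismatch: the evidence ticket belongs to WIN10B$, not to the requested host.
SAMPLE_LOG = """\
mag 15 16:58:49 addc1.fedora.loc krb5kdc[821](info): TGS_REQ 192.168.122.102: 2ND_TKT_MISMATCH: authtime 1589554729, Administrator@FEDORA.LOC for TERMSRV/win10a@FEDORA.LOC, 2nd tkt client WIN10A$@FEDORA.LOC
mag 15 16:59:01 addc1.fedora.loc krb5kdc[821](info): TGS_REQ 192.168.122.103: 2ND_TKT_MISMATCH: authtime 1589554741, Administrator@FEDORA.LOC for TERMSRV/win10a@FEDORA.LOC, 2nd tkt client WIN10B$@FEDORA.LOC
"""


@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str


def parse_principal(text):
    """Split 'name/instance@REALM' into components and realm (no '\\' escaping handled)."""
    name, sep, realm = text.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {text!r}")
    return Principal(tuple(name.split("/")), realm.upper())


def exact_match(requested, evidence_client):
    """Literal compare, as the reply describes the MIT KDC doing today."""
    return requested == evidence_client


def alias_aware_match(requested, evidence_client, accounts=MACHINE_ACCOUNTS):
    """AD-style check: the requested SPN may be any alias of the evidence ticket's account."""
    if requested.realm != evidence_client.realm:
        return False
    if requested == evidence_client:
        return True
    account = "/".join(evidence_client.components)   # e.g. 'WIN10A$'
    spn = "/".join(requested.components)             # e.g. 'TERMSRV/win10a'
    # SPN comparison is case-insensitive in AD; the realm was already compared above.
    return any(spn.lower() == alias.lower() for alias in accounts.get(account, ()))


MISMATCH_RE = re.compile(
    r"2ND_TKT_MISMATCH: authtime \d+, (?P<client>\S+) for (?P<server>\S+), "
    r"2nd tkt client (?P<evidence>\S+)")


def triage(log_text, accounts=MACHINE_ACCOUNTS):
    """For each 2ND_TKT_MISMATCH line, report whether the AD alias rule would have allowed it."""
    results = []
    for m in MISMATCH_RE.finditer(log_text):
        requested = parse_principal(m["server"])
        evidence = parse_principal(m["evidence"])
        results.append({
            "client": m["client"],
            "server": m["server"],
            "evidence": m["evidence"],
            "exact": exact_match(requested, evidence),
            "alias": alias_aware_match(requested, evidence, accounts),
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        verdict = "alias of the evidence account (SPN case)" if r["alias"] else "real mismatch"
        print(f'{r["client"]} -> {r["server"]} with 2nd tkt {r["evidence"]}: {verdict}')
```

Run against the sample, the first line is classified as the SPN alias case the reply describes (rejected by the literal compare, accepted by the alias rule), while the second stays a mismatch under both rules, which is the distinction worth making before filing or triaging a bug.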
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
