Bug 15510 - Windows Server vNext Insider Preview fails to sync to Samba 4.19.2 DC with Invalid Parameter
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.19.2
Hardware: Other All
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-11-03 17:09 UTC by William Feely
Modified: 2023-11-23 08:31 UTC

See Also:

Partial log from Samba server with the failure captured, Log Level 10 (34.35 KB, text/plain)
2023-11-03 17:09 UTC, William Feely

Description William Feely 2023-11-03 17:09:41 UTC
Created attachment 18178
Partial log from Samba server with the failure captured, Log Level 10

Attempted a repadmin from Windows Server vNext Insider Preview (build 25987) with destination being the Samba server and source being the vNext server, and caused an Invalid Parameter error.

Worked fine when running Server 2022 RTM, even after applying the vNext schema updates and adprep steps.

This is also reported to Microsoft under Feedback Hub report https://aka.ms/AAnc94e

Server is Samba 4.19.2-Debian, from the Trixie repo.
Comment 1 William Feely 2023-11-03 17:31:04 UTC
(In reply to William Feely from comment #0)
CPU is ARM64 (Raspberry Pi 4) which isn't on the list of processor architectures in the bug report list.
Comment 2 Alexander Bokovoy 2023-11-06 10:49:20 UTC
[2023/11/03 10:04:55.031067, 10, pid=54993, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:399(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 8
[2023/11/03 10:04:55.031155,  1, pid=54993, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_helper.c:294(gssapi_unseal_packet)
  gss_unwrap_iov failed:  A token was invalid: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2023/11/03 10:04:55.031189,  0, pid=54993, effective(0, 0), real(0, 0)] ../../source4/auth/gensec/gensec_gssapi.c:1288(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=76,data=96,pdu=128) failed: NT_STATUS_ACCESS_DENIED

Looks like there is a new mech code (0) for the GSS-API krb5 mechanism and Heimdal does not support it yet.

I wonder if we are starting to see a new negotiation Microsoft introduces to replace NTLM. Should we ask the protocols team for clarification?
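The log excerpt above shows the failure chain a defender would want to pick out of a level-10 Samba log automatically: the DCE/RPC auth trailer is pulled, gss_unwrap_iov rejects the token with an unknown mech-code for the krb5 mechanism OID, and gensec maps that to NT_STATUS_ACCESS_DENIED. The following Python is an added example, not code from this bug report or from Samba: it parses the Samba debug header layout as it appears in the quoted lines (date, level, pid, effective/real ids, optional class, file:line(function), followed by an indented message line) and pairs each gss_unwrap_iov failure with the status the gensec layer returned. The function names and the Record type are this example's own; the sample log is the three entries quoted in comment 2.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Samba debug header, as seen in the quoted log:
# "[YYYY/MM/DD HH:MM:SS.uuuuuu, level, pid=N, effective(u, g), real(u, g)[, class=X]] file:line(func)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r" pid=(?P<pid>\d+), effective\(\d+, \d+\), real\(\d+, \d+\)"
    r"(?:, class=(?P<cls>\w+))?\] (?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Heimdal's error text: "unknown mech-code <n> for mech <space-separated OID arcs>"
MECH_RE = re.compile(r"unknown mech-code (?P<code>\d+) for mech (?P<oid>\d+(?: \d+)*)")
STATUS_RE = re.compile(r"failed: (?P<status>NT_STATUS_\w+)")
UNSEAL_ARGS_RE = re.compile(r"gssapi_unseal_packet\((?P<args>[^)]*)\)")

# The three entries quoted in comment 2 (taken from the page, used here as sample input).
SAMPLE_LOG = """\
[2023/11/03 10:04:55.031067, 10, pid=54993, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:399(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 8
[2023/11/03 10:04:55.031155,  1, pid=54993, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_helper.c:294(gssapi_unseal_packet)
  gss_unwrap_iov failed:  A token was invalid: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2023/11/03 10:04:55.031189,  0, pid=54993, effective(0, 0), real(0, 0)] ../../source4/auth/gensec/gensec_gssapi.c:1288(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=76,data=96,pdu=128) failed: NT_STATUS_ACCESS_DENIED
"""


@dataclass
class Record:
    """One Samba debug entry: the header fields plus its continuation message."""
    ts: str
    level: int
    pid: int
    cls: Optional[str]
    file: str
    func: str
    message: str = ""


def parse_samba_log(text: str) -> list[Record]:
    """Group header lines and their indented continuation lines into records."""
    records: list[Record] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            records.append(Record(ts=m["ts"], level=int(m["level"]), pid=int(m["pid"]),
                                  cls=m["cls"], file=m["file"], func=m["func"]))
        elif records and raw.strip():
            # Non-header, non-empty line: message text for the most recent header.
            rec = records[-1]
            rec.message = (rec.message + " " + raw.strip()).strip()
    return records


def find_unseal_failures(records: list[Record]) -> list[dict]:
    """Pair each gss_unwrap_iov failure with the NT_STATUS gensec returned for the same pid."""
    findings: list[dict] = []
    pending: Optional[dict] = None
    for rec in records:
        if rec.func == "gssapi_unseal_packet" and "gss_unwrap_iov failed" in rec.message:
            m = MECH_RE.search(rec.message)
            pending = {
                "ts": rec.ts,
                "pid": rec.pid,
                # Dotted OID form; 1.2.840.113554.1.2.2 is the Kerberos V5 GSS mechanism.
                "mech_oid": m["oid"].replace(" ", ".") if m else None,
                "mech_code": int(m["code"]) if m else None,
            }
        elif rec.func == "gensec_gssapi_unseal_packet" and pending and rec.pid == pending["pid"]:
            s = STATUS_RE.search(rec.message)
            a = UNSEAL_ARGS_RE.search(rec.message)
            pending["status"] = s["status"] if s else None
            # "hdr_signing=1,sig_size=76,..." -> {"hdr_signing": "1", "sig_size": "76", ...}
            pending["args"] = dict(kv.split("=", 1) for kv in a["args"].split(",")) if a else {}
            findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for finding in find_unseal_failures(parse_samba_log(SAMPLE_LOG)):
        print(finding)
```

Feeding a full level-10 log through parse_samba_log and find_unseal_failures gives one entry per rejected token, with the mechanism OID, the unknown mech-code and the resulting status, which is enough to count how many replication attempts a given client build broke and to spot when the failures stop, as they did in build 25997.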
Comment 3 William Feely 2023-11-06 16:17:49 UTC
(In reply to Alexander Bokovoy from comment #2)
Perhaps it has to do with this:
Comment 4 Alexander Bokovoy 2023-11-07 07:45:28 UTC
Do you have that enabled?

It would be great to see a network trace capture to understand what's wrong with the GSSAPI payload we see. It would also help when talking to Microsoft's protocols documentation team.
Comment 5 William Feely 2023-11-21 21:32:15 UTC
I just tested on Insider Preview 25997 and it appears the issue is now fixed as the new build is successfully syncing with the Samba server.
Comment 6 Alexander Bokovoy 2023-11-23 08:31:07 UTC
Thank you for the update.

I think we should close this bug then.