Created attachment 18178
Partial log from Samba server with the failure captured, Log Level 10
Attempted a repadmin from Windows Server vNext Insider Preview (build 25987) with destination being the Samba server and source being the vNext server, and caused an Invalid Parameter error.
Worked fine when running Server 2022 RTM, even after applying the vNext schema updates and adprep steps.
This is also reported to Microsoft under Feedback Hub report https://aka.ms/AAnc94e
Server is Samba 4.19.2-Debian, from the Trixie repo.
(In reply to William Feely from comment #0)
CPU is ARM64 (Raspberry Pi 4) which isn't on the list of processor architectures in the bug report list.
[2023/11/03 10:04:55.031067, 10, pid=54993, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:399(dcerpc_pull_auth_trailer)
dcerpc_pull_auth_trailer: auth_pad_length 8
[2023/11/03 10:04:55.031155, 1, pid=54993, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/gssapi_helper.c:294(gssapi_unseal_packet)
gss_unwrap_iov failed: A token was invalid: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2023/11/03 10:04:55.031189, 0, pid=54993, effective(0, 0), real(0, 0)] ../../source4/auth/gensec/gensec_gssapi.c:1288(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=76,data=96,pdu=128) failed: NT_STATUS_ACCESS_DENIED
Looks like there is a new mech code (0) for the GSS-API krb5 mechanism and Heimdal does not support it yet.
I wonder if we are starting to see a new negotiation Microsoft introduces to replace NTLM. Should we ask the protocols team for clarification?
(In reply to Alexander Bokovoy from comment #2)
Perhaps it has to do with this:
Do you have that enabled?
It would be great to see a network trace capture to understand what's wrong with the GSSAPI payload we see. It would also help when talking to Microsoft's protocols documentation team.
I just tested on Insider Preview 25997 and it appears the issue is now fixed as the new build is successfully syncing with the Samba server.
Thank you for the update.
I think we should close this bug then.