Bug 15761 - Can't authenticate to other servers on site with RODC without allowing replication of their machine accounts
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-12-05 14:40 UTC by Leonardo Bernardes
Modified: 2024-12-18 23:58 UTC

See Also:


Attachments
Packet capture screenshots (43.11 KB, application/x-zip-compressed)
2024-12-05 14:40 UTC, Leonardo Bernardes
Packet capture screenshots (from RODC) (19.19 KB, image/png)
2024-12-06 13:21 UTC, Leonardo Bernardes

Description Leonardo Bernardes 2024-12-05 14:40:44 UTC
Created attachment 18504
Packet capture screenshots

Hello,

I'm having a problem that happens when using a RODC. On a Windows client, I can't authenticate to servers whose machine accounts are not in the RODC Allowed group or aren't preloaded to the RODC via samba-tool rodc preload. Shouldn't this work normally, with the authentication request being redirected to a RWDC?

On Windows, I'm getting "wrong username or password".

On the Kerberos log (level 9), I get the following messages:

[2024/12/04 12:28:15.591790,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2024/12/04 12:28:15.591830,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2024/12/04 12:28:15.593137,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] tixaddrs=TYPE_20:4553502d56454c4f3032202020202020
[2024/12/04 12:28:15.593187,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] armor_client_name=username@DOMAIN.INTRA
[2024/12/04 12:28:15.593342,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client selected FAST
[2024/12/04 12:28:15.593363,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: FAST strengthen reply key with strengthen-key
[2024/12/04 12:28:15.593436,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ username@DOMAIN.INTRA from ipv4:192.168.132.31:51067 for cifs/fileserver@DOMAIN.INTRA[canonicalize, renewable, forwardable]
[2024/12/04 12:28:15.596649,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch_server: message2entry failed for cifs/fileserver@DOMAIN.INTRA
[2024/12/04 12:28:15.596695,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: target cifs/fileserver@DOMAIN.INTRA does not have secrets at this KDC, need to proxy
[2024/12/04 12:28:15.596711,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddreason(): adding reason Target not found here
[2024/12/04 12:28:15.596725,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.132.31:51067
[2024/12/04 12:28:15.596786,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.005004
[2024/12/04 12:28:15.596801,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE ipv4:192.168.132.31:51067 username@DOMAIN.INTRA cifs/fileserver@DOMAIN.INTRA elapsed=0.005004 armor_client_name=username@DOMAIN.INTRA tixaddrs=TYPE_20:4553502d56454c4f3032202020202020 reason=Target not found here

If I preload the server's machine account to the RODC, authentication works fine.

Attached to the bug report are two packet capture screenshots of the TGS-REQ and the RODC's response.

I'm on Samba 4.21.2.

Thanks
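An added triage script, not part of this report or of Samba, that scans KDC debug output of the kind quoted above for TGS-REQs the RODC answered with HDB_ERR_NOT_FOUND_HERE and tallies the target service principals, so an administrator can see which accounts the RODC could not serve itself. The embedded log lines are constructed to match the format in the report; the second failure (user2, host/app01) is invented.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Samba KDC debug output quoted
# in the report; the second failure (user2 -> host/app01) is invented.
SAMPLE_LOG = """\
[2024/12/04 12:28:15.593436,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ username@DOMAIN.INTRA from ipv4:192.168.132.31:51067 for cifs/fileserver@DOMAIN.INTRA[canonicalize, renewable, forwardable]
[2024/12/04 12:28:15.596695,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: target cifs/fileserver@DOMAIN.INTRA does not have secrets at this KDC, need to proxy
[2024/12/04 12:28:15.596801,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE ipv4:192.168.132.31:51067 username@DOMAIN.INTRA cifs/fileserver@DOMAIN.INTRA elapsed=0.005004 armor_client_name=username@DOMAIN.INTRA tixaddrs=TYPE_20:4553502d56454c4f3032202020202020 reason=Target not found here
[2024/12/04 12:30:01.000000,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE ipv4:192.168.132.40:50001 user2@DOMAIN.INTRA host/app01@DOMAIN.INTRA elapsed=0.004100 reason=Target not found here
"""

# Heimdal's audit summary line: "TGS-REQ <error> <client-addr> <client> <target> key=value ..."
NOT_FOUND_RE = re.compile(
    r"Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE\s+(?P<addr>\S+)\s+(?P<client>\S+)\s+(?P<target>\S+)"
)


def find_unproxied_targets(log_text):
    """Return (client_addr, client_principal, target_principal) for each TGS-REQ
    the RODC answered with HDB_ERR_NOT_FOUND_HERE, i.e. a target whose secrets
    this KDC does not hold and for which the request had to be proxied."""
    hits = []
    for line in log_text.splitlines():
        m = NOT_FOUND_RE.search(line)
        if m:
            hits.append((m.group("addr"), m.group("client"), m.group("target")))
    return hits


def preload_candidates(log_text):
    """Count failures per target service principal. The account that owns each
    SPN is what 'samba-tool rodc preload' or the RODC allowed-replication
    group would need to cover for the RODC to serve the ticket itself."""
    return Counter(target for _, _, target in find_unproxied_targets(log_text))


if __name__ == "__main__":
    for addr, client, target in find_unproxied_targets(SAMPLE_LOG):
        print(f"{addr}\t{client}\t-> {target}")
    for target, count in preload_candidates(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {target}")
```

Point it at a real log with `find_unproxied_targets(open(path).read())`; only the audit summary line per request is matched, so the earlier "need to proxy" line does not double-count.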
Comment 1 Leonardo Bernardes 2024-12-06 13:21:14 UTC
Created attachment 18505
Packet capture screenshots (from RODC)

The last packet capture did not contain the communication between the RODC and a writable DC in another site. Before the KRB5KDC_ERR_SVC_UNAVAILABLE response, there is some communication between the RODC and one of our writable DCs