Created attachment 18504
Packet capture screenshots

Hello,

I'm having a problem that happens when using a RODC. On a Windows client, I can't authenticate to servers whose machine accounts are not in the RODC Allowed group or aren't preloaded to the RODC via samba-tool rodc preload. Shouldn't this work normally, with the authentication request being redirected to a RWDC?

On Windows, I'm getting "wrong username or password". In the Kerberos log (level 9), I get the following messages:

[2024/12/04 12:28:15.591790, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: Probing for AS-REQ
[2024/12/04 12:28:15.591830, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: Probing for TGS-REQ
[2024/12/04 12:28:15.593137, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: heim_audit_vaddkv(): kv pair[0] tixaddrs=TYPE_20:4553502d56454c4f3032202020202020
[2024/12/04 12:28:15.593187, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: heim_audit_vaddkv(): kv pair[0] armor_client_name=username@DOMAIN.INTRA
[2024/12/04 12:28:15.593342, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: Client selected FAST
[2024/12/04 12:28:15.593363, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: FAST strengthen reply key with strengthen-key
[2024/12/04 12:28:15.593436, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ username@DOMAIN.INTRA from ipv4:192.168.132.31:51067 for cifs/fileserver@DOMAIN.INTRA[canonicalize, renewable, forwardable]
[2024/12/04 12:28:15.596649, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: samba_kdc_fetch_server: message2entry failed for cifs/fileserver@DOMAIN.INTRA
[2024/12/04 12:28:15.596695, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: target cifs/fileserver@DOMAIN.INTRA does not have secrets at this KDC, need to proxy
[2024/12/04 12:28:15.596711, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: heim_audit_vaddreason(): adding reason Target not found here
[2024/12/04 12:28:15.596725, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: Failed building TGS-REP to ipv4:192.168.132.31:51067
[2024/12/04 12:28:15.596786, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.005004
[2024/12/04 12:28:15.596801, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE ipv4:192.168.132.31:51067 username@DOMAIN.INTRA cifs/fileserver@DOMAIN.INTRA elapsed=0.005004 armor_client_name=username@DOMAIN.INTRA tixaddrs=TYPE_20:4553502d56454c4f3032202020202020 reason=Target not found here

If I preload the server's machine account to the RODC, authentication works fine.

Attached to the bug report are two packet capture screenshots of the TGS-REQ and the RODC's response.

I'm on Samba 4.21.2.

Thanks
Created attachment 18505
Packet capture screenshots (from RODC)

The last packet capture did not contain the communication between the RODC and a writable DC in another site. Before the KRB5KDC_ERR_SVC_UNAVAILABLE response, there is some communication between the RODC and one of our writable DCs.
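A small detection helper for the situation the report describes, added here as an example; it is not the reporter's code and not part of Samba. It scans the `Kerberos:` debug lines in the format shown above, pairs each TGS-REQ with the `HDB_ERR_NOT_FOUND_HERE` answer the RODC gives when it holds no secrets for the target, and reports which service principals an RODC could not serve itself (i.e. candidates for the Allowed group or `samba-tool rodc preload`). The function names, the second constructed client and the `cifs/preloaded` principal are assumptions made for the example; the first three sample lines are the reporter's, trimmed to the relevant entries.

```python
"""Flag service principals an RODC answered with HDB_ERR_NOT_FOUND_HERE.

Added example (not Samba's own code). Parses Samba's 'Kerberos:' debug lines
in the form shown in the bug report; the sample log below is constructed from
the reporter's lines plus extra, made-up entries for contrast.
"""
import re
from collections import defaultdict

# Constructed sample: the reporter's cifs/fileserver entries, a second
# (constructed) client hitting the same target, and a (constructed) request
# for a principal the RODC serves itself, so it must NOT be flagged.
SAMPLE_LOG = """\
[2024/12/04 12:28:15.593436, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ username@DOMAIN.INTRA from ipv4:192.168.132.31:51067 for cifs/fileserver@DOMAIN.INTRA[canonicalize, renewable, forwardable]
[2024/12/04 12:28:15.596695, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: target cifs/fileserver@DOMAIN.INTRA does not have secrets at this KDC, need to proxy
[2024/12/04 12:28:15.596801, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE ipv4:192.168.132.31:51067 username@DOMAIN.INTRA cifs/fileserver@DOMAIN.INTRA elapsed=0.005004 armor_client_name=username@DOMAIN.INTRA tixaddrs=TYPE_20:4553502d56454c4f3032202020202020 reason=Target not found here
[2024/12/04 12:29:01.100000, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ otheruser@DOMAIN.INTRA from ipv4:192.168.132.40:50001 for cifs/fileserver@DOMAIN.INTRA[canonicalize, renewable, forwardable]
[2024/12/04 12:29:01.104000, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ HDB_ERR_NOT_FOUND_HERE ipv4:192.168.132.40:50001 otheruser@DOMAIN.INTRA cifs/fileserver@DOMAIN.INTRA elapsed=0.004000 reason=Target not found here
[2024/12/04 12:30:00.000000, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: TGS-REQ username@DOMAIN.INTRA from ipv4:192.168.132.31:51080 for cifs/preloaded@DOMAIN.INTRA[canonicalize, renewable, forwardable]
"""

# "[timestamp, level] <file:line(func)> Kerberos: <message>"
LINE_RE = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+\S+\s+Kerberos:\s+(?P<msg>.*)$")
# Incoming ticket request: who asked, from where, for which target principal.
REQUEST_RE = re.compile(r"^TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<target>[^\[\s]+)")
# Final audit line for a request the RODC could not serve (no secrets here).
NOT_HERE_RE = re.compile(r"^TGS-REQ HDB_ERR_NOT_FOUND_HERE (?P<addr>\S+) (?P<client>\S+) (?P<target>\S+)")


def parse_kerberos_lines(text):
    """Yield (timestamp, message) for every 'Kerberos:' debug line in text."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("msg")


def find_unserved_targets(text):
    """Return {target principal: summary} for every TGS-REQ answered with
    HDB_ERR_NOT_FOUND_HERE, i.e. targets whose secrets are not on this RODC."""
    requested = defaultdict(int)  # target -> TGS-REQs seen for it
    unserved = defaultdict(lambda: {"count": 0, "clients": set(),
                                    "sources": set(), "first_seen": None})
    for ts, msg in parse_kerberos_lines(text):
        r = REQUEST_RE.match(msg)
        if r:
            requested[r["target"]] += 1
            continue
        n = NOT_HERE_RE.match(msg)
        if n:
            entry = unserved[n["target"]]
            entry["count"] += 1
            entry["clients"].add(n["client"])
            entry["sources"].add(n["addr"])
            if entry["first_seen"] is None:
                entry["first_seen"] = ts
    # Record how many requests were seen so the share of failures is visible.
    for target, entry in unserved.items():
        entry["requests"] = requested[target]
    return dict(unserved)


def served_locally(text):
    """Targets that were requested and never answered with NOT_FOUND_HERE."""
    flagged = set(find_unserved_targets(text))
    seen = {REQUEST_RE.match(m)["target"]
            for _, m in parse_kerberos_lines(text) if REQUEST_RE.match(m)}
    return sorted(seen - flagged)


if __name__ == "__main__":
    for target, e in find_unserved_targets(SAMPLE_LOG).items():
        print(f"{target}: {e['count']} of {e['requests']} TGS-REQs not served here "
              f"(first {e['first_seen']}, clients {sorted(e['clients'])})")
    print("served from this RODC:", served_locally(SAMPLE_LOG))
```

Run it against a level 3 (or higher) `log.samba` from the RODC; every principal it lists is one the RODC has no secrets for, which matches the reporter's observation that preloading the machine account makes authentication succeed. Hosts that are only ever served by proxying to a writable DC show up with `count` equal to `requests`.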