This is a bug report relating to the following thread on samba@lists.samba.org: https://lists.samba.org/archive/samba/2025-June/251595.html. The client is Ubuntu 24.04 with default Samba 4.19.5 packages joined to a Windows 2012 domain with two DCs. The initial message reported in the winbind log was: ads_krb5_mk_req: smb_krb5_get_credentials failed for HOST$@DOMAIN.LOCAL (Preauthentication failed) After tracing through the code it was found that when the random nonce in third_party/heimdal/lib/krb5/get_in_tkt.c had the highest 8 bits set then the request would fail, i.e. `nonce & 0xff000000 == 0xff000000` is true. To confirm that the following change was made: diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c index 6e48846bcb3..1317f33515d 100644 --- a/third_party/heimdal/lib/krb5/get_cred.c +++ b/third_party/heimdal/lib/krb5/get_cred.c 
@@ -551,6 +551,7 @@ get_cred_kdc(krb5_context context, krb5_generate_random_block(&nonce, sizeof(nonce)); nonce &= 0xffffffff; + nonce |= 0x7fffffff; if(flags.b.enc_tkt_in_skey && second_ticket == NULL){ ret = decode_Ticket(in_creds->second_ticket.data, no authentication was possible via winbind in this case with the error reported for every case. Checking in the code base the `nonce &= 0xffffffff;` bit mask appears unusual, in most other places it is 0x7ffffff (assuming the e vs f is for the purposes of the test script): $ git grep nonce | grep ffffff python/samba/tests/krb5/as_canonicalization_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/as_canonicalization_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/compatability_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/compatability_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/kdc_base_test.py: nonce=0x7fffffff, python/samba/tests/krb5/kdc_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/raw_testcase.py: nonce_max = 0x7fffffff python/samba/tests/krb5/s4u_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/s4u_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/s4u_tests.py: nonce=0x7ffffffe, python/samba/tests/krb5/simple_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/simple_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/simple_tests.py: nonce=0x7ffffffe, python/samba/tests/krb5/xrealm_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/xrealm_tests.py: nonce=0x7fffffff, python/samba/tests/krb5/xrealm_tests.py: nonce=0x7ffffffe, third_party/heimdal/lib/krb5/get_cred.c: nonce &= 0xffffffff; third_party/heimdal/lib/krb5/get_in_tkt.c: nonce &= 0xffffffff; third_party/heimdal/lib/krb5/init_creds_pw.c: ctx->nonce &= 0x7fffffff; Is it possible this change should be made (and possibly also relevant in get_in_tkt.c)? diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c index 6e48846bcb3..81c1c42e1b1 100644 
--- a/third_party/heimdal/lib/krb5/get_cred.c +++ b/third_party/heimdal/lib/krb5/get_cred.c @@ -550,7 +550,7 @@ get_cred_kdc(krb5_context context, padata.len = 0; krb5_generate_random_block(&nonce, sizeof(nonce)); - nonce &= 0xffffffff; + nonce &= 0x7fffffff; if(flags.b.enc_tkt_in_skey && second_ticket == NULL){ ret = decode_Ticket(in_creds->second_ticket.data, If this should be filed upstream at https://github.com/heimdal/heimdal I can do that.
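Review bot: the test hunk at `@@ -551,6 +551,7 @@` (`+ nonce |= 0x7fffffff;`) does not force the condition described in the report. It sets bits 0 to 30 and leaves bit 31 to `krb5_generate_random_block`, so the top byte is `0xff` only when bit 31 happens to come out set; to make every request hit the reported case the line would need to be `nonce |= 0xff000000;`. Separately, written as C the condition `nonce & 0xff000000 == 0xff000000` parses as `nonce & 1` because `==` binds tighter than `&`; the intended check is `(nonce & 0xff000000) == 0xff000000`.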
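Review bot: in the hunk at `@@ -550,7 +550,7 @@`, the removed mask `nonce &= 0xffffffff;` is a no-op if `nonce` is a 32-bit type, so the old line had no effect on the value sent, while `nonce &= 0x7fffffff;` clears bit 31 and matches the `ctx->nonce &= 0x7fffffff;` that the grep output shows in init_creds_pw.c. The same grep shows an identical `nonce &= 0xffffffff;` in get_in_tkt.c, so the fix should cover both call sites, and because the files live under third_party/heimdal it belongs upstream at heimdal/heimdal with the Windows 2012 DC behaviour recorded in the commit message.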
I did note that in third_party/heimdal/lib/asn1/pkinit.asn1 in some cases a nonce is signed and in others unsigned, but I've got a bit lost by this point trying to match what is happening against the documentation. As RP reported being unable to reproduce this then perhaps there is a bug in an external library or something else about the Ubuntu build or our environment which is wrong.
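The following is an added illustration, not Heimdal's or Samba's code, of why the `0x7fffffff` mask differs from `0xffffffff` and why the signed/unsigned question above matters. It assumes the nonce is a 32-bit signed integer (Heimdal's `krb5int32`) that is DER-encoded as an ASN.1 INTEGER in the request; the small DER encoder is written for this example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumption: nonce is a 32-bit signed integer (krb5int32). */

/* Current get_cred.c behaviour: masking a 32-bit value with 0xffffffff
 * changes nothing, so bit 31 stays random and the nonce may be negative. */
int32_t mask_nonce_current(uint32_t raw) { return (int32_t)(raw & 0xffffffff); }

/* init_creds_pw.c behaviour: clearing bit 31 keeps the nonce non-negative. */
int32_t mask_nonce_proposed(uint32_t raw) { return (int32_t)(raw & 0x7fffffff); }

/* Minimal DER INTEGER encoder for one 32-bit value.  With is_signed == 0 the
 * value is an unsigned quantity (a 0x00 pad byte is added when bit 31 is set);
 * otherwise it is a two's-complement signed integer.  Writes tag, length and
 * content into out[] and returns the total number of bytes. */
size_t der_encode_int32(uint32_t v, int is_signed, uint8_t out[8]) {
    uint8_t buf[5];
    size_t n = 0, start = 0;
    if (!is_signed && (v & 0x80000000u)) buf[n++] = 0x00;
    buf[n++] = (uint8_t)(v >> 24); buf[n++] = (uint8_t)(v >> 16);
    buf[n++] = (uint8_t)(v >> 8);  buf[n++] = (uint8_t)v;
    /* DER minimal form: drop redundant leading 0x00 / 0xff bytes. */
    while (start + 1 < n &&
           ((buf[start] == 0x00 && !(buf[start + 1] & 0x80)) ||
            (buf[start] == 0xff && (buf[start + 1] & 0x80))))
        start++;
    out[0] = 0x02;                       /* INTEGER tag */
    out[1] = (uint8_t)(n - start);       /* content length */
    memcpy(out + 2, buf + start, n - start);
    return 2 + (n - start);
}

/* Total encoded length of v under the given interpretation. */
size_t der_int32_len(uint32_t v, int is_signed) {
    uint8_t tmp[8];
    return der_encode_int32(v, is_signed, tmp);
}

/* 1 when the encoding is identical whether the peer treats the field as
 * signed or unsigned, which is exactly the case when bit 31 is clear. */
int nonce_encoding_is_sign_agnostic(uint32_t nonce) {
    uint8_t a[8], b[8];
    size_t la = der_encode_int32(nonce, 1, a);
    size_t lb = der_encode_int32(nonce, 0, b);
    return la == lb && memcmp(a, b, la) == 0;
}
```

A nonce with its top byte set (the failing case in the report) encodes as a 4-byte negative INTEGER when read as signed and as a 5-byte positive one when read as unsigned; after the `0x7fffffff` mask both readings agree.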
The original test patch to prove the issue was wrong, it should have looked like: diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c index 6e48846bcb3..1317f33515d 100644 --- a/third_party/heimdal/lib/krb5/get_cred.c +++ b/third_party/heimdal/lib/krb5/get_cred.c @@ -551,6 +551,7 @@ get_cred_kdc(krb5_context context, krb5_generate_random_block(&nonce, sizeof(nonce)); nonce &= 0xffffffff; + nonce |= 0xff000000; if(flags.b.enc_tkt_in_skey && second_ticket == NULL){ ret = decode_Ticket(in_creds->second_ticket.data,
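Review bot: `+ nonce |= 0xff000000;` in this hunk now forces the top byte of every nonce, which matches the `nonce & 0xff000000 == 0xff000000` condition from the report and makes the failure deterministic rather than dependent on the random block. Keep it clearly marked as a reproduction-only change so it is not confused with the proposed `nonce &= 0x7fffffff;` fix, and run a second build with only the `0x7fffffff` mask applied to confirm the mask alone makes the winbind error disappear.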
(In reply to James Dingwall from comment #1) No, I didn't say I couldn't reproduce it, I said that it didn't happen on my correctly set up Unix domain member, where the default domain '*' uses tdb and the 'DOMAIN' domain uses rid, unlike your set up that is using 'autorid' (with 'ignore builtin = yes') for the default domain and 'rid' for the 'DOMAIN' domain.
(In reply to Rowland Penny from comment #3) I now can say that I cannot reproduce this error, using the bug reporter's smb.conf and a script based on his, it just works, potentially for ever. The big difference is that I used the latest Samba against Samba AD DCs.