Hi,
A few days ago we were talking about the different service records (_ldap, _kerberos and _kpasswd) and when these are used. Joe did a network trace and posted his findings. I was also curious and I also did a network trace. Here are my findings. (I did not go through the traces thoroughly.)
I did three network traces and used the following:
Configuration used:
* Windows 2003 SP0 installed and upgraded to SP1 -> DC/DNS
* Windows 2003 SP1 installed -> Client
* 1 AD domain
* Network monitor installed on both the client and the DC
* Network monitor used: Packetyzer 4.0.0
TRACES:
(1) Joining a client to an AD domain
--> _ldap SRV RR and _kerberos SRV RR used
--> NetBIOS also used to determine DCs. Don't understand this one!
--> Received "KRB5KRB_ERR_RESPONSE_TOO_BIG" several times. Don't understand this one!
(2) Booting of a client and the logon of a user
--> _ldap SRV RR used. Use of _kerberos SRV RR not detected, but Kerberos authentication is used!
--> Received "KRB5KRB_ERR_RESPONSE_TOO_BIG" several times. Don't understand this one!
(3) Password change of a user account
--> Received "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN". The client used the SPN "cifs/172.16.1.11" instead of "cifs/w2k3dc01.w2k3domain.lan". Don't understand why.
As far as I know, the _kpasswd service record is for the Kerberos Password Change service, but I have not seen it being used in the trace.
For the specific findings see below.
Cheers,
#JORGE#
PS: If anyone is interested in also receiving the traces, mail me offline.
(1) findings:
Queries (FROM THE CLIENT TO THE DC) --> 4x
_ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
Name: _ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN
Type: SRV (Service location)
Class: IN (0x0001)
Queries (FROM THE CLIENT TO THE DC) --> 8x
W2K3DOMAIN.LAN<1c>: type NB, class IN
Name: W2K3DOMAIN.LAN<1c> (Domain Controllers)
Type: NB
Class: IN
Queries (FROM THE CLIENT TO THE DC) --> 1x
_kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
Name: _kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN
Type: SRV (Service location)
Class: IN (0x0001)
Kerberos AS-REQ (User Datagram Protocol, Src Port: 1050 (1050), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1050 (1050)) (FROM THE DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:20:00 (Z)
susec: 665713
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Realm: W2K3DOMAIN.LAN
Server Name (Service and Instance): krbtgt/W2K3DOMAIN.LAN
Name-type: Service and Instance (2)
Name: krbtgt
Name: W2K3DOMAIN.LAN
Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1052 (1052), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1052 (1052)) (FROM DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:20:01 (Z)
susec: 962588
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Realm: W2K3DOMAIN.LAN
Server Name (Service and Instance): cifs/w2k3dc01.w2k3domain.lan
Name-type: Service and Instance (2)
Name: cifs
Name: w2k3dc01.w2k3domain.lan
Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1069 (1069), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1069 (1069)) (FROM THE DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:20:08 (Z)
susec: 259463
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Realm: W2K3DOMAIN.LAN
Server Name (Service and Instance): ldap/w2k3dc01.w2k3domain.lan
Name-type: Service and Instance (2)
Name: ldap
Name: w2k3dc01.w2k3domain.lan
(2) findings:
Queries (FROM THE CLIENT TO THE DC) --> 3x
W2K3DC01.W2K3DOMAIN.LAN: type A, class IN
Name: W2K3DC01.W2K3DOMAIN.LAN
Type: A (Host address)
Class: IN (0x0001)
Queries (FROM THE CLIENT TO THE DC) --> 1x
_ldap._tcp.Default-First-Site-Name._sites.W2K3DOMAIN.LAN: type SRV, class IN
Name: _ldap._tcp.Default-First-Site-Name._sites.W2K3DOMAIN.LAN
Type: SRV (Service location)
Class: IN (0x0001)
Kerberos AS-REQ (User Datagram Protocol, Src Port: 1069 (1069), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1069 (1069)) (FROM THE DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:27:19 (Z)
susec: 90859
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Realm: W2K3DOMAIN
Server Name (Service and Instance): krbtgt/W2K3DOMAIN
Name-type: Service and Instance (2)
Name: krbtgt
Name: W2K3DOMAIN
Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1071 (1071), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1071 (1071)) (FROM THE DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:27:19 (Z)
susec: 106484
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Realm: W2K3DOMAIN.LAN
Server Name (Service and Host): host/w2k3sp1srv00.w2k3domain.lan
Name-type: Service and Host (3)
Name: host
Name: w2k3sp1srv00.w2k3domain.lan
Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1073 (1073), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1073 (1073)) (FROM THE DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:27:20 (Z)
susec: 75234
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Realm: W2K3DOMAIN.LAN
Server Name (Service and Instance): cifs/W2K3DC01.W2K3DOMAIN.LAN
Name-type: Service and Instance (2)
Name: cifs
Name: W2K3DC01.W2K3DOMAIN.LAN
(3) findings
NO SRV RRs used here
Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1085 (1085), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1085 (1085)) (FROM THE DC TO THE CLIENT)
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2005-05-07 20:31:10 (Z)
susec: 262734
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: W2K3DOMAIN.LAN
Server Name (Service and Instance): cifs/172.16.1.11
Name-type: Service and Instance (2)
Name: cifs
Name: 172.16.1.11
Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089
5605 JB Eindhoven
Tel: +31-(0)40-29.57.777
Fax: +31-(0)40-29.57.709
Mobile: +31-(0)6-26.26.62.80
E-mail: [EMAIL PROTECTED]
<http://www.logicacmg.com/> - Solutions that matter -

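Added example, not part of the original message: a small Python triage of KRB-ERROR records in the dissector text format shown in the findings above. It relies on the RFC 4120 meanings of the two error codes in the trace (52: response too big for UDP, retry with TCP; 7: server not found in the Kerberos database); the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from three KRB-ERROR records in the trace above.
TRACE = """\
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1050 (1050)) (FROM THE DC TO THE CLIENT)
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Server Name (Service and Instance): krbtgt/W2K3DOMAIN.LAN
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1052 (1052)) (FROM DC TO THE CLIENT)
error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
Server Name (Service and Instance): cifs/w2k3dc01.w2k3domain.lan
Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1085 (1085)) (FROM THE DC TO THE CLIENT)
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Server Name (Service and Instance): cifs/172.16.1.11
"""

ERR_RE = re.compile(r"error_code:\s*\S+\s*\((\d+)\)")
SPN_RE = re.compile(r"Server Name \([^)]*\):\s*(\S+)")

def host_is_ip(spn):
    # True when the instance part of "service/instance" is an IP literal.
    try:
        ipaddress.ip_address(spn.split("/", 1)[-1])
        return True
    except ValueError:
        return False

def parse_errors(text):
    """Return one dict (udp, code, spn) per KRB-ERROR record in the text."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Kerberos KRB-ERROR"):
            cur = {"udp": "User Datagram Protocol" in line}
            records.append(cur)
        elif cur is not None:
            if m := ERR_RE.search(line):
                cur["code"] = int(m.group(1))
            if m := SPN_RE.search(line):
                cur["spn"] = m.group(1)
    return records

def triage(rec):
    code = rec.get("code")
    if code == 52 and rec["udp"]:
        return "expected: reply too large for UDP, client retries over TCP"
    if code == 7 and host_is_ip(rec.get("spn", "")):
        return "review: SPN built from an IP address, not found in the Kerberos database"
    return "unclassified"
```

Running `[triage(r) for r in parse_errors(TRACE)]` separates the routine UDP-to-TCP retries from the one request whose SPN was built from an address rather than a host name.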