Password:

        CCHE2l7$t$bJ]T

-----Original Message-----
From: Bryan Burgin 
Sent: Wednesday, December 14, 2011 10:08 PM
To: 'Andrew Bartlett'
Cc: '[email protected]'; 'Love Hörnquist Åstrand'; MSSolve Case Email; 
Tarun Chopra
Subject: RE: [REG:111121459051600] Puzzled: Heimdal upgrade breaks Win2k8 
dcpromo

Andrew,

Attached is the x64 Time Travel Trace utility (rename to .msi and install).  It 
will create the folder c:\debuggers\ttt.  From an elevated command prompt (run 
CMD as an Administrator), do:

-- Tasklist
-- Locate the task lsass and note its process number (PID)
-- Do "TTTracer -dumpfull -attach <lsass_pid>"
-- It will complain that you're not running the current version; just ignore 
that warning. 
-- In 30-60 seconds a small dialog box will appear in the upper-left corner of 
the screen.  This means that recording has begun.
-- Repro your issue
-- In the dialog, un-tick the checkbox that says it is logging/tracing.  This 
will stop the trace.  Do NOT press the Exit Application button -- that will 
terminate LSASS and crash the system.
-- In c:\debuggers\ttt there will be two files: lsass01.run and lsass01.out.  I 
need both those files (zipped, please).

You can upload the trace to https://[...].

I'll send a second password with the upload workspace's password.

B.

-----Original Message-----
From: Bryan Burgin 
Sent: Wednesday, December 14, 2011 1:51 PM
To: Andrew Bartlett
Cc: [email protected]; Love Hörnquist Åstrand; MSSolve Case Email
Subject: [REG:111121459051600] Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

[Dochelp to bcc]
[Adding case number to title & casemail]

Hi Andrew,

We made case 111121459051600 to track this issue.  I did a quick review of 
KDC_ERR_PREAUTH_REQUIRED (25).

I think the best way to dig into this issue is to capture a Time Travel Trace 
of the process LSASS on the Windows 2008 R2 machine while you are attempting 
this transaction.  The server-side code you are triggering is bound within 
LSASS.

I will send you the x64 tool to do this (a .msi), instructions and I'll also 
make you a file upload workspace to get the results in separate mail.

As you gather the Time Travel Trace, I'll review the materials you sent in more 
detail.

Bryan

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Tuesday, December 13, 2011 9:35 PM
To: Interoperability Documentation Help
Cc: [email protected]; Love Hörnquist Åstrand
Subject: Puzzled: Heimdal upgrade breaks Win2k8 dcpromo

Dochelp,

The issue I have is a very odd one.  I'm trying to import a new snapshot of 
Heimdal into Samba4.  I do this every now and then, and it is naturally good 
practice to ensure it continues to work with Windows.

It appears to work with Windows 7, but when I dcpromo from a Win2008R2 machine 
to a Samba4 domain, I get 'Logon Failure: the username or password is 
incorrect'.

The error occurs in the reply to an AS-REQ, with error 
KRB5KDC_ERR_PREAUTH_REQUIRED (25)

The big difference in this error packet between old and new versions is the 
inclusion of FAST, but then I patched that back out and it still fails.

I have prepared git branches in git://git.samba.org/abartlet/samba.git

import-lorikeet-1 is the old code, this works (good)
import-lorikeet-2 is the new code, and fails (bad)
import-lorikeet-3 includes a patch that results in an identical (timestamp 
aside) KRB-ERROR packet to import-lorikeet-1.  This also fails.  (not-match)

I would suspect that the error is elsewhere, but I cannot find any other 
interesting packets, and in the working case (packet 14), the Kerberos exchange 
continues to a clock skew (packet 23), and then a successful AS-REP (32).

My question is:  How do I find out why the Windows 2008R2 client running 
dcpromo is convinced that the error is 'username or password is incorrect'?  No 
password is ever presented, and the same underlying Samba DB is used, so I know 
this is not the problem...

I've CC'ed Love, the Heimdal maintainer in case he has any clues.

I've included the good, bad and 'not-match' (my attempt to revert only the 
change in the KRB-ERROR AS-REP packet) packets in various formats as 
attachments.  Also I include the pcap trace.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
