[37531] in Kerberos


Re: Can't get a TGS ticket from read-only domain controller

daemon@ATHENA.MIT.EDU (Tom Yu)
Tue Jun 21 15:19:03 2016

From: Tom Yu <tlyu@mit.edu>
To: kerberos@mit.edu
Date: Tue, 21 Jun 2016 15:18:40 -0400
In-Reply-To: <594061466536290@web29h.yandex.ru> (l.'s message of "Tue, 21 Jun
	2016 22:11:30 +0300")
Message-ID: <ldvwpli5p0v.fsf@sarnath.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

It looks like you sent an email with only text/html, which the mailing
list software strips out.  You might want to make sure that you
configure your email to send text/plain as well.

I'm quoting your previous message below so others can see it:

<l@avc.su> writes:

> Hmmm. Not sure what happened. Here's the original text:
>  
> Hello, list!
>  
> I've stumbled upon a strange problem with acquiring tickets on CentOS 7 and
> Fedora 23 machines from a Read-Only Domain Controller on Microsoft Windows 2012
> R2.
> I can get a TGT from the RODC, but can't get any TGS. Switching to the nearest RW DC
> fixes this problem, but that's just a workaround. Moreover, we're getting this
> error not with all RODCs in the forest, but we are using a single policy for RW
> and RO domain controllers. Here's the trace of getting a TGS:
>  
> [root@centos7] # KRB5_TRACE=/dev/stdout kvno ldap/dc.contoso.com@CONTOSO.COM
> Getting credentials user@CONTOSO.COM -> ldap/dc.contoso.com@CONTOSO.COM using
> ccache FILE:/tmp/krb5cc_0
> Retrieving user@CONTOSO.COM -> ldap/dc.contoso.com@CONTOSO.COM from FILE:/tmp/
> krb5cc_0 with result: -1765328243/Matching credential not found
> Retrieving user@CONTOSO.COM -> krbtgt/CONTOSO.COM@CONTOSO.COM from FILE:/tmp/
> krb5cc_0 with result: 0/Success
> Starting with TGT for client realm: user@CONTOSO.COM -> krbtgt/
> CONTOSO.COM@CONTOSO.COM
> Requesting tickets for ldap/dc.contoso.com@CONTOSO.COM, referrals on
> Generated subkey for TGS request: aes256-cts/BECF
> etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1,
> rc4-hmac, camellia128-cts, camellia256-cts
> Encoding request body and padata into FAST request
> Sending request (2185 bytes) to CONTOSO.COM
> Resolving hostname dc.contoso.com
> Initiating TCP connection to stream 192.168.0.100:88
> Sending TCP request to stream 192.168.0.100:88
> Resolving hostname dc.contoso.com
> Sending initial UDP request to dgram 192.168.0.100:750
> Sending initial UDP request to dgram 192.168.0.100:88
> Sending retry UDP request to dgram 192.168.0.100:88
> Sending retry UDP request to dgram 192.168.0.100:88
> Terminating TCP connection to stream 192.168.0.100:88
> kvno: A service is not available that is required to process the request while
> getting credentials for ldap/dc.contoso.com@CONTOSO.COM
>
> At first sight, it looks like a network problem. However, tcpdump +
> wireshark revealed that the packets are being sent and received with no errors,
> and dc.contoso.com replies with 'KRB Error: KRB5KDC_ERR_SVC_UNAVAILABLE'. So it
> looks like a problem on the DC itself. However, there are no failures logged.
> I can get a TGT and TGS with no errors when I'm using CentOS 6. Digging with
> Wireshark revealed that the TGS request on CentOS 6 does not have a FAST request in
> the TGS_REQ packet. Is preauth on this system going with encrypted timestamp?
> I think it's somehow related to the Kerberos FAST protocol and its implementation on
> the Windows Server side.
> How can I disable FAST on Kerberos to test this?
> What else could I check in this situation?
>  
> Thanks :)
>  
>  
> 21.06.2016, 21:51, "l@avc.su" <l@avc.su>:
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
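The KRB5_TRACE output quoted above is the evidence the poster is working from, so the following is an added triage helper (not code from the thread, MIT krb5, or the poster) that parses such a trace, records whether the TGS-REQ was FAST-armored, which transports and KDC endpoints were tried, whether any answer was logged, and the final client-side error, and then turns that into the checks the thread itself points at: capture port 88 on the wire to see what the KDC actually returned, and compare against a client that sends an unarmored TGS-REQ. The sample input is a constructed copy of the quoted trace with the mail wrapping undone; the wording of the "Received answer" line is assumed from MIT krb5's trace messages, since the thread never shows a reply.

```python
"""Triage helper for a failing MIT krb5 TGS exchange, driven by KRB5_TRACE output."""
import re
from dataclasses import dataclass, field

# Constructed sample: the trace quoted in the thread, re-joined where the mail wrapped it.
SAMPLE_TRACE = """\
Getting credentials user@CONTOSO.COM -> ldap/dc.contoso.com@CONTOSO.COM using ccache FILE:/tmp/krb5cc_0
Retrieving user@CONTOSO.COM -> ldap/dc.contoso.com@CONTOSO.COM from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
Retrieving user@CONTOSO.COM -> krbtgt/CONTOSO.COM@CONTOSO.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
Starting with TGT for client realm: user@CONTOSO.COM -> krbtgt/CONTOSO.COM@CONTOSO.COM
Requesting tickets for ldap/dc.contoso.com@CONTOSO.COM, referrals on
Generated subkey for TGS request: aes256-cts/BECF
etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
Encoding request body and padata into FAST request
Sending request (2185 bytes) to CONTOSO.COM
Resolving hostname dc.contoso.com
Initiating TCP connection to stream 192.168.0.100:88
Sending TCP request to stream 192.168.0.100:88
Resolving hostname dc.contoso.com
Sending initial UDP request to dgram 192.168.0.100:750
Sending initial UDP request to dgram 192.168.0.100:88
Sending retry UDP request to dgram 192.168.0.100:88
Sending retry UDP request to dgram 192.168.0.100:88
Terminating TCP connection to stream 192.168.0.100:88
kvno: A service is not available that is required to process the request while getting credentials for ldap/dc.contoso.com@CONTOSO.COM
"""

# Lines written to a real KRB5_TRACE sink start with "[pid] seconds.micro: ";
# the thread's quoted lines have that prefix stripped, so it is optional here.
_PREFIX = re.compile(r"^\[\d+\]\s+\d+(?:\.\d+)?:\s*")
_GETTING = re.compile(r"^Getting credentials (\S+) -> (\S+) using ccache (\S+)$")
_ETYPES = re.compile(r"^etypes requested in TGS request: (.+)$")
_SEND = re.compile(r"^Sending (?:initial |retry )?(TCP|UDP) request to (?:stream|dgram) (\S+)$")
# Assumed wording of the reply line (MIT krb5 trace message); the thread shows no reply at all.
_ANSWER = re.compile(r"^Received answer \((\d+) bytes\) from (?:stream|dgram) (\S+)$")
_KVNO_ERR = re.compile(r"^kvno: (.+) while getting credentials for (\S+)$")
FAST_MARKER = "Encoding request body and padata into FAST request"


@dataclass
class TgsAttempt:
    client: str = ""
    service: str = ""
    ccache: str = ""
    used_fast: bool = False
    etypes: list = field(default_factory=list)
    sends: list = field(default_factory=list)    # (transport, "ip:port") in the order tried
    answers: list = field(default_factory=list)  # (bytes, "ip:port") for every logged reply
    error: str = ""                              # final error kvno printed, if any


def parse_trace(text):
    """Extract the TGS-relevant facts from KRB5_TRACE output (plus kvno's own error line)."""
    a = TgsAttempt()
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        if m := _GETTING.match(line):
            a.client, a.service, a.ccache = m.groups()
        elif line == FAST_MARKER:
            a.used_fast = True
        elif m := _ETYPES.match(line):
            a.etypes = [e.strip() for e in m.group(1).split(",")]
        elif m := _SEND.match(line):
            a.sends.append((m.group(1), m.group(2)))
        elif m := _ANSWER.match(line):
            a.answers.append((int(m.group(1)), m.group(2)))
        elif m := _KVNO_ERR.match(line):
            a.error = m.group(1)
    return a


def triage(a):
    """Turn the parsed attempt into the next checks a practitioner should run."""
    findings = []
    kdcs = sorted({addr for _, addr in a.sends})
    if not a.sends:
        findings.append("no KDC was contacted: check realm and KDC lookup before anything else")
        return findings
    if not a.answers:
        findings.append(
            f"{len(a.sends)} send(s) to {', '.join(kdcs)} with no answer logged; the trace "
            "alone cannot show whether the KDC stayed silent or replied with a KRB-ERROR, "
            "so capture port 88 on the wire to see what it actually returned")
    if a.used_fast and not a.answers:
        findings.append(
            "the TGS-REQ was FAST-armored; compare with a client that sends an unarmored "
            "TGS-REQ to the same KDC to isolate whether FAST handling is the difference")
    if a.error:
        findings.append(f"client-side result: {a.error}")
    return findings


if __name__ == "__main__":
    attempt = parse_trace(SAMPLE_TRACE)
    print(f"service={attempt.service} fast={attempt.used_fast} sends={len(attempt.sends)}")
    for f in triage(attempt):
        print("-", f)
```

Run it as `KRB5_TRACE=/dev/stdout kvno <principal> 2>&1 | python3 triage.py` after changing the `__main__` block to read `sys.stdin`; on the quoted trace it reports a FAST-armored TGS-REQ, five sends to 192.168.0.100 over TCP and UDP (including the port 750 fallback) with no logged answer, and the SVC_UNAVAILABLE result, which is exactly the situation where the packet capture, not the client trace, settles what the RODC sent back.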
