Can't get a TGS ticket from read-only domain controller

Tom Yu tlyu at mit.edu
Tue Jun 21 15:18:40 EDT 2016


It looks like you sent an email with only text/html, which the mailing
list software strips out.  You might want to make sure that you
configure your email to send text/plain as well.

I'm quoting your previous message below so others can see it:

<l at avc.su> writes:

> Hmmm. Not sure what happened. Here's the original text:
>  
> Hello, list!
>  
> I've stumbled upon a strange problem with acquiring ticket on CentOS 7 and
> Fedora 23 machines from Read-Only Domain Controller on Microsoft Windows 2012
> R2.
> I can get TGT from RODC, but can't get any TGS. Switching to nearest RW DC
> fixes this problem, but that's just a workaround. Moreover, we're getting this
> error not with all RODCs in the forest, but we are using single policy for RW
> and RO domain controllers. Here's the trace of getting TGS:
>  
> [root at centos7] # KRB5_TRACE=/dev/stdout kvno ldap/dc.contoso.com at CONTOSO.COM
> Getting credentials user at CONTOSO.COM -> ldap/dc.contoso.com at CONTOSO.COM using
> ccache FILE:/tmp/krb5cc_0
> Retrieving user at CONTOSO.COM -> ldap/dc.contoso.com at CONTOSO.COM from FILE:/tmp/
> krb5cc_0 with result: -1765328243/Matching credential not found
> Retrieving user at CONTOSO.COM -> krbtgt/CONTOSO.COM at CONTOSO.COM from FILE:/tmp/
> krb5cc_0 with result: 0/Success
> Starting with TGT for client realm: user at CONTOSO.COM -> krbtgt/
> CONTOSO.COM at CONTOSO.COM
> Requesting tickets for ldap/dc.contoso.com at CONTOSO.COM, referrals on
> Generated subkey for TGS request: aes256-cts/BECF
> etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1,
> rc4-hmac, camellia128-cts, camellia256-cts
> Encoding request body and padata into FAST request
> Sending request (2185 bytes) to CONTOSO.COM
> Resolving hostname dc.contoso.com
> Initiating TCP connection to stream 192.168.0.100:88
> Sending TCP request to stream 192.168.0.100:88
> Resolving hostname dc.contoso.com
> Sending initial UDP request to dgram 192.168.0.100:750
> Sending initial UDP request to dgram 192.168.0.100:88
> Sending retry UDP request to dgram 192.168.0.100:88
> Sending retry UDP request to dgram 192.168.0.100:88
> Terminating TCP connection to stream 192.168.0.100:88
> kvno: A service is not available that is required to process the request while
> getting credentials for ldap/dc.contoso.com at CONTOSO.COM
>
> At the first sight, it looks like a network problem. However, tcpdump +
> wireshark revealed that the packets are being sent and received with no errors,
> and dc.contoso.com replies with 'KRB Error: KRB5KDC_ERR_SVC_UNAVAILABLE'. So it
> looks like a problem on the DC itself. However, there are no failures logged.
> I can get TGT and TGS with no errors when I'm using CentOS 6. Digging with
> Wireshark revealed that TGS request on CentOS6 does not have FAST request in
> TGS_REQ packet. Is preauth on this system going with encrypted timestamp?
> I think it is somehow related to Kerberos FAST protocol and its implementation on
> Windows Server side.
> How can I disable FAST on Kerberos to test this?
> What else could I check in this situation?
>  
> Thanks :)
>  
>  
> 21.06.2016, 21:51, "l at avc.su" <l at avc.su>:
>     ________________________________________________
>     Kerberos mailing list Kerberos at mit.edu
>     https://mailman.mit.edu/mailman/listinfo/kerberos
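As an added example (not part of the thread), a short Python script that reduces a KRB5_TRACE TGS exchange like the one quoted above to the points the poster is comparing between CentOS 6 and CentOS 7: whether the TGS-REQ was FAST-armored, which KDC endpoints were contacted and retried, and the final error. The sample trace is constructed from the quoted output, and the function and class names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modeled on the KRB5_TRACE output quoted above (the list
# archive renders '@' as ' at '; real trace output uses '@', as here).
SAMPLE_TRACE = """\
Getting credentials user@CONTOSO.COM -> ldap/dc.contoso.com@CONTOSO.COM using ccache FILE:/tmp/krb5cc_0
Retrieving user@CONTOSO.COM -> krbtgt/CONTOSO.COM@CONTOSO.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
Requesting tickets for ldap/dc.contoso.com@CONTOSO.COM, referrals on
Encoding request body and padata into FAST request
Sending request (2185 bytes) to CONTOSO.COM
Initiating TCP connection to stream 192.168.0.100:88
Sending initial UDP request to dgram 192.168.0.100:750
Sending initial UDP request to dgram 192.168.0.100:88
Sending retry UDP request to dgram 192.168.0.100:88
Sending retry UDP request to dgram 192.168.0.100:88
kvno: A service is not available that is required to process the request while getting credentials for ldap/dc.contoso.com@CONTOSO.COM
"""

@dataclass
class TgsSummary:
    service: str = ""            # service principal the TGS-REQ asked for
    fast_armored: bool = False   # True when the client wrapped the TGS-REQ in FAST
    endpoints: list = field(default_factory=list)  # distinct KDC host:port contacted
    udp_retries: int = 0
    error: str = ""              # final error message, empty on success

def summarize_tgs_trace(trace: str) -> TgsSummary:
    """Reduce one KRB5_TRACE TGS exchange to the facts worth comparing between hosts."""
    s = TgsSummary()
    for line in trace.splitlines():
        if m := re.match(r"Requesting tickets for (\S+),", line):
            s.service = m.group(1)
        elif "into FAST request" in line:
            s.fast_armored = True
        elif m := re.search(r"(?:stream|dgram) (\S+:\d+)$", line):
            if m.group(1) not in s.endpoints:
                s.endpoints.append(m.group(1))
            if "retry UDP" in line:
                s.udp_retries += 1
        elif m := re.match(r"\w+: (.+?) while getting credentials", line):
            s.error = m.group(1)
    return s

def verdict(s: TgsSummary) -> str:
    """One line an admin can diff between a failing and a working client."""
    mode = "FAST-armored" if s.fast_armored else "plain"
    outcome = s.error or "success"
    return f"{s.service}: {mode} TGS-REQ to {', '.join(s.endpoints)} -> {outcome}"
```

Run `summarize_tgs_trace` on the trace from each client and compare the `verdict` lines; a "plain" line from the working host beside a "FAST-armored" line from the failing one confirms what the poster saw in Wireshark.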

