2008 R2

Bill Fellows wrfellows at yahoo.com
Thu Sep 23 13:51:44 EDT 2010


Mike,

Thanks for your reply.

According to the information I've gotten from Microsoft, the 2008 SP2 does not apply to 2008 R2. Also the hotfix you mentioned doesn't apply to 2008 R2. 

We got this response from Microsoft technical support:

"I have received an update from my SME on the data which has been provided to us. The problem is the name-type used for the TGT request is set to Unknown:

133  2010-08-26 17:15:17.284157  x.x.x.x  x.x.x.x  KRB5  AS-REQ
Server Name (Unknown): krbtgt/EXAMPLE.COM
Name-type: Unknown (0)
Name: krbtgt
Name: EXAMPLE.COM

The name-type needs to be Service and Instance.  The reason why it works against the Writable DCs is because those DCs don't need to proxy the authentication, RODCs do.  In W2K8R2 there were additional checks in the Kerberos decryption code path which now exposes this problem."

I've attached a network capture displaying this problem.

Thanks again,
Bill Fellows



--- On Wed, 9/22/10, Mike Patnode <mike.patnode at centrify.com> wrote:

> From: Mike Patnode <mike.patnode at centrify.com>
> Subject: RE: 2008 R2
> To: "Bill Fellows" <wrfellows at yahoo.com>, "krbdev at mit.edu" <krbdev at mit.edu>
> Date: Wednesday, September 22, 2010, 2:52 PM
> Have you installed SP2 or this hotfix?
> 
> http://support.microsoft.com/kb/951191
> 
> -----Original Message-----
> From: krbdev-bounces at mit.edu
> [mailto:krbdev-bounces at mit.edu]
> On Behalf Of Bill Fellows
> Sent: Wednesday, September 22, 2010 2:13 PM
> To: krbdev at mit.edu
> Subject: 2008 R2 
> 
> Hi,
> 
> I'm unable to authenticate through Kerberos to a 2008 R2
> read only domain controller (RODC) with Samba 3.5.5. I
> changed the krb5_princ_type field in bld_pr_ext.c
> krb5_build_principal_ext() to KRB5_NT_SRV_INST from
> KRB5_NT_UNKNOWN and this solved the problem. Is there a
> better / safer fix for this bug?
> 
> Thanks,
> Bill Fellows
> 
> 
>
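
Added example, not part of the original thread and not MIT krb5 or Samba code: a small check that decodes a DER-encoded Kerberos PrincipalName (RFC 4120) and reports whether a krbtgt/REALM server name carries name-type NT-SRV-INST (2) instead of NT-UNKNOWN (0), the condition described in the Microsoft response above. The sample bytes are constructed to match the quoted capture; the function names are hypothetical.

```python
# Added example: validate the name-type of a DER PrincipalName (RFC 4120, 5.2.2).
NT_UNKNOWN, NT_SRV_INST = 0, 2  # name-type values from RFC 4120, section 6.2


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want):
    """Read one element and require a specific tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, nxt


def parse_principal_name(der):
    """Decode SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF }."""
    body, _ = expect(der, 0, 0x30)
    field, pos = expect(body, 0, 0xA0)          # name-type [0]
    name_type = int.from_bytes(expect(field, 0, 0x02)[0], "big", signed=True)
    field, _ = expect(body, pos, 0xA1)          # name-string [1]
    seq, _ = expect(field, 0, 0x30)
    parts, pos = [], 0
    while pos < len(seq):
        raw, pos = expect(seq, pos, 0x1B)       # KerberosString (GeneralString)
        parts.append(raw.decode("ascii"))
    return name_type, parts


def tgs_name_type_ok(der):
    """False when a two-part krbtgt/REALM name is not typed NT-SRV-INST."""
    name_type, parts = parse_principal_name(der)
    is_tgs = len(parts) == 2 and parts[0] == "krbtgt"
    return not is_tgs or name_type == NT_SRV_INST


# Constructed sample: krbtgt/EXAMPLE.COM with name-type 0, as in the capture.
SAMPLE_UNKNOWN = bytes.fromhex(
    "301ea003020100a11730151b066b72627467741b0b4558414d504c452e434f4d")
# Same name with the name-type octet changed to 2 (NT-SRV-INST).
SAMPLE_SRV_INST = SAMPLE_UNKNOWN[:6] + b"\x02" + SAMPLE_UNKNOWN[7:]
```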


      

