OmniOS -- Netlogon RPC Sealing Support


gea

Well-Known Member
I have just tried and found:

Updated OmniOS 151046 with today's sealing patch
Reset Windows 2019 AD server to a state prior to the deadline

Joined OmniOS to domain (napp-it menu Services > SMB > Active Directory)
Everything OK (needed to wait a short time)

Reboot OmniOS
SMB access failed with log entries (napp-it menu System > Log):
Jun 21 13:39:38 omnios46 smbd[496]: [ID 122762 daemon.error] smb_domain_getinfo: no DC info
Jun 21 13:40:28 omnios46 smbd[496]: [ID 122762 daemon.error] smb_domain_getinfo: no DC info
Jun 21 13:42:08 omnios46 smbd[496]: [ID 892017 daemon.notice] smb_locate_dc timeout
Jun 21 13:42:08 omnios46 smbd[496]: [ID 199031 daemon.notice] smbd_dc_update: local.de: locate failed

Rejoin domain
OK again

gea

Well-Known Member
Due to a remark from an illumos dev, I rechecked the settings, and the reason for my problem seems to be the DHCP server with Google DNS that overwrites the DNS settings from the AD join during boot. I was irritated because it worked prior to the Windows+OmniOS updates.

Everything ok now for me.
 

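The failure mode gea describes (DHCP handing the box public resolvers at boot, so the SRV lookups that smbd's DC locator needs go to a server that has never heard of the domain) can be caught with a small resolver check before rejoining. The following is an added example, not code from the thread, napp-it or OmniOS; the DC addresses, the `local.de` domain name taken from gea's log line, and both resolv.conf texts are constructed sample data.

```python
"""Check /etc/resolv.conf on an OmniOS/illumos host against what an AD join needs.

Added example, not code from the thread, napp-it or OmniOS. The DC addresses,
the AD domain and both resolv.conf texts below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Well-known public resolvers; none of them can answer the domain's private
# SRV records (_ldap._tcp.dc._msdcs.<domain>, _kerberos._udp.<domain>, ...).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}


@dataclass
class ResolverReport:
    nameservers: List[str]
    domain: Optional[str]
    search: List[str]
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_resolv_conf(text: str) -> Tuple[List[str], Optional[str], List[str]]:
    """Return (nameservers, domain, search) from resolv.conf text; comments are dropped."""
    nameservers: List[str] = []
    domain: Optional[str] = None
    search: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "domain" and args:
            domain = args[0].rstrip(".").lower()
        elif key == "search":
            # The resolver treats a later "search" as replacing "domain"; we keep both for the report.
            search = [s.rstrip(".").lower() for s in args]
    return nameservers, domain, search


def check_resolver(text: str, dc_addresses: Set[str], ad_domain: str) -> ResolverReport:
    """Flag anything in resolv.conf that would make the DC locator fail after a reboot."""
    nameservers, domain, search = parse_resolv_conf(text)
    report = ResolverReport(nameservers, domain, search)
    ad_domain = ad_domain.rstrip(".").lower()

    if not nameservers:
        report.problems.append("no nameserver entries: AD SRV lookups cannot succeed")
    for ns in nameservers:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            report.problems.append(f"nameserver {ns!r} is not an IP address")
            continue
        if ns in PUBLIC_RESOLVERS:
            report.problems.append(
                f"nameserver {ns} is a public resolver and cannot answer _ldap._tcp.dc._msdcs.{ad_domain}"
            )
        elif ns not in dc_addresses:
            report.problems.append(f"nameserver {ns} is not one of the known DCs {sorted(dc_addresses)}")
    if domain != ad_domain and ad_domain not in search:
        report.problems.append(f"AD domain {ad_domain} is neither the domain nor in the search list")
    return report


# Constructed samples: what the DHCP client might write after a boot on a scope
# that hands out Google DNS, and what the join actually needs.
AFTER_DHCP = """\
# constructed sample, not a real file
domain local.de
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

WANTED = """\
# constructed sample, not a real file
domain local.de
search local.de
nameserver 192.168.1.10
nameserver 192.168.1.11
"""

DC_ADDRESSES = {"192.168.1.10", "192.168.1.11"}  # constructed DC addresses


def main() -> None:
    for label, text in (("after DHCP", AFTER_DHCP), ("wanted", WANTED)):
        report = check_resolver(text, DC_ADDRESSES, "local.de")
        print(f"{label}: {'OK' if report.ok else 'BROKEN'}")
        for problem in report.problems:
            print("  -", problem)


if __name__ == "__main__":
    main()
```

Run it against the live /etc/resolv.conf right after a reboot: if the nameserver list differs from what the join wrote, the DHCP client is rewriting it. On illumos the DHCP client's handling of server-supplied options is configured in /etc/default/dhcpagent (see the dhcpagent(1M) man page of your release and its PARAM_IGNORE_LIST); a static resolver pointing at the DCs, or a DHCP scope that hands out the DCs, removes the race entirely.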
cmderr

New Member
Well, I'm still not getting it to join. Still:
KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
We ran some packet captures on both the AD server and my OmniOS client. I'm sending KPASSWD on UDP 464 and the Domain Controllers never see it. Looking at the capture:

234 11.773759 [Client_IP] [Server_IP] IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=0142) [Reassembled in #235]
235 11.773760 [Client_IP] [Server_IP] KPASSWD 465 Request

The whole packet is fragmented and reassembled. So there's a chance it's getting dropped somewhere in between. I've been trying to force OmniOS to use TCP for the KPASSWD piece but no luck so far. Watching packet captures on the DC, we're seeing other systems with KPASSWD over TCP getting through. I doubt TCP/UDP is the problem in itself, but perhaps the packet fragmentation is.

As a note, we all seem to be MTU=1500.
 

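The reasoning in the capture excerpt above (a KPASSWD request that is IP-fragmented on the client and never shows up on the DC, while other hosts' exchanges do) can be turned into a small correlation check over the two capture summaries. This is an added example, not from cmderr's post or from Wireshark/tshark; it reads the summary columns the post quotes (No., Time, Source, Destination, Protocol, Length, Info), and both capture texts, the placeholder addresses and the second host on the DC side are constructed.

```python
"""Correlate client-side and DC-side capture summaries for KPASSWD (UDP/464).

Added example, not from the thread or from Wireshark/tshark. Each input line
uses the summary columns the post quotes (No. Time Source Destination Protocol
Length Info); both capture texts below are constructed, with placeholder hosts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SUMMARY = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
# Wireshark marks an IP fragment with the frame it was reassembled into.
REASSEMBLED = re.compile(r"\[Reassembled in #(?P<no>\d+)\]")


@dataclass
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_summary(text: str) -> List[Packet]:
    """Parse summary lines; the header and anything not in column layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            packets.append(Packet(int(m["no"]), float(m["time"]), m["src"], m["dst"],
                                  m["proto"], int(m["length"]), m["info"]))
    return packets


def fragments_for(packets: List[Packet], frame_no: int) -> List[Packet]:
    """IP fragments whose Info says they were reassembled into frame `frame_no`."""
    out = []
    for p in packets:
        m = REASSEMBLED.search(p.info)
        if p.proto == "IPv4" and m and int(m["no"]) == frame_no:
            out.append(p)
    return out


def is_request(p: Packet, client_ip: str) -> bool:
    return p.proto == "KPASSWD" and p.src == client_ip and "Request" in p.info


def analyze_kpasswd(client_text: str, dc_text: str, client_ip: str) -> Dict[int, dict]:
    """For every KPASSWD request the client sent, say where it got lost."""
    client = parse_summary(client_text)
    dc = parse_summary(dc_text)
    dc_saw_request = any(is_request(p, client_ip) for p in dc)
    requests = sorted((p for p in client if is_request(p, client_ip)), key=lambda p: p.time)
    results: Dict[int, dict] = {}
    for i, req in enumerate(requests):
        # A reply only counts if it arrives before the client's next retry.
        window_end = requests[i + 1].time if i + 1 < len(requests) else float("inf")
        frags = fragments_for(client, req.no)  # the reassembled frame is itself the last fragment
        reply = any(p.proto == "KPASSWD" and p.src == req.dst and p.dst == client_ip
                    and "Reply" in p.info and req.time < p.time < window_end for p in client)
        if reply:
            verdict = "answered"
        elif dc_saw_request:
            verdict = "reached the DC but got no reply: look at the KDC side"
        elif frags:
            verdict = (f"split into {len(frags) + 1} IP fragments and absent from the DC capture: "
                       "something on the path drops UDP/464 or IP fragments")
        else:
            verdict = "absent from the DC capture and not fragmented: something on the path drops UDP/464"
        results[req.no] = {"fragmented": bool(frags), "seen_on_dc": dc_saw_request,
                           "reply": reply, "verdict": verdict}
    return results


# Constructed captures (placeholder addresses): the client's two tries mirror
# the post's frames 234/235; the DC sees only another host's exchange.
CLIENT_CAPTURE = """\
No.   Time       Source     Destination  Protocol Length Info
234   11.773759  10.20.0.5  10.10.0.1    IPv4     1514   Fragmented IP protocol (proto=UDP 17, off=0, ID=0142) [Reassembled in #235]
235   11.773760  10.20.0.5  10.10.0.1    KPASSWD  465    Request
236   12.774100  10.20.0.5  10.10.0.1    IPv4     1514   Fragmented IP protocol (proto=UDP 17, off=0, ID=0143) [Reassembled in #237]
237   12.774101  10.20.0.5  10.10.0.1    KPASSWD  465    Request
"""

DC_CAPTURE = """\
No.   Time       Source     Destination  Protocol Length Info
88    3.100000   10.30.0.7  10.10.0.1    KPASSWD  500    Request
89    3.100500   10.10.0.1  10.30.0.7    KPASSWD  120    Reply
"""


def main() -> None:
    for no, r in analyze_kpasswd(CLIENT_CAPTURE, DC_CAPTURE, "10.20.0.5").items():
        print(f"frame {no}: {r['verdict']}")


if __name__ == "__main__":
    main()
```

In the constructed data the client's two tries are each split into two IP fragments and appear nowhere in the DC capture, while another host's exchange on the DC is answered; that is the pattern that points at a filter on the path rather than at the KDC. Whether the filter drops port 464/UDP outright or only the non-initial fragments (which carry no UDP header and so fail a stateless port match), the fix is on the path, not in krb5.conf.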
gea

Well-Known Member
Can you add some details?

- Did it work prior to the last Windows sealing update?
- Newest OmniOS, e.g. r151046h?
- Join via napp-it Services > SMB > Active Directory (AD server must be used as DNS for OmniOS, and date in sync)?
- Other special network settings besides jumbo frames, e.g. aggregation?
- Any log entries (System > Log)?
 

cmderr

New Member
Sigh. Campus firewall was blocking 464 UDP. That's why I couldn't rejoin. I had tried to force OmniOS to send KPASSWD over TCP but had no luck with krb5 changes.
Shares working again now that 464 is open for UDP.

nosense

New Member
@gea, I have been on vacation/holiday for 3 weeks! Ahh, now back to reality.

I can confirm that the patch works fine on all my systems, but there is still a loose end that is going to bite again down the road. Namely October 2023, when Microsoft enforces AES encryption for Kerberos/Schannel/Netlogon. Currently, with the patch, I now get 5840 errors on the Windows server from OmniOS, which indicates weak encryption for Netlogon using RC4. I have blocked RC4 on the Windows server, and OmniOS is happy to use AES, so I think there just needs to be a change to the default setting. Again, this applies to more than just Netlogon. As of now, I have not been able to locate those default settings for each situation in OmniOS.

I have not been able to find the exact link to the official October deadline, but this reddit post which tracks upcoming Microsoft critical deadlines shows it as October. Microsoft Ticking Timebombs - April 2023 Edition : r/sysadmin (reddit.com)

Also, here is Samba's patch info for handling the RC4 issue. Samba - Security Announcement Archive