Cannot join AD after upgrading to 4.2.x. KDC Policy rejects transited path
The following error is sometimes reported when a user from DOMAIN1.COM authenticates cross-forest to a host in SUB.DOMAIN2.COM, Authentication Services 4.2 is in use, and a transitive trust is in place.
DOMAIN1.COM <-------> DOMAIN2.COM
     ^                    ^
     |                    |
     v                    v
SUB.DOMAIN1.COM     SUB.DOMAIN2.COM
++++++++++++++++++
[root@server1 ~]# /opt/quest/bin/vastool -u user1 auth
Password for user1@DOMAIN1.COM:
ERROR: VAS_ERR_KRB5: Kerberos error
Failed to obtain credentials. Client: user1@DOMAIN1.COM, Service: server1$@SUB.DOMAIN2.COM, Server: server2.DOMAIN1.com
Caused by:
KRB5KDC_ERR_PATH_NOT_ACCEPTED (-1765328356): KDC Policy rejects transited path
Reason: Matching credential (server1$@SUB.DOMAIN2.COM) not found
++++++++++++++++++
RESOLUTION:
Upgrade to QAS 4.2.3 or higher.
WORKAROUND 1:
Run the following command on the affected Unix host which will update the vas.conf file. Please note that the host may need to be rebooted.
# /opt/quest/bin/vastool configure vas libvas use-server-referrals true
If this option does not resolve the problem, it can be removed by running the following command.
# /opt/quest/bin/vastool configure vas libvas use-server-referrals
WORKAROUND 2:
There is a workaround using capaths, which explicitly tells the library the chain of trust to follow in order to obtain tickets in this situation.
If the capaths workaround is used, the following must be added to the vas.conf file on each Unix host.
[capaths]
SUB.DOMAIN2.COM = {
    DOMAIN1.COM = DOMAIN2.COM
}
DOMAIN1.COM = {
    SUB.DOMAIN2.COM = DOMAIN2.COM
}
DOMAIN2.COM = {
    SUB.DOMAIN2.COM = .
}
Please note that this is not part of the existing vas.conf configuration and cannot be added through the QAS configuration properties in Group Policy. However, vgp could run a script that adds it to the vas.conf file, or it could be added by Chef or Puppet if these are available.
It can also be added manually on the Unix host by running the following command.
# /opt/quest/bin/vastool configure vas capaths stanza SUB.DOMAIN2.COM DOMAIN1.COM = DOMAIN2.COM DOMAIN1.COM SUB.DOMAIN2.COM = DOMAIN2.COM DOMAIN2.COM SUB.DOMAIN2.COM = .
To remove capaths entirely, run:
# /opt/quest/bin/vastool configure vas remove capaths
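As an added illustration (not code from this article or from the product), the following Python model shows what the capaths stanza above changes: it parses the stanza in krb5.conf syntax and reports the realm chain a Kerberos library would walk from the client realm to the service realm, falling back to the hierarchical default described in RFC 4120 when no entry exists. The stanza text and realm names are taken from the article; the path-selection logic is a general model, not libvas's own implementation.

```python
import re
# Constructed sample: the [capaths] stanza from WORKAROUND 2 above.
CAPATHS_TEXT = """[capaths]
SUB.DOMAIN2.COM = {
    DOMAIN1.COM = DOMAIN2.COM
}
DOMAIN1.COM = {
    SUB.DOMAIN2.COM = DOMAIN2.COM
}
DOMAIN2.COM = {
    SUB.DOMAIN2.COM = .
}
"""

def parse_capaths(text):
    """{client: {server: [intermediate, ...]}}; "." = direct, repeated keys append hops."""
    paths, client = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            client = m.group(1).upper()
            paths.setdefault(client, {})
        elif line == "}":
            client = None
        else:  # "SERVER = HOP" line; a KeyError here means a key outside any stanza
            key, _, value = (p.strip() for p in line.partition("="))
            hops = paths[client].setdefault(key.upper(), [])
            if value != ".":
                hops.append(value.upper())
    return paths

def hierarchical_path(client, server):
    """Default walk without a capaths entry (RFC 4120 s.1.2): up to the shared suffix, then down."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return None  # no shared suffix: no default path at all
    up = [".".join(c[i:]) for i in range(len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]
    return up + down

def transit_path(paths, client, server):
    """Realm chain client -> ... -> server that the library will try to walk."""
    client, server = client.upper(), server.upper()
    hops = paths.get(client, {}).get(server)
    return hierarchical_path(client, server) if hops is None else [client] + hops + [server]
```

With the stanza loaded, the DOMAIN1.COM to SUB.DOMAIN2.COM chain goes through DOMAIN2.COM only; without it, the hierarchical default routes through a bare COM realm that no KDC in the diagram serves.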
STATUS:
Fixed in QAS 4.2.3.
© 2025 One Identity LLC. All rights reserved.