NAT regression from 3.1.8

[cprofitt]

After upgrading from 3.1.8 to 3.2.0 or 3.2.4 I encounter a regression in NAT. Details below:

Running 3.2.4: Computer is using NAT for networking

1. I can authenticate to Active Directory if I do so immediately. If I allow the machine to sit at the login prompt for more than 60 seconds I get a message 'internal error'
2. If I use the Microsoft DNS Management tool I can not access the DNS server and manage it
3. If I launch Microsoft DHCP Management tool I can not access the DHCP server

Running 3.2.4: Computer is using Bridged for networking

1. I can authenticate to Active Directory
2. If I use the Microsoft DNS Management tool I can access the DNS server and manage it
3. If I launch Microsoft DHCP Management tool I can access the DHCP server

Running 3.1.8 Computer is using NAT for networking

1. I can authenticate to Active Directory
2. If I use the Microsoft DNS Management tool I can access the DNS server and manage it
3. If I launch Microsoft DHCP Management tool I can access the DHCP server

[cprofitt]

VBox.log file with NAT issues

[cprofitt]

Replying to frank: Frank: Is there any other data I can gather to pinpoint this issue?

[cprofitt]

I did an ipconfig on the guest.

3.1.8 Windows IP Configuration

Host Name . . . . . . . . . . . . : Firefly-VM Primary Dns Suffix . . . . . . . : pcsd.monroe.edu Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : pcsd.monroe.edu

monroe.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : pcsd.monroe.edu Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter Physical Address. . . . . . . . . : 08-00-27-43-A9-F5 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.0.2.15 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.0.2.2 DHCP Server . . . . . . . . . . . : 10.0.2.2 DNS Servers . . . . . . . . . . . : 10.120.255.5

10.120.255.5

Lease Obtained. . . . . . . . . . : Friday, June 11, 2010 1:16:57 PM Lease Expires . . . . . . . . . . : Saturday, June 12, 2010 1:16:57 PM

3.2.4 Windows IP Configuration

Host Name . . . . . . . . . . . . : Firefly-VM Primary Dns Suffix . . . . . . . : pcsd.monroe.edu Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : pcsd.monroe.edu

monroe.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : pcsd.monroe.edu Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter Physical Address. . . . . . . . . : 08-00-27-43-A9-F5 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.0.2.15 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.0.2.2 DHCP Server . . . . . . . . . . . : 10.0.2.2 DNS Servers . . . . . . . . . . . : 10.120.255.5

10.120.255.5

Lease Obtained. . . . . . . . . . : Friday, June 11, 2010 2:45:55 PM Lease Expires . . . . . . . . . . : Saturday, June 12, 2010 2:45:55 PM

[vasily Levchenko]

Could you please collect ​pcap file of fail attempts? And other question. Are these tools distributed with Ms servers OSes or they are downloadable from somewhere?

[cprofitt]

I will get the pcap file later today. The programs are part of the server management tools. You can download the versions I have ​here.

[cprofitt]

The pcap file was too large to capture all the login process and running the application. The file attached is just running the app.

[cprofitt]

DNS Management Tool access denied

[cprofitt]

When I tried saving the machine state at the login and then starting it to capture just the login -- the login failed. The login apparently only works on initial boot.

[cprofitt]

The initial bootup and login are too large - 508.1 KB - to attach. Not sure how I can get you that information.

[cprofitt]

I just tried the login by itself and it is 450.2 KB -- So I can not even get that to you.

[vasily Levchenko]

Replying to cprofitt:

I just tried the login by itself and it is 450.2 KB -- So I can not even get that to you.

delivery instructions has been delivered.

[vasily Levchenko]

And could you please provide some map, which ip filter out?

[cprofitt]

Hachiman -- you want the IP of the guest?

[vasily Levchenko]

Replying to cprofitt:

Hachiman -- you want the IP of the guest?

No I'd like to know the server's IP to know which traffic I should investigate. There're several destinations in pcap files, that why i'm asking.

[cprofitt]

10.120.255.5

[vasily Levchenko]

Replying to cprofitt:

10.120.255.5

Could you please try ​build?

[vasily Levchenko]

Replying to Hachiman:

Replying to cprofitt:

10.120.255.5

Could you please try ​build?

or even better with 3.2.6 b2?

[cprofitt]

Do you have the link to the beta 2

[cprofitt]

I found the link thanks to help on IRC. The 3.2.6 b2 version still had the same regression.

[vasily Levchenko]

Replying to cprofitt:

I found the link thanks to help on IRC. The 3.2.6 b2 version still had the same regression.

Regarding loginfail.pcap: There're authentication sequences between guest and pointed server: Kerberos and DCERPC. First one looks suspicious, but not invalid or broken: there're sequence of AS and TGS, every first AS-REQ and TGS-REQ are rejected with KRB5KRB_AP_ERR_SKEW (Clock skew too great), but every second is accepted by server. DCERPC looks fine at least no errors are pointed in protocol's headers/bodies. As soon as repeated requests contains the same information, and they're accepted by server and thus it shouldn't lead to login fail.

BTW: what the link which solves your problem? Could you please post it on ticket, probably it will give some hint to me?

[cprofitt]

link: ​http://forums.virtualbox.org/viewtopic.php?f=15&t=32277

I actually thought about issues with time skew and the client machine has the same time (measured in minutes). The link did not solve the problems, merely told me where to download 3.2.6b.

[vasily Levchenko]

Replying to cprofitt:

link: ​http://forums.virtualbox.org/viewtopic.php?f=15&t=32277

I actually thought about issues with time skew and the client machine has the same time (measured in minutes). The link did not solve the problems, merely told me where to download 3.2.6b.

Probably Kerberos isn't a reason, because finally all requests are satisfied by kerberos server (on second attempt). Could you please try the same login operation with bridged networking and attach guest trace for it (just login).

[cprofitt]

I am bogged down today -- and off tomorrow -- will try to do this Wednesday.

[cprofitt]

I tried again to get the file small enough -- but no dice -- is there another way to get it to you?

[vasily Levchenko]

Replying to cprofitt:

I tried again to get the file small enough -- but no dice -- is there another way to get it to you?

you can send it to me via mail [vasily _dot_ levchenko _at_ Sun _dot_ COM].

[cprofitt]

Sent an email with two captures -- 3.2.6 both with NAT and Bridged -- the startup process up to the login.

[vasily Levchenko]

Replying to cprofitt:

Sent an email with two captures -- 3.2.6 both with NAT and Bridged -- the startup process up to the login.

Thank you, will take a look later today.

[Frank Mehnert]

Still relevant with VBox 4.0.4?

[cprofitt]

No, the problem has been resolved.