samba - Oct 2004 - Samba kerberos authentication issues with samba 3.0.7

Hello.

I'm having difficulty running kerberized samba on my Linux box in my Windows
ADS domain.  Specifically, smbclient -k //server/share fails with a
"session setup failed: NT_STATUS_LOGON_FAILURE" error message.  I ran
smbd with -d 3 debugging verbosity, and the following came out on stdout/stderr.
I marked the interesting lines with ***'s:

# smbd -i -d 3
get_current_groups: user is in 16 groups: 0, 1, 2, 3, 4, 6, 10, 12, 7, 4, 9, 6,
5, 3, 2, 8
smbd version 3.0.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
uid=0 gid=0 euid=0 egid=0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[al]"
adding IPC service
adding IPC service
added interface ip=10.50.195.251 bcast=10.50.199.255 nmask=255.255.248.0
loaded services
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
start_background_queue: Starting background LPQ thread
waiting for a connection
open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 7353, global_oplock_port = 32836
Transaction 0 of length 183
switch message SMBnegprot (pid 7353) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [Samba]
using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 1 of length 2054
switch message SMBsesssetupX (pid 7353) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got OID 1 2 840 48018 1 2 2
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 1914
*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
*** Failed to verify incoming ticket!
*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to 
Server exit (normal exit)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to 
yield_connection: tdb_delete for name  failed with error Record does not exist.





In case it will provide any hints, I will also provide the ticket cache on the
machine running smbclient and the keytab contents on the machine with the share:

[lnx251 samba]# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/lnx251.company.com@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1
HMAC)
   3 host/lnx251.company.com@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1
HMAC)
   3 host/lnx251.company.com@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD4) 
   3 cifs/lnx251.company.com@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1
HMAC)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1
HMAC)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD4) 
   3 host/lnx251@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   3 host/lnx251@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   3 host/lnx251@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1) 
   3 host/lnx251@NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 host/lnx251@NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 host/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 host/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD4) 
   3 cifs/lnx251@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   3 cifs/lnx251@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   3 cifs/lnx251@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1) 
   3 cifs/lnx251@NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD4) 

------------------------------------------------------------

al@lnx135.company.com/home/al> klist -e
Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: al@NA.COMPANY.COM

Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5,
ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with
RSA-MD5, DES cbc mode with RSA-MD5


Kerberos 4 ticket cache: /tmp/tkt6568
klist: You have no tickets cached


-----------------------------------------


Finally, a few notes about my setup:

o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short
hostnames
o The machine with the share is a member of the domain, thanks to net ads
join... I had to use Microsoft's setspn.exe to add service principal names,
though, because when the machine joined the domain, the SPN's were
host/lnx251.na.company.com instead of host/lnx251.company.com, etc.  Afterwards,
the keytab was populated with 'net ads keytab'.
o samba-3.0.7
o krb5-workstation-1.3.4
o RedHat Enterprise Linux Workstation 3.0 on both machines
o Windows Server 2003 as the ADS server



If anyone has any suggestions or ideas that could help me, I would truly
appreciate it.

Also, if there's anything else I should provide, let me know.


Thank you very much,
Al


-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

>*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption
type)
>*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
>*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
>*** Failed to verify incoming ticket!
>*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) [lnx251 
>
enctype 3 is DES_CBC_MD5
#define ENCTYPE_DES_CBC_MD5     0x0003  /* DES cbc mode with RSA-MD5 */
>al@lnx135.company.com/home/al> klist -e
>Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
>Default principal: al@NA.COMPANY.COM
>
>Valid starting     Expires            Service principal
>10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
>        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
>10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
>        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with
RSA-MD5, DES cbc mode with RSA-MD5
>  
>
verified lnx251$ is using des-cbc-md5.
There are some issues with using des-cbc-md5 where the DNSdomain is not 
the same as the REALM domain DNS.  The salt used by MS will not be the 
same as the salt used on the linux box
You need to get to rc4-hmac for authentication which doesn't use a salt.

You probably have a userAccountControl defined like this:
userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | 
UF_DONT_EXPIRE_PASSWD |UF_USE_DES_KEY_ONLY );
Subtract 0x200000 (2097152 dec) from the field using adsiedit.msc.  Then 
the MS KDC will use rc4-hmac instead of DES encryption.  Make sure the 
KDC ticket cache is flushed of any reference to the DES ticket and try 
again.

However, if you didn't add the UF_USE_DES_KEY_ONLY, then samba added it 
automatically because samba thinks you don't have rc4-hmac available.
libads/ldap.c line 1392 svn 2929
#ifndef ENCTYPE_ARCFOUR_HMAC
        acct_control |= UF_USE_DES_KEY_ONLY;
#endif
So the compiled version of samba you have would have been compiled 
against a version of kerberos that didn't have rc4-hmac available.  No 
way out of that except to recompile samba against your current kerberos 
or get a different pre-compiled binary.
>o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then
short hostnames
>o The machine with the share is a member of the domain, thanks to net ads
join... I had to use Microsoft's setspn.exe to add service principal names,
though, because when the machine joined the domain, the SPN's were
host/lnx251.na.company.com instead of host/lnx251.company.com, etc.  Afterwards,
the keytab was populated with 'net ads keytab'.
>
For the instance of DNSdomain != REALM, I have to add the SPN for 
host/fqdn like you did.
I also had to add a DNS record for lnx251.na.company.com for the MS KDC 
as well as the lnx251.company.com for the linux box forward and reverse 
lookups.  Never tried it with hosts files. But 
c:\winnt\system32\drivers\etc\hosts would need the lnx251.na.company.com

Regards, Doug