Hi All,

I am getting Kerberos "enc type" problem that I can't explain:

[2005/06/11 11:41:29, 1, pid=29355] libads/kerberos_verify.c:ads_keytab_verify_ticket(61)
  ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (No such file or directory)
[2005/06/11 11:41:29, 3, pid=29355] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Program lacks support for encryption type
[2005/06/11 11:41:29, 3, pid=29355] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Program lacks support for encryption type
[2005/06/11 11:41:29, 3, pid=29355] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Program lacks support for encryption type

It used to run well but suddenly it happened out of the blue. I would like to ask what are the things that can lead to this problem.

Just a quick background:
1. My samba version is 3.0.6 (will switch to latest soon)
2. My Kerberos version is krb5 1.2.7.
4. Samba joined active directory that has one KDC running win2003 (not sp1)
5. I switched between different domains and join as ADS and domain many times, could it contribute to this problem?

At the moment, I can't switch to latest krb5 package. What is the minimum Kerberos version required by SAMBA?

I have seen someone mentioned Microsoft Hot Fix for Kerberos, is this what I need here?

Is it something on the SAMBA server, a file or krb command I can run to clear things up when it happens?

I appreciate very much any hint in this area.

Cheers,
Ephi
On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> Hi All,
>
> I am getting Kerberos "enc type" problem that I can't explain:
>
> Just a quick background:
> 1. My samba version is 3.0.6 (will switch to latest soon)
> 2. My Kerberos version is krb5 1.2.7.
> 4. Samba joined active directory that has one KDC running win2003 (not
> sp1)
> 5. I switched between different domains and join as ADS and domain many
> times, could it contribute to this problem?
>
> At the moment, I can't switch to latest krb5 package. What is the
> minimum Kerberos version required by SAMBA?

MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have maintained since Samba 3.0. Using less than this will cause issues with clients that for one reason or another do not possess 'DES' kerberos keys.

Kerberos library requirements have been quite a pain in Samba 3.0. There are three basic solutions:
 - Upgrade your OS to one with a suitable kerberos
 - Upgrade the kerberos libraries on your OS
 - Statically link your Samba install to an upgraded kerberos.

The latter option is what SerNet did/does for their Samba 3.0 packages.

In Samba4, we have noted the pain that kerberos has caused in Samba 3.0, and the current plan is to ship with a built-in kerberos library. (Options for later development allow this to possibly use a system lib, but the aim is to shift the pain away from the administrator, who can't help the situation much).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Thank you Andrew for sharing with us your expertise and giving us those suggestions. We really appreciate it.

Cheers,
Ephi

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Monday, June 13, 2005 10:15 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: Re: [Samba] Kerberos enc type [xx] failed
Hi Andrew,

I upgraded krb5 libs to 1.3.3 and now the error became "Decrypt integrity check failed". I rebooted my AD server and the SAMBA server just in case.

Here is the log:

[2005/06/14 18:14:30, 3, pid=17668] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2005/06/14 18:14:30, 3, pid=17668] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

Any idea? Did I forget to do something so obvious?

Is it anything to do with keytab which I have noticed that if I specify "use kerberos keytab = yes" I get an error in net ads join that says:

[2005/06/14 18:50:43, 1, pid=23237] libads/kerberos_keytab.c:ads_keytab_add_entry(236)
  ads_keytab_add_entry: adding entry to keytab failed (Cannot write to specified key table)
[2005/06/14 18:50:43, 1, pid=23237] libads/kerberos_keytab.c:ads_keytab_create_default(418)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
  Error creating host keytab!
Joined 'SSN217' to realm 'LONDON.STORADINC.COM'

And last, is it to do with kerberos hot fix http://support.microsoft.com/kb/833708/

Just wondering.

Thanks so much in advance for any hint in this complicated area.

Cheers,
Ephi

-----Original Message-----
From: Ephi Dror
Sent: Tuesday, June 14, 2005 10:28 AM
To: 'Andrew Bartlett'
Cc: Samba (samba@lists.samba.org)
Subject: RE: [Samba] Kerberos enc type [xx] failed
Hi All,

Little update:

After installing kerberos 1.3.3 and recompiling samba against those libs/include the problem went away!!

I am a little unclear regarding what really needed to be put in krb5.conf. At the moment I have them as suggested by Dimitri

> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc des-cbc-md5

So I don't understand what those defaults do, why put any default, and why encryption type that is not put in there should have a problem.

Also, if I do need to list all supported etypes, what are they? What are all possible etypes that windows 200x is using?

And one more question. Does Kerberos have important files similar to secrets.tdb that are kept even after reboot and where does Kerberos keep them?

Thanks again for the wonderful support in this complicated issue,

Cheers,
Ephi

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Tuesday, June 14, 2005 8:03 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: RE: [Samba] Kerberos enc type [xx] failed

On Tue, 2005-06-14 at 19:04 -0700, Ephi Dror wrote:
> Hi Andrew,
>
> I upgraded krb5 libs to 1.3.3 and now the error became "Decrypt
> integrity check failed".

Just checking, have you rebuilt Samba against the new libs/headers? We detect the older libs, and do workarounds that you don't want any more.

Also, how did you upgrade the kerberos libs? I meant to say in my original mail that it is known to be a very painful process, so I wonder if the libs you installed are the ones you are using. Check what configure said, and what ldd says.

Andrew Bartlett
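Added example, not part of the original thread and not Samba code: a Python triage helper for the two decrypt errors quoted in these messages and for the krb5.conf enctype lines quoted in the last one. It maps the bracketed enctype numbers to their registry names, groups the logged errors per enctype, and lists deprecated enctypes named in a krb5.conf setting. The function names and hint texts are the editor's assumptions, and krb5.conf aliases such as arcfour-hmac are not covered.

```python
import re
from collections import defaultdict

# Kerberos enctype numbers (subset of the IANA registry).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Single DES was deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
DEPRECATED = {1, 2, 3, 16, 23}
# Assumption: the editor's reading of the two decrypt errors quoted in the thread.
HINTS = {
    "Program lacks support for encryption type": "unsupported enctype in library; check krb5 version and smbd linkage",
    "Decrypt integrity check failed": "decryption ran, but the key tried does not match the ticket",
}
# Matches two-line Samba log entries and entries run together on one line.
FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error "
                     r"(.+?)[ \t]*(?=\[\d{4}/|$)", re.MULTILINE)
CONF_RE = re.compile(r"^[ \t]*(default_t(?:kt|gs)_enctypes)[ \t]*=[ \t]*(.+)$", re.MULTILINE)

def triage(log_text):
    """Map each enctype number to the distinct decrypt errors logged for it."""
    seen = defaultdict(set)
    for num, err in FAIL_RE.findall(log_text):
        seen[int(num)].add(err)
    return {n: sorted(errs) for n, errs in sorted(seen.items())}

def report(log_text):
    """One readable line per (enctype, error) pair."""
    return [f"{n} {ETYPES.get(n, 'unknown')}"
            f"{' [deprecated]' if n in DEPRECATED else ''}: {HINTS.get(e, e)}"
            for n, errs in triage(log_text).items() for e in errs]

def deprecated_in_conf(conf_text):
    """Map each krb5.conf enctype setting to the deprecated names it lists."""
    weak = {ETYPES[n] for n in DEPRECATED}
    return {key: [e for e in re.split(r"[\s,]+", val.strip()) if e in weak]
            for key, val in CONF_RE.findall(conf_text)}

# Messages copied from the log excerpts in this thread (entry headers trimmed).
SAMPLE_LOG = """\
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Program lacks support for encryption type
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Program lacks support for encryption type
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Program lacks support for encryption type
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""
SAMPLE_CONF = "default_tkt_enctypes = des-cbc-crc des-cbc-md5\ndefault_tgs_enctypes = des-cbc-crc des-cbc-md5\n"

if __name__ == "__main__":
    print(*report(SAMPLE_LOG), deprecated_in_conf(SAMPLE_CONF), sep="\n")
```

Run against a real log.smbd, the per-enctype grouping shows at a glance whether every attempt fails the same way, as in the first message, or whether the error changed after a library upgrade, as in the later one.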