I have added to krb5.conf file below options. I hope it will solve the
issue.
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
aes256-cts-hmac-sha1-96
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
aes256-cts-hmac-sha1-96
krb4_convert = true
regards,
On Thu, Mar 19, 2015 at 10:27 AM, Adriana Moga <
adriana.gologaneanu at gmail.com> wrote:
> Hi,
>
> Some users can't logon to their workstation if the session is
negotiating
> with samba domain controller, the password is requested again and again.
> Samba is joined as a Domain Controller in a windows domain controllers. The
> users' s computers are joined also to the domain. But for some users
the
> kerberos ticket is failing.
>
> Samba version 4.1.15 - Debian 7.8
>
> Samba debug logs, level 3:
>
> Kerberos: Failed to decrypt PA-DATA -- com130100003$@MYDOMAIN (enctype
> aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum
> type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>
> Kerberos: AS-REQ com130100003$@MYDOMAIN from ipv4:X.X..2.12:61019 for
> krbtgt/MYDOMAIN at MYDOMAIN
> [2015/03/19 09:53:29.357160, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2015/03/19 09:53:29.357211, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- com130100003$@MYDOMAIN
> [2015/03/19 09:53:29.357232, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- com130100003$@MYDOMAIN
> [2015/03/19 09:53:29.357301, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Failed to decrypt PA-DATA -- com130100003$@MYDOMAIN (enctype
> aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum
> type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> ................
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> ................
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> com130100003$@MYDOMAIN
>
> Thanks,
>