Henning Holtschneider
2003-Sep-29 15:59 UTC
[Samba] bad encryption type when accessing AD member server
Hi,
I'm trying to access a Samba 3.0 server (running on Debian unstable) in an
Active Directory environment. I successfully joined the domain, klist shows
my Kerberos ticket(s) and I can use smbclient -k to access a Windows 2000
server. However, when I try to access a share on the Samba machine from a
Windows 2000 client, I'm being asked for the password and Samba logs:
[2003/09/29 13:17:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
I turned up logging to 5 and found this just before the "incoming ticket" line:
[2003/09/29 13:17:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"klist -e" shows my tickets as follows:
----- snip -----
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@DOMAIN.LOCAL
Valid starting     Expires            Service principal
09/29/03 13:31:30  09/29/03 23:31:26  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 09/29/03 23:31:30, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
09/29/03 13:31:30  09/29/03 23:31:26  filepile-a$@DOMAIN.LOCAL
        renew until 09/29/03 23:31:30, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
----- snap -----
Did I make a mistake when setting up my Kerberos environment or is this a
Samba problem?
Thanks,
<-gninneH<-
--
Henning Holtschneider <henning@loca.net>
...net happens!
Henning Holtschneider
2003-Sep-30 09:45 UTC
[Samba] bad encryption type when accessing AD member server
On Monday 29 September 2003 17:59, Henning Holtschneider wrote:
> I'm trying to access a Samba 3.0 server (running on Debian unstable) in an
> Active Directory environment. I successfully joined the domain, klist shows
> my Kerberos ticket(s) and I can use smbclient -k to access a Windows 2000
> server. However, when I try to access a share on the Samba machine from a
> Windows 2000 client, I'm being asked for the password and Samba logs:
> [...]
> [2003/09/29 13:17:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
I replaced Debian's default krb5.conf (which looks like MIT Kerberos' sample file) with the minimum configuration described in the Samba documentation and finally the connection from the Windows clients works! Don't know why I didn't try that earlier ...
Sorry about the noise,
<-gninneH<-
--
Henning Holtschneider <henning@loca.net>
...net happens!
Alexander List
2003-Oct-02 17:11 UTC
[Samba] Re: bad encryption type when accessing AD member server
On Thu, 2 Oct 2003, Derek T. Yarnell wrote:
> Can you send me your working krb5.conf file? I am having the same
> problem (not running debian) and trying to figure out what I need to
> have in it is a pain.
Less is more in this case. Try _removing_ anything about the enctypes in krb5.conf and only define the realm, like mentioned in the Samba HOWTO collection:
http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790
If you use the mentioned minimal config, everything should work fine.
Alex
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin, 1759
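An added illustration of the two krb5.conf shapes being contrasted in this thread (constructed here, not a file from the thread or from the Samba HOWTO): the first fragment pins enctypes the way an older MIT-style sample might, the second is the realm-only form Alex recommends. DOMAIN.LOCAL is the realm from the original post; the KDC hostname is a placeholder to replace with your own domain controller.

```ini
# --- Fragment A (constructed): enctype pins of the kind the thread says to remove ---
# Listing only DES here tells the library to refuse other types, while the AD
# KDC in the original klist output issued the service ticket as ArcFour/HMAC-MD5
# (enctype 23). A mismatch of this kind shows up in smbd as
# "krb5_rd_req with auth failed (Bad encryption type)".
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5

# --- Fragment B (constructed): the minimal realm-only form ---
# No enctype lists at all, so the client and the member server negotiate
# whatever the KDC and the server's own key material actually support.
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    # placeholder hostname: point this at an AD domain controller for the realm
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
    }
```

Use only one of the two fragments in a real krb5.conf; they are shown together here so the lines to delete are visible next to the lines to keep.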
Jeremy Allison
2003-Oct-02 21:02 UTC
[Samba] Re: bad encryption type when accessing AD member server
On Thu, Oct 02, 2003 at 03:53:34PM -0500, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
> ....
> |>14 rc4-hmac-exp
> |>15 arcfour-hmac-md5-exp
> |>16 aes128-cts-hmac-sha1-96
> |>17 aes128-cts
> |>18 aes256-cts-hmac-sha1-96
> |>19 aes256-cts
> |
> | I think the enc-type you need is type 23 which I believe is rc4-md4.
>
> I think you mean RC4-HMAC
Doh ! Thanks :-).
Jeremy.
Derek T. Yarnell
2003-Oct-02 21:12 UTC
[Samba] Re: bad encryption type when accessing AD member server
So understanding that, I get this error:
[2003/10/02 17:10:23, 3] libads/kerberos_verify.c:ads_verify_ticket(310) ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
Any suggestions to where to look to find this one? Could it be something
with the Win2k3 server?
[derek@atlantis samba]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek@PC.CS.UMD.EDU
Valid starting     Expires            Service principal
10/02/03 17:06:16  10/03/03 03:06:20  krbtgt/PC.CS.UMD.EDU@PC.CS.UMD.EDU
        renew until 10/02/03 18:06:16, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
So I am getting ArcFour tickets by default here.
On Thu, Oct 02, 2003 at 03:53:34PM -0500, Gerald (Jerry) Carter wrote:
>
> Jeremy Allison wrote:
> ....
>
> |>14 rc4-hmac-exp
> |>15 arcfour-hmac-md5-exp
> |>16 aes128-cts-hmac-sha1-96
> |>17 aes128-cts
> |>18 aes256-cts-hmac-sha1-96
> |>19 aes256-cts
> |
> |
> | I think the enc-type you need is type 23 which I believe is rc4-md4.
>
> I think you mean RC4-HMAC
>
> jerry
--
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu