I'm running a Samba 3.0.0 server in production in security = ADS mode against a W2k ADS server. Works just fine, thanks!

We're sort of under pressure to regrade to a 2003 AD server, which sent me trying stuff out a bit. Meager results. The 3.0.0 I have (linked with MIT krb5-1.2.8) refuses to verify incoming tickets:

    [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Some frantic googling later it is clear that Windows -really- wants to use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular version of MIT kerberos won't digest.

My doubt right now concerns a statement that this "arcfour-hmac-md5" choice applies already in AD2000 -- so how come it works?

(A) The 2k AD supports other types as well and makes peace with MIT krb5 whereas 2k3 AD has been lambasted out of such fraternizing habits,

(B) The 2k3 AD would support other types after the proper Magic Handwaving, i.e., tweaking of some well chosen registry keys.

Does anybody know to enlighten us on this?

It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5; tomorrow I will journey up the Repent, Recompile, Restart mountain and then hopefully be one Microsoft wiser.

Magnus

Magnus,

I can confirm that you need MIT KRB5 1.3.1. I have not yet had success with Heimdal 0.6.

On Tue, 28 Oct 2003, Magnus Bäckström wrote:

> I'm running a Samba 3.0.0 server in production in security = ADS mode
> against a W2k ADS server. Works just fine, thanks!
>
> We're sort of under pressure to regrade to a 2003 AD server, which sent
> me trying stuff out a bit. Meager results. The 3.0.0 I have (linked
> with MIT krb5-1.2.8) refuses to verify incoming tickets:
>
> [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> Some frantic googling later it is clear that Windows -really- wants to
> use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular
> version of MIT kerberos won't digest.
>
> My doubt right now concerns a statement that this "arcfour-hmac-md5"
> choice applies already in AD2000 -- so how come it works?
>
> (A) The 2k AD supports other types as well and makes peace with MIT krb5
> whereas 2k3 AD has been lambasted out of such fraternizing habits,
>
> (B) The 2k3 AD would support other types after the proper Magic Handwaving,
> i.e., tweaking of some well chosen registry keys.
>
> Does anybody know to enlighten us on this?
>
> It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
> tomorrow I will journey up the Repent, Recompile, Restart mountain
> and then hopefully be one Microsoft wiser.
>
> Magnus

- John T.
--
John H Terpstra
Email: jht@samba.org

That's a most logical assumption... therefore it's incorrect!

To talk to a Win2k3 box, you will need to run MIT's Krb5 1.3.1 libraries. Hopefully you're not running Red Hat 9, or you'll have a whole new set of issues to deal with. If that's the case, let me know, I've already documented (barely) a fix.

Terry

-----Original Message-----
From: Magnus Bäckström <b@etek.chalmers.se>
Sent: Oct 28, 2003 10:48 AM
To: "The Dancing... you don't want to know." <samba@lists.samba.org>
Subject: [Samba] v3.0.0, AD, 2k3 mumbles

I'm running a Samba 3.0.0 server in production in security = ADS mode against a W2k ADS server. Works just fine, thanks!

We're sort of under pressure to regrade to a 2003 AD server, which sent me trying stuff out a bit. Meager results. The 3.0.0 I have (linked with MIT krb5-1.2.8) refuses to verify incoming tickets:

    [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Some frantic googling later it is clear that Windows -really- wants to use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular version of MIT kerberos won't digest.

My doubt right now concerns a statement that this "arcfour-hmac-md5" choice applies already in AD2000 -- so how come it works?

(A) The 2k AD supports other types as well and makes peace with MIT krb5 whereas 2k3 AD has been lambasted out of such fraternizing habits,

(B) The 2k3 AD would support other types after the proper Magic Handwaving, i.e., tweaking of some well chosen registry keys.

Does anybody know to enlighten us on this?

It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5; tomorrow I will journey up the Repent, Recompile, Restart mountain and then hopefully be one Microsoft wiser.

Magnus
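
Added example (not part of the original thread, and not Samba code): a small Python scan of Samba debug logs for the ads_verify_ticket failure quoted above, grouping failures by Kerberos error string so an enctype mismatch can be told apart from other causes. The sample log is constructed around the one entry quoted in the thread, and the header-plus-indented-message layout is assumed from that entry.

```python
import re
from collections import Counter

# Entry header as quoted in the thread: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Failure text from the thread, with the Kerberos error in parentheses.
RD_REQ_FAIL = re.compile(r"krb5_rd_req with auth failed \((?P<err>[^)]*)\)")

# Constructed sample: the first entry is from the thread, the rest are made up.
SAMPLE_LOG = """\
[2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/28 16:27:40, 3] example/constructed.c:some_function(10)
  constructed unrelated message
[2003/10/28 16:28:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/28 16:29:11, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Clock skew too great)
"""

def parse_entries(text):
    """Group a log into entries: one header line plus its message lines."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = dict(m.groupdict(), message="")
            entries.append(current)
        elif current is not None and raw.strip():
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return entries

def ticket_failures(entries):
    """Return (timestamp, kerberos_error) for each failed ticket verification."""
    out = []
    for e in entries:
        if e["func"] != "ads_verify_ticket":
            continue
        m = RD_REQ_FAIL.search(e["message"])
        if m:
            out.append((e["ts"], m.group("err")))
    return out

def summarize(text):
    """Count failures per Kerberos error string."""
    return Counter(err for _, err in ticket_failures(parse_entries(text)))
```

A count dominated by "Bad encryption type" points at the enctype support of the linked Kerberos library rather than at clocks or keytabs.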