I'm running a Samba 3.0.0 server in production in security = ADS mode against a W2k ADS server. Works just fine, thanks! We're sort of under pressure to regrade to a 2003 AD server, which sent me trying stuff out a bit. Meager results. The 3.0.0 I have (linked with MIT krb5-1.2.8) refuses to verify incoming tickets: [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317) ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type) Some frantic googling later it is clear that Windows -really- wants to use kerberos keytype 23, a. k. a. "arcfour-hmac-md5", which that particular version of MIT kerberos won't digest. My doubt right now concerns a statement that this "arcfour-hmac-md5" choice applies already in AD2000 -- so howcome it works? (A) The 2k AD supports other types as well and makes peace with MIT krb5 whereas 2k3 AD has been lambasted out of such fraternizing habits, (B) The 2k3 AD would support other types after the proper Magic Handwaving, i. e., tweaking of some well chosen registry keys. Does anybody know to enlighten us on this? It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5; tomorrow I will journey up the Repent, Recompile, Restart mountain and then hopefully be one Microsoft wiser. Magnus
Magnus, I can confirm that you need MIT KRB5 1.3.1. I have not yet had sucess with Heimdal 0.6. On Tue, 28 Oct 2003, Magnus B{ckstr|m wrote:> I'm running a Samba 3.0.0 server in production in security = ADS mode > against a W2k ADS server. Works just fine, thanks! > > We're sort of under pressure to regrade to a 2003 AD server, which sent > me trying stuff out a bit. Meager results. The 3.0.0 I have (linked > with MIT krb5-1.2.8) refuses to verify incoming tickets: > > [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317) > ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type) > > Some frantic googling later it is clear that Windows -really- wants to > use kerberos keytype 23, a. k. a. "arcfour-hmac-md5", which that particular > version of MIT kerberos won't digest. > > My doubt right now concerns a statement that this "arcfour-hmac-md5" > choice applies already in AD2000 -- so howcome it works? > > (A) The 2k AD supports other types as well and makes peace with MIT krb5 > whereas 2k3 AD has been lambasted out of such fraternizing habits, > > (B) The 2k3 AD would support other types after the proper Magic Handwaving, > i. e., tweaking of some well chosen registry keys. > > Does anybody know to enlighten us on this? > > It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5; > tomorrow I will journey up the Repent, Recompile, Restart mountain > and then hopefully be one Microsoft wiser. > > Magnus >- John T. -- John H Terpstra Email: jht@samba.org
That's a most logical assumption... therefore it's incorrect! To talk to a Win2k3 box, you will need to run MIT's Krb5 1.3.1 libraries. Hopefully you're not running Red Hat 9, or you'll have a whole new set of issues to deal with. If that's the case, let me know, I've already documented (barely) a fix. Terry -----Original Message----- From: Magnus B{ckstr|m <b@etek.chalmers.se> Sent: Oct 28, 2003 10:48 AM To: "The Dancing... you don't want to know." <samba@lists.samba.org> Subject: [Samba] v3.0.0, AD, 2k3 mumbles I'm running a Samba 3.0.0 server in production in security = ADS mode against a W2k ADS server. Works just fine, thanks! We're sort of under pressure to regrade to a 2003 AD server, which sent me trying stuff out a bit. Meager results. The 3.0.0 I have (linked with MIT krb5-1.2.8) refuses to verify incoming tickets: [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317) ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type) Some frantic googling later it is clear that Windows -really- wants to use kerberos keytype 23, a. k. a. "arcfour-hmac-md5", which that particular version of MIT kerberos won't digest. My doubt right now concerns a statement that this "arcfour-hmac-md5" choice applies already in AD2000 -- so howcome it works? (A) The 2k AD supports other types as well and makes peace with MIT krb5 whereas 2k3 AD has been lambasted out of such fraternizing habits, (B) The 2k3 AD would support other types after the proper Magic Handwaving, i. e., tweaking of some well chosen registry keys. Does anybody know to enlighten us on this? It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5; tomorrow I will journey up the Repent, Recompile, Restart mountain and then hopefully be one Microsoft wiser. Magnus -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Maybe Matching Threads
- arsenal v3.0.0: An Arsenal of 'R' Functions for Large-Scale Statistical Summaries
- arsenal v3.0.0: An Arsenal of 'R' Functions for Large-Scale Statistical Summaries
- Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
- RES: Samba 3.0.2a with ADS w2k3 Active Directory, enctype s
- Any ideas ?