I'm running a Samba 3.0.0 server in production in security = ADS mode
against a W2k ADS server. Works just fine, thanks!
We're sort of under pressure to regrade to a 2003 AD server, which sent
me trying stuff out a bit. Meager results. The 3.0.0 I have (linked
with MIT krb5-1.2.8) refuses to verify incoming tickets:
[2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
Some frantic googling later it is clear that Windows -really- wants to
use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular
version of MIT kerberos won't digest.
My doubt right now concerns a statement that this "arcfour-hmac-md5"
choice applies already in AD2000 -- so how come it works?
(A) The 2k AD supports other types as well and makes peace with MIT krb5
whereas 2k3 AD has been lambasted out of such fraternizing habits,
(B) The 2k3 AD would support other types after the proper Magic Handwaving,
i.e., tweaking of some well chosen registry keys.
Does anybody know to enlighten us on this?
It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
tomorrow I will journey up the Repent, Recompile, Restart mountain
and then hopefully be one Microsoft wiser.
Magnus
Magnus,
I can confirm that you need MIT KRB5 1.3.1. I have not yet had success with
Heimdal 0.6.
On Tue, 28 Oct 2003, Magnus Bäckström wrote:
> I'm running a Samba 3.0.0 server in production in security = ADS mode
> against a W2k ADS server. Works just fine, thanks!
>
> We're sort of under pressure to regrade to a 2003 AD server, which sent
> me trying stuff out a bit. Meager results. The 3.0.0 I have (linked
> with MIT krb5-1.2.8) refuses to verify incoming tickets:
>
> [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> Some frantic googling later it is clear that Windows -really- wants to
> use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular
> version of MIT kerberos won't digest.
>
> My doubt right now concerns a statement that this "arcfour-hmac-md5"
> choice applies already in AD2000 -- so how come it works?
>
> (A) The 2k AD supports other types as well and makes peace with MIT krb5
> whereas 2k3 AD has been lambasted out of such fraternizing habits,
>
> (B) The 2k3 AD would support other types after the proper Magic Handwaving,
> i.e., tweaking of some well chosen registry keys.
>
> Does anybody know to enlighten us on this?
>
> It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
> tomorrow I will journey up the Repent, Recompile, Restart mountain
> and then hopefully be one Microsoft wiser.
>
> Magnus
>
- John T.
--
John H Terpstra
Email: jht@samba.org
That's a most logical assumption... therefore it's incorrect!
To talk to a Win2k3 box, you will need to run MIT's Krb5 1.3.1 libraries.
Hopefully you're not running Red Hat 9, or you'll have a whole new set
of issues to deal with. If that's the case, let me know, I've already
documented (barely) a fix.
Terry
-----Original Message-----
From: Magnus Bäckström <b@etek.chalmers.se>
Sent: Oct 28, 2003 10:48 AM
To: "The Dancing... you don't want to know." <samba@lists.samba.org>
Subject: [Samba] v3.0.0, AD, 2k3 mumbles
I'm running a Samba 3.0.0 server in production in security = ADS mode
against a W2k ADS server. Works just fine, thanks!
We're sort of under pressure to regrade to a 2003 AD server, which sent
me trying stuff out a bit. Meager results. The 3.0.0 I have (linked
with MIT krb5-1.2.8) refuses to verify incoming tickets:
[2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
Some frantic googling later it is clear that Windows -really- wants to
use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular
version of MIT kerberos won't digest.
My doubt right now concerns a statement that this "arcfour-hmac-md5"
choice applies already in AD2000 -- so how come it works?
(A) The 2k AD supports other types as well and makes peace with MIT krb5
whereas 2k3 AD has been lambasted out of such fraternizing habits,
(B) The 2k3 AD would support other types after the proper Magic Handwaving,
i.e., tweaking of some well chosen registry keys.
Does anybody know to enlighten us on this?
It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
tomorrow I will journey up the Repent, Recompile, Restart mountain
and then hopefully be one Microsoft wiser.
Magnus
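
Added example (not part of the original thread and not Samba code): a small Python scan of smbd log text in the two-line format quoted above, pulling out krb5_rd_req ticket-verification failures and counting them by reason, so the "Bad encryption type" case discussed in this thread can be spotted before and after a library upgrade. The sample log is constructed; only its first record is the one from the thread, and the source file and function named in the second record are hypothetical.

```python
import re
from collections import Counter

# Header of a log record: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Message body logged when krb5_rd_req rejects an incoming ticket.
RD_REQ_FAIL = re.compile(r"krb5_rd_req with auth failed \((?P<reason>[^)]*)\)")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = dict(m.groupdict(), msg="")
            records.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records

def ticket_failures(text):
    """Return (timestamp, reason) for every ads_verify_ticket failure."""
    out = []
    for rec in parse_records(text):
        m = RD_REQ_FAIL.search(rec["msg"])
        if m and rec["func"] == "ads_verify_ticket":
            out.append((rec["ts"], m.group("reason")))
    return out

def summarize(text):
    """Count failures per reason; 'Bad encryption type' is the enctype mismatch."""
    return Counter(reason for _, reason in ticket_failures(text))

# Constructed sample: record 1 is quoted in the thread, records 2 and 3 are made up.
SAMPLE = """\
[2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/28 16:27:40, 3] example/placeholder.c:some_function(1)
  unrelated message
[2003/10/28 16:29:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

if __name__ == "__main__":
    for reason, n in summarize(SAMPLE).items():
        print(f"{n} x {reason}")
```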