Gerald (Jerry) Carter
2004-Jan-27 21:01 UTC
[Samba] Solution -- can connect via IP but not by name
Here's an update for those of you struggling to get Samba working in an AD domain environment.

Summary: in security = ads, clients can browse to the Samba member server via IP but not by name (either netbios or DNS). Kinit and wbinfo -t all work as expected.

The apparent reason for this is that the 2k client uses NTLMSSP when you connect via IP which works. However the kerberos authentication always fails to decrypt the ticket. The log appears as

    ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
    ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    Failed to verify incoming ticket!

The only way I have been able to reproduce this locally using MIT 1.3.1 is by setting a list of permitted_enctypes in /etc/krb5.conf. For example,

    [libdefaults]
    dns_lookup_kdc = true
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc

Commenting out the last line solved things in my tests. Usually I have a very minimal krb5.conf which works correctly.

    [libdefaults]
    dns_lookup_kdc = true

The end result is that this is a kerberos configuration issue and not a Samba bug (Of course you could call it our bug since kinit works and we don't). I would be grateful if the people experiencing this problem could either confirm or refute my theory. Thanks.

cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
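One way to check a member server for the pattern Jerry describes, as an added example that is not part of this thread and not Samba code: it reads the [libdefaults] section of a krb5.conf and the ads_verify_ticket log lines (sample input constructed from the message above), flags a permitted_enctypes line, and lists the enctypes Samba could not decrypt with. The enctype-number-to-name table is taken from RFC 3961 and is an assumption of the example, not something the thread states.

```python
import re

# Assumption: RFC 3961 enctype numbers, used only to label the log findings.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}
LOG_RE = re.compile(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt")

def parse_libdefaults(text):
    """Return key=value pairs of the [libdefaults] section, comments stripped."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = val
    return values

def failed_enctypes(log_lines):
    """Enctype numbers that Samba reported as 'failed to decrypt'."""
    return [int(m.group(1)) for m in map(LOG_RE.search, log_lines) if m]

def diagnose(krb5_conf, log_lines):
    """List of findings; empty means neither half of the thread's pattern is present."""
    libdefaults = parse_libdefaults(krb5_conf)
    findings = []
    permitted = libdefaults.get("permitted_enctypes")
    if permitted is not None:
        findings.append("permitted_enctypes limits decryption to: %s" % permitted)
    failed = failed_enctypes(log_lines)
    if failed:
        names = ", ".join("%d (%s)" % (e, ENCTYPE_NAMES.get(e, "?")) for e in failed)
        findings.append("ads_verify_ticket could not decrypt with enctypes %s" % names)
    if permitted is not None and failed:
        findings.append("likely cause: permitted_enctypes in krb5.conf; remove it and retry")
    return findings

# Constructed sample input: the config and log excerpt quoted in the thread.
SAMPLE_CONF = """[libdefaults]
  dns_lookup_kdc = true
  default_tgs_enctypes = des-cbc-md5
  default_tkt_enctypes = des-cbc-md5
  permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
SAMPLE_LOG = [
    "ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type",
    "ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type",
    "ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)",
]
```

Running diagnose(SAMPLE_CONF, SAMPLE_LOG) yields three findings; with the minimal two-line krb5.conf from the message and the same log it reports only the decryption failures.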
John H Terpstra
2004-Jan-27 21:26 UTC
[Samba] Re: Solution -- can connect via IP but not by name
On Tue, 27 Jan 2004, Gerald (Jerry) Carter wrote:

> Here's an update for those of you struggling to get Samba
> working in an AD domain environment.
>
> Summary: in security = ads, clients can browse to the
> Samba member server via IP but not by name (either netbios
> or DNS). Kinit and wbinfo -t all work as expected.
>
> The apparent reason for this is that the 2k client uses
> NTLMSSP when you connect via IP which works. However
> the kerberos authentication always fails to decrypt
> the ticket. The log appears as
>
>     ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
>     ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
>     ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
>     ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>     Failed to verify incoming ticket!
>
> The only way I have been able to reproduce this locally
> using MIT 1.3.1 is by setting a list of permitted_enctypes
> in /etc/krb5.conf. For example,
>
>     [libdefaults]
>     dns_lookup_kdc = true
>     default_tgs_enctypes = des-cbc-md5
>     default_tkt_enctypes = des-cbc-md5
>     permitted_enctypes = des-cbc-md5 des-cbc-crc

The current Samba-HOWTO-Collection.pdf Section 7.4.2 says: "With both MIT and Heimdal Kerberos, it is unnecessary to configure the /etc/krb5.conf, and it may be detrimental." The above configuration is specifically given for use only with Heimdal version 0.6. The documentation could possibly be clearer. Anyone have comments on that?

> Commenting out the last line solved things in my tests. Usually
> I have a very minimal krb5.conf which works correctly.
>
>     [libdefaults]
>     dns_lookup_kdc = true

That should work Ok.

If anyone can suggest better wording or more appropriate notations to eliminate potential for the documentation to be misleading or inaccurate I would appreciate some feedback.

> The end result is that this is a kerberos configuration issue
> and not a Samba bug (Of course you could call it our bug
> since kinit works and we don't). I would be grateful if the
> people experiencing this problem could either confirm or
> refute my theory.

At the end of the day, either it works or it doesn't.

- John T.
--
John H Terpstra
Email: jht@samba.org
Gerald (Jerry) Carter
2004-Jan-27 21:38 UTC
[Samba] Re: Solution -- can connect via IP but not by name
John H Terpstra wrote:
| The current Samba-HOWTO-Collection.pdf
| Section 7.4.2 says:

Sorry. I wrote part of the message thinking it was the default enctypes lines but it was the permitted enctypes lines. And it is the out of date MS interop guide that says only the DES-CBC-MD5 and DES-CBC-CRC enctypes are supported by MIT.

cheers, jerry
Wolfgang Wagner
2004-Jan-28 13:54 UTC
[Samba] Solution -- can connect via IP but not by name
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
>
> The only way I have been able to reproduce this locally
> using MIT 1.3.1 is by setting a list of permitted_enctypes
> in /etc/krb5.conf. For example,
>
>     [libdefaults]
>     dns_lookup_kdc = true
>     default_tgs_enctypes = des-cbc-md5
>     default_tkt_enctypes = des-cbc-md5
>     permitted_enctypes = des-cbc-md5 des-cbc-crc
>
> Commenting out the last line solved things in my tests. Usually
> I have a very minimal krb5.conf which works correctly.
>
>     [libdefaults]
>     dns_lookup_kdc = true
>
> The end result is that this is a kerberos configuration issue
> and not a Samba bug (Of course you could call it our bug
> since kinit works and we don't). I would be grateful if the
> people experiencing this problem could either confirm or
> refute my theory.

Hello,

here using samba V3.0.1-Debian this config does not change behaviour, even after restarting samba and winbindd. I am using Debian-Woody with packages from http:\\www.backports.org. Maybe I have to restart some other daemons?

> Thanks.
>
> cheers, jerry

Kind regards
Wolfgang Wagner
--
Systemadministration
Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
eMail: wolfgang.wagner@riwa-gis.de