Estevam Henrique Carvalho
2004-Apr-20 12:05 UTC
RES: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
Hi Jim,

I did what the doc says but the problem is the same. Did anybody see this work? I mean, is Samba 3.0.2a + MIT Kerberos 1.3.3 able to be accessed by a WXP, W2K or W2K3 machine using Kerberos tickets generated by a Windows 2003 KDC (W2K3 AD)?

Thanks

-----Original Message-----
From: Jim McDonough [mailto:jmcd@us.ibm.com]
Sent: Monday, April 19, 2004 17:07
To: Duran Munoz, Pedro
Cc: Estevam Henrique Carvalho; samba; samba-bounces+jmcd=samba.org@lists.samba.org
Subject: RE: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes

This is a bug in Win2k3. See knowledgebase KB833708. The KB article itself isn't correct, because it states that if you request des-cbc-crc you'll get des-cbc-md5 tickets, but in reality you get rc4-hmac tickets. The KB article points you to a hotfix or a registry setting.

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
jmcd@us.ibm.com
jmcd@samba.org
Phone: (207) 885-5565
IBM tie-line: 776-9984

"Duran Munoz, Pedro" <Pedro.Duran@fujitsu-siemens.com>
Sent by: samba-bounces+jmcd=samba.org@lists.samba.org
04/19/2004 09:42 AM
To: "Estevam Henrique Carvalho" <estevamh@bmf.com.br>
cc: samba <samba@lists.samba.org>
Subject: RE: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes

Hello Henrique,

Actually I have the same problem as you. First I had tried an ADS w2k3 and Samba 3.0.2a integration without any success (only access by IP works, over the NTLM protocol; Kerberos does not work (hostname instead of IP address)). After that I tried a w2k and Samba 3.0.2a integration and it works fine. But I need an ADS w2k3 and Samba integration, and for the moment it does not work. We need the Samba team's help to solve this issue ASAP. Is it possible for us, Samba Team?

Saludos / Best Regards
Pedro Durán Muñoz

-----Original Message-----
From: samba-bounces+pedro.duran=fujitsu-siemens.com@lists.samba.org [mailto:samba-bounces+pedro.duran=fujitsu-siemens.com@lists.samba.org] On Behalf Of Estevam Henrique Carvalho
Sent: Monday, April 19, 2004 1:59 PM
To: samba
Subject: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes

Hi people,

I have a Linux box running Samba 3.0.2a in ADS mode with MIT Kerberos 1.3.3. My W2K and WXP users can't access the Linux box by NetBIOS name; the only access that works is by IP address. I know that is because access through an IP address does not make use of Kerberos. The strangest thing for me is that the same environment works fine with a W2K Active Directory. I read in this same list that the problem was Kerberos 1.2.x, so I changed to 1.3.3, but the problem remains.

I also have tried the following combinations of parameters in krb5.conf:

Test 1 - No permitted_enctypes

    [libdefaults]
        default_realm = HOME.EHC
        # The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        #permitted_enctypes = des-cbc-crc des-cbc-md5

Result

    [2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    [2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    [2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    [2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    [2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    [2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
    [2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
    [2004/04/18 10:38:34, 10] passdb/secrets.c:secrets_named_mutex_release(710)
      secrets_named_mutex: released mutex for replay cache mutex
    [2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2004/04/18 10:38:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!

Test 2 - all enctypes that I know

    [libdefaults]
        default_realm = HOME.EHC
        # The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac arcfour-hmac-exp arcfour-hmac-md5 des des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des-cbc-rawv des-hmac-sha1 des3-cbc-raw des3-cbc-sha1 des3-cbc-sha1-kd des3-hmac-sha1 rc4-hmac

Result

    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [24] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [4] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [8] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [6] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    [2004/04/18 10:40:10, 10] passdb/secrets.c:secrets_named_mutex_release(710)
      secrets_named_mutex: released mutex for replay cache mutex
    [2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2004/04/18 10:40:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!

Could anybody help me? Does anybody have a list of MIT Kerberos 1.3.3 enctypes? Does anybody know what the enctypes for Windows 2003 Active Directory are? What does "...failed to decrypt with error Decrypt integrity check failed" mean for enctype 3?

Thanks
Estevam Henrique

========================================================
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, change, take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
========================================================

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
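The per-enctype lines in the log above can be read mechanically. The following Python is an added example, not code from this thread or from Samba; it assumes the standard Kerberos enctype numbers (RFC 3961 registry / MIT krb5.h) and the MIT behaviour that "Bad encryption type" means the key handed to krb5_rd_req had a different enctype than the ticket, while any other decrypt error means the enctype matched and the key material itself was wrong. Under that assumption the one attempt that fails with "Decrypt integrity check failed" names the enctype the ticket was really encrypted with, which is the question asked about enctype 3.

```python
import re

# Kerberos enctype numbers -> names, from the RFC 3961 registry and MIT's
# krb5.h (rc4 values per RFC 4757). Unknown numbers are reported as-is.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 4: "des-cbc-raw",
    5: "des3-cbc-sha", 6: "des3-cbc-raw", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}

# One match per key smbd tried in ads_verify_ticket(). The error text stops
# at the next "[" so the regex also works on a log pasted onto a single line.
ATTEMPT_RE = re.compile(
    r"enc type \[(\d+)\] failed to decrypt with error ([^\n\[]+)")

# Assumed MIT semantics: KRB5_BAD_ENCTYPE is returned when the key's enctype
# differs from the ticket's; any other error means the enctype matched and
# the key material itself did not decrypt the ticket.
KEY_MISMATCH = "Bad encryption type"


def enctype_name(num):
    return ENCTYPE_NAMES.get(num, "enctype-%d" % num)


def triage(log_text):
    """Name the enctypes tried and the one the incoming ticket really used."""
    tried, matched = [], []
    for m in ATTEMPT_RE.finditer(log_text):
        num, err = int(m.group(1)), m.group(2).strip()
        tried.append(enctype_name(num))
        if err != KEY_MISMATCH:
            matched.append((enctype_name(num), err))
    result = {"tried": tried, "ticket_enctype": None, "verdict": ""}
    if not tried:
        result["verdict"] = "no ads_verify_ticket enctype attempts in log"
    elif not matched:
        result["verdict"] = ("ticket enctype matches none of the keys tried: "
                             "the KDC issued a ticket type this host has no key for")
    else:
        name, err = matched[0]
        result["ticket_enctype"] = name
        result["verdict"] = ("ticket is %s; a %s key exists but fails with '%s': "
                             "wrong key material (password, salt or kvno)"
                             % (name, name, err))
    return result


# Constructed sample: a subset of the "Test 1" lines from the thread, in
# smbd's two-line "[time, level] file:func(line)" / "  message" layout.
SAMPLE_LOG = """\
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
```

Running `triage(SAMPLE_LOG)` reports the ticket as des-cbc-md5 with a key that exists but does not verify; feeding it the "Test 2" lines gives the same verdict, since only enctype 3 ever gets past the enctype check.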
Jim McDonough
2004-Apr-20 13:29 UTC
RES: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
Ok, if you're using MIT 1.3.3, you shouldn't need the

    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5

lines. It should be fine without them... if it's still not, you probably need to send me an ethereal trace.

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
jmcd@us.ibm.com
jmcd@samba.org
Phone: (207) 885-5565
IBM tie-line: 776-9984

Estevam Henrique Carvalho <estevamh@bmf.com.br>
04/20/2004 11:04 AM
To: Jim McDonough/Portland/IBM@IBMUS, "Duran Munoz, Pedro" <Pedro.Duran@fujitsu-siemens.com>
cc: samba <samba@lists.samba.org>, samba-bounces+jmcd=samba.org@lists.samba.org
Subject: RES: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes

Hi Jim,

I did what the doc says but the problem is the same. Did anybody see this work? I mean, is Samba 3.0.2a + MIT Kerberos 1.3.3 able to be accessed by a WXP, W2K or W2K3 machine using Kerberos tickets generated by a Windows 2003 KDC (W2K3 AD)?

Thanks