Gordon Hopper
2004-Oct-14 07:02 UTC
[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
I am using Samba with Active Directory. I have successfully joined my Samba server to the domain D1 ( net ads join -U username@D2.DOMAIN.COM ). I am able to successfully connect from Windows XP clients ( with no password ), but not from Windows 2000 ( even when specifying a password ). With w2k, I always get "Failed to verify incoming ticket!".

I think it has something to do with the key type of the Kerberos tickets ( etype or enctype in krb5.conf ). Does Windows 2000 speak the same Kerberos 5 as Windows XP? Which key types are used by Windows? How do I know which enctype I need, and why doesn't the default enctype setting negotiate something that works?

It might also have something to do with trust relationships, since my samba machine is in domain D1.DOMAIN.COM, but my users are in domain D2.DOMAIN.COM. (And my client machine is in D3.DOMAIN.COM). Each of these domains is an active directory tree, with trust relationships between them...

But it works with an XP client, so what's different between XP and Windows 2000?

Thanks,

Gordon

Configuration files follow.

-------------------------
# smb.conf:
[global]
 workgroup = D1
 realm = D1.DOMAIN.COM
 security = ADS
 password server = d1dc02.d1.domain.com
 log file = /etc/samba/samba.log

[t]
 comment = Test Share
 path = /tmp
 read only = No
 guest ok = Yes
 browseable = Yes

-------------------------
# krb5.conf:
[logging]
 default = FILE:/var/log/krb5.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = D1.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 # According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
 # "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 # However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
 # default_tgs_enctypes = des-cbc-crc des-cbc-md5
 # default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
 D1.DOMAIN.COM = {
  kdc = d1dc01.d1.domain.com
 }
 D2.DOMAIN.COM = {
  kdc = d2dc01.d2.domain.com
 }

------------------------------
# from an XP machine in the d2 Domain
C:\>net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .

The command completed successfully.

-----------------------------
# from an XP machine NOT in the Domain
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t .

Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .

The command completed successfully.

------------------------------
# from a Windows 2000 machine in the d2 Domain:

C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t.

Type the password for \\samba07\t:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

C:\>net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .

Type the password for \\samba07\t :
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

# I get this message in the samba.log:

[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

----------------------------
# List of relevant packages (These are the latest updates available for RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E
----------------------------
Christoph Scheeder
2004-Oct-14 11:06 UTC
[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
Hi,
AFAIR, this is a known problem with w2k clients.
You have to upgrade your kerberos to something > 1.3xxxx preferably to the latest available version.
Christoph

Gordon Hopper schrieb:
> I am using Samba with Active Directory. I have successfully joined my
> Samba server to the domain D1 ( net ads join -U username@D2.DOMAIN.COM
> ). I am able to successfully connect from Windows XP clients ( with no
> password ), but not from Windows 2000 ( even when specifying a password
> ). With w2k, I always get "Failed to verify incoming ticket!".
>
> I think it has something to do with the key type of the Kerberos tickets
> ( etype or enctype in krb5.conf ). Does Windows 2000 speak the same
> Kerberos 5 as Windows XP? Which key types are used by Windows? How do
> I know which enctype I need, and why doesn't the default enctype setting
> negotiate something that works?
> [...]
Doug VanLeuven
2004-Oct-14 21:16 UTC
[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
Gordon Hopper wrote:
> # According to
> http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
> # "the only supported encryption types are des3-hmac-sha1 and
> des-cbc-crc."
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> # However,
> http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
> # default_tgs_enctypes = des-cbc-crc des-cbc-md5
> # default_tkt_enctypes = des-cbc-crc des-cbc-md5

At the time, I was working from the MS KB article on permitted enctypes
http://support.microsoft.com/default.aspx?scid=kb;en-us;296842
and the IBM AIX security guide for authenticating to a 2000 ADS domain controller with an older version kerberos
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/securitytfrm.htm

It may very well be the only acceptable enctype is des-cbc-crc considering the limitation of that version of kerberos.
But MS seems to suggest the only acceptable enctypes for AD are rc4-hmac, des-cbc-crc and des-cbc-md5

Regards, Doug
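As an added example (not code from the thread, from Samba, or from any poster), a small Python check that answers Gordon's "how do I know which enctype I need" using Doug's reasoning: it parses the [libdefaults] enctype lists of a krb5.conf and reports which configured entries are both supported by the library and accepted by AD. The two enctype sets and the sample krb5.conf are assumptions taken from the MIT 1.2 documentation Gordon quotes and the MS KB article Doug cites.

```python
# Added example, not from the thread or the Samba project. The two enctype sets
# are assumptions taken from the sources the thread cites (see comments below).
import re

LIBRARY_SUPPORTED = {"des3-hmac-sha1", "des-cbc-crc"}      # MIT krb5 1.2.x docs
AD_ACCEPTED = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}    # per the MS KB cited

# Constructed sample modelled on Gordon's krb5.conf (comment line included).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = D1.DOMAIN.COM
 # "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 D1.DOMAIN.COM = {
  kdc = d1dc01.d1.domain.com
 }
"""

def parse_libdefaults(text):
    """Return top-level key = value pairs of [libdefaults] as a dict,
    ignoring comments and the brace-delimited blocks of other sections."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            result[key] = value
    return result

def enctype_report(text):
    """Split each configured enctype list into entries usable end to end
    (supported by the library AND accepted by AD) and the rest."""
    conf, report = parse_libdefaults(text), {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        configured = conf.get(key, "").split()
        usable = [e for e in configured if e in LIBRARY_SUPPORTED & AD_ACCEPTED]
        report[key] = (usable, [e for e in configured if e not in usable])
    return report

if __name__ == "__main__":
    for key, (usable, unusable) in enctype_report(SAMPLE_KRB5_CONF).items():
        print(f"{key}: usable={usable} unusable={unusable}")
```

For the sample above the only overlap is des-cbc-crc; note that current MIT Kerberos releases disable single-DES types unless allow_weak_crypto is set, so the configuration the thread converges on is not one to reuse today.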