Eric S. Hvozda
2005-Apr-16 15:03 UTC
[Samba] Problems with ADS membership with win2k domain
I'm having problems with ADS membership for samba. I had a "mostly" working version with RHES v2.1, krb5 v1.2, samba v3.0.5. I knew to get to a fully functioning version I would need krb5 v1.3 or later. So finally I had an opportunity to junk RH's crufty krb5 and build from scratch with:

RHES v2.1
MIT krb5 v1.4
samba v3.0.13

This works fine on another server. Now to the problem:

I can join the domain. smbclient works flawlessly. kinit(1) works fine. However, when I try from a win2k client I get the authentication dialog box and keep getting in log.w.x.y.z:

[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] passdb/secrets.c:secrets_named_mutex_release(714)
  secrets_named_mutex: released mutex for replay cache mutex
[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_verify_ticket(346)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

...and of course the fun part is we DO NOT have a win2k3 ADS; we have win2k ADS.

So I decided to try samba v3.0.14a since it just came out. However, I still have the same issue.

krb5 v1.4 built with:

./configure --prefix=/usr/local
make
make check (all tests pass)
sudo make install

/etc/krb5.conf:

| [libdefaults]
| default_realm = US1.FOO.COM
|
| [realms]
| US1.FOO.COM = {
| kdc = dc1.us1.foo.com
| }
|
| [domain_realm]
| .dc1.us1.foo.com = US1.FOO.COM

samba 3.0.14a built with:

./configure --prefix=/usr/local --with-krb5=/usr/local
make
sudo make install

/usr/local/lib/smb.conf:

| [global]
| workgroup = FOO
| netbios name = TOKEN
|
| log file = /usr/local/var/log.%m
|
| realm = US1.FOO.COM
| security = ads
| password server = dc1.us1.foo.com dc2.us1.foo.com
|
| idmap uid = 15000-20000
| idmap gid = 15000-20000
| winbind separator = +
| winbind enum users = true
| winbind enum groups = true
| winbind cache time = 10
|
| load printers = no
| domain master = no
|
| hosts deny = ALL
| hosts allow = 192.168.0.0/16 127.
| interfaces = eth1 lo
| bind interfaces only = yes
|
| [tmp]
| comment = tmp files
| path = /tmp
| read only = yes

To me this seems like it shouldn't be rocket science. I did the same configuration on a sister system running RHES v2.1, krb5 v1.4, etc (same right down to the RPM versions reported by "rpm -q -a") and it worked flawlessly. I've even tried the binaries that "work" from the sister machine on the problematic machine to no avail.

I'm out of ideas of where to look next for additional debug. Hints? Ideas? Is it time to break out the sniffer and MD5 all the libraries and executables?
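As an added example, not part of this thread, here is a small Python script that parses ads_secrets_verify_ticket failure lines of the kind shown above and separates the two errors they carry: "Bad encryption type" (the libkrb5 that smbd actually linked has no implementation of that enctype) from "Decrypt integrity check failed" (the enctype is implemented, but the machine-account key in secrets.tdb did not decrypt the ticket). The sample log entries are constructed in the same two-line format, and the verdict strings are this example's own.

```python
import re

ENCTYPE_NAMES = {  # RFC 3961/3962/4757 numbers for the enctypes seen in the log
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

FAIL_RE = re.compile(r"ads_secrets_verify_ticket: enc type \[(\d+)\] "
                     r"failed to decrypt with error (.+?)\s*$")

def parse_verify_log(text):
    """Return [(enctype, error)] for every ads_secrets_verify_ticket failure."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out

def diagnose(text):
    """'Bad encryption type' = enctype absent from the linked libkrb5;
    'Decrypt integrity check failed' = enctype present, key did not match."""
    unsupported, key_mismatch = [], []
    for etype, err in parse_verify_log(text):
        name = ENCTYPE_NAMES.get(etype, "enctype-%d" % etype)
        if err == "Bad encryption type":
            unsupported.append((etype, name))
        elif err.startswith("Decrypt integrity check failed"):
            key_mismatch.append((etype, name))
    if not unsupported and not key_mismatch:
        verdict = "no-verify-failures"
    elif any(e in {17, 18, 23} for e, _ in unsupported):
        # RC4/AES rejected outright: check with ldd which libkrb5 smbd loads
        verdict = "linked-krb5-lacks-rc4-aes"
    elif key_mismatch:
        verdict = "key-mismatch"  # e.g. stale machine secret after a re-join
    else:
        verdict = "unsupported-only"
    return {"unsupported": [n for _, n in unsupported],
            "key_mismatch": [n for _, n in key_mismatch], "verdict": verdict}

# Constructed sample in the same two-line format as the log.w.x.y.z entries above.
SAMPLE_LOG = """\
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""
```

Run `diagnose(SAMPLE_LOG)` on a real log.%m file to see whether smbd is rejecting the AD enctypes (a library problem) or merely failing to match the key (a secrets.tdb problem).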
Eric S. Hvozda
2005-Apr-17 21:03 UTC
[Samba] Problems with ADS membership with win2k domain
On Sat, 16 Apr 2005 11:02:45 -0400 "Eric S. Hvozda" wrote:

> I knew to get to a fully functioning version I would need krb5 v1.3
> or later. So finally I had an opportunity to junk RH's crufty krb5
> and build from scratch with:
>
> RHES v2.1
> MIT krb5 v1.4
> samba v3.0.13
>
> This works fine on another server. Now to the problem:
>
> I can join the domain. smbclient works flawlessly. kinit(1) works
> fine. However on another I try from a win2k client I get the
> authentication dialog box and keep getting in log.w.x.y.z:

Ok, I was able to solve this. Apparently even when building with an explicit --with-krb5=/usr/local, something still managed to use the libraries in /usr/kerberos/lib. :-/

You can't junk the libs on RHES v2.1 because a bunch of things depend on them. So my solution was to rename /usr/kerberos to /usr/kerberosX and recompile samba.

I don't know whether to consider it a bug or a feechure that even with the --with-krb5= option supplied to configure, either the compiler, linker or configure gets the explicit lib pick up wrong.

My problem is solved but just FYI on the behavior of --with-krb5= ...