Hello,

I'm trying to access a samba share using an ADS user's credentials. I always get an error, and the debug traces (log level = 5) are giving me the output below.

I have searched the samba ML archives, and I have found the thread http://lists.samba.org/archive/samba/2004-April/084545.html but, before asking the system admin to apply the eventual KB fixes, I would like to know if the problem is really the same:

*what are the codes 296 and 471* which can be found below?
*do they show the algorithm used to decrypt the token*?
so, is this the same problem, since the email I linked above shows a 323 code?
*is there a list of codes/algorithms, if my hypothesis is correct*?

(I've tried the samba websvn, but it isn't currently available)

[2009/05/04 11:29:45, 3] smbd/sesssetup.c:reply_spnego_negotiate(802)
  reply_spnego_negotiate: Got secblob of size 1445
[2009/05/04 11:29:45, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/05/04 11:29:45, 3] libads/kerberos_verify.c:ads_verify_ticket(471)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/05/04 11:29:45, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/05/04 11:29:45, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

and

[2009/05/04 11:29:51, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/05/04 11:29:51, 3] libads/kerberos_verify.c:ads_verify_ticket(471)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

--
pgp.mit.edu:0A4D0FDD
http://www.nilleb.com
ravi channavajhala
2009-May-04 19:21 UTC
[Samba] bad encryption type in AD domain authentication
Decrypt integrity check usually means your Kerberos tickets are no good or you don't have the entry in the keytab which specifies the encryption method expected.

The real way to fix it is to run ktpass.exe on the ADS server, ftp the generated krb keytab file to /tmp on the Unix server, and examine it with

  klist -e -k /tmp/krb5.keytab

If all looks good, remove the /etc/krb5 keytab file and run ktutil to write /tmp/krb5.keytab to the /etc/krb5 keytab.

The safest method I found is to use the default DES-CBC-MD5 authentication only while generating the keytab file with ktpass. Run ktpass something along the lines of

  ktpass -princ host/FQDN@REALM -mapuser DOMAIN\hostname$ -crypto DES-CBC-MD5 -pass whatever -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

You don't have to specify the -crypto option unless you would like to use an encryption method such as DES-CBC-CRC or arcfour etc. In that case, generate keytabs separately for each encryption method and merge them into the keytab.

Two points: one is that the FQDN should be literally of the form host.domain.com, and secondly, in the mapuser use the short form of the domain name.

Honestly, I wish this weren't this complicated, but the interoperability of (lin)u(ni)x with a windows AD server isn't really seamless. Now, the hard part is what if you don't have never-expiring passwds on the ADS; this rigmarole of generating the keytabs will be an ongoing process.

-----Original Message-----
From: samba-bounces+ravi.channavajhala=dciera.com@lists.samba.org [mailto:samba-bounces+ravi.channavajhala=dciera.com@lists.samba.org] On Behalf Of nilleb
Sent: Monday, May 04, 2009 5:50 PM
To: samba@lists.samba.org
Subject: [Samba] bad encryption type in AD domain authentication

> Hello,
>
> I'm trying to access a samba share using an ADS user's credentials. I always get an error, and the debug traces (log level = 5) are giving me the output below.
>
> I have searched the samba ML archives, and I have found the thread http://lists.samba.org/archive/samba/2004-April/084545.html but, before asking the system admin to apply the eventual KB fixes, I would like to know if the problem is really the same:
>
> *what are the codes 296 and 471* which can be found below?
> *do they show the algorithm used to decrypt the token*?
> so, is this the same problem, since the email I linked above shows a 323 code?
> *is there a list of codes/algorithms, if my hypothesis is correct*?
>
> (I've tried the samba websvn, but it isn't currently available)
>
> [2009/05/04 11:29:45, 3] smbd/sesssetup.c:reply_spnego_negotiate(802)
>   reply_spnego_negotiate: Got secblob of size 1445
> [2009/05/04 11:29:45, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> [2009/05/04 11:29:45, 3] libads/kerberos_verify.c:ads_verify_ticket(471)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2009/05/04 11:29:45, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2009/05/04 11:29:45, 3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
> and
>
> [2009/05/04 11:29:51, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> [2009/05/04 11:29:51, 3] libads/kerberos_verify.c:ads_verify_ticket(471)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> --
> pgp.mit.edu:0A4D0FDD
> http://www.nilleb.com
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
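Added example (not from the thread) of the check the reply above describes: take the enctype number smbd logs in "enc type [N]" and confirm that klist -e -k lists a key of that type for the host principal. In smbd's file:function(line) log prefix, 296 and 471 are source line numbers in kerberos_verify.c rather than algorithm codes; the algorithm is the enctype, and 23 is arcfour-hmac (RC4-HMAC, RFC 4757). The klist output, the log entry and the principal host/fileserver.example.com@EXAMPLE.COM are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the enctype smbd failed on
# ("enc type [N]") with the keys `klist -e -k` lists for the host principal.
# Constructed sample of MIT `klist -e -k` output (not real data): no RC4 key.
SAMPLE_KLIST='Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.example.com@EXAMPLE.COM (des-cbc-md5)
   3 host/fileserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed smbd log entry in the same format as the thread's traces.
SAMPLE_LOG='[2009/05/04 11:29:45, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed'

# RFC 3961/4757 enctype numbers -> the names klist prints.
enctype_name() {
    case "$1" in
        1)  echo "des-cbc-crc" ;;
        3)  echo "des-cbc-md5" ;;
        17) echo "aes128-cts-hmac-sha1-96" ;;
        18) echo "aes256-cts-hmac-sha1-96" ;;
        23) echo "arcfour-hmac" ;;
        *)  echo "unknown-enctype-$1" ;;
    esac
}

# Print the first N found in an "enc type [N]" smbd log line.
log_enctype() {
    printf '%s\n' "$1" | sed -n 's/.*enc type \[\([0-9][0-9]*\)\].*/\1/p' | head -n 1
}

# keytab_has_key <klist output> <principal> <enctype name>: true if listed.
keytab_has_key() {
    printf '%s\n' "$1" | grep -F -- "$2 ($3)" >/dev/null
}

# diagnose <klist output> <principal> <smbd log>: prints "ok: ..." or "missing: ..."
# and returns 0/1; krb5_rd_req needs a key of exactly the ticket's enctype.
diagnose() {
    n=$(log_enctype "$3")
    [ -n "$n" ] || { echo "unknown: no enc type in log"; return 2; }
    name=$(enctype_name "$n")
    if keytab_has_key "$1" "$2" "$name"; then
        echo "ok: keytab has $name (enctype $n) key for $2"; return 0
    fi
    echo "missing: no $name (enctype $n) key for $2 in keytab"; return 1
}

diagnose "$SAMPLE_KLIST" "host/fileserver.example.com@EXAMPLE.COM" "$SAMPLE_LOG" || true
```

DES (RFC 6649) and RC4 (RFC 8429) are deprecated enctypes, so when the keytab is regenerated, add AES keys rather than reviving the weak types; a ticket encrypted with enctype 18 then passes this check against the sample keytab.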
Ivo Bellin Salarin
2009-May-12 13:31 UTC
[Samba] bad encryption type in AD domain authentication