samba - Oct 2012 - Win2k auth on named share fails on mixed Windows network.

Hi there,

Background:

Samba 3.6.6 compiled from source on Debian Squeeze using the Debian-
installed Kerberos (1.8.3) libraries.  Running in an Active directory
domain with mixed Win2k Server and Win2k3 Server DCs.  Yes, I've been
trying to persuade them.  Both WINS and DNS name resolution work on
the system.  Samba uses the DCs for WINS, and the DCs are also name
servers with an additional forwarder (dnsmasq) running on a firewall.
Under normal circumstances, Windows 7 Pro and XP Pro clients have no
problems (although a power failure does generally throw a spanner in
the works for several hours - may be the subject of another thread).

With the appropriate credentials, 'smbclient' running on the Linux
server can connect to shares, but using the same credentials Windows
2000 Pro client workstations can access shares only by IP, not name.
Searching the archives, this seems to be a very common problem which
has sometimes been solved and sometimes not.

I've tried setting "kerberos method = secrets and keytab" in
smb.conf
and KB833708, both to no avail.

8<----------------------------------------------------------------------
c:\>net view palatine
System error 5 has occurred.

Access is denied.

c:\>net view 192.168.0.250
Shared resources at 192.168.0.250

Samba server

Share name ...
8<----------------------------------------------------------------------

Samba logs show in this case:

[2012/10/17 12:07:02.607012,  3]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
    libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error
Encryption type not permitted

which indicates that the Kerberos libraries are not permitting the
encryption type, either because it is not available in the libraries
or because it's restricted by the config.  I believe the encryption
type to be available in these libraries, so my guess is that it is not
being permitted for some reason.  I postulate that it's considered a
weak type, so I propose to permit weak encryption types.

Questions:

1. If for example I were to make a change in /etc/krb5.conf to permit
less secure encryption types by setting

[libdefaults]
    allow_weak_crypto = 1

do I have to restart Samba for the change to take effect?  The reason
for the question is that restarting Samba in this situation causes a
good deal of grief for the users, so I'd rather not have to do it.

2. Is there a way to ask Samba what encryption types will be allowed
and what types will not be allowed?

3. Is there a definitive list of the encryption types and the integers
used to refer to them in the Samba logs?

4. Is there some kind of 'graceful' Samba restart which users
wouldn't
dislike so much? :)

I've been R-ing the FM and searching archives for a couple of weeks
solid now and it's starting to hurt, so any pointers to bits of the FM
to R will be more than welcome.

--

73,
Ged.

There was a problem with Debian Squeeze in early 2010 while still in 
testing, but it was fixed before being released as stable, so may not be 
the exact same problem.
The problem was related to libkrb5-3.  For me, it affected both w2k and 
xp systems - there were no Vista/Win7 systems here at that time.

Check to see if this is relevant to you:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

'smbcontrol [all/smbd/nmbd/winbindd] reload-config' might be the 
graceful restart for which you are looking.

Dale


On 10/17/2012 9:06 AM, G.W. Haywood wrote:
> Hi there,
>
> Background:
>
> Samba 3.6.6 compiled from source on Debian Squeeze using the Debian-
> installed Kerberos (1.8.3) libraries.  Running in an Active directory
> domain with mixed Win2k Server and Win2k3 Server DCs.  Yes, I've been
> trying to persuade them.  Both WINS and DNS name resolution work on
> the system.  Samba uses the DCs for WINS, and the DCs are also name
> servers with an additional forwarder (dnsmasq) running on a firewall.
> Under normal circumstances, Windows 7 Pro and XP Pro clients have no
> problems (although a power failure does generally throw a spanner in
> the works for several hours - may be the subject of another thread).
>
> With the appropriate credentials, 'smbclient' running on the Linux
> server can connect to shares, but using the same credentials Windows
> 2000 Pro client workstations can access shares only by IP, not name.
> Searching the archives, this seems to be a very common problem which
> has sometimes been solved and sometimes not.
>
> I've tried setting "kerberos method = secrets and keytab" in
smb.conf
> and KB833708, both to no avail.
>
> 8<----------------------------------------------------------------------
> c:\>net view palatine
> System error 5 has occurred.
>
> Access is denied.
>
> c:\>net view 192.168.0.250
> Shared resources at 192.168.0.250
>
> Samba server
>
> Share name ...
> 8<----------------------------------------------------------------------
>
> Samba logs show in this case:
>
> [2012/10/17 12:07:02.607012,  3] 
> libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
>    libads/kerberos_verify.c:429: enc type [23] failed to decrypt with 
> error Encryption type not permitted
>
> which indicates that the Kerberos libraries are not permitting the
> encryption type, either because it is not available in the libraries
> or because it's restricted by the config.  I believe the encryption
> type to be available in these libraries, so my guess is that it is not
> being permitted for some reason.  I postulate that it's considered a
> weak type, so I propose to permit weak encryption types.
>
> Questions:
>
> 1. If for example I were to make a change in /etc/krb5.conf to permit
> less secure encryption types by setting
>
> [libdefaults]
>    allow_weak_crypto = 1
>
> do I have to restart Samba for the change to take effect?  The reason
> for the question is that restarting Samba in this situation causes a
> good deal of grief for the users, so I'd rather not have to do it.
>
> 2. Is there a way to ask Samba what encryption types will be allowed
> and what types will not be allowed?
>
> 3. Is there a definitive list of the encryption types and the integers
> used to refer to them in the Samba logs?
>
> 4. Is there some kind of 'graceful' Samba restart which users
wouldn't
> dislike so much? :)
>
> I've been R-ing the FM and searching archives for a couple of weeks
> solid now and it's starting to hurt, so any pointers to bits of the FM
> to R will be more than welcome.
>
> -- 
>
> 73,
> Ged.