Hai,

You may need to add the following in krb5.conf

[libdefaults]
allow_weak_crypto = true

; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Can you try that.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul via samba
> Sent: Thursday 9 November 2017 16:45
> To: samba at lists.samba.org
> Subject: [Samba] Slow Kerberos Authentication
>
> Hi All,
>
> I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
> is working but it takes around 30 seconds on first access. This is an
> active directory domain with 2008r2 DC's.
> I've tracked it down to what looks like the incorrect encryption type being
> used according to the debug output below, as you can see it fails twice
> with enc type of 17 and 18 but succeeds with 23... Which according to the
> RFC is rc4-hmac which is all windows DCs talk from what I can find out.
> How can I get it so the correct encryption is chosen first time?
>
> Log excerpt:
>
> [2017/11/09 10:18:04.174379, 3] smbd/sesssetup.c:662(reply_spnego_negotiate)
>   reply_spnego_negotiate: Got secblob of size 3264
> [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
> [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
> [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:423: enc type [23] decrypted message !
> [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
>   Got KRB5 session key of length 16
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hai Paul,

hmm, I think it's time.. to upgrade your samba.

I don't think the other krb5.conf options work, but you might give it a try.
See man krb5.conf, where I took it from.
add /change in krb5.conf

[kdc]
tgt-use-strongest-session-key = BOOL
svc-use-strongest-session-key = BOOL
preauth-use-strongest-session-key = BOOL
use-strongest-server-key = BOOL
encode_as_rep_as_tgs_rep = BOOL

BOOL = true or false.

You might set the default windows encryption in krb5.conf as standard, but imo, those are changes which might give other problems.
And is not my best advice..

So best advice is .. upgrade to samba 4, and packages are available.
https://linux.oracle.com/errata/ELSA-2017-1271.html

Greetz,

Louis

From: Paul [mailto:bluescreen08 at gmail.com]
Sent: Friday 10 November 2017 9:57
To: L.P.H. van Belle
Subject: Re: [Samba] Slow Kerberos Authentication

Thanks, however that didn't work even after a reboot, still the same error.

On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai,
>
> You may need to add the following in krb5.conf
>
> [libdefaults]
> allow_weak_crypto = true
>
> ; for Windows 2003
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> Can you try that.
>
> Greetz,
>
> Louis

I'll look into it and update if I find anything out :)

Any idea why it would try enc type 17, then 18, then pause for 30 seconds? It feels like a timeout is being hit but I don't understand enough about samba/Kerberos to figure out what it is.

On 10 Nov 2017 09:37, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Paul,
>
> hmm, I think it's time.. to upgrade your samba.
>
> I don't think the other krb5.conf options work, but you might give it a try.
> See man krb5.conf, where I took it from.
> add /change in krb5.conf
>
> [kdc]
> tgt-use-strongest-session-key = BOOL
> svc-use-strongest-session-key = BOOL
> preauth-use-strongest-session-key = BOOL
> use-strongest-server-key = BOOL
> encode_as_rep_as_tgs_rep = BOOL
>
> BOOL = true or false.
>
> You might set the default windows encryption in krb5.conf as standard, but
> imo, those are changes which might give other problems.
> And is not my best advice..
>
> So best advice is .. upgrade to samba 4, and packages are available.
> https://linux.oracle.com/errata/ELSA-2017-1271.html
>
> Greetz,
>
> Louis

No, no idea, but really, upgrade to samba, best option, in my opinion.
If that's not possible, it happens..

A timeout option can be set in krb5.conf, for example:
kdc_timeout = 5000

You have these for krb5.conf to try out also, the complete list.

des-hmac-sha1
    DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts
    AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts
    AES-128 CTS mode with 96-bit SHA-1 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5
    RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
    Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts
    Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts
    Camellia-128 CTS mode with CMAC
des
    The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3
    The triple DES family: des3-cbc-sha1
aes
    The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
rc4
    The RC4 family: arcfour-hmac
camellia
    The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac

Try the lines I sent before, keep the allow weak encryptions.
Try these, and add them at the beginning.
arcfour-hmac

Greetz,

Louis

________________________________

From: Paul [mailto:bluescreen08 at gmail.com]
Sent: Friday 10 November 2017 12:03
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Slow Kerberos Authentication

I'll look into it and update if I find anything out :)

Any idea why it would try enc type 17, then 18, then pause for 30 seconds? It feels like a timeout is being hit but I don't understand enough about samba/Kerberos to figure out what it is.
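
Added example, not part of the thread or of Samba's code: a small Python parser for the level-10 smbd log excerpt quoted in the first message, which lists each enctype decrypt attempt and locates the longest wait between attempts. The sample input is the thread's excerpt with the mail client's line wrapping undone; the function names are hypothetical, and the names for enctypes 17, 18 and 23 are the standard Kerberos assignments.

```python
import re
from datetime import datetime

# Enctype numbers that appear in the thread's log, with their Kerberos names.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# The log excerpt from the first message, with the mail client's line wraps undone.
SAMPLE_LOG = """\
[2017/11/09 10:18:04.174379, 3] smbd/sesssetup.c:662(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 3264
[2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:423: enc type [23] decrypted message !
[2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
  Got KRB5 session key of length 16
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
ATTEMPT = re.compile(r"enc type \[(\d+)\] (failed to decrypt|decrypted message)")

def enctype_attempts(log_text):
    """Return (timestamp, enctype, succeeded) for every ticket decrypt attempt."""
    attempts, stamp = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:  # debug header line: remember its timestamp for the message below it
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        hit = ATTEMPT.search(line)
        if hit and stamp is not None:
            attempts.append((stamp, int(hit.group(1)), hit.group(2) == "decrypted message"))
    return attempts

def largest_gap(attempts):
    """Return (seconds, enctype_before, enctype_after) for the longest wait between attempts."""
    gaps = [((b[0] - a[0]).total_seconds(), a[1], b[1]) for a, b in zip(attempts, attempts[1:])]
    return max(gaps) if gaps else None

def summarize(log_text):
    """Return readable lines: one per attempt, then where the time was spent."""
    attempts = enctype_attempts(log_text)
    lines = [f"{ts.time()} {ENCTYPES.get(e, 'unknown')} ({e}): {'ok' if ok else 'failed'}"
             for ts, e, ok in attempts]
    gap = largest_gap(attempts)
    if gap:
        lines.append(f"longest wait: {gap[0]:.3f}s between enctype {gap[1]} and {gap[2]}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

On the thread's excerpt both AES attempts fail within milliseconds of each other, and the wait of roughly 22 seconds sits between the enctype 17 failure and the enctype 23 success.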