[Samba] Samba 3.0.6 Problems w/AD and Kerberos

Rick Brown Rick.Brown at oit.gatech.edu
Wed Sep 8 16:56:53 GMT 2004 

On Sun, 5 Sep 2004, Christian Merrill wrote:

> Gerald (Jerry) Carter wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Christian Merrill wrote:
> > | Running into a lot of people upgrading to the 3.0.6
> > | package that all of a sudden begin to experience
> > | the "Failed to verify incoming ticket!" errors
> > | etc., that are generally associated with a kerberos
> > | package incompatibility.
> > |
> > | However many of these people are running later
> > | versions of kerberos *and* reverting to a previous
> > | version of Samba appears to fix the issue.  Is there
> > | something new setting wise that has taken place, is
> > | something really wrong with this new package, or
> > | is this all just a strange coincidence?
> >
> > I've not been able to reproduce this or track it down.
> > Is there a consensus whether this is an specific issue
> > with using MIT or Heimdal ?  Or with Windows 2000 or
> > 2003 DCs ?
> >
> > Any details would be helpful.  I've created bug report at
> > https://bugzilla.samba.org/show_bug.cgi?id=1739
>
> Well from my end (Redhat) the behavior is indicative of a known issue
> with the MIT kerberos 1.2.x packages that we currently support and
> Win2k3 DC's...however Win2k DC's have been operating fine as far as I
> know.  What I am seeing are customers who were previously running
> upgrade to the 3.0.6 samba package and then start to encounter these
> errors.  If they downgrade the samba package the problem goes away.
> I've also noticed a few other posts from users on other distros such as
> Debian encountering very similar behavior.
>
> On the surface it really looks like a kerberos problem, but people are
> reporting that it seems to be directly linked to the samba package.  My
> current test environment is on 2k3 so I'm still in the process of
> setting up a 2k AD environment to do testing on...at this point just
> relaying feedback that I am getting from others.

I've seen this problem on a new machine/samba install..
Our DC recently changed from 2k to 2k3, and I believe that might
be part of the cause of the problem.   I have 2 samba machines (running
3.0.2) that I joined into the realm when our DC was 2k, they still work
great.   Last week I brought a new machine online (running 3.0.4) joined
the realm with no problems, but then proceeded to get the following error:

 ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed

when authenticating..  I've since downgraded to 3.0.2 with no success,
and tried upgrading to 3.0.6 with no success.

Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
red tape...   so that's not an option.   IMO, MIT krb is not the problem, as
the two existing machines still work fine.   I think it might have
something to do with the way AD in 2k3 is storing the cifs and host
keys.

[         Rick Brown               ][      (404) 894-6175           ]
[ Office of Information Technology ][    rick at oit.gatech.edu 	    ]
[ Georgia Institute of Technology  ][  258 4th street. Atlanta, GA  ]

More information about the samba mailing list