[Samba] Kerberos enc type [xx] failed

Ephi Dror ephi at agami.com
Wed Jun 15 02:04:09 GMT 2005 

Hi Andrew,

I upgraded krb5 libs to 1.3.3 and now the error became "Decrypt
integrity check failed".

I rebooted my AD server and the SAMBA server just in case.

Here is the log:

[2005/06/14 18:14:30, 3, pid=17668]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
[2005/06/14 18:14:30, 3, pid=17668]
libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

Any idea?

Did I forget to do something so obvious?

Is it anything to do with keytab which I have noticed that if I specify
"use kerberos keytab = yes" I get an error in  net ads join that says:
[2005/06/14 18:50:43, 1, pid=23237]
libads/kerberos_keytab.c:ads_keytab_add_entry(236)
  ads_keytab_add_entry: adding entry to keytab failed (Cannot write to
specified key table)
[2005/06/14 18:50:43, 1, pid=23237]
libads/kerberos_keytab.c:ads_keytab_create_default(418)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding
'host'.
[2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
  Error creating host keytab!
Joined 'SSN217' to realm 'LONDON.STORADINC.COM'

And last, is it to do with kerberos hot fix
http://support.microsoft.com/kb/833708/
Just wondering.

Thanks so much in advance for any hint in this complicated area.

Cheers,
Ephi



-----Original Message-----
From: Ephi Dror 
Sent: Tuesday, June 14, 2005 10:28 AM
To: 'Andrew Bartlett'
Cc: Samba (samba at lists.samba.org)
Subject: RE: [Samba] Kerberos enc type [xx] failed

Thank you Andrew for sharing with us your expertise and give us those
suggestions.

We really appreciate it.

Cheers,
Ephi 

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, June 13, 2005 10:15 PM
To: Ephi Dror
Cc: samba at lists.samba.org
Subject: Re: [Samba] Kerberos enc type [xx] failed

On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> Hi All,
>  
> I am getting Kerberos "enc type" problem that I can't explain:
>  

> Just a quick background:
> 1. My samba version is 3.0. 6 (will switch to latest soon) 2. My 
> Kerberos version is krb5 1.2.7.
> 4. Samba joined active directory that  has one KDC running win2003 
> (not
> sp1)
> 5. I switched between different domains and join as ADS and domain 
> many times, could it contribute to this problem?
>  
> At the moment, I can't switch to latest krb5 package. What is the 
> minimum Kerberos version required by SAMBA?

MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
maintained since Samba 3.0.  Using less than this will cause issues with
clients that for one reason or another do not posses 'DES' kerberos
keys.

Kerberos library requirements have been quite a pain in Samba 3.0.
There are three basic solutions:

 - Upgrade your OS to one with a suitable kerberos
 - Upgrade the kerberos libraries on your OS
 - Statically link your Samba install to an upgraded kerberos.  

The latter option is what SerNet did/does for their Samba 3.0 packages.

In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
and the current plan is to ship with a built-in kerberos library.
(Options for later development allow this to possibly use a system lib,
but the aim is to shift the pain away from the administrator, who can't
help the situation much).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

More information about the samba mailing list