[Samba] Win2k auth on named share fails on mixed Windows network.

G.W. Haywood samba at jubileegroup.co.uk
Wed Oct 17 08:06:04 MDT 2012


Hi there,

Background:

Samba 3.6.6 compiled from source on Debian Squeeze using the Debian-
installed Kerberos (1.8.3) libraries.  Running in an Active Directory
domain with mixed Win2k Server and Win2k3 Server DCs.  Yes, I've been
trying to persuade them.  Both WINS and DNS name resolution work on
the system.  Samba uses the DCs for WINS, and the DCs are also name
servers with an additional forwarder (dnsmasq) running on a firewall.
Under normal circumstances, Windows 7 Pro and XP Pro clients have no
problems (although a power failure does generally throw a spanner in
the works for several hours - may be the subject of another thread).

With the appropriate credentials, 'smbclient' running on the Linux
server can connect to shares, but using the same credentials Windows
2000 Pro client workstations can access shares only by IP, not name.
Searching the archives, this seems to be a very common problem which
has sometimes been solved and sometimes not.

I've tried setting "kerberos method = secrets and keytab" in smb.conf
and KB833708, both to no avail.

8<----------------------------------------------------------------------
c:\>net view palatine
System error 5 has occurred.

Access is denied.

c:\>net view 192.168.0.250
Shared resources at 192.168.0.250

Samba server

Share name ...
8<----------------------------------------------------------------------

Samba logs show in this case:

[2012/10/17 12:07:02.607012,  3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
    libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted

which indicates that the Kerberos libraries are not permitting the
encryption type, either because it is not available in the libraries
or because it's restricted by the config.  I believe the encryption
type to be available in these libraries, so my guess is that it is not
being permitted for some reason.  I postulate that it's considered a
weak type, so I propose to permit weak encryption types.

Questions:

1. If for example I were to make a change in /etc/krb5.conf to permit
less secure encryption types by setting

[libdefaults]
    allow_weak_crypto = 1

do I have to restart Samba for the change to take effect?  The reason
for the question is that restarting Samba in this situation causes a
good deal of grief for the users, so I'd rather not have to do it.

2. Is there a way to ask Samba what encryption types will be allowed
and what types will not be allowed?

3. Is there a definitive list of the encryption types and the integers
used to refer to them in the Samba logs?

4. Is there some kind of 'graceful' Samba restart which users wouldn't
dislike so much? :)

I've been R-ing the FM and searching archives for a couple of weeks
solid now and it's starting to hurt, so any pointers to bits of the FM
to R will be more than welcome.

--

73,
Ged.
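
Added example, not part of the original post and not Samba code: a small parser that pulls "failed to decrypt" records out of a Samba log and names the Kerberos encryption type behind the bracketed integer. The number-to-name table is a subset of the IANA Kerberos encryption type registry, the weak set follows the MIT krb5 documentation (check it against the installed version), and every sample line except the record quoted in the post is constructed.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (subset of the IANA registry) that
# commonly appear in Active Directory environments.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Types the MIT krb5 documentation marks as weak, i.e. the ones filtered
# out unless allow_weak_crypto is set (assumption: verify for your version).
MIT_WEAK = {1, 2, 3, 24}

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)")
FAILURE = re.compile(r"enc type \[(?P<etype>\d+)\] failed to decrypt with error (?P<err>.+)$")

# Constructed sample: the first record is the one quoted in the post,
# the other two are made up for the demonstration.
SAMPLE = """\
[2012/10/17 12:07:02.607012,  3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
    libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted
[2012/10/17 12:07:05.000000,  3] smbd/example.c:1(constructed_unrelated_entry)
    constructed unrelated message
[2012/10/17 12:09:41.000000,  3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
    libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Encryption type not permitted
"""

def decrypt_failures(lines):
    """Yield one dict per 'failed to decrypt' record found in Samba log lines."""
    header = None
    for line in lines:
        m = HEADER.match(line)
        if m:                      # timestamped header line starts a new record
            header = m.groupdict()
            continue
        f = FAILURE.search(line)   # indented continuation line carries the message
        if f and header:
            n = int(f["etype"])
            yield {"ts": header["ts"], "func": header["func"], "etype": n,
                   "name": ETYPES.get(n, "unknown"), "mit_weak": n in MIT_WEAK,
                   "error": f["err"].strip()}

def summarize(lines):
    """Count failures per (etype number, etype name, error text)."""
    return Counter((r["etype"], r["name"], r["error"]) for r in decrypt_failures(lines))

if __name__ == "__main__":
    for (num, name, err), count in summarize(SAMPLE.splitlines()).items():
        print(f"etype {num} ({name}): {count} x {err}")
```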

