[Samba] Re: Solution -- can connect via IP but not by name

John H Terpstra jht at samba.org
Tue Jan 27 21:25:59 GMT 2004


On Tue, 27 Jan 2004, Gerald (Jerry) Carter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Here's an update for those of you struggling to get Samba
> working in an AD domain environment.
>
> ~  Summary:  in security = ads, clients can browse to the
> ~    Samba member server via IP but not by name (either netbios
> ~    or DNS).  Kinit and wbinfo -t all work as expected.
>
> The apparent reason for this is that the 2k client uses
> NTLMSSP when you connect via IP which works.  However
> the kerberos authentication always fails to decrypt
> the ticket.  The log appears as
>
> ~  ads_verify_ticket: enc type [16] failed to decrypt with
> ~     error Bad encryption type
> ~  ads_verify_ticket: enc type [1] failed to decrypt with
> ~     error Bad encryption type
> ~  ads_verify_ticket: enc type [3] failed to decrypt with
> ~     error Bad encryption type
> ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad
> ~     encryption type)
> ~  Failed to verify incoming ticket!
>
> The only way I have been able to reproduce this locally
> using MIT 1.3.1 is by setting a list of permitted_enctypes
> in /etc/krb5.conf.  For example,
>
> ~ [libdefaults]
> ~   dns_lookup_kdc = true
> ~   default_tgs_enctypes = des-cbc-md5
> ~   default_tkt_enctypes = des-cbc-md5
> ~   permitted_enctypes = des-cbc-md5 des-cbc-crc

The current Samba-HOWTO-Collection.pdf Section 7.4.2 says:

"With both MIT and Heimdal Kerberos, it is unnecessary to configure the
/etc/krb5.conf, and it may be detrimental."

The above configuration is specifically given for use only with Heimdal
version 0.6. The documentation could possibly be clearer. Anyone have
comments on that?

> Commenting out the last line solved things in my tests.  Usually
> I have a very minimal krb5.conf which works correctly.
>
> ~  [libdefaults]
> ~     dns_lookup_kdc = true

That should work Ok. If anyone can suggest better wording or more
appropriate notations to eliminate potential for the documentation to be
misleading or inaccurate I would appreciate some feedback.

>
> The end result is that this is a kerberos configuration issue
> and not a Samba bug (Of course you could call it our bug
> since kinit works and we don't).  I would be grateful if the
> people experiencing this problem could either confirm or
> refute my theory.

At the end of the day, either it works or it doesn't.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
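As an added example (not part of this thread and not Samba or MIT code), the following POSIX shell script checks a krb5.conf for the [libdefaults] keys that pin the client to a fixed enctype list, which is the setting Jerry reproduced the "Bad encryption type" failure with. The function name krb5_enctype_restrictions and the two sample configs are assumptions made for this example; the restricted sample mirrors the DES-only settings quoted above, the minimal one mirrors the two-line config Jerry reports as working. For reference, the enctype numbers in the quoted log are RFC 3961 identifiers: 16 is des3-cbc-sha1, 1 is des-cbc-crc, 3 is des-cbc-md5.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report krb5.conf
# [libdefaults] keys that restrict the enctypes the library will use.

# krb5_enctype_restrictions FILE
# Prints "key = value" for every enctype-restricting key found in the
# [libdefaults] section. Returns 1 if any such key is present, 0 if the
# file leaves enctype negotiation to the library (the minimal config).
# Only whole-line comments (# or ;) are recognised, as in krb5.conf.
krb5_enctype_restrictions() {
    awk '
        # drop comment lines, then strip surrounding whitespace
        /^[ \t]*[#;]/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        # remember which section we are in
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        section == "libdefaults" && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "permitted_enctypes" || key == "default_tgs_enctypes" ||
                key == "default_tkt_enctypes") {
                printf "%s = %s\n", key, val
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample configs (hypothetical, not copied from any host).
RESTRICTED_CONF=$(mktemp)
MINIMAL_CONF=$(mktemp)
trap 'rm -f "$RESTRICTED_CONF" "$MINIMAL_CONF"' EXIT

# The DES-only configuration from the thread: pins the client to DES.
cat > "$RESTRICTED_CONF" <<'EOF'
[libdefaults]
  dns_lookup_kdc = true
  default_tgs_enctypes = des-cbc-md5
  default_tkt_enctypes = des-cbc-md5
  # restricting this list is what broke ads_verify_ticket
  permitted_enctypes = des-cbc-md5 des-cbc-crc
EOF

# The minimal configuration the thread reports as working.
cat > "$MINIMAL_CONF" <<'EOF'
[libdefaults]
  dns_lookup_kdc = true
EOF

for conf in "$RESTRICTED_CONF" "$MINIMAL_CONF"; do
    if krb5_enctype_restrictions "$conf"; then
        echo "$conf: no enctype restrictions in [libdefaults]"
    else
        echo "$conf: the keys above may cause 'Bad encryption type' on ticket verification"
    fi
done
```

Run it against a real /etc/krb5.conf with `krb5_enctype_restrictions /etc/krb5.conf`; a nonzero return means the file pins enctypes and is a candidate for the "comment out permitted_enctypes" fix described above. The check only reads the file and reports; it changes nothing.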

