bug? kerberos tickets with rc4-hmac: enc type [3] failed to decrypt with error Bad encryption type

Stefan Beck becks at itereu.de
Fri Feb 20 11:29:47 GMT 2004


Hello,

I'm trying to use Samba 3.0.2 on Debian sid as a win2k ADS member.

Using kerberos from linux works perfectly, but accessing the samba server from a 
win2k domain member fails.

e.g. net view \\zzzgfs

system error 5 occured
Access denied

The samba log shows:

[2004/02/20 12:18:26, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
   ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2004/02/20 12:18:26, 10] passdb/secrets.c:secrets_named_mutex_release(709)
   secrets_named_mutex: released mutex for replay cache mutex
[2004/02/20 12:18:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/02/20 12:18:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
   Failed to verify incoming ticket!
[2004/02/20 12:18:26, 3] smbd/error.c:error_packet(94)
   error string = No such file or directory
[2004/02/20 12:18:26, 3] smbd/error.c:error_packet(118)
   error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


ethereal shows that the ticket uses rc4-hmac encryption:

        Security Blob: 6082049D06062B0601050502A0820491...
             GSS-API
                 OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                 SPNEGO
                     negTokenInit
                         mechType
                             OID: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                             OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                             OID: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                         mechToken
                             krb5_blob: 6082045B06092A864886F71201020201...
                                 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                 krb5_tok_id: KRB5_AP_REQ (0x0001)
                                 Kerberos
                                     Version: 5
                                     MSG Type: AP-REQ
                                     APOptions: 0020000000
                                     Ticket
                                         Version: 5
                                         Realm: ITEREU.DE
                                         Service Name: ZZZGFS$
                                             Type: Principal
                                             Name: ZZZGFS$
                                         Encrypted Data: Ticket data
                                             Type: rc4-hmac
                                             CipherText: 6A3DF49E4BE43634F3410F5D180092D9...
                                     Encrypted Data: Authenticator
                                         Type: rc4-hmac
                                         CipherText: 71766B81B2BEF3681D19749C747AFFAD...
         Native OS: Windows 2000 2195
         Native LAN Manager: Windows 2000 5.0



Any hints from anybody?
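
Added example, not part of the original post: a Python script that reads the two artefacts quoted above and compares the enctype numbers that `ads_verify_ticket` logs as tried with the enctype of the ticket in the capture. The enctype numbers come from the IANA Kerberos registry (3 is des-cbc-md5, 23 is rc4-hmac); the function names and the trimmed sample input are assumptions made for this example.

```python
import re

# Kerberos enctype numbers (IANA registry; RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TO_NUM = {name: num for num, name in ENCTYPES.items()}

# Sample input: lines excerpted and trimmed from the log and dissection in the post.
SAMBA_LOG = """\
[2004/02/20 12:18:26, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
   ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2004/02/20 12:18:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
DISSECTION = """\
    Ticket
        Encrypted Data: Ticket data
            Type: rc4-hmac
    Encrypted Data: Authenticator
        Type: rc4-hmac
"""

TRIED_RE = re.compile(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt")
TICKET_RE = re.compile(r"Encrypted Data: Ticket data\s*\n\s*Type:\s*(\S+)")

def tried_enctypes(log_text):
    """Enctype numbers the server attempted, in log order, without duplicates."""
    seen = []
    for m in TRIED_RE.finditer(log_text):
        n = int(m.group(1))
        if n not in seen:
            seen.append(n)
    return seen

def ticket_enctype(dissection_text):
    """Enctype number of the ticket's encrypted part, or None if absent/unknown."""
    m = TICKET_RE.search(dissection_text)
    return NAME_TO_NUM.get(m.group(1)) if m else None

def diagnose(log_text, dissection_text):
    """Name the enctypes on both sides and say whether the ticket's type was tried."""
    tried, ticket = tried_enctypes(log_text), ticket_enctype(dissection_text)
    return {"tried": [ENCTYPES.get(n, f"unknown({n})") for n in tried],
            "ticket": ENCTYPES.get(ticket, "unknown"),
            "ticket_type_attempted": ticket in tried}

if __name__ == "__main__":
    print(diagnose(SAMBA_LOG, DISSECTION))
```

On the excerpts above, the only enctype logged as tried is des-cbc-md5, while the ticket in the capture is rc4-hmac.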




