[Fwd: Solution -- can connect via IP but not by name]

Gerald (Jerry) Carter jerry at samba.org
Tue Jan 27 21:13:23 GMT 2004



I just sent this to the main samba list.  So here it is
as an fyi in case anyone is seeing the problem.

But the lingering question is would this be considered our
bug instead of a krb5 configuration issue since kinit works
but smbd does not?

We should probably spend some time to track it down since
it can be a fairly fragile thing to setup.  Anyone want to
look into it?   The bugzilla entry is

   https://bugzilla.samba.org/show_bug.cgi?id=1010

ciao, jerry

-------- Original Message --------
Subject: Solution -- can connect via IP but not by name
Date: Tue, 27 Jan 2004 15:02:09 -0600
From: Gerald (Jerry) Carter <jerry at samba.org>
To: samba at samba.org

Here's an update for those of you struggling to get Samba
working in an AD domain environment.

  Summary:  in security = ads, clients can browse to the
    Samba member server via IP but not by name (either netbios
    or DNS).  Kinit and wbinfo -t all work as expected.

The apparent reason for this is that the 2k client uses
NTLMSSP when you connect via IP which works.  However
the kerberos authentication always fails to decrypt
the ticket.  The log appears as

  ads_verify_ticket: enc type [16] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: enc type [1] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: enc type [3] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: krb5_rd_req with auth failed (Bad
     encryption type)
  Failed to verify incoming ticket!

The only way I have been able to reproduce this locally
using MIT 1.3.1 is by setting a list of permitted_enctypes
in /etc/krb5.conf.  For example,

 [libdefaults]
   dns_lookup_kdc = true
   default_tgs_enctypes = des-cbc-md5
   default_tkt_enctypes = des-cbc-md5
   permitted_enctypes = des-cbc-md5 des-cbc-crc

Commenting out the last line solved things in my tests.  Usually
I have a very minimal krb5.conf which works correctly.

  [libdefaults]
     dns_lookup_kdc = true

The end result is that this is a kerberos configuration issue
and not a Samba bug (Of course you could call it our bug
since kinit works and we don't).  I would be grateful if the
people experiencing this problem could either confirm or
refute my theory.

Thanks.
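Editor's note, added here and not part of Jerry's message or of Samba's own code: a small triage helper that cross-references the two artifacts the message puts side by side, the "enc type [N] failed to decrypt" lines from smbd's log and the permitted_enctypes list in /etc/krb5.conf. It maps the numeric enctypes to their RFC 3961/4120 names (1 = des-cbc-crc, 3 = des-cbc-md5, 16 = des3-cbc-sha1, 17/18 = AES, 23 = RC4) and reports which of the enctypes smbd tried fall outside permitted_enctypes, or that the setting is absent. The sample log and both krb5.conf fragments below are constructed from the text above; the function and variable names are the example's own. Run against the restricted config it flags des3-cbc-sha1 (16) as not permitted, which is one place to start looking, while des-cbc-crc and des-cbc-md5 are permitted yet still failed in the quoted log, so the check narrows the question rather than settling it.

```python
import re

# Enctype numbers from RFC 3961 / RFC 4120, as they appear in MIT krb5
# and in Samba's "enc type [N]" log lines.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Names MIT krb5 accepts in krb5.conf enctype lists (canonical names plus
# the common aliases), mapped back to the numbers above.
CONF_NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}
CONF_NAME_TO_ENCTYPE.update({
    "des3-cbc-sha1-kd": 16, "des3-hmac-sha1": 16,
    "aes128-cts": 17, "aes256-cts": 18,
    "rc4-hmac": 23, "arcfour-hmac": 23,
})

LOG_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")


def tried_enctypes(log_text):
    """Enctypes smbd tried, in log order, from ads_verify_ticket lines."""
    return [int(m.group(1)) for m in LOG_RE.finditer(log_text)]


def libdefaults(conf_text):
    """Minimal krb5.conf reader: key = value pairs from [libdefaults] only.
    Comments (# and ;), other sections and nested relations are ignored."""
    section = None
    values = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def permitted_enctypes(conf_text):
    """Set of enctype numbers allowed by permitted_enctypes, or None when the
    setting is absent (MIT then accepts every enctype it supports).  Unknown
    names are kept as strings rather than silently dropped."""
    val = libdefaults(conf_text).get("permitted_enctypes")
    if val is None:
        return None
    allowed = set()
    for name in re.split(r"[\s,]+", val):
        if name:
            allowed.add(CONF_NAME_TO_ENCTYPE.get(name.lower(), name))
    return allowed


def diagnose(log_text, conf_text):
    """Cross-reference the enctypes smbd tried with what krb5.conf permits."""
    tried = tried_enctypes(log_text)
    allowed = permitted_enctypes(conf_text)
    blocked = [] if allowed is None else [e for e in tried if e not in allowed]
    name = lambda e: ENCTYPE_NAMES.get(e, "unknown")
    return {
        "tried": [(e, name(e)) for e in tried],
        "permitted": allowed,
        "blocked_by_permitted_enctypes": [(e, name(e)) for e in blocked],
    }


# Constructed sample input, copied from the log excerpt in the message above.
SAMPLE_LOG = """\
ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
Failed to verify incoming ticket!
"""

# Constructed krb5.conf fragments: the restricted one that reproduced the
# failure, and the minimal one that works.
RESTRICTED_CONF = """\
[libdefaults]
  dns_lookup_kdc = true
  default_tgs_enctypes = des-cbc-md5
  default_tkt_enctypes = des-cbc-md5
  permitted_enctypes = des-cbc-md5 des-cbc-crc
"""

MINIMAL_CONF = """\
[libdefaults]
  dns_lookup_kdc = true
"""

if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED_CONF), ("minimal", MINIMAL_CONF)):
        print(label, diagnose(SAMPLE_LOG, conf))
```

On a live box the same two inputs come from `log.smbd` (or the per-client log at a debug level that shows ads_verify_ticket) and from the krb5.conf smbd actually reads; `klist -e` after a `kinit` shows which enctype the KDC issued for the ticket, which is the third piece of the picture.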
