ADS DM Client Can Not Connect to Samba

Doug VanLeuven roamdad at
Sun Oct 3 09:34:20 GMT 2004

Doug VanLeuven wrote:

> John H Terpstra wrote:
>> Can anyone decode what the cause of the following level 10 log fragment
>> might be?
>> [2004/09/30 12:18:14, 3]
>> libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
>>  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
>> Decrypt integrity check failed
> There seems to be a consensus that this started with 2003 ADS and 
> spread to 2000 server ADS.
> I have 2 machines out of 5 that hasn't generated this error in several 
> days.  3 others do.  Otherwise my 5 Samba 3.0.8pre1-SVN-build-2605 
> seem to be identically configured in global configs.

I chased down the occasional decrypt errors I was seeing.  I had 
forgotten I never applied the MS hotfix KB833708 to the test domain.

I had, as step one in June, gone thru the procedure of configuring an 
AIX 5.1 client to a windows 2003 AD KDC as a proof of concept.  It 
evolved that I additionally needed the hotfix from MS KB833708.  This 
allowed the AIX clients to pick the kerberos enctypes of des-cbc-crc and 

I switched over to the developement domain which was still at windows 
server 2000.  For this test, I upgraded the AIX & linux kerberos to MIT 
1.3.4-1 and had samba manage the keytab thanks to Dan Perry.  Joins 
worked OK.  Clients connect OK.  Upgraded windows server 2000 to 2003.  
Joins work OK.  Clients work OK.  Default tgs and tkt enctypes have been 
set to rc4-hmac first.  Occasional decrypt errors that always then 
connect.  Since I'm having samba manage the keytab, occasionaly the cron 
job "net ads changetrustpw" would hang.  Deleting the keytab and 
changetrustpw then back to normal for a while.

I switched back to the production domain and installed samba svn 3_0 on 
the AIX 5.2 development machine and a peripheral linux server all with 
MIT precompiled kerberos-1.3.4-1, gcc 3.3.3-1 from UCLA on AIX and 
gcc-3.2.2-5 on RH9.  No -O optimizations otherwise samba fails some of 
the string tests.  No decrypt errors and no problems with cronjob "net 
ads changetrustpw".

The samba servers in the production 2003 domain with the MS hotfix 
833708 are error free on decryption going back to 08/12 svn 1665 thru 
svn 2482 on linux and svn 2224 thru svn 2606 on AIX.

For 2 days now, since applying the MS hotfix KB833708 to the 2003 server 
test domain, there have been no decrypt errors.
Regards, Doug

More information about the samba-technical mailing list