ADS DM Client Can Not Connect to Samba
Doug VanLeuven
roamdad at sonic.net
Sun Oct 3 09:34:20 GMT 2004
Doug VanLeuven wrote:
> John H Terpstra wrote:
>
>> Can anyone decode what the cause of the following level 10 log fragment
>> might be?
>>
>> [2004/09/30 12:18:14, 3]
>> libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
>> ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
>> Decrypt integrity check failed
>>
>
> There seems to be a consensus that this started with 2003 ADS and
> spread to 2000 server ADS.
>
> I have 2 machines out of 5 that hasn't generated this error in several
> days. 3 others do. Otherwise my 5 Samba 3.0.8pre1-SVN-build-2605
> seem to be identically configured in global configs.
I chased down the occasional decrypt errors I was seeing. I had
forgotten I never applied the MS hotfix KB833708 to the test domain.
I had, as step one in June, gone thru the procedure of configuring an
AIX 5.1 client to a windows 2003 AD KDC as a proof of concept. It
evolved that I additionally needed the hotfix from MS KB833708. This
allowed the AIX clients to pick the kerberos enctypes of des-cbc-crc and
des-cbc-md5.
I switched over to the developement domain which was still at windows
server 2000. For this test, I upgraded the AIX & linux kerberos to MIT
1.3.4-1 and had samba manage the keytab thanks to Dan Perry. Joins
worked OK. Clients connect OK. Upgraded windows server 2000 to 2003.
Joins work OK. Clients work OK. Default tgs and tkt enctypes have been
set to rc4-hmac first. Occasional decrypt errors that always then
connect. Since I'm having samba manage the keytab, occasionaly the cron
job "net ads changetrustpw" would hang. Deleting the keytab and
changetrustpw then back to normal for a while.
I switched back to the production domain and installed samba svn 3_0 on
the AIX 5.2 development machine and a peripheral linux server all with
MIT precompiled kerberos-1.3.4-1, gcc 3.3.3-1 from UCLA on AIX and
gcc-3.2.2-5 on RH9. No -O optimizations otherwise samba fails some of
the string tests. No decrypt errors and no problems with cronjob "net
ads changetrustpw".
The samba servers in the production 2003 domain with the MS hotfix
833708 are error free on decryption going back to 08/12 svn 1665 thru
svn 2482 on linux and svn 2224 thru svn 2606 on AIX.
For 2 days now, since applying the MS hotfix KB833708 to the 2003 server
test domain, there have been no decrypt errors.
YMMV.
Regards, Doug
More information about the samba-technical
mailing list