ADS DM Client Can Not Connect to Samba

Doug VanLeuven roamdad at sonic.net
Thu Sep 30 22:19:25 GMT 2004


John H Terpstra wrote:

>Jeremy/Folks,
>
>Can anyone decode what the cause of the following level 10 log fragment
>might be?
>
>[2004/09/30 12:18:14, 3]
>libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
>  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
>Decrypt integrity check failed
>
If one chases down KRB5KRB_AP_ERR_BAD_INTEGRITY in the kerberos lists, 
and check the krb5-1.3.4 code of a program like kinit, one ends up 
believing this is the krb5 way of saying incorrect password.

For example, check lines 835-836 of kinit.c
        else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
            fprintf(stderr, "%s: Password incorrect while %s\n", progname,

add to this that if multiple service principle entries exist in 
/etc/krb5.keytab with the same enctype only the first matching kvno and 
enctype will be used.

There seems to be a consensus that this started with 2003 ADS and spread 
to 2000 server ADS.

I have 2 machines out of 5 that hasn't generated this error in several 
days.  3 others do.  Otherwise my 5 Samba 3.0.8pre1-SVN-build-2605 seem 
to be identically configured in global configs.

Regards, Doug



More information about the samba-technical mailing list