ADS DM Client Can Not Connect to Samba
Doug VanLeuven
roamdad at sonic.net
Thu Sep 30 22:19:25 GMT 2004
John H Terpstra wrote:
>Jeremy/Folks,
>
>Can anyone decode what the cause of the following level 10 log fragment
>might be?
>
>[2004/09/30 12:18:14, 3]
>libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
> ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
>Decrypt integrity check failed
>
If one chases down KRB5KRB_AP_ERR_BAD_INTEGRITY in the kerberos lists,
and check the krb5-1.3.4 code of a program like kinit, one ends up
believing this is the krb5 way of saying incorrect password.
For example, check lines 835-836 of kinit.c
else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
fprintf(stderr, "%s: Password incorrect while %s\n", progname,
add to this that if multiple service principle entries exist in
/etc/krb5.keytab with the same enctype only the first matching kvno and
enctype will be used.
There seems to be a consensus that this started with 2003 ADS and spread
to 2000 server ADS.
I have 2 machines out of 5 that hasn't generated this error in several
days. 3 others do. Otherwise my 5 Samba 3.0.8pre1-SVN-build-2605 seem
to be identically configured in global configs.
Regards, Doug
More information about the samba-technical
mailing list