KRB5_NOPERM_ETYPE error on kerberos authentication

Joey Collins joeycollins at charter.net
Thu Apr 21 03:58:36 GMT 2005


Hi,
I'm trying to get a Windows 2000 PRO (no service packs) client to
authenticate to samba and I keep getting KRB5_NOPERM_ETYPE.  The WIN2000
PRO system is joined to the domain.  My krb5.conf is real simple:

[realms]
DOMAIN = {
  kdc = 10.57.15.78
}

The relevant parts of smb.conf are:

[global]
  realm = DOMAIN
  ads server = 10.57.15.78
  security = ADS
  encrypt passwords = yes
  netbios name = sambatest
  wins server = 10.57.15.78

I have another windows 2000 (server) that is able to connect fine (it is
also joined to the domain) -- it is running with service pack 4.  I
narrowed where I'm getting the KRB5_NOPERM_ETYPE to the following in the
MIT krb5 library:

rd_req_dec.c :

            if ((!krb5_is_permitted_enctype(context,
                                            req->ticket->enc_part.enctype)) ||
                (!krb5_is_permitted_enctype(context,
                                            req->ticket->enc_part2->session->enctype)) ||
                (((*auth_context)->authentp->subkey) &&
                 !krb5_is_permitted_enctype(context,
                                            (*auth_context)->authentp->subkey->enctype))) {
                retval = KRB5_NOPERM_ETYPE;
                goto cleanup;

the encryption type for req->ticket->enc_part.enctype = 23; the enctype
for req->ticket->enc_part2->session->enctype = 23.  But, for the Windows
2000 client that fails, (*auth_context)->authentp->subkey->enctype =
24.  krb5.h knows about all of these:

#define ENCTYPE_ARCFOUR_HMAC	0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018

but, 24 isn't in the list of "permitted enctypes" (confirmed by stepping
through krb5_is_permitted_enctype)  Interestingly enough, for the
Windows 2000 server that works fine, all three of the enctypes above are
23.

So, to cure my ills, I added the following line to my krb5.conf:

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
des3-cbc-sha1 arcfour-hmac-md5 arcfour-hmac-exp des-cbc-crc des-cbc-md5
des-cbc-md4

the key addition being "arcfour-hmac-exp", and it worked fine.

So, the $64,000 question is, why do some versions of Windows choose
the exportable version of ArcFour w/ HMAC/MD5?  Both copies of Windows I
am using are U.S. English.

Regards,
Joey Collins.
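As an added example (not code from the post or from MIT krb5), this Python script mirrors the three-way permitted-enctype check quoted from rd_req_dec.c, runs it against the two krb5.conf variants from the post, and lists which of the permitted types are single DES or export-grade RC4. The enctype numbers come from krb5.h and the Kerberos RFCs; the built-in default list used when permitted_enctypes is absent is an assumption that follows the post's observation (23 permitted, 24 not).

```python
import re

# Enctype numbers from krb5.h / RFC 3961, 3962 and 4757 for the names the post lists.
ENCTYPES = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac-md5": 23, "arcfour-hmac-exp": 24,
}
WEAK = {1, 2, 3, 24}  # single DES and export-grade RC4: flagged by a hardening review
# Assumption: stand-in for the library's built-in default list, which the post
# shows permits enctype 23 but not 24.
DEFAULT_PERMITTED = set(ENCTYPES.values()) - {24}
KRB5_NOPERM_ETYPE = "KRB5_NOPERM_ETYPE"

def permitted_enctypes(krb5_conf):
    """Enctype numbers from [libdefaults] permitted_enctypes, else the default list."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "permitted_enctypes":
                return {ENCTYPES[name] for name in value.split()}
    return set(DEFAULT_PERMITTED)

def rd_req_check(permitted, ticket_etype, session_etype, subkey_etype=None):
    """Mirror the three-way test in rd_req_dec.c: ticket, session key and, when the
    authenticator carries one, the subkey must all be permitted enctypes."""
    for etype in (ticket_etype, session_etype, subkey_etype):
        if etype is not None and etype not in permitted:
            return KRB5_NOPERM_ETYPE
    return "OK"

def weak_enctypes(permitted):
    """Names of permitted enctypes that are single DES or export-grade RC4."""
    return sorted(n for n, v in ENCTYPES.items() if v in permitted and v in WEAK)

# Constructed krb5.conf fragments: the post's original file and the one with the fix.
CONF_ORIGINAL = "[realms]\nDOMAIN = {\n  kdc = 10.57.15.78\n}\n"
CONF_FIXED = CONF_ORIGINAL + (
    "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 "
    "aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 arcfour-hmac-exp "
    "des-cbc-crc des-cbc-md5 des-cbc-md4\n"
)
```

With the original file, the SP4 server's all-23 case passes while the no-SP client's subkey enctype 24 yields KRB5_NOPERM_ETYPE; the fixed file passes both, at the cost of also permitting export-grade RC4 alongside the single-DES types.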

