Cross Realm SMB Signature Failure
Michael B Allen
mba2000 at ioplex.com
Fri May 4 15:19:01 GMT 2007
On Thu, 3 May 2007 20:21:30 -0700
"Dave Daugherty" <dave.daugherty at centrify.com> wrote:
> I think the signing key is communicated in the AP_REP coming back from
> the server. Maybe the Windows server does not like something about the
> AP_REQ packet.
Yeah. Maybe the MIT ticket is a little different (e.g. no PAC) and the
server code isn't trying hard enough to come up with a good session key
or it's using the wrong session key.
> Are you running the latest MIT Kerberos libraries?
Eah, 1.3.4 shipped with CentOS 4.4. Could be newer I suppose.
I just installed SP2 + SP2 update on the target Windows server. It had
> Subject: Cross Realm SMB Signature Failure
> When smbclient authenticates across realms (from MIT realm S.W.NET to
> W2K3 realm W.NET) I'm seeing the server is just echoing back the same
> signature sent by client. That signature of course fails verification:
> $ kinit -f ioplex@S.W.NET
> Password for ioplex@S.W.NET:
> $ smbclient -k -U ioplex //dc1.w.net/tmp
> signing_good: BAD SIG: seq 1
> SMB Signature verification failed on incoming packet!
> session setup failed: Server packet had invalid SMB signature!
> If I use a W.NET cred it works fine and ssh works in the other direction
> so I think the trust is good.
> All enctypes are RC4. Haven't updated the W2K3 server since installing
> it. Trying that now ...
> I'm using stock 3.0.23c-2 on CentOS 5.0 with an unmodified smb.conf.
> Has anyone seen this before?
Michael B Allen
PHP Active Directory Kerberos SSO