Another tcpdumps

Matthieu Patou mat at samba.org
Sat Jun 12 16:43:33 MDT 2010 

Hi Lukasz,

So as a work around for you, you can just reprovision but with the level 
of 2003.
It will not generated AES keys just rc4 and it be just ok with samba3.

Otherwise can you try to do so:

* add
   default_tkt_enctypes =  aes256-cts rc4-hmac des3-cbc-sha1 
arcfour-hmac des-cbc-md5 des-cbc-crc
   default_tgs_enctypes =  aes256-cts rc4-hmac des3-cbc-sha1 
arcfour-hmac des-cbc-md5 des-cbc-crc
  to the libdefaults section of your /etc/krb5.conf

ie it should be something like:

[libdefaults]
   default_realm = HOME.MATWS.NET
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes
   default_tkt_enctypes =  aes256-cts rc4-hmac des3-cbc-sha1 
arcfour-hmac des-cbc-md5 des-cbc-crc
   #default_tkt_enctypes =  rc4-hmac des3-cbc-sha1 arcfour-hmac 
des-cbc-md5 des-cbc-crc
   default_tgs_enctypes =  aes256-cts rc4-hmac des3-cbc-sha1 
arcfour-hmac des-cbc-md5 des-cbc-crc
   #default_tgs_enctypes =  rc4-hmac des3-cbc-sha1 arcfour-hmac 
des-cbc-md5 des-cbc-crc

* do kdestroy
* do kinit user at DOMAIN
* do smbclient //orinoco/ipc\$ -k and see if it works.

The change that I introduced is to make your smb ticket be aes encoded 
instead of rc4-hmac, so that we can see if you have the pb on unix as well.

I made a few tests it seems that if we don't know the aes key for 
someone s4 return the correct encryption ticket, that means that if a 
user supporting aes is requesting a ticket for a principal which do not 
have a aes key, this ticket will be encoded with rc4 even if it can be 
wrapped into a aes encoded AS-REP message (if the s4 host has an aes key 
for itself).

The question is do we generate an aes key for a s3 host ? I think so 
even if the host didn't manage this encryption (I made the tests with a 
xp client and that isn't working and xp didn't support AES).


Matthieu.


On 11/06/2010 19:04, Lukasz Zalewski wrote:
> I have zipped the contents as the last message bounced, heres the text:
>
> Hi!
> As per our irc conversation
> s3 has use kerberos keytab = No
>
> attached are the following logs
> s4master.log d10 level of s4 (hostname golonka)
> s4tcpdump.cap tcp dump on golonka with the following syntax
> s3member.log d10 level of s3 (client log file)
>
> This is the tcp command
> tcpdump -i eth0 host 138.37.36.224 or host 138.37.37.245 -s 16000 -w
> /tmp/s4tcpdump.cap
>
> i have restricted the communication to the orinoco (s3) and itlyyy (w7
> client)
>
> Please let me know if you need more information
>
>
> Regards
>
> Luk
>
>


-- 
Matthieu Patou
Samba Team        http://samba.org

More information about the samba-technical mailing list