ADS - CIFS Server Single Sign On stopped working after upgrade from 3.2.4 to 4.5.11

Rowland Penny rpenny at
Tue Jan 1 15:23:27 UTC 2019

On Tue, 1 Jan 2019 20:35:24 +0530
Silambarasan Madhappan via samba-technical
<samba-technical at> wrote:

> Hi Team,
> When upgrading CIFS Server from 3.2.4 to 4.5(it will be upgraded to
> 4.9 soon) in one setup, we are encountering below error while
> accessing the share from win10 client .
> [2018/11/29 15:39:43.489092,  1]
> ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Checksum type hmac-sha1-96-aes256 is keyed, but the key type
> arcfour-hmac-md5 passed didn't have that checksum type as the keyed
> type]
> Please find the set up information.
> Samba/CIFS server : 4.5
> KDC server:  RHEL 5 with MIT Kerberos 1.6.1 AD : Windows 10
> That error is not seen when KDC server is based on MIT Kerberos 1.10
> on Redhat
> Please clarify below
> 1.       Is there any dependency on version of MIT Kerberos to be
> used as KDC. We are aware that there is a dependency on version of
> MIT to enable it during build (1.9 without ADDC, 1.15 for ADDC)
> 2.       Error is due to mismatch of checksum type and Key type. Can
> you please let me about what they correspond to (server or client or
> KDC) and in which scenarios that mismatch can occur

Your problem it that everything is just too old, never mind upgrading
Samba, you also need to upgrade your OS as well.

You should also be aware that if you are using MIT with a Samba AD DC,
then you should not use this DC in production, the use of MIT is

You should also ask questions like this on the samba mailing list.


More information about the samba-technical mailing list