ADS - CIFS Server Single Sign On stopped working after upgrade from 3.2.4 to 4.5.11

L.P.H. van Belle belle at bazuin.nl
Tue Jan 1 17:00:53 UTC 2019


What the TS can try/do:

Set the needed/preferred ciphers in idmap.conf.

I'm on my phone so no example, but if you google ‘samba idmap.conf windows preffered greetz louis’
then some should show up.
;-)

And make sure the cifs/ SPN is available.

This is, I believe, a bug.
The bug was (from memory) a difference in the use of ciphers between the auth and cifs layers.


Greetz

Louis
> Op 1 jan. 2019 om 16:24 heeft Rowland Penny via samba-technical <samba-technical at lists.samba.org> het volgende geschreven:
> 
> On Tue, 1 Jan 2019 20:35:24 +0530
> Silambarasan Madhappan via samba-technical
> <samba-technical at lists.samba.org> wrote:
> 
>> Hi Team,
>> 
>> When upgrading CIFS Server from 3.2.4 to 4.5 (it will be upgraded to
>> 4.9 soon) in one setup, we are encountering the below error while
>> accessing the share from a win10 client.
>> 
>> [2018/11/29 15:39:43.489092,  1]
>> ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
>> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
>> Checksum type hmac-sha1-96-aes256 is keyed, but the key type
>> arcfour-hmac-md5 passed didn't have that checksum type as the keyed
>> type]
>> 
>> Please find the set up information.
>> 
>> Samba/CIFS server : 4.5
>> 
>> KDC server:  RHEL 5 with MIT Kerberos 1.6.1 AD : Windows 10
>> 
>> That error is not seen when KDC server is based on MIT Kerberos 1.10
>> on Redhat
>> Please clarify below
>> 
>> 1.       Is there any dependency on version of MIT Kerberos to be
>> used as KDC. We are aware that there is a dependency on version of
>> MIT to enable it during build (1.9 without ADDC, 1.15 for ADDC)
>> 
>> 2.       Error is due to mismatch of checksum type and Key type. Can
>> you please let me know what they correspond to (server or client or
>> KDC) and in which scenarios that mismatch can occur
>> 
> 
> 
> Your problem is that everything is just too old, never mind upgrading
> Samba, you also need to upgrade your OS as well.
> 
> You should also be aware that if you are using MIT with a Samba AD DC,
> then you should not use this DC in production, the use of MIT is
> experimental.
> 
> You should also ask questions like this on the samba mailing list.
> 
> Rowland
> 
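As an added example (not part of this thread, and not Samba's or MIT Kerberos's own tooling): a small POSIX shell check for Louis's second point, that a cifs/ SPN is actually present in the server keytab, extended to report whether that SPN only carries RC4 (arcfour-hmac) keys, the key type named in the gss_accept_sec_context error above, or also has an AES key. The keytab listing, the host name fileserver.example.com and the realm EXAMPLE.COM are constructed for illustration; on a real server feed it the output of `klist -ke /etc/krb5.keytab` instead.

```shell
#!/bin/sh
# Added example, not from the original thread or from Samba.
# Parses the output format of `klist -ke` (MIT Kerberos) and checks whether a
# cifs/<host> SPN exists and which enctypes its keys have.

# Constructed sample keytab listing: host/ has RC4 and AES keys,
# cifs/ only has an RC4 (arcfour-hmac) key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.example.com@EXAMPLE.COM (arcfour-hmac)
   3 host/fileserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 cifs/fileserver.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample where the cifs/ SPN also carries an AES key.
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 cifs/fileserver.example.com@EXAMPLE.COM (arcfour-hmac)
   4 cifs/fileserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# cifs_spn_enctypes LISTING HOSTNAME
# Prints one enctype per line for every cifs/HOSTNAME@... entry in LISTING.
cifs_spn_enctypes() {
    printf '%s\n' "$1" | awk -v spn="cifs/$2@" '
        # field 2 is the principal, field 3 the "(enctype)" column
        index($2, spn) == 1 {
            sub(/^\(/, "", $3)      # strip the opening parenthesis
            sub(/\)$/, "", $3)      # strip the closing parenthesis
            print $3
        }'
}

# check_cifs_spn LISTING HOSTNAME
# Return status: 0 = cifs/ SPN present with at least one AES enctype,
#                1 = cifs/ SPN present but only non-AES (e.g. arcfour-hmac) keys,
#                2 = no cifs/ SPN for HOSTNAME in the keytab at all.
check_cifs_spn() {
    enctypes=$(cifs_spn_enctypes "$1" "$2")
    [ -n "$enctypes" ] || return 2
    printf '%s\n' "$enctypes" | grep -q '^aes' && return 0
    return 1
}

# Stand-alone run on the constructed sample. On a real server use
#   check_cifs_spn "$(klist -ke /etc/krb5.keytab)" "$(hostname -f)"
rc=0; check_cifs_spn "$SAMPLE_KLIST" fileserver.example.com || rc=$?
echo "cifs/fileserver.example.com: status $rc (0=AES key present, 1=RC4 only, 2=SPN missing)"
```

A status of 2 means the client cannot even get a cifs/ service ticket that the server can decrypt; a status of 1 means the only key the server holds for that SPN is RC4, so any token built with an AES checksum cannot be verified against it.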