[Samba] Windows 2000 and krb5 tickets.

Tim Jordan timothy_jordan at labor.state.ak.us
Fri Dec 12 16:59:53 GMT 2003


Perhaps we can work together.  Jerry mentioned in previous posts the
encryption options in the krb5.conf.
The Official Samba HOWTO states: "On a Windows 2000 client, try net
use * \\server\share.  You should be logged in with Kerberos without
needing to know a password.  If this fails then run klist tickets.  Did
you get a ticket for the server?  Does it have an encryption type of
DES-CBC-MD5?"

"Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
encoding."

I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
Jerry suggested:

/etc/krb5.conf:


> [root@ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/kerberos/krb5libs.log
>  kdc = FILE:/var/log/kerberos/krb5kdc.log
>  admin_server = FILE:/var/log/kerberos/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = LABOR.AK
>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>  permitted_enctypes = des-cbc-md5 des-cbc-crc
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  kdc_req_checksum_type = 2
>  checksum_type = 2
>  ccache_type = 1
>  forwardable = true
>  proxiable = true
> 
> [realms]
>  LABOR.AK = {
>   kdc = MY-KDC.LABOR.AK:88
>   admin_server = MY-KDC.LABOR.AK:749
>   default_domain = LABOR.AK
>  }
> 
> [domain_realm]
>  .LABOR.AK = LABOR.AK
> 
> [kdc]
>  profile = /etc/kerberos/krb5kdc/kdc.conf
> 
> [pam]
>  debug = false
>  ticket_lifetime = 36000
>  renew_lifetime = 36000
>  forwardable = true
>  krb4_convert = false
> 
> [login]
>  krb4_convert = false
>  krb4_get_tickets = false



It did change the encryption type of the ticket I get when I kinit as my
username.


> Valid starting     Expires            Service principal
> 12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK@LABOR.AK
>         renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0


Notice I'm getting "DES cbc mode with RSA-MD5".

This did not solve the underlying problem of being able to view the samba shares from a w2k or xp client.

How would I be able to tell if I'm using MIT or Heimdal Kerberos?

I did get this working on a Gentoo system, so I know it works.

Is there anyone on the list who knows encryption and can advise?

Tim 


On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:

> Same problem. I have been with it for weeks. I can connect using IP
> address from the Win2k clients however with the netbios name I get the
> error.
> 
> Someone has told me today that this was solved in the new release
> samba-3.0.1rc2-1 , however I've already tested it and I still have the
> same problem.
> 
> Please, any more clues?
> 
> Thanks,
> 
> Fernando.
> 
> 
> On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > I'm getting same error about encryption ...
> >
> > I have taken Tom's lead and have provided the output below.  Is there a
> > certain version of krb5 that we should be running?
> >
> >
> > [root@ANC-MDK-SMB3 tim]# smbd3 --version
> > Version 3.0.1pre3
> >
> > [root@ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > KRB5_BRAND: krb5-1-3-final 1.3 20030708
> >
> > I'm running Mandrake 9.2
> >
> > Thank You Samba Team!
> > Tim
> >
> > On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > OK. I've done some more research, and here's what I get.
> > >
> > > smbd --version
> > > Version 3.0.0
> > >
> > > strings libkrb5.so.3.2 | grep BRAND
> > > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > >
> > > Everything seems to work, but trying to access the Samba server results in:
> > >
> > > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > >   ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
> > > integrity check failed
> > > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > >   Failed to verify incoming ticket!
> > > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > >   error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
> > > NT_STATUS_LOGON_FAILURE
> > >
> > > This is the same error you get if you're running the wrong KRB5 libs,
> > > but I've the right ones. The windows 2000 machine is 5.00.2195
> > >
> > > Windows 2000 clients connect to the ADS server fine, and will connect to
> > > the Samba server if you enter Username/Password. The 2000 server cannot
> > > connect to the Samba machine at all, even with the right username/pass.
> > >
> > > Is there a magic registry setting I'm missing? I've changed the
> > > Administrator password at least once.
> > >
> > > -Tom
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
> > > F9F+8BTOPIyoybZBYIlCouU=
> > > =94FA
> > > -----END PGP SIGNATURE-----
> 
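The thread above comes down to one question: is the encryption type of the service ticket a Windows client presents (the `enc type [23]` in Tom's smbd log, which is RC4-HMAC, written `arcfour-hmac-md5` or `rc4-hmac` in krb5.conf) one the server's Kerberos library is permitted to use? Tim's krb5.conf restricts `permitted_enctypes` to the two single-DES types, and an MIT library configured that way will refuse an RC4-HMAC ticket in krb5_rd_req. The script below is an added example, not code from the thread or from Samba: it parses the `[libdefaults]` enctype lists from a krb5.conf, the enctype numbers from `ads_verify_ticket` log lines, and the `Etype (skey, tkt)` labels from MIT klist output, and reports whether each ticket enctype falls inside `permitted_enctypes`. The sample config, klist output and log lines are constructed from what the posters quoted; the enctype numbers follow the IANA Kerberos registry and the label strings are the ones MIT klist of that era printed. The function names and the `diagnose()` helper are this example's own.

```python
"""Cross-check Kerberos enctypes between krb5.conf, klist output and an smbd log.

Added example, not from the samba list thread. The sample inputs below are
constructed from the config and log lines quoted in the thread.
"""
import re

# Enctype numbers from the IANA Kerberos registry, keyed to the names MIT
# krb5 accepts in krb5.conf (16 is des3-cbc-sha1-kd in the registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",  # a.k.a. rc4-hmac; Windows 2000/XP clients default to it
}

# Spellings MIT accepts in krb5.conf, folded to the canonical names above.
ALIASES = {
    "rc4-hmac": "arcfour-hmac-md5",
    "arcfour-hmac": "arcfour-hmac-md5",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}

# Human-readable labels older MIT klist prints on the "Etype (skey, tkt)" line.
# Newer klist prints the krb5.conf names directly; those pass through unchanged.
KLIST_LABELS = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# Constructed sample input, trimmed from the thread's quoted config and output.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = LABOR.AK
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
SAMPLE_KLIST = """\
Valid starting     Expires            Service principal
12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK@LABOR.AK
        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""
SAMPLE_SMBD_LOG = """\
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""


def canonical(name):
    """Fold an enctype spelling to the canonical krb5.conf name."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_krb5_conf_enctypes(text, key="permitted_enctypes"):
    """Return the enctype list for `key` in [libdefaults]; [] if the key is absent."""
    in_libdefaults = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_libdefaults = line.lower() == "[libdefaults]"
            continue
        if in_libdefaults and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == key:
                return [canonical(x) for x in v.split()]
    return []  # absent: the library's compiled-in default list applies


def parse_smbd_enctype_failures(log):
    """Enctype numbers from 'ads_verify_ticket: enc type [N] failed ...' lines."""
    return [int(n) for n in re.findall(r"enc type \[(\d+)\] failed", log)]


def parse_klist_etypes(klist_out):
    """(session key enctype, ticket enctype) pairs from klist 'Etype (skey, tkt)' lines."""
    pairs = []
    for m in re.finditer(r"Etype \(skey, tkt\): (.+?), (.+?)\s*$", klist_out, re.M):
        skey, tkt = m.group(1).strip(), m.group(2).strip()
        pairs.append((KLIST_LABELS.get(skey, canonical(skey)), KLIST_LABELS.get(tkt, canonical(tkt))))
    return pairs


def check_ticket_against_conf(ticket_etype, permitted):
    """(accepted?, explanation) for a service ticket of enctype number `ticket_etype`."""
    permitted = [canonical(p) for p in permitted]
    name = ENCTYPE_NAMES.get(ticket_etype, "unknown(%d)" % ticket_etype)
    if not permitted:
        return True, "permitted_enctypes not set; library default applies for %s" % name
    if name in permitted:
        return True, "%s (etype %d) is in permitted_enctypes" % (name, ticket_etype)
    return False, "%s (etype %d) is not in permitted_enctypes [%s]; krb5_rd_req will reject it" % (
        name, ticket_etype, " ".join(permitted))


def diagnose(conf=SAMPLE_KRB5_CONF, klist_out=SAMPLE_KLIST, log=SAMPLE_SMBD_LOG):
    """Tie the three sources together: returns (permitted, klist pairs, per-ticket verdicts)."""
    permitted = parse_krb5_conf_enctypes(conf)
    verdicts = [check_ticket_against_conf(e, permitted) for e in parse_smbd_enctype_failures(log)]
    return permitted, parse_klist_etypes(klist_out), verdicts


if __name__ == "__main__":
    permitted, klist_pairs, verdicts = diagnose()
    print("permitted_enctypes:", " ".join(permitted) or "(library default)")
    print("klist (skey, tkt):", klist_pairs)
    for ok, msg in verdicts:
        print("OK  " if ok else "FAIL", msg)
```

Run against the constructed sample, the script reports that the user's own TGT is des-cbc-md5 (the "DES cbc mode with RSA-MD5" label from Tim's klist) while the ticket the smbd log rejected is etype 23, which the DES-only `permitted_enctypes` line cannot accept. That is one mismatch the thread's "Bad encryption type" message can come from; the preceding "Decrypt integrity check failed" on the RC4 attempt is a separate key-mismatch condition that this check does not diagnose. To use it on a live system, feed it the real `/etc/krb5.conf`, the output of `klist -e`, and the smbd log at debug level 3.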