[Samba] v3.0.0, AD, 2k3 mumbles

Magnus Bäckström b at etek.chalmers.se
Tue Oct 28 16:48:06 GMT 2003


I'm running a Samba 3.0.0 server in production in security = ADS mode
against a W2k ADS server.  Works just fine, thanks!

We're sort of under pressure to regrade to a 2003 AD server, which sent
me trying stuff out a bit.  Meager results.  The 3.0.0 I have (linked
with MIT krb5-1.2.8) refuses to verify incoming tickets:

  [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
    ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Some frantic googling later it is clear that Windows -really- wants to
use Kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular
version of MIT Kerberos won't digest.

  My doubt right now concerns a statement that this "arcfour-hmac-md5"
  choice applies already in AD2000 -- so how come it works?

  (A) The 2k AD supports other types as well and makes peace with MIT krb5
      whereas 2k3 AD has been lambasted out of such fraternizing habits,

  (B) The 2k3 AD would support other types after the proper Magic Handwaving,
      i.e., tweaking of some well chosen registry keys.

Does anybody know how to enlighten us on this?

It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
tomorrow I will journey up the Repent, Recompile, Restart mountain
and then hopefully be one Microsoft wiser.

Magnus
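Added example, not part of Magnus's message and not code from Samba or MIT krb5: what "keytype 23" actually is, so the "Bad encryption type" above can be read against the algorithm. The block implements RFC 4757 arcfour-hmac-md5 in pure Python (MD4 and RC4 inline, HMAC-MD5 from the standard library). Its string-to-key is MD4 over the UTF-16LE password with no salt, i.e. exactly the NT hash, which is the security point worth knowing about this enctype. The sample plaintext, the password "password" and key-usage number 2 are constructed for the demo; the usage number is passed through unchanged, whereas real implementations remap a few usage values for Windows compatibility.

```python
"""Kerberos enctype 23, "arcfour-hmac-md5" (RFC 4757), in pure Python.
Added example: not code from the Samba project, MIT krb5 or the poster.
MD4 and RC4 are implemented inline so the script runs without the
OpenSSL legacy provider; HMAC-MD5 comes from the standard library."""
import hashlib
import hmac
import os
import struct

ENCTYPE_ARCFOUR_HMAC_MD5 = 23   # the "keytype 23" from the post
_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (needed for string-to-key; absent from most hashlib builds)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    # (boolean function, X[] index order, per-step shifts, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, order, shifts, const in rounds:
            for i in range(16):
                j = (-i) % 4          # update a, d, c, b in turn
                f = func(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                v[j] = rotl((v[j] + f + x[order[i]] + const) & _MASK, shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def string_to_key(password: str) -> bytes:
    """RFC 4757 s.2: K = MD4(UTF-16LE(password)). No salt, so this is exactly the
    NT hash: anyone holding the NT hash holds the Kerberos long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 s.3: output = checksum || RC4(K3, confounder || plaintext).
    `usage` is passed through unchanged (assumption for this example; real
    implementations remap some usage numbers for Windows compatibility)."""
    if confounder is None:
        confounder = os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    cksum = _hmac_md5(k1, data)       # K2 == K1 for the 128-bit (non-export) key
    k3 = _hmac_md5(k1, cksum)
    return cksum + rc4(k3, data)


def decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError if the HMAC-MD5 checksum fails."""
    if len(ciphertext) < 24:
        raise ValueError("ciphertext too short")
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    cksum, edata = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, cksum), edata)
    if not hmac.compare_digest(_hmac_md5(k1, data), cksum):
        raise ValueError("arcfour-hmac-md5 integrity check failed")
    return data[8:]


if __name__ == "__main__":
    # Constructed sample, not a real ticket: a ticket-like blob under the key
    # derived from the (deliberately weak) password "password".
    k = string_to_key("password")
    print("enctype", ENCTYPE_ARCFOUR_HMAC_MD5, "key (= NT hash):", k.hex())
    ct = encrypt(k, 2, b"EncTicketPart for cifs/fileserver@EXAMPLE.COM")
    print("decrypted:", decrypt(k, 2, ct))
```

Because the key is the unsalted NT hash, an AD KDC that accepts enctype 23 accepts a client that knows only the hash; that is the "overpass-the-hash" weakness that later made RC4 an enctype to disable rather than one to enable.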