[Samba] v3.0.0, AD, 2k3 mumbles

John H Terpstra jht at samba.org
Tue Oct 28 18:14:18 GMT 2003


Magnus,

I can confirm that you need MIT KRB5 1.3.1. I have not yet had success with
Heimdal 0.6.

On Tue, 28 Oct 2003, Magnus Bäckström wrote:

> I'm running a Samba 3.0.0 server in production in security = ADS mode
> against a W2k ADS server.  Works just fine, thanks!
>
> We're sort of under pressure to regrade to a 2003 AD server, which sent
> me trying stuff out a bit.  Meager results.  The 3.0.0 I have (linked
> with MIT krb5-1.2.8) refuses to verify incoming tickets:
>
>   [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
>     ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> Some frantic googling later it is clear that Windows -really- wants to
> use kerberos keytype 23, a. k. a. "arcfour-hmac-md5", which that particular
> version of MIT kerberos won't digest.
>
>   My doubt right now concerns a statement that this "arcfour-hmac-md5"
>   choice applies already in AD2000 -- so how come it works?
>
>   (A) The 2k AD supports other types as well and makes peace with MIT krb5
>       whereas 2k3 AD has been lambasted out of such fraternizing habits,
>
>   (B) The 2k3 AD would support other types after the proper Magic Handwaving,
>       i. e., tweaking of some well chosen registry keys.
>
> Does anybody know to enlighten us on this?
>
> It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
> tomorrow I will journey up the Repent, Recompile, Restart mountain
> and then hopefully be one Microsoft wiser.
>
> Magnus
>

- John T.
-- 
John H Terpstra
Email: jht at samba.org
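As an added example, not part of this thread or of Samba: a small Python parser for the two-line Samba 3.x debug log format quoted above (a `[date, level] file:func(line)` header followed by indented message text) that flags `ads_verify_ticket` records reporting an encryption-type error, the symptom described above of a krb5 library that cannot handle enctype 23 (arcfour-hmac-md5). The sample log is constructed from the quoted lines plus one benign record.

```python
import re

# Samba 3.x debug log: a header line "[YYYY/MM/DD HH:MM:SS, level] file:func(line)"
# followed by one or more indented message lines belonging to that header.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# krb5 error texts that indicate the library/KDC disagree on the ticket enctype.
ENCTYPE_ERRORS = ("Bad encryption type", "KDC has no support for encryption type")

# Constructed sample: the two lines quoted in the thread, one benign record, and a repeat.
SAMPLE_LOG = """\
[2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/28 16:27:37, 3] smbd/service.c:make_connection(100)
  make_connection: connection to share ok (constructed benign record)
[2003/10/28 16:27:40, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""


def parse_samba_log(text):
    """Group each header line with its continuation lines into one record dict."""
    records = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {**m.groupdict(), "msg": ""}
            records.append(current)
        elif current is not None and raw.strip():
            # Continuation line: append to the message of the most recent header.
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records


def enctype_failures(text):
    """Return ticket-verification records whose message names an enctype error."""
    return [
        r for r in parse_samba_log(text)
        if r["func"] == "ads_verify_ticket"
        and any(err in r["msg"] for err in ENCTYPE_ERRORS)
    ]


if __name__ == "__main__":
    for hit in enctype_failures(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['file']}:{hit['line']} {hit['msg']}")
```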


