[Samba] v3.0.0, AD, 2k3 mumbles

John H Terpstra jht at samba.org
Tue Oct 28 18:14:18 GMT 2003


I can confirm that you need MIT KRB5 1.3.1. I have not yet had sucess with
Heimdal 0.6.

On Tue, 28 Oct 2003, Magnus B{ckstr|m wrote:

> I'm running a Samba 3.0.0 server in production in security = ADS mode
> against a W2k ADS server.  Works just fine, thanks!
> We're sort of under pressure to regrade to a 2003 AD server, which sent
> me trying stuff out a bit.  Meager results.  The 3.0.0 I have (linked
> with MIT krb5-1.2.8) refuses to verify incoming tickets:
>   [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
>     ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> Some frantic googling later it is clear that Windows -really- wants to
> use kerberos keytype 23, a. k. a. "arcfour-hmac-md5", which that particular
> version of MIT kerberos won't digest.
>   My doubt right now concerns a statement that this "arcfour-hmac-md5"
>   choice applies already in AD2000 -- so howcome it works?
>   (A) The 2k AD supports other types as well and makes peace with MIT krb5
>       whereas 2k3 AD has been lambasted out of such fraternizing habits,
>   (B) The 2k3 AD would support other types after the proper Magic Handwaving,
>       i. e., tweaking of some well chosen registry keys.
> Does anybody know to enlighten us on this?
> It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
> tomorrow I will journey up the Repent, Recompile, Restart mountain
> and then hopefully be one Microsoft wiser.
> Magnus

- John T.
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list