[Samba] v3.0.0, AD, 2k3 mumbles

tvsjr at sprynet.com
Tue Oct 28 18:53:01 GMT 2003


That's a most logical assumption... therefore it's incorrect!

To talk to a Win2k3 box, you will need to run MIT's Krb5 1.3.1 libraries. Hopefully you're not running Red Hat 9, or you'll have a whole new set of issues to deal with. If that's the case, let me know; I've already documented (barely) a fix.

Terry


-----Original Message-----
From: Magnus Bäckström <b at etek.chalmers.se>
Sent: Oct 28, 2003 10:48 AM
To: "The Dancing... you don't want to know." <samba at lists.samba.org>
Subject: [Samba] v3.0.0, AD, 2k3 mumbles

I'm running a Samba 3.0.0 server in production in security = ADS mode
against a W2k ADS server.  Works just fine, thanks!

We're sort of under pressure to regrade to a 2003 AD server, which sent
me trying stuff out a bit.  Meager results.  The 3.0.0 I have (linked
with MIT krb5-1.2.8) refuses to verify incoming tickets:

  [2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
    ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Some frantic googling later it is clear that Windows -really- wants to
use kerberos keytype 23, a.k.a. "arcfour-hmac-md5", which that particular
version of MIT kerberos won't digest.

  My doubt right now concerns a statement that this "arcfour-hmac-md5"
  choice applies already in AD2000 -- so how come it works?

  (A) The 2k AD supports other types as well and makes peace with MIT krb5
      whereas 2k3 AD has been lambasted out of such fraternizing habits,

  (B) The 2k3 AD would support other types after the proper Magic Handwaving,
      i.e., tweaking of some well chosen registry keys.

Does anybody know to enlighten us on this?

It seems heimdal-0.6 and MIT 1.3.1 do support arcfour-hmac-md5;
tomorrow I will journey up the Repent, Recompile, Restart mountain
and then hopefully be one Microsoft wiser.

Magnus
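
Added example, not part of the thread and not Samba's own code: a small triage script that groups smbd log entries in the two-line format quoted above, picks out the `ads_verify_ticket` "Bad encryption type" failures, and relates them to the linked MIT krb5 version using only the two data points the thread gives (1.2.8 fails, 1.3.1 is said to work). The function names and the second sample log entry are constructed for illustration.

```python
import re

# Samba log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")

# From the thread: MIT krb5 1.2.8 rejects enctype 23, 1.3.1 is said to accept it.
LAST_KNOWN_BAD = (1, 2, 8)
FIRST_KNOWN_GOOD = (1, 3, 1)

def parse_samba_log(text):
    """Group each header line with the indented message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "message": ""}
            records.append(current)
        elif current is not None and raw.strip():
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return records

def enctype_failures(records):
    """Ticket verification failures caused by an unsupported encryption type."""
    return [r for r in records if r["func"] == "ads_verify_ticket"
            and "Bad encryption type" in r["message"]]

def diagnose(log_text, mit_krb5_version):
    """Return a one-line diagnosis for the log and the linked MIT krb5 version."""
    hits = enctype_failures(parse_samba_log(log_text))
    if not hits:
        return "no enctype failures logged"
    version = tuple(int(p) for p in mit_krb5_version.split("."))
    if version <= LAST_KNOWN_BAD:
        verdict = "library lacks arcfour-hmac-md5 (enctype 23); relink against a newer krb5"
    elif version >= FIRST_KNOWN_GOOD:
        verdict = "library should handle enctype 23; look elsewhere for the cause"
    else:
        verdict = "enctype 23 support not established for this version"
    return f"{len(hits)} failure(s), first at {hits[0]['ts']}: {verdict}"

# Constructed sample: the entry quoted in the thread plus one unrelated entry.
SAMPLE = """\
[2003/10/28 16:27:36, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/28 16:27:37, 3] smbd/process.c:process_smb(890)
  Transaction 12 of length 64
"""
```

Calling `diagnose(SAMPLE, "1.2.8")` reports one failure and attributes it to the library; versions between the two thresholds are reported as unknown because the thread does not cover them.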