[Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes

Estevam Henrique Carvalho estevamh at bmf.com.br
Mon Apr 19 11:59:26 GMT 2004


Hi people,

I have a Linux box running Samba 3.0.2a in ADS mode with MIT Kerberos 1.3.3. My
W2K and WXP users can't access the Linux box by NetBIOS name; the only access
that works is by IP address. I know that's because access through the IP
address doesn't make use of Kerberos. The strangest thing for me is that the
same environment works fine with a W2K Active Directory. I read on this same
list that the problem was Kerberos 1.2.x, so I changed to 1.3.3, but the problem
remains.
I have also tried the following combinations of parameters in krb5.conf:

Test 1 - No permitted_enctypes

[libdefaults]
	default_realm = HOME.EHC
# The following krb5.conf variables are only for MIT Kerberos.
	default_tgs_enctypes = des-cbc-crc des-cbc-md5
	default_tkt_enctypes = des-cbc-crc des-cbc-md5
	#permitted_enctypes = des-cbc-crc des-cbc-md5

Result

[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [17] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] passdb/secrets.c:secrets_named_mutex_release(710)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/04/18 10:38:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!


Test 2 - all enctypes that I know

[libdefaults]
	default_realm = HOME.EHC
# The following krb5.conf variables are only for MIT Kerberos.
	default_tgs_enctypes = des-cbc-crc des-cbc-md5
	default_tkt_enctypes = des-cbc-crc des-cbc-md5
	permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac arcfour-hmac-exp arcfour-hmac-md5 des des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des-cbc-rawv des-hmac-sha1 des3-cbc-raw des3-cbc-sha1 des3-cbc-sha1-kd des3-hmac-sha1 rc4-hmac

Result


[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [17] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [24] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [4] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [8] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [6] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] passdb/secrets.c:secrets_named_mutex_release(710)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/04/18 10:40:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

Could anybody help me?
Does anybody have a list of MIT Kerberos 1.3.3 enctypes?
Does anybody know what the enctypes for Windows 2003 Active Directory are?
What does "...failed to decrypt with error Decrypt integrity check
failed" mean for enctype 3?

Thanks

Estevam Henrique
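
One way to triage debug output like the above, as an added example that is not part of the original message or of Samba: it maps each enctype number that `ads_verify_ticket` tried to its name and separates the two error strings. The sample log is constructed in the same mail-wrapped format, and the reading of the two errors (key type not usable for the ticket versus type accepted but key failing to decrypt) is this example's interpretation of the standard Kerberos error meanings.

```python
import re

# Kerberos enctype numbers (IANA registry / MIT krb5.h) that appear in the logs.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 4: "des-cbc-raw",
    6: "des3-cbc-raw", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}

ATTEMPT = re.compile(
    r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt with error "
    r"(Bad encryption type|Decrypt integrity check failed)"
)

# Constructed sample, wrapped the way a mail client wraps smbd debug output.
SAMPLE_LOG = """\
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
"""

def triage(log_text):
    """Group attempted enctypes by failure kind, de-duplicated, in log order."""
    flat = " ".join(log_text.split())  # undo line wrapping and indentation
    out = {"type_mismatch": [], "wrong_key": []}
    for num, err in ATTEMPT.findall(flat):
        name = ENCTYPES.get(int(num), "enctype-%s" % num)
        # "Bad encryption type": the trial key's type was not usable for the ticket.
        # "Decrypt integrity check failed": the type was accepted, the key was not.
        bucket = "wrong_key" if err.startswith("Decrypt") else "type_mismatch"
        if name not in out[bucket]:
            out[bucket].append(name)
    return out

if __name__ == "__main__":
    for kind, names in triage(SAMPLE_LOG).items():
        print(kind, "->", ", ".join(names) or "(none)")
```

An enctype landing in `wrong_key` is the one to investigate first, since the failure there points at the key material (machine password or salt) rather than at the `krb5.conf` enctype lists.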

