[Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
Jim McDonough
jmcd at us.ibm.com
Mon Apr 19 20:07:13 GMT 2004
This is a bug in Win2k3. See knowledgebase KB833708. The KB article
itself isn't correct, because it states that if you request des-cbc-crc
you'll get des-cbc-md5 tickets, but in reality you get rc4-hmac tickets.
The KB article points you to a hotfix or a registry setting.
----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
jmcd at us.ibm.com
jmcd at samba.org
Phone: (207) 885-5565
IBM tie-line: 776-9984
"Duran Munoz, Pedro" <Pedro.Duran at fujitsu-siemens.com>
Sent by: samba-bounces+jmcd=samba.org at lists.samba.org
04/19/2004 09:42 AM
To: "Estevam Henrique Carvalho" <estevamh at bmf.com.br>
cc: samba <samba at lists.samba.org>
Subject: RE: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
Saludos / Best Regards
Pedro Durán Muñoz
Hello Henrique
Actually I have the same problem as you. First I tried an ADS w2k3
and Samba 3.0.2a integration without any success (only IP with the NTLM
protocol works; Kerberos does not work (hostname instead of IP address)).
Afterwards I tried a w2k and Samba 3.0.2a integration and it works fine. But
I need an ADS w2k3 and Samba integration, and for the moment it does not work.
We need the Samba Team's help to solve this issue ASAP. Is that possible for
us, Samba Team?
-----Original Message-----
From: samba-bounces+pedro.duran=fujitsu-siemens.com at lists.samba.org
[mailto:samba-bounces+pedro.duran=fujitsu-siemens.com at lists.samba.org] On
Behalf Of Estevam Henrique Carvalho
Sent: Monday, April 19, 2004 1:59 PM
To: samba
Subject: [Samba] Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
Hi people,
I have a Linux box running Samba 3.0.2a in ADS mode with MIT Kerberos 1.3.3.
My W2K and WXP users can't access the Linux box by NetBIOS name; the only
access that works is by IP address. I know that's because access
through IP address doesn't make use of Kerberos. The strangest thing for me
is that the same environment works fine with a W2K Active Directory. I
read on this same list that the problem was Kerberos 1.2.x, so I changed to
1.3.3, but the problem remains.
I have also tried the following combinations of parameters in
krb5.conf:
Test 1 - No permitted_enctypes
[libdefaults]
default_realm = HOME.EHC
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
#permitted_enctypes = des-cbc-crc des-cbc-md5
Result
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [17] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:38:34, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [2] failed to decrypt with error Bad
encryption type
[2004/04/18 10:38:34, 10]
passdb/secrets.c:secrets_named_mutex_release(710)
secrets_named_mutex: released mutex for replay cache mutex
[2004/04/18 10:38:34, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/04/18 10:38:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
Test 2 - all enctypes that I know
[libdefaults]
default_realm = HOME.EHC
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac arcfour-hmac-exp arcfour-hmac-md5 des des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des-cbc-rawv des-hmac-sha1 des3-cbc-raw des3-cbc-sha1 des3-cbc-sha1-kd des3-hmac-sha1 rc4-hmac
Result
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [17] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [24] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [2] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [4] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [8] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [6] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10]
passdb/secrets.c:secrets_named_mutex_release(710)
secrets_named_mutex: released mutex for replay cache mutex
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/04/18 10:40:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
Could anybody help me?
Does anybody have a list of MIT Kerberos 1.3.3 enctypes?
Does anybody know what the enctypes for Windows 2003 Active Directory are?
What does "...failed to decrypt with error Decrypt integrity check
failed" for enctype 3 mean?
Thanks
Estevam Henrique
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
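An added example, not part of the original thread or of Samba: a small Python summarizer for the ads_verify_ticket lines quoted above, which maps each bracketed enctype number to its Kerberos name and groups the attempts by error. The sample log is a shortened excerpt in the format of the Test 2 output; the function names are hypothetical.

```python
import re

# Enctype numbers as assigned for Kerberos and defined in MIT krb5.h.
# Several krb5.conf names are aliases of one number (for example
# arcfour-hmac, arcfour-hmac-md5 and rc4-hmac are all 23), which is why
# the Test 2 log repeats [23] and [16].
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 4: "des-cbc-raw",
    6: "des3-cbc-raw", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}

# One attempt: the enctype number, then the error text up to the next
# "[YYYY/MM/DD" log header or the end of the input.
ATTEMPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error "
                     r"(.+?)(?= \[\d{4}/\d{2}/\d{2}|$)")

# Shortened excerpt in the format of the log above, wrapping included.
SAMPLE = """\
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [24] failed to decrypt with error Bad
encryption type
[2004/04/18 10:40:10, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/04/18 10:40:10, 10] libads/kerberos_verify.c:ads_verify_ticket(323)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
"""

def summarize(log_text):
    """Return {error text: {enctype number: attempts}} for an smbd log."""
    flat = " ".join(log_text.split())  # undo the line wrapping
    summary = {}
    for num, err in ATTEMPT.findall(flat):
        per_err = summary.setdefault(err, {})
        per_err[int(num)] = per_err.get(int(num), 0) + 1
    return summary

def report(summary):
    """Render the summary as 'error: number (name) xN' lines."""
    return [f"{err}: {num} ({ENCTYPES.get(num, 'unknown')}) x{count}"
            for err, etypes in summary.items()
            for num, count in sorted(etypes.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```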