[Samba] Solution -- can connect via IP but not by name

Gerald (Jerry) Carter jerry at samba.org
Tue Jan 27 21:02:09 GMT 2004



Here's an update for those of you struggling to get Samba
working in an AD domain environment.

  Summary:  in security = ads, clients can browse to the
    Samba member server via IP but not by name (either netbios
    or DNS).  Kinit and wbinfo -t all work as expected.

The apparent reason for this is that the 2k client uses
NTLMSSP when you connect via IP which works.  However
the kerberos authentication always fails to decrypt
the ticket.  The log appears as

  ads_verify_ticket: enc type [16] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: enc type [1] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: enc type [3] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: krb5_rd_req with auth failed (Bad
     encryption type)
  Failed to verify incoming ticket!

The only way I have been able to reproduce this locally
using MIT 1.3.1 is by setting a list of permitted_enctypes
in /etc/krb5.conf.  For example,

  [libdefaults]
    dns_lookup_kdc = true
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc

Commenting out the last line solved things in my tests.  Usually
I have a very minimal krb5.conf which works correctly.

  [libdefaults]
     dns_lookup_kdc = true

The end result is that this is a kerberos configuration issue
and not a Samba bug (Of course you could call it our bug
since kinit works and we don't).  I would be grateful if the
people experiencing this problem could either confirm or
refute my theory.

Thanks.



cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
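As an added diagnostic example (not code from Jerry's post or from Samba), the checker below parses the [libdefaults] section of a krb5.conf and compares any permitted_enctypes list against the enctypes smbd reports in its ads_verify_ticket log lines, so an admin can see at once which enctype the client's ticket used and whether the local config has ruled it out. The config and log text embedded below are constructed from the message above; the enctype-number-to-name table is assumed from the RFC 3961/4757 assignments.

```python
import re

# Enctype numbers as printed in "ads_verify_ticket: enc type [N]"
# (RFC 3961 / RFC 4757 assignments; only the common ones are listed).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
LOG_RE = re.compile(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt")

# Constructed sample input: the krb5.conf and smbd log lines quoted in the post.
SAMPLE_CONF = """[libdefaults]
  dns_lookup_kdc = true
  default_tgs_enctypes = des-cbc-md5
  default_tkt_enctypes = des-cbc-md5
  permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
SAMPLE_LOG = """ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

def parse_libdefaults(text):
    """Key/value pairs of the [libdefaults] section of a krb5.conf-style file."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def failed_enctypes(log_text):
    """Enctype numbers smbd tried and could not decrypt the ticket with."""
    return sorted({int(n) for n in LOG_RE.findall(log_text)})

def check(krb5_conf, log_text):
    """Return (permitted_enctypes list or None, names of tried enctypes it excludes)."""
    permitted = parse_libdefaults(krb5_conf).get("permitted_enctypes")
    if permitted is None:  # no restriction, as in the minimal config from the post
        return None, []
    allowed = permitted.split()
    tried = [ENCTYPE_NAMES.get(n, "enctype-%d" % n) for n in failed_enctypes(log_text)]
    return allowed, [name for name in tried if name not in allowed]
```

Run check() against the real /etc/krb5.conf and a level-3 smbd log; a non-empty second element means the permitted_enctypes line is excluding an enctype the client's ticket was issued with.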