[Samba] failing to browse unix shares with samba 3.0.2a

[Jeremy Allison]

On Wed, Mar 31, 2004 at 10:03:45AM -0800, Moshe Shaham wrote:
> We upgraded our Solaris 9 samba server to version 3.0.2a and configured
> Kerberos MIT 1.3.2. 
> I was able to run kinit and join samba to our windows 2003 domain as a
> domain member, but when I am trying to browse the samba shares from a
> windows XP machine it is failing. When I am looking at the samba logs this
> is what I am getting:
>   [2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> integrity check failed
> [2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2004/03/30 11:15:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
> [2004/03/30 11:15:26, 3] smbd/error.c:error_packet(94)
>   error string = No such file or directory
> [2004/03/30 11:15:26, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> 
> I was trying to run smbclient -k '\\machine\share' and it failed. After
> initiating the kinit command I was then able to run the smbclient -k
> command. Accessing the shares from a windows box is still failing.

Your enctypes are incorrect. This is confirmed by the fact that smbclient -k
works (the enctype requested by kinit is compatible with the enctypes checked
for by smbd - they're using the same krb5.conf) and the Windows clients don't.

The enctype the Windows client is getting is type 23 - rc4-hmac.

Once you've got a ticket with kinit, use klist -e to display the enctypes
you have. I'm guessing the enctype kinit is getting isn't the same.

You can try setting :

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

in your krb5.conf file.

And go buy the O'Reilly book on Kerberos and read it :-).

Jeremy.