[Samba] Samba kerberos authentication issues with samba 3.0.7
roamdad at sonic.net
Wed Oct 27 18:12:01 GMT 2004
>*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
>*** ads_secrets_verify_ticket: enc type  failed to decrypt with error Decrypt integrity check failed
>*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
>*** Failed to verify incoming ticket!
>*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) [lnx251
enctype 3 is DES_CBC_MD5
#define ENCTYPE_DES_CBC_MD5 0x0003 /* DES cbc mode with RSA-MD5 */
>al@lnx135.company.com/home/al> klist -e
>Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
>Default principal: al@NA.COMPANY.COM
>Valid starting Expires Service principal
>10/26/04 23:18:14 10/27/04 09:18:14 krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
> renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>10/26/04 23:18:26 10/27/04 00:18:26 lnx251$@NA.COMPANY.COM
> renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
verified lnx251$ is using des-cbc-md5.
There are some issues with using des-cbc-md5 where the DNSdomain is not
the same as the REALM domain DNS. The salt used by MS will not be the
same as the salt used on the linux box.
You need to get to rc4-hmac for authentication which doesn't use a salt.
You probably have a userAccountControl defined like this:
userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT |
UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );
Subtract 0x200000 (2097152 dec) from the field using adsiedit.msc. Then
the MS KDC will use rc4-hmac instead of DES encryption. Make sure the
KDC ticket cache is flushed of any reference to the DES ticket and try
However, if you didn't add the UF_USE_DES_KEY_ONLY, then samba added it
automatically because samba thinks you don't have rc4-hmac available.
libads/ldap.c line 1392 svn 2929
acct_control |= UF_USE_DES_KEY_ONLY;
So the compiled version of samba you have would have been compiled
against a version of kerberos that didn't have rc4-hmac available. No
way out of that except to recompile samba against your current kerberos
or get a different pre-compiled binary.
>o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short hostnames
>o The machine with the share is a member of the domain, thanks to net ads join... I had to use Microsoft's setspn.exe to add service principal names, though, because when the machine joined the domain, the SPN's were host/lnx251.na.company.com instead of host/lnx251.company.com, etc. Afterwards, the keytab was populated with 'net ads keytab'.
For the instance of DNSdomain != REALM, I have to add the SPN for
host/fqdn like you did.
I also had to add a DNS record for lnx251.na.company.com for the MS KDC
as well as the lnx251.company.com for the linux box forward and reverse
lookups. Never tried it with hosts files. But
c:\winnt\system32\drivers\etc\hosts would need the lnx251.na.company.com
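
The userAccountControl arithmetic and the klist check from this message, as an added example that is not part of the original post or of Samba's code. The function names are hypothetical, the flag values are the standard Windows UF_* constants, and the sample klist text is reconstructed from the output quoted above.

```python
import re

# userAccountControl bits named in the message (standard Windows UF_* values).
UF_FLAGS = {
    0x001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x010000: "UF_DONT_EXPIRE_PASSWD",
    0x200000: "UF_USE_DES_KEY_ONLY",
}
UF_USE_DES_KEY_ONLY = 0x200000

def decode_uac(value):
    """Return (names of the known flags set, bits not covered by UF_FLAGS)."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    return names, value & ~sum(UF_FLAGS)

def clear_des_only(value):
    """Clear the DES-only bit. Unlike subtracting 0x200000, this is a no-op
    when the bit is already clear, so it cannot corrupt the other flags."""
    return value & ~UF_USE_DES_KEY_ONLY

# A ticket line in `klist -e`: start date/time, expiry date/time, principal.
TICKET = re.compile(r"^\d\d/\d\d/\d\d [\d:]+\s+\d\d/\d\d/\d\d [\d:]+\s+(\S+)$")
ETYPE = re.compile(r"Etype \(skey, tkt\):\s*(.+)$")
# Single DES only ("DES cbc mode ..." or "des-cbc-md5"), not des3 or rc4-hmac.
SINGLE_DES = re.compile(r"\bdes[ -]cbc", re.IGNORECASE)

def des_tickets(klist_output):
    """Return service principals whose session key or ticket enctype is DES."""
    flagged, current = [], None
    for line in klist_output.splitlines():
        ticket = TICKET.match(line.strip())
        if ticket:
            current = ticket.group(1)
            continue
        etype = ETYPE.search(line)
        if etype and current and SINGLE_DES.search(etype.group(1)):
            flagged.append(current)
    return flagged

# Sample reconstructed from the klist -e output quoted in the message.
SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: al@NA.COMPANY.COM
Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
    renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
    renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""

if __name__ == "__main__":
    print(decode_uac(0x211000), hex(clear_des_only(0x211000)), des_tickets(SAMPLE))
```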