[Samba] Samba kerberos authentication issues with samba 3.0.7

Doug VanLeuven roamdad at sonic.net
Wed Oct 27 18:12:01 GMT 2004

>*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
>*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
>*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
>*** Failed to verify incoming ticket!
>*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) [lnx251 
enctype 3 is DES_CBC_MD5
#define ENCTYPE_DES_CBC_MD5     0x0003  /* DES cbc mode with RSA-MD5 */

>al at lnx135.company.com/home/al> klist -e
>Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
>Default principal: al at NA.COMPANY.COM
>Valid starting     Expires            Service principal
>10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM at NA.COMPANY.COM
>        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
>10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
>        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5 
verified lnx251$ is using des-cbc-md5.
There are some issues with using des-cbc-md5 where the DNSdomain is not 
the same as the REALM domain DNS.  The salt used by MS will not be the 
same as the salt used on the linux box
You need to get to rc4-hmac for authentication which doesn't use a salt.

You probably have a userAccountControl defined like this:
userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | 
Subtract 0x200000 (2097152 dec) from the field using adsiedit.msc.  Then 
the MS KDC will use rc4-hmac instead of DES encryption.  Make sure the 
KDC ticket cache is flushed of any reference to the DES ticket and try 

However, if you didn't add the UF_USE_DES_KEY_ONLY, then samba added it 
automatically because samba thinks you don't have rc4-hmac available.
libads/ldap.c line 1392 svn 2929
        acct_control |= UF_USE_DES_KEY_ONLY;
So the compiled version of samba you have would have been compiled 
against a version of kerberos that didn't have rc4-hmac available.  No 
way out of that except to recompile samba against your current kerberos 
or get a different pre-compiled binary.

>o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short hostnames
>o The machine with the share is a member of the domain, thanks to net ads join... I had to use Microsoft's setspn.exe to add service principal names, though, because when the machine joined the domain, the SPN's were host/lnx251.na.company.com instead of host/lnx251.company.com, etc.  Afterwards, the keytab was populated with 'net ads keytab'.
For the instance of DNSdomain != REALM, I have to add the SPN for 
host/fqdn like you did.
I also had to add a DNS record for lnx251.na.company.com for the MS KDC 
as well as the lnx251.company.com for the linux box forward and reverse 
lookups.  Never tried it with hosts files. But 
c:\winnt\system32\drivers\etc\hosts would need the lnx251.na.company.com

Regards, Doug

More information about the samba mailing list