[Samba] Samba 3.0.6 Problems w/AD and Kerberos
Alex.Ross at FMR.COM
Wed Sep 8 18:10:50 GMT 2004
FYI: win2k SP4 on AD cause Win3K like behavior of forcing Kerberos
So on win2k ad this breaks krb5 before 1.3.x...
From: Christian Merrill [mailto:cmerrill at redhat.com]
Sent: Sunday, September 05, 2004 9:34 AM
To: Rick Brown
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos
Rick Brown wrote:
>On Sun, 5 Sep 2004, Christian Merrill wrote:
>>Gerald (Jerry) Carter wrote:
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Christian Merrill wrote:
>>>| Running into a lot of people upgrading to the 3.0.6
>>>| package that all of a sudden begin to experience
>>>| the "Failed to verify incoming ticket!" errors
>>>| etc., that are generally associated with a kerberos
>>>| package incompatibility.
>>>| However many of these people are running later
>>>| versions of kerberos *and* reverting to a previous
>>>| version of Samba appears to fix the issue. Is there
>>>| something new setting wise that has taken place, is
>>>| something really wrong with this new package, or
>>>| is this all just a strange coincidence?
>>>I've not been able to reproduce this or track it down.
>>>Is there a consensus whether this is an specific issue
>>>with using MIT or Heimdal ? Or with Windows 2000 or
>>>2003 DCs ?
>>>Any details would be helpful. I've created bug report at
>>Well from my end (Redhat) the behavior is indicative of a known issue
>>with the MIT kerberos 1.2.x packages that we currently support and
>>Win2k3 DC's...however Win2k DC's have been operating fine as far as I
>>know. What I am seeing are customers who were previously running
>>upgrade to the 3.0.6 samba package and then start to encounter these
>>errors. If they downgrade the samba package the problem goes away.
>>I've also noticed a few other posts from users on other distros such
>>Debian encountering very similar behavior.
>>On the surface it really looks like a kerberos problem, but people are
>>reporting that it seems to be directly linked to the samba package.
>>current test environment is on 2k3 so I'm still in the process of
>>setting up a 2k AD environment to do testing on...at this point just
>>relaying feedback that I am getting from others.
>I've seen this problem on a new machine/samba install..
>Our DC recently changed from 2k to 2k3, and I believe that might
>be part of the cause of the problem. I have 2 samba machines (running
>3.0.2) that I joined into the realm when our DC was 2k, they still work
>great. Last week I brought a new machine online (running 3.0.4)
>the realm with no problems, but then proceeded to get the following
> ads_verify_ticket: enc type  failed to decrypt with error Decrypt
integrity check failed
>when authenticating.. I've since downgraded to 3.0.2 with no success,
>and tried upgrading to 3.0.6 with no success.
>Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
>Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
>red tape... so that's not an option. IMO, MIT krb is not the
>the two existing machines still work fine. I think it might have
>something to do with the way AD in 2k3 is storing the cifs and host
>[ Rick Brown ][ (404) 894-6175 ]
>[ Office of Information Technology ][ rick at oit.gatech.edu ]
>[ Georgia Institute of Technology ][ 258 4th street. Atlanta, GA ]
I think the only accurate test would be in a 2k environment, I have
definately seen these issues on 2k3 with the pre 1.3.x kerberos packages
regardless of what version of Samba is being used. The behavior I tend
to see in a 2k3 environment is that Samba/Kerberos will work quite
happily for about 90 days and then the DC will issue a ticket that the
older versions of MIT kerberos can't handle. However when using 2k this
really didn't appear to be a problem until upgrading to the 3.0.6
versions. Hopefully I'll be able to get a 2k environment setup soon to
test against...I don't understand how the Samba package could in any way
be responsible for these kerberos-like problems but that is what appears
to be the case at this point.
I should also mention that Redhat's packages are somewhat different from
the actual ones provided by samba.org -- I am mainly looking at this on
the RHEL3 platform, however I have seen some similar issues reported by
people using other distros.
To unsubscribe from this list go to the following URL and read the
More information about the samba