[Samba] Samba 3.0.6 Problems w/AD and Kerberos

Ross, Alex Alex.Ross at FMR.COM
Wed Sep 8 18:10:50 GMT 2004

 FYI: win2k SP4 on AD cause Win3K like behavior of forcing  Kerberos
Ticket sighning 

So on win2k ad this breaks krb5 before 1.3.x...

-----Original Message-----
From: Christian Merrill [mailto:cmerrill at redhat.com] 
Sent: Sunday, September 05, 2004 9:34 AM
To: Rick Brown
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

Rick Brown wrote:

>On Sun, 5 Sep 2004, Christian Merrill wrote:
>>Gerald (Jerry) Carter wrote:
>>>Hash: SHA1
>>>Christian Merrill wrote:
>>>| Running into a lot of people upgrading to the 3.0.6
>>>| package that all of a sudden begin to experience
>>>| the "Failed to verify incoming ticket!" errors
>>>| etc., that are generally associated with a kerberos
>>>| package incompatibility.
>>>| However many of these people are running later
>>>| versions of kerberos *and* reverting to a previous
>>>| version of Samba appears to fix the issue.  Is there
>>>| something new setting wise that has taken place, is
>>>| something really wrong with this new package, or
>>>| is this all just a strange coincidence?
>>>I've not been able to reproduce this or track it down.
>>>Is there a consensus whether this is an specific issue
>>>with using MIT or Heimdal ?  Or with Windows 2000 or
>>>2003 DCs ?
>>>Any details would be helpful.  I've created bug report at
>>Well from my end (Redhat) the behavior is indicative of a known issue
>>with the MIT kerberos 1.2.x packages that we currently support and
>>Win2k3 DC's...however Win2k DC's have been operating fine as far as I
>>know.  What I am seeing are customers who were previously running
>>upgrade to the 3.0.6 samba package and then start to encounter these
>>errors.  If they downgrade the samba package the problem goes away.
>>I've also noticed a few other posts from users on other distros such
>>Debian encountering very similar behavior.
>>On the surface it really looks like a kerberos problem, but people are
>>reporting that it seems to be directly linked to the samba package.
>>current test environment is on 2k3 so I'm still in the process of
>>setting up a 2k AD environment to do testing on...at this point just
>>relaying feedback that I am getting from others.
>I've seen this problem on a new machine/samba install..
>Our DC recently changed from 2k to 2k3, and I believe that might
>be part of the cause of the problem.   I have 2 samba machines (running
>3.0.2) that I joined into the realm when our DC was 2k, they still work
>great.   Last week I brought a new machine online (running 3.0.4)
>the realm with no problems, but then proceeded to get the following
> ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
>when authenticating..  I've since downgraded to 3.0.2 with no success,
>and tried upgrading to 3.0.6 with no success.
>Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
>Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
>red tape...   so that's not an option.   IMO, MIT krb is not the
problem, as
>the two existing machines still work fine.   I think it might have
>something to do with the way AD in 2k3 is storing the cifs and host
>[         Rick Brown               ][      (404) 894-6175           ]
>[ Office of Information Technology ][    rick at oit.gatech.edu 	    ]
>[ Georgia Institute of Technology  ][  258 4th street. Atlanta, GA  ]
I think the only accurate test would be in a 2k environment, I have 
definately seen these issues on 2k3 with the pre 1.3.x kerberos packages

regardless of what version of Samba is being used.  The behavior I tend 
to see in a 2k3 environment is that Samba/Kerberos will work quite 
happily for about 90 days and then the DC will issue a ticket that the 
older versions of MIT kerberos can't handle.  However when using 2k this

really didn't appear to be a problem until upgrading to the 3.0.6 
versions.  Hopefully I'll be able to get a 2k environment setup soon to 
test against...I don't understand how the Samba package could in any way

be responsible for these kerberos-like problems but that is what appears

to be the case at this point.

I should also mention that Redhat's packages are somewhat different from

the actual ones provided by samba.org -- I am mainly looking at this on 
the RHEL3 platform, however I have seen some similar issues reported by 
people using other distros.


To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list