[Samba] Samba 3.0.6 Problems w/AD and Kerberos

Christian Merrill cmerrill at redhat.com
Wed Sep 8 18:20:27 GMT 2004


Ross, Alex wrote:

>Christian,
> FYI: win2k SP4 on AD causes Win3K like behavior of forcing Kerberos
>ticket signing
>http://support.microsoft.com/default.aspx?scid=kb;en-us;811422
>
>So on win2k ad this breaks krb5 before 1.3.x...
>
>-Alex
>-----Original Message-----
>From: Christian Merrill [mailto:cmerrill at redhat.com] 
>Sent: Sunday, September 05, 2004 9:34 AM
>To: Rick Brown
>Cc: samba at lists.samba.org
>Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos
>
>
>Rick Brown wrote:
>
>>On Sun, 5 Sep 2004, Christian Merrill wrote:
>>
>>>Gerald (Jerry) Carter wrote:
>>>
>>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>>Hash: SHA1
>>>>
>>>>Christian Merrill wrote:
>>>>| Running into a lot of people upgrading to the 3.0.6
>>>>| package that all of a sudden begin to experience
>>>>| the "Failed to verify incoming ticket!" errors
>>>>| etc., that are generally associated with a kerberos
>>>>| package incompatibility.
>>>>|
>>>>| However many of these people are running later
>>>>| versions of kerberos *and* reverting to a previous
>>>>| version of Samba appears to fix the issue.  Is there
>>>>| something new setting wise that has taken place, is
>>>>| something really wrong with this new package, or
>>>>| is this all just a strange coincidence?
>>>>
>>>>I've not been able to reproduce this or track it down.
>>>>Is there a consensus whether this is an specific issue
>>>>with using MIT or Heimdal ?  Or with Windows 2000 or
>>>>2003 DCs ?
>>>>
>>>>Any details would be helpful.  I've created bug report at
>>>>https://bugzilla.samba.org/show_bug.cgi?id=1739
>>>>
>>>Well from my end (Redhat) the behavior is indicative of a known issue
>>>with the MIT kerberos 1.2.x packages that we currently support and
>>>Win2k3 DC's...however Win2k DC's have been operating fine as far as I
>>>know.  What I am seeing are customers who were previously running
>>>upgrade to the 3.0.6 samba package and then start to encounter these
>>>errors.  If they downgrade the samba package the problem goes away.
>>>I've also noticed a few other posts from users on other distros such as
>>>Debian encountering very similar behavior.
>>>
>>>On the surface it really looks like a kerberos problem, but people are
>>>reporting that it seems to be directly linked to the samba package. My
>>>current test environment is on 2k3 so I'm still in the process of
>>>setting up a 2k AD environment to do testing on...at this point just
>>>relaying feedback that I am getting from others.
>>>
>>I've seen this problem on a new machine/samba install..
>>Our DC recently changed from 2k to 2k3, and I believe that might
>>be part of the cause of the problem.   I have 2 samba machines (running
>>3.0.2) that I joined into the realm when our DC was 2k, they still work
>>great.   Last week I brought a new machine online (running 3.0.4) joined
>>the realm with no problems, but then proceeded to get the following error:
>>
>>ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
>>
>>when authenticating..  I've since downgraded to 3.0.2 with no success,
>>and tried upgrading to 3.0.6 with no success.
>>
>>Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
>>Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
>>red tape...   so that's not an option.   IMO, MIT krb is not the problem, as
>>the two existing machines still work fine.   I think it might have
>>something to do with the way AD in 2k3 is storing the cifs and host
>>keys.
>>
>>[         Rick Brown               ][      (404) 894-6175           ]
>>[ Office of Information Technology ][    rick at oit.gatech.edu 	    ]
>>[ Georgia Institute of Technology  ][  258 4th street. Atlanta, GA  ]
>>
>I think the only accurate test would be in a 2k environment, I have
>definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages
>regardless of what version of Samba is being used.  The behavior I tend
>to see in a 2k3 environment is that Samba/Kerberos will work quite
>happily for about 90 days and then the DC will issue a ticket that the
>older versions of MIT kerberos can't handle.  However when using 2k this
>really didn't appear to be a problem until upgrading to the 3.0.6
>versions.  Hopefully I'll be able to get a 2k environment setup soon to
>test against...I don't understand how the Samba package could in any way
>be responsible for these kerberos-like problems but that is what appears
>to be the case at this point.
>
>I should also mention that Redhat's packages are somewhat different from
>the actual ones provided by samba.org -- I am mainly looking at this on
>the RHEL3 platform, however I have seen some similar issues reported by
>people using other distros.
>
>Christian
>
Checking right now to see what SP level the affected customers are on.  
However if this is true I would have to assume that they are not running 
SP4 as they are using 1.2.x kerberos packages and (at least according to 
them) are functional on any version of Samba 3 prior to 3.0.6.

Christian


