[Samba] Samba 3.0.6 Problems w/AD and Kerberos
Blindauer Emmanuel
samba at agat.net
Sat Sep 11 13:28:23 GMT 2004
On Friday 10 September 2004 22:28, Gerald (Jerry) Carter wrote:
>
> Tom, I'm not completely willing to cross this out as a redhat
> specific issue. I've seen at least one specific report
> with debian (krb 1.3.4 and samba 3.0.6 both compiled locally).
> However, krb5 is tricky to debug remotely like this :-\
>
> Can anyone shed any more light on any more platforms? Other
> than debian and redhat?
Yes!
I've spent some hours looking at the versions used on other computers, and I
have an Aurora sparc with kerberos 1.3.2, samba 3.0.6 compiled from sources
with patch on winbind.
Here are the logs when I mount my share \\sparc\user:
********
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(177)
ads_verify_ticket: enc type [3] decrypted message !
[2004/09/11 15:09:14, 10] passdb/secrets.c:secrets_named_mutex_release(716)
secrets_named_mutex: released mutex for replay cache mutex
[2004/09/11 15:09:14, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(386)
Got KRB5 session key of length 8
*********
The same part, on debian (same samba 3.0.6 + winbind patch, same smb.conf, but
krb 1.3.4) \\debian\user:
********
[2004/09/11 15:10:18, 10] passdb/secrets.c:secrets_named_mutex(702)
secrets_named_mutex: got mutex for replay cache mutex
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] passdb/secrets.c:secrets_named_mutex_release(714)
secrets_named_mutex: released mutex for replay cache mutex
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
ads_verify_ticket: krb5_rd_req with auth failed (Succès)
[2004/09/11 15:10:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2004/09/11 15:10:18, 3] smbd/error.c:error_packet(129)
error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
********
Note the:
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
ads_verify_ticket: krb5_rd_req with auth failed (Succes)
There is probably a problem here too.
The krb5.conf on the sparc:
**********
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DPTINFO.URS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true
[realms]
DPTINFO.URS.LOCAL = {
kdc = canard.u-strasbg.fr:88
admin_server = canard.u-strasbg.fr:749
default_domain = u-strasbg.fr
[domain_realm]
u-strasbg.fr = DPTINFO.URS.LOCAL
.u-strasbg.fr = DPTINFO.URS.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
************
The krb5 on the debian:
***********
[libdefaults]
default_realm = DPTINFO.URS.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code
# are correct and overriding these specifications only serves to disable
# new encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
DPTINFO.URS.LOCAL = {
kdc = canard.u-strasbg.fr
admin_server = canard.u-strasbg.fr
}
[domain_realm]
.u-strasbg.fr = DPTINFO.URS.LOCAL
u-strasbg.fr = DPTINFO.URS.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = true
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
***********
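Added example (not part of the original post and not Samba code): a small Python triage of level-10 smbd excerpts like the two above, separating the MIT Kerberos error "Bad encryption type" (the key being tried is of a different enctype than the ticket) from "Decrypt integrity check failed" (the enctype matched the ticket but the key did not decrypt it). The function names and verdict labels are illustrative, and the two sample logs are abridged from the excerpts in this message.

```python
import re

# Enctype numbers seen in the logs, with their IANA-assigned names.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

# One decrypt attempt; an error text runs up to the next "[YYYY/..." header.
ATTEMPT = re.compile(
    r"verify_ticket: enc type \[(\d+)\] "
    r"(?:decrypted message|failed to decrypt with error (.+?)(?= \[\d{4}/|$))")

def attempts(log):
    """Return [(enctype, error-or-None)] from a level-10 smbd log excerpt."""
    flat = " ".join(log.split())          # undo mail/terminal line wrapping
    return [(int(m.group(1)), m.group(2)) for m in ATTEMPT.finditer(flat)]

def diagnose(log):
    """Classify the outcome as (verdict, enctype name or None)."""
    tries = attempts(log)
    for etype, err in tries:
        if err is None:                   # "decrypted message !"
            return "decrypted", ENCTYPES.get(etype, str(etype))
    for etype, err in tries:
        # The key type matched the ticket, but the key itself did not.
        if err == "Decrypt integrity check failed":
            return "key-mismatch", ENCTYPES.get(etype, str(etype))
    return "no-usable-enctype", None

# Sample input: abridged from the two excerpts in this message.
SPARC_LOG = """[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption
type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(177)
ads_verify_ticket: enc type [3] decrypted message !"""

DEBIAN_LOG = """[2004/09/11 15:10:18, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2004/09/11 15:10:18, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad
encryption type"""

if __name__ == "__main__":
    print("sparc: ", diagnose(SPARC_LOG))
    print("debian:", diagnose(DEBIAN_LOG))
```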