BUG 1717 [was Re: [Samba] Re: Samba 3.0.6 Problems w/AD and Kerberos]

Doug VanLeuven roamdad at sonic.net
Sat Sep 11 16:45:49 GMT 2004

Blindauer Emmanuel wrote:

>Le samedi 11 Septembre 2004 00:17, Blindauer Emmanuel a écrit :
>>attached are log from smbd, krb5.conf and smb.conf
>   workgroup = DPTINFO
>   server string = %h server (Samba %v)
>   security = ads

>        [libdefaults]
>default_realm = DPTINFO.URS.LOCAL
>        krb4_config = /etc/krb.conf
>        krb4_realms = /etc/krb.realms
>        kdc_timesync = 1
>        ccache_type = 4
>        forwardable = true
>        proxiable = true
>        v4_instance_resolve = false
>        v4_name_convert = {
>                host = {
>                        rcmd = host
>                        ftp = ftp
>                }
>                plain = {
>                        something = something-else
>                }
>        }
>         kdc = canard.u-strasbg.fr
>        admin_server = canard.u-strasbg.fr
>        .u-strasbg.fr = DPTINFO.URS.LOCAL
>        u-strasbg.fr = DPTINFO.URS.LOCAL
Your situation looks a lot like mine.
Your realm and DNS names are not equivalent.
See https://bugzilla.samba.org/show_bug.cgi?id=1651
You'll find a workarond in there.

For you and your domain_realm mapping,
it looks like a client machine called hypothetically poem.u-strasbg.fr
in the realm DPTINFO.URS.LOCAL ought to have
a servicePrincipalName of HOST/poem.u-strasbg.fr at DPTINFO.URS.LOCAL
That would comply with your domain_realm mapping.

But if you checked the AD, it would probably have been created by samba
as HOST/poem.dptinfo.usr.local at DPTINFO.URS.LOCAL
Attempts to communicate by constructing the long form servicePrincipalName
using the HOST/fully-qualified-domain-name at REALM will fail.
Although samba mostly works OK because it mostly seems to use the short form
of the service name HOST/poem at DPTINFO.URS.LOCAL when it builds
servicePrincipalName or CIFS/poem at DPTINFO.URS.LOCAL.

The hardest part of Kerberos AD integration is trying to talk sensibly about
HOST/shorthostname at REALM and HOST/longhostname at REALM
in an environment where REALM and DOMAIN get used interchangably.

Also, I found I had to explicitly state my default enctypes to include 
or apply the hotfix from MS to allow des-cbc-crc enctypes

Also, if I want to make these log entries go away

[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type

I have to explicitly set the order of the permitted enctypes so the 
common case is the first in the list.
During debugging, I just listed every possible enctype in the permitted 
list and just haven't cleaned it up.

MS AD uses rc4-hmac (arcfour-hmac-md5).  If it's first in the default 
list, the first attempt will succeed.

This krb5.conf works with MIT kerberos 3.1.4.
Oh, and you have to add the real dns names in MS AD servicePrincipalName 
as HOST and CIFS

default_realm = NT.LDXNET.COM
 default_keytab_name = FILE:/etc/krb5.keytab
 default_keytab_name = /etc/krb5.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 
des-cbc-md4 des3-cbc-sha1 des-cbc-md4 ...

  kdc = ranger1.nt.ldxnet.com:88
  admin_server = ranger1.nt.ldxnet.com:749
  default_domain = nt.ldxnet.com

 .nt.ldxnet.com = NT.LDXNET.COM
 nt.ldxnet.com = NT.LDXNET.COM
 gate.ldxnet.com = NT.LDXNET.COM
 ldxnet.com = NT.LDXNET.COM
 .ldxnet.com = NT.LDXNET.COM

Hope it helps.

Regards, Doug

More information about the samba mailing list