[Samba] Problems with ADS membership in win2k domain
Doug VanLeuven
roamdad at sonic.net
Sat Apr 16 12:30:47 GMT 2005
Eric S. Hvozda wrote:
>[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
>
>
ENCTYPE_ARCFOUR_HMAC 0x0017
This is the encryption type of choice used by MS AD. It's not being
used. Probably what you want, but the kdc isn't using it.
>[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
>
>
ENCTYPE_DES_CBC_CRC 0x0001 /* DES cbc mode with CRC-32 */
>[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
> ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
>
>
ENCTYPE_DES_CBC_MD5 0x0003 /* DES cbc mode with RSA-MD5 */
This is what's being used, and the integrity check is failing. "In
general, this means that the encryption key stored in a keytab doesn't
match the key stored in the KDC for a particular principal."
The windows kdc only issues this enctype if userAccountControl in the
computer's AD account has the flag for UF_USE_DES_KEY_ONLY. Samba only
sets this flag if the kerberos detected by configure doesn't have rc4-hmac:
userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT |
UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );
It looks like you had previously added this computer to the domain while
you were running an older version of Kerberos.
If that's the case, subtract 0x200000 (2097152 decimal) from
userAccountControl, or delete the account in AD and rejoin using the new
samba that has rc4-hmac support.
And you must be using ktpass.exe on the windows kdc to generate the host
key, because I don't see the "use kerberos keytab" option in smb.conf.
Could be some glitch between when it was cut on the kdc and installed on
the linux box. In this instance, the user account that was used to
map the key would be flagged for des only.
Regards, Doug
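As an added illustration (not part of Doug's reply, and not Samba's own code): a small Python helper that reads the ads_secrets_verify_ticket debug lines quoted above, names the enctypes the KDC tried, picks out the one that got as far as an integrity check, decodes a userAccountControl value into its flag names and emits the LDIF that clears UF_USE_DES_KEY_ONLY. It assumes the log-line format shown in the quoted output, the enctype numbers from the IANA Kerberos registry and the userAccountControl bit values Microsoft documents; the computer DN in the LDIF and the sample log text are constructed placeholders.

```python
import re

# userAccountControl bits as documented by Microsoft (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000001: "UF_SCRIPT",
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000008: "UF_HOMEDIR_REQUIRED",
    0x00000010: "UF_LOCKOUT",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000040: "UF_PASSWD_CANT_CHANGE",
    0x00000080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00020000: "UF_MNS_LOGON_ACCOUNT",
    0x00040000: "UF_SMARTCARD_REQUIRED",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "UF_NOT_DELEGATED",
    0x00200000: "UF_USE_DES_KEY_ONLY",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "UF_PASSWORD_EXPIRED",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
UF_USE_DES_KEY_ONLY = 0x00200000

# Kerberos enctype numbers (IANA registry, RFC 3961/4120) as printed by Samba.
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

LOG_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)$")


def parse_verify_log(text):
    """Return (enctype, error) pairs from ads_secrets_verify_ticket debug lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line.strip())
        if m:
            hits.append((int(m.group(1)), m.group(2).strip()))
    return hits


def kdc_enctype(hits):
    """Enctype the ticket was actually issued with.

    'Bad encryption type' means the ticket was not encrypted with that key type
    at all; an integrity-check failure means the type matched but the key bytes
    (keytab/secrets.tdb vs. KDC) differ, which is the case in the quoted log.
    """
    for etype, err in hits:
        if "integrity" in err.lower():
            return etype
    return None


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def clear_des_only(value):
    """Same as subtracting 0x200000 when the bit is set, but safe if it is not."""
    return value & ~UF_USE_DES_KEY_ONLY


def ldif_clear_des_only(dn, value):
    """LDIF for ldapmodify that writes userAccountControl without the DES-only bit."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {clear_des_only(value)}\n")


# Constructed sample: the three debug lines from the report, unwrapped.
SAMPLE_LOG = """\
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""

if __name__ == "__main__":
    hits = parse_verify_log(SAMPLE_LOG)
    for etype, err in hits:
        print(f"enctype {etype:2d} ({ENCTYPES.get(etype, '?')}): {err}")
    used = kdc_enctype(hits)
    print("KDC issued the ticket with", ENCTYPES.get(used, used))
    uac = 0x211000  # value from the report
    print("userAccountControl 0x%x = %s" % (uac, " | ".join(decode_uac(uac))))
    if uac & UF_USE_DES_KEY_ONLY:
        # placeholder DN; substitute the real computer object
        print(ldif_clear_des_only("CN=MYHOST,CN=Computers,DC=example,DC=com", uac))
```

Run it against a real log excerpt and the value you read back from AD (ldapsearch on the computer object); if kdc_enctype() reports 3 and decode_uac() lists UF_USE_DES_KEY_ONLY, you are in the situation Doug describes, and the emitted LDIF is the "subtract 0x200000" fix expressed as an ldapmodify change.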