[Samba] Problems with ADS membership with win2k domain

Eric S. Hvozda hvozda at ack.org
Sat Apr 16 15:02:45 GMT 2005


I'm having problems with ADS membership for samba.  I had a "mostly"
working version with RHES v2.1, krb5 v1.2, samba v3.0.5.

I knew to get to a fully functioning version I would need krb5 v1.3
or later.  So finally I had an opportunity to junk RH's crufty krb5
and build from scratch with:

RHES v2.1
MIT krb5 v1.4
samba v3.0.13

This works fine on another server.  Now to the problem:

I can join the domain.  smbclient works flawlessly.  kinit(1) works
fine.  However on another I try from a win2k client I get the
authentication dialog box and keep getting in log.w.x.y.z:

[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2005/04/16 00:56:10, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(233)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2005/04/16 00:56:10, 10] passdb/secrets.c:secrets_named_mutex_release(714)
  secrets_named_mutex: released mutex for replay cache mutex
[2005/04/16 00:56:10, 3] libads/kerberos_verify.c:ads_verify_ticket(346)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

...and of course the fun part is we DO NOT have a win2k3 ADS; we have
win2k ADS.  So I decided to try samba v3.0.14a since it just came out.

However, I still have the same issue.

krb5 v1.4 built with:

./configure  --prefix=/usr/local
make
make check (all tests pass)
sudo make install

/etc/krb5.conf:
| [libdefaults]
|  default_realm = US1.FOO.COM
| 
| [realms]
|  US1.FOO.COM = {
|   kdc = dc1.us1.foo.com
|  }
| 
| [domain_realm]
|  .dc1.us1.foo.com = US1.FOO.COM

samba 3.0.14a built with:

./configure --prefix=/usr/local --with-krb5=/usr/local
make
sudo make install

/usr/local/lib/smb.conf:
| [global]
| workgroup = FOO
| netbios name = TOKEN
| 
| log file = /usr/local/var/log.%m
| 
| realm = US1.FOO.COM
| security = ads
| password server = dc1.us1.foo.com dc2.us1.foo.com
| 
| idmap uid = 15000-20000
| idmap gid = 15000-20000
| winbind separator = +
| winbind enum users = true
| winbind enum groups = true
| winbind cache time = 10
| 
| load printers = no
| domain master = no
| 
| hosts deny = ALL
| hosts allow = 192.168.0.0/16 127.
| interfaces = eth1 lo
| bind interfaces only = yes
| 
| [tmp]
|         comment = tmp files
|         path = /tmp
|         read only = yes

To me this seems like it shouldn't be rocket science.  I did the
same configuration on a sister system running RHES v2.1, krb5 v1.4,
etc (same right down to the RPM versions reported by "rpm -q -a")
and it worked flawlessly.

I've even tried the binaries that "work" from the sister machine
on the problematic machine to no avail.

I'm out of ideas of where to look next for additional debug.  Hints?
Ideas?  Is it time to break out the sniffer and MD5 all the libraries
and executables?
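As an added diagnostic example (not from the original post, nor Samba's or MIT krb5's own code), the script below reads the ads_secrets_verify_ticket lines quoted above and separates the attempts where the derived key simply had the wrong enctype for the ticket from the one where the enctype matched but the key material did not; the sample log, the function names and the enctype table are assumptions re-typed here, and the error-code interpretation follows MIT krb5's krb5_rd_req behaviour.

```python
import re

# Kerberos enctype numbers as Samba logs them (RFC 3961/3962/4757 assignments).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}

# Constructed sample: the verify_ticket message lines from the post, re-typed.
SAMPLE_LOG = """\
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
"""

LINE_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+?)\s*$")


def parse_verify_failures(log_text):
    """Map each enctype Samba tried to the krb5 error it reported, in log order."""
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures[int(m.group(1))] = m.group(2)
    return failures


def diagnose(failures):
    """Tell enctype mismatches apart from a real key mismatch.

    'Bad encryption type' (KRB5_BAD_ENCTYPE) only means the key Samba derived for
    that enctype is not the enctype the ticket was issued with: noise.
    'Decrypt integrity check failed' (KRB5KRB_AP_ERR_BAD_INTEGRITY) means the
    enctype matched but the key did not: the machine password in secrets.tdb
    (or its key derivation) differs from what the KDC used for this host.
    """
    mismatched = [e for e, msg in failures.items() if msg == "Bad encryption type"]
    wrong_key = [e for e, msg in failures.items() if "integrity check failed" in msg]
    verdict = "key-mismatch" if wrong_key else (
        "no-key-for-ticket-enctype" if mismatched else "ok-or-unparsed")
    return {
        "verdict": verdict,
        "ticket_enctype": [ENCTYPE_NAMES.get(e, str(e)) for e in wrong_key],
        "skipped": [ENCTYPE_NAMES.get(e, str(e)) for e in mismatched],
    }


if __name__ == "__main__":
    print(diagnose(parse_verify_failures(SAMPLE_LOG)))
```

A "key-mismatch" verdict on the des-cbc-md5 attempt points at the stored machine account secret rather than at the enctype list, which is a different place to look than the library binaries.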

