[Samba] Can't maintain a connection to the Server 2003 ADS on a subdomain

Doug VanLeuven roamdad at sonic.net
Mon Jun 13 16:22:45 GMT 2005

Daniel Kvitko wrote:

>Hello to every Samba expert out there,
>We've been having a hard time figuring out a particular problem with Samba.
>After joining the Server 2003 ADS, which is on a different subnet - just
>going through a router, the membership would drop all of a sudden.
>Everything works great when the Samba server is on the same subnet as the
>Server 2003 ADS. I have posted some details on forums, here is a link if you
>need to see the configuration:
>I have been struggling for weeks and really need some insight from some
>experts. The purpose of the Samba servers is just for file sharing and we
>really do not want to install Microsoft Servers. If there is no one here
>that can offer any assistance, then I guess there isn't anyone out there
>that can.
Hi Dan,
While processing a TGS request for the target server 
host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have 
a suitable key for generating a Kerberos ticket (the missing key has an 
ID of 8). The requested etypes were 16.  The accounts available etypes 
were 23  -133  -128  3  1.

The requested enctype of 16 corresponds to DES3_CBC_SHA1.
The encryption types the 2003 server knows how to decode are
I don't know what encryption types -133 & -128 are.
If you do a
    klist -ke
on the samba machine, it will list the keys in /etc/krb5.keytab and what 
encryption types they are.
With your version of kerberos and samba, you should be joined normally 
without the flag for DES_CBC_MD5 encryption required.  As fas as I know, 
this implies the samba server will be using ARCFOUR_HMAC which is the 
native encryption type of windows 2003.
Would you mind verifying your keytab on the samba host still has a
    host/ops-server2003.rhb.local at RHB.LOCAL (ArcFour with HMAC/md5)
entry and that you ran the ktpass.exe on the windows 2003 server to 
generate the host entry for the samba machine?

Regards, Doug

More information about the samba mailing list