[Samba] Kerberos enc type [xx] failed

Dimitri Yioulos dyioulos at firstbhph.com
Wed Jun 15 14:46:16 GMT 2005


Ephi,

I think I had the same problem once upon a time.  I haven't seen your 
krb5.conf, but I added the following to mine in the [libdefaults] section:

 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

That cleared up the problem.

HTH.

Dimitri


On Tuesday June 14 2005 10:04 pm, Ephi Dror wrote:
> Hi Andrew,
>
> I upgraded krb5 libs to 1.3.3 and now the error became "Decrypt
> integrity check failed".
>
> I rebooted my AD server and the SAMBA server just in case.
>
> Here is the log:
>
> [2005/06/14 18:14:30, 3, pid=17668]
> libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
>   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
> Decrypt integrity check failed
> [2005/06/14 18:14:30, 3, pid=17668]
> libads/kerberos_verify.c:ads_verify_ticket(307)
>   ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
>
> Any idea?
>
> Did I forget to do something so obvious?
>
> Is it anything to do with keytab which I have noticed that if I specify
> "use kerberos keytab = yes" I get an error in  net ads join that says:
> [2005/06/14 18:50:43, 1, pid=23237]
> libads/kerberos_keytab.c:ads_keytab_add_entry(236)
>   ads_keytab_add_entry: adding entry to keytab failed (Cannot write to
> specified key table)
> [2005/06/14 18:50:43, 1, pid=23237]
> libads/kerberos_keytab.c:ads_keytab_create_default(418)
>   ads_keytab_create_default: ads_keytab_add_entry failed while adding
> 'host'.
> [2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
>   Error creating host keytab!
> Joined 'SSN217' to realm 'LONDON.STORADINC.COM'
>
> And last, is it to do with kerberos hot fix
> http://support.microsoft.com/kb/833708/
> Just wondering.
>
> Thanks so much in advance for any hint in this complicated area.
>
> Cheers,
> Ephi
>
>
>
> -----Original Message-----
> From: Ephi Dror
> Sent: Tuesday, June 14, 2005 10:28 AM
> To: 'Andrew Bartlett'
> Cc: Samba (samba at lists.samba.org)
> Subject: RE: [Samba] Kerberos enc type [xx] failed
>
> Thank you Andrew for sharing with us your expertise and giving us those
> suggestions.
>
> We really appreciate it.
>
> Cheers,
> Ephi
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Monday, June 13, 2005 10:15 PM
> To: Ephi Dror
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos enc type [xx] failed
>
> On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> > Hi All,
> >
> > I am getting Kerberos "enc type" problem that I can't explain:
> >
> >
> > Just a quick background:
> > 1. My samba version is 3.0.6 (will switch to latest soon)
> > 2. My Kerberos version is krb5 1.2.7.
> > 4. Samba joined active directory that has one KDC running win2003
> > (not sp1)
> > 5. I switched between different domains and join as ADS and domain
> > many times, could it contribute to this problem?
> >
> > At the moment, I can't switch to latest krb5 package. What is the
> > minimum Kerberos version required by SAMBA?
>
> MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
> maintained since Samba 3.0.  Using less than this will cause issues with
> clients that for one reason or another do not possess 'DES' kerberos
> keys.
>
> Kerberos library requirements have been quite a pain in Samba 3.0.
> There are three basic solutions:
>
>  - Upgrade your OS to one with a suitable kerberos
>  - Upgrade the kerberos libraries on your OS
>  - Statically link your Samba install to an upgraded kerberos.
>
> The latter option is what SerNet did/does for their Samba 3.0 packages.
>
> In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
> and the current plan is to ship with a built-in kerberos library.
> (Options for later development allow this to possibly use a system lib,
> but the aim is to shift the pain away from the administrator, who can't
> help the situation much).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net
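
Added example, not part of the original thread and not Samba code: a Python sketch that maps the `enc type [N]` number from the quoted Samba log to its Kerberos enctype name and checks whether that enctype is listed in the `[libdefaults]` settings suggested above. The enctype table is a subset of the IANA registry using MIT krb5 names; the function names and the sample strings are constructed for illustration.

```python
import re

# Kerberos encryption type numbers (IANA registry subset) with MIT krb5 names.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}
SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes")
FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error\s+([^\n]+)")

def libdefaults_enctypes(conf_text):
    """Return {setting: set of enctype names} for settings present in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in SETTINGS:
                names = re.split(r"[,\s]+", value.lower())
                found[key] = {ALIASES.get(n, n) for n in names if n}
    return found

def triage(log_text, conf_text):
    """One finding per distinct failing enctype seen in the Samba log."""
    conf = libdefaults_enctypes(conf_text)
    findings = {}
    for num, error in FAIL_RE.findall(log_text):
        num = int(num)
        name = ENCTYPES.get(num, "unknown")
        findings[num] = {
            "enctype": num, "name": name, "error": error.strip(),
            "single_des": name.startswith("des-"),  # deprecated by RFC 6649
            # None means the setting is absent and library defaults apply.
            "listed": {s: (name in conf[s]) if s in conf else None for s in SETTINGS},
        }
    return [findings[n] for n in sorted(findings)]

# Constructed sample: the thread's log lines, unwrapped, plus the suggested settings.
SAMPLE_LOG = """[2005/06/14 18:14:30, 3, pid=17668] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""
SAMPLE_CONF = """[libdefaults]
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(finding)
```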

