[Samba] ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

Tom Carroll tcarroll+samba at chimesnet.com
Thu Dec 18 20:57:53 GMT 2008


Good day -

I am having problems with trusted domain authentication.  I have two AD 
domains, A and B.  Domain A trusts B.  I have a Samba file server, 
version 3.2.5, as a member of A.  Using smbclient, I can successfully 
access the share using principals from either domain.  Windows XP 
workstations that are members of A can access the shares, but XP 
workstations that are members of B fail. 

Using klist, I see that the members of B have a TGT from B with enctype 
RC4-HMAC [23].

From the Samba logs I see the following:
[2008/12/18 15:28:21, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 3038, pblob->length = 3038
[2008/12/18 15:28:21,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/12/18 15:28:21,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2008/12/18 15:28:21,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/12/18 15:28:21,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 2972
[2008/12/18 15:28:21,  3] 
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error 
Decrypt integrity check failed
[2008/12/18 15:28:21, 10] 
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error 
Bad encryption type
[2008/12/18 15:28:21, 10] 
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error 
Bad encryption type
[2008/12/18 15:28:21,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2008/12/18 15:28:21, 10] libads/kerberos_verify.c:ads_verify_ticket(467)
  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2008/12/18 15:28:21,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/12/18 15:28:21,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE

Any help would be appreciated.

# smbd -V
Version 3.2.5
#

My smb.conf:
[global]
    workgroup = BEELINEWAN
    realm = BEELINEWAN.COM
    server string = %h server
    security = ADS
    obey pam restrictions = Yes
    client NTLMv2 auth = Yes
    log level = 10
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-25000
    idmap gid = 10000-25000
    template homedir = /shares/%D/home/%U
    template shell = /bin/bash
    winbind use default domain = Yes

[public]
    path = /shares/public
    read only = No
    create mask = 0770
    valid users = "@A%wDomain Users" "@B%wDomain Users"
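
Added example, not part of the original post and not Samba code: a small triage script that rejoins the mail-wrapped level-10 log records shown above and lists which enctype attempts in ads_secrets_verify_ticket failed and how. Reading "Decrypt integrity check failed" as a key that did not decrypt the ticket, and "Bad encryption type" as an enctype the ticket was not issued in, is an assumption based on general Kerberos error semantics; the function and group names are hypothetical.

```python
import re

# Excerpt of the log posted above, with the mail-wrapped lines left as they are.
SAMPLE = """\
[2008/12/18 15:28:21,  3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2008/12/18 15:28:21, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Bad encryption type
[2008/12/18 15:28:21,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)$")
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # Kerberos numbers

def records(text):
    """Yield (timestamp, level, location, message), rejoining wrapped lines."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield tuple(cur)
            cur = [m.group(1), int(m.group(2)), m.group(3).strip(), ""]
        elif cur and line.strip():
            if not cur[2]:          # location was wrapped onto its own line
                cur[2] = line.strip()
            else:                   # message text, possibly split in two
                cur[3] = (cur[3] + " " + line.strip()).strip()
    if cur:
        yield tuple(cur)

def enctype_failures(text):
    """Return (timestamp, enctype name, error) for each failed key attempt."""
    hits = ((ts, FAIL.search(msg)) for ts, _lvl, _loc, msg in records(text))
    return [(ts, ENCTYPES.get(int(m[1]), m[1]), m[2]) for ts, m in hits if m]

def triage(failures):
    """Group enctypes: key did not decrypt vs. ticket not of that enctype."""
    kinds = {"Decrypt integrity check failed": "key_mismatch",
             "Bad encryption type": "enctype_mismatch"}
    groups = {"key_mismatch": [], "enctype_mismatch": []}
    for _ts, name, err in failures:
        if err in kinds:
            groups[kinds[err]].append(name)
    return groups
```

Run over a full log.%m file, an enctype listed under key_mismatch is the one to compare against the enctype klist reports for the client's ticket.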
   


