[Samba] bad encryption type in AD domain authentication

Philipoff, Andrew aphilipoff at medicine.ucsf.edu
Mon May 4 19:54:41 GMT 2009


I used to create /etc/krb5.keytab files using ktpass but found an easier way:
 
1. Add "use kerberos keytab = Yes" to /etc/samba/smb.conf
2. Get a Kerberos ticket by running "kinit my_ad_username"
3. Run "net ads keytab create"
4. Verify the /etc/krb5.keytab by running "klist -ke"

Andrew Philipoff
Infrastructure Coordinator
Information Systems
Department of Medicine, UCSF
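As an added illustration for step 4 (this is not code from either poster), a small Python checker that reads the "enc type [N] failed to decrypt" lines from the smbd log quoted further down in this thread together with a captured `klist -ke` listing, and reports whether the keytab actually holds a key of that type for the host principal. The enctype numbers follow the IANA Kerberos registry (23 is RC4-HMAC, 3 is DES-CBC-MD5); the host name, realm and keytab listings are constructed samples, and the entry format is the one MIT klist prints.

```python
import re

# Kerberos enctype numbers from the IANA registry, mapped to the names that
# MIT and Heimdal klist print.  Only types common in an AD deployment are listed.
ENCTYPE_NAMES = {
    1: {"des-cbc-crc"},
    3: {"des-cbc-md5"},
    17: {"aes128-cts-hmac-sha1-96", "aes128-cts"},
    18: {"aes256-cts-hmac-sha1-96", "aes256-cts"},
    23: {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"},
}

# smbd log line as quoted in this thread: "enc type [23] failed to decrypt ..."
LOG_ENCTYPE_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")
# One `klist -ke` entry:  "   2 host/fqdn@REALM (arcfour-hmac)"
KEYTAB_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def failed_enctypes(samba_log):
    """Enctype numbers that smbd reported it could not decrypt the ticket with."""
    return {int(m.group(1)) for m in LOG_ENCTYPE_RE.finditer(samba_log)}

def keytab_entries(klist_output):
    """Parse `klist -ke` output into (kvno, principal, enctype name) tuples."""
    entries = []
    for line in klist_output.splitlines():
        m = KEYTAB_ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries

def missing_keys(samba_log, klist_output, principal):
    """Enctypes the client ticket used for which `principal` has no keytab key."""
    present = {name for _, princ, name in keytab_entries(klist_output)
               if princ == principal}
    return {etype for etype in failed_enctypes(samba_log)
            if not ENCTYPE_NAMES.get(etype, set()) & present}

# Constructed samples (hypothetical host and realm), not taken from the thread.
PRINCIPAL = "host/fileserver.example.com@EXAMPLE.COM"
SAMBA_LOG = ("  ads_secrets_verify_ticket: enc type [23] failed to decrypt "
             "with error Decrypt integrity check failed\n")
KEYTAB_DES_ONLY = ("Keytab name: FILE:/tmp/krb5.keytab\nKVNO Principal\n"
                   "---- ----\n"
                   "   2 host/fileserver.example.com@EXAMPLE.COM (des-cbc-md5)\n")
KEYTAB_WITH_RC4 = KEYTAB_DES_ONLY + (
    "   2 host/fileserver.example.com@EXAMPLE.COM (arcfour-hmac)\n")
```

With the DES-only keytab the checker returns {23}, i.e. the RC4 key the client ticket was encrypted with is absent, which is exactly the mismatch behind "Bad encryption type".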

-----Original Message-----
From: samba-bounces+aphilipoff=medicine.ucsf.edu at lists.samba.org [mailto:samba-bounces+aphilipoff=medicine.ucsf.edu at lists.samba.org] On Behalf Of ravi channavajhala
Sent: Monday, May 04, 2009 12:22 PM
To: 'nilleb'; samba at lists.samba.org
Subject: RE: [Samba] bad encryption type in AD domain authentication

Decrypt integrity check usually means your Kerberos tickets are no good or
you don't have the entry in the keytab which specifies the encryption method
expected.  The real way to fix it is to run ktpass.exe on the ADS server and
ftp the generated krb keytab file to the Unix server into /tmp.  Examine
it with klist -e -k /tmp/krb5.keytab; if all looks good, remove the
/etc/krb5 keytab file and run ktutil to write /tmp/krb5.keytab to the
/etc/krb5 keytab.  The safest method I found is to use the default
DES-CBC-MD5 authentication only while generating the keytab file with
ktpass.  Run ktpass with something along the lines of

ktpass -princ host/FQDN@REALM -mapuser DOMAIN\hostname$ -crypto DES-CBC-MD5 -pass whatever -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

You don't have to specify the -crypto option unless you would like to use an
encryption method such as DES-CBC-CRC or arcfour etc.  In that case,
generate keytabs separately for each encryption method and merge them into
the keytab.

Two points, one is the FQDN should be literally of the form host.domain.com,
and secondly in the mapuser use the short form of domain name.

Honestly, I wish this weren't this complicated, but the interoperability of
(lin)u(ni)x with a Windows AD server isn't really seamless.  Now, the hard
part is: what if you don't have never-expiring passwds on the ADS?  This
rigmarole of generating the keytabs will be an ongoing process.

-----Original Message-----
From: samba-bounces+ravi.channavajhala=dciera.com at lists.samba.org
[mailto:samba-bounces+ravi.channavajhala=dciera.com at lists.samba.org] On
Behalf Of nilleb
Sent: Monday, May 04, 2009 5:50 PM
To: samba at lists.samba.org
Subject: [Samba] bad encryption type in AD domain authentication

Hello,

I'm trying to access a samba share using an ADS user's credentials. I always
get an error, and the debug traces (log level = 5) are giving me the output
below.
I have searched the samba ML archives, and I have found the thread
http://lists.samba.org/archive/samba/2004-April/084545.html
but, before asking the system admin to apply the eventual KB fixes, I would
like to know if the problem is really the same: *what are the codes 296 and
471* which can be found below? *Do they show the algorithm used to
decrypt the token?* So, is this the same problem, since the email I linked
above shows a 323 code? *Is there a list of codes/algorithms, if my
hypothesis is correct?* (I've tried the samba websvn, but it isn't currently
available.)

[2009/05/04 11:29:45,  3] smbd/sesssetup.c:reply_spnego_negotiate(802)
  reply_spnego_negotiate: Got secblob of size 1445
[2009/05/04 11:29:45,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/05/04 11:29:45,  3] libads/kerberos_verify.c:ads_verify_ticket(471)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/05/04 11:29:45,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/05/04 11:29:45,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

and
[2009/05/04 11:29:51,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/05/04 11:29:51,  3] libads/kerberos_verify.c:ads_verify_ticket(471)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)


-- 
pgp.mit.edu:0A4D0FDD
http://www.nilleb.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
