[Samba] Slow Kerberos Authentication
L.P.H. van Belle
belle at bazuin.nl
Thu Nov 9 16:01:22 UTC 2017
Hai,
You may need to add the following in krb5.conf
[libdefaults]
allow_weak_crypto = true
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Can you try that?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul via samba
> Sent: Thursday 9 November 2017 16:45
> To: samba at lists.samba.org
> Subject: [Samba] Slow Kerberos Authentication
>
> Hi All,
>
> I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
> is working but it takes around 30 seconds on first access. This is an
> active directory domain with 2008r2 DC's.
> I've tracked it down to what looks like the incorrect encryption type being
> used according to the debug output below, as you can see it fails twice
> with enc type of 17 and 18 but succeeds with 23... Which according to the
> RFC is rc4-hmac which is all windows DCs talk from what I can find out.
> How can I get it so the correct encryption is chosen first time?
>
> Log excerpt:
>
> [2017/11/09 10:18:04.174379, 3] smbd/sesssetup.c:662(reply_spnego_negotiate)
>   reply_spnego_negotiate: Got secblob of size 3264
>
> [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
>
> [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
>
> [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:423: enc type [23] decrypted message !
>
> [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
>   Got KRB5 session key of length 16
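Added example (not part of the thread, and not Samba or MIT krb5 code): a small audit of the `[libdefaults]` settings posted in the reply above, reporting which enctype entries are single-DES or RC4 and whether `allow_weak_crypto` is switched on. The function names and the WEAK/DEPRECATED grouping are choices made for this example; SAMPLE is constructed from the active lines of that reply.

```python
import re

# Grouping chosen for this example: DES is deprecated by RFC 6649, RC4/3DES by RFC 8429.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
DEPRECATED = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
TRUE_VALUES = ("true", "yes", "y", "t", "on", "1")  # common "true" spellings

# Constructed sample: the uncommented settings from the reply, plus one commented line.
SAMPLE = """\
[libdefaults]
allow_weak_crypto = true
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

def parse_libdefaults(text):
    """Return {key: value} for active (uncommented) lines in [libdefaults]."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value
    return out

def audit(text):
    """Return (setting, finding) tuples in the order they are encountered."""
    conf, findings = parse_libdefaults(text), []
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append(("allow_weak_crypto", "weak enctypes enabled"))
    for key in ENCTYPE_KEYS:
        # Enctype lists may be separated by whitespace or commas.
        for enc in re.split(r"[\s,]+", conf.get(key, "").strip()):
            if enc in WEAK:
                findings.append((key, f"weak: {enc}"))
            elif enc in DEPRECATED:
                findings.append((key, f"deprecated: {enc}"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```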