[Samba] Slow Kerberos Authentication

L.P.H. van Belle belle at bazuin.nl
Thu Nov 9 16:01:22 UTC 2017


Hai, 

You may need to add the following in krb5.conf

[libdefaults]
 allow_weak_crypto = true

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Can you try that?

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul via samba
> Sent: Thursday 9 November 2017 16:45
> To: samba at lists.samba.org
> Subject: [Samba] Slow Kerberos Authentication
> 
> Hi All,
> 
> I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
> is working but it takes around 30 seconds on first access. This is an
> active directory domain with 2008r2 DC's.
> I've tracked it down to what looks like the incorrect encryption type being
> used according to the debug output below, as you can see it fails twice
> with enc type of 17 and 18 but succeeds with 23... Which according to the
> RFC is rc4-hmac which is all windows DCs talk from what I can find out.
> How can I get it so the correct encryption is chosen first time?
> 
> Log excerpt:
> 
> [2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spnego_negotiate)
>   reply_spnego_negotiate: Got secblob of size 3264
> [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
> [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
> [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
>   libads/kerberos_verify.c:423: enc type [23] decrypted message !
> [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
>   Got KRB5 session key of length 16
> 



