[Samba] Slow Kerberos Authentication
Paul
bluescreen08 at gmail.com
Sat Nov 11 10:01:42 UTC 2017
Just to update this, I'm going to upgrade to samba4 but it won't be for a
few days yet, I'll keep this thread updated with what happens.
On 10 Nov 2017 11:23, "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> No, no idea, but really, upgrade to samba, best option, in my opinion.
> If that's not possible, it happens..
>
> A timeout option can be set in krb5.conf
> for example : kdc_timeout = 5000
>
>
> You have these for krb5.conf to try out also.
> the complete list.
> des-hmac-sha1
> DES with HMAC/sha1 (weak)
>
> aes256-cts-hmac-sha1-96 aes256-cts AES-256
> CTS mode with 96-bit SHA-1 HMAC
>
> aes128-cts-hmac-sha1-96 aes128-cts AES-128
> CTS mode with 96-bit SHA-1 HMAC
>
> arcfour-hmac rc4-hmac arcfour-hmac-md5
> RC4 with HMAC/MD5
>
> arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
> Exportable RC4 with HMAC/MD5 (weak)
>
> camellia256-cts-cmac camellia256-cts
> Camellia-256 CTS mode with CMAC
>
> camellia128-cts-cmac camellia128-cts
> Camellia-128 CTS mode with CMAC
>
> des
> The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
>
> des3
> The triple DES family: des3-cbc-sha1
>
> aes
> The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
>
> rc4
> The RC4 family: arcfour-hmac
>
> camellia
> The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
>
>
> Try the lines I sent before, keep the allow weak encryptions.
> Try these, and add them at the beginning.
> arcfour-hmac
>
>
>
> Greetz,
>
> Louis
>
>
>
>
>
>
> ________________________________
>
> From: Paul [mailto:bluescreen08 at gmail.com]
> Sent: Friday 10 November 2017 12:03
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Slow Kerberos Authentication
>
>
> I'll look into it and update if I find anything out :)
> Any idea why it would try enc type 17, then 18, then pause for 30
> seconds?
>
> It feels like a timeout is being hit but I don't understand enough
> about samba/Kerberos to figure out what it is.
>
> On 10 Nov 2017 09:37, "L.P.H. van Belle via samba" <
> samba at lists.samba.org> wrote:
>
>
> Hai Paul,
>
> hmm, I think it's time.. to upgrade your samba.
>
> I don't think the other krb5.conf options work, but you
> might give it a try.
> See man krb5.conf, where I took it from.
> Add/change in krb5.conf
>
> [kdc]
> tgt-use-strongest-session-key = BOOL
> svc-use-strongest-session-key = BOOL
> preauth-use-strongest-session-key= BOOL
> use-strongest-server-key = BOOL
> encode_as_rep_as_tgs_rep = BOOL
>
> BOOL = true or false.
>
> You might set the default windows encryption in krb5.conf
> as standard, but imo, those are changes which might give other problems.
> And is not my best advice..
>
> So best advice is .. upgrade to samba 4, and packages are
> available.
> https://linux.oracle.com/errata/ELSA-2017-1271.html
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> From: Paul [mailto:bluescreen08 at gmail.com]
> Sent: Friday 10 November 2017 9:57
> To: L.P.H. van Belle
> Subject: Re: [Samba] Slow Kerberos Authentication
>
>
>
> Thanks, however that didn't work even after a reboot,
> still the same error.
>
> On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <
> samba at lists.samba.org> wrote:
> Hai,
>
> You may need to add the following in krb5.conf
>
> [libdefaults]
> allow_weak_crypto = true
>
> ; for Windows 2003
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> Can you try that.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul via samba
> > Sent: Thursday 9 November 2017 16:45
> > To: samba at lists.samba.org
> > Subject: [Samba] Slow Kerberos Authentication
> >
> > Hi All,
> >
> > I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
> > is working but it takes around 30 seconds on first access. This is an
> > active directory domain with 2008r2 DC's.
> > I've tracked it down to what looks like the incorrect encryption type being
> > used according to the debug output below, as you can see it fails twice
> > with enc type of 17 and 18 but succeeds with 23... Which according to the
> > RFC is rc4-hmac which is all windows DCs talk from what I can find out.
> > How can I get it so the correct encryption is chosen first time?
> >
> > Log excerpt:
> >
> > [2017/11/09 10:18:04.174379, 3] smbd/sesssetup.c:662(reply_spnego_negotiate)
> > reply_spnego_negotiate: Got secblob of size 3264
> >
> > [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
> > libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
> >
> > [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
> > libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
> >
> > [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
> > libads/kerberos_verify.c:423: enc type [23] decrypted message !
> >
> > [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
> > Got KRB5 session key of length 16
>
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
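A check for the krb5.conf settings suggested in the thread, as an added example (not from the original messages or from the krb5 project): it lists which `[libdefaults]` entries enable enctypes that the enctype list quoted in the thread marks "(weak)". The sample config is the thread's "Windows 2008 with AES" block with line wrapping undone; the function and constant names are hypothetical.

```python
# Constructed sample: the settings quoted in the thread, e-mail line wrapping undone.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    allow_weak_crypto = true
    ; for Windows 2003
    ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

# Names that the enctype list quoted in the thread marks "(weak)".
WEAK = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1",
        "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

def audit_libdefaults(conf_text):
    """Return (setting, detail) findings for the [libdefaults] section."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Assumption: these spellings are treated as "true" for this check.
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes", "on", "1"):
            findings.append((key, "enabled"))
        elif key in ENCTYPE_KEYS:
            # Enctype names in a list are separated by spaces or commas.
            weak = [n for n in value.replace(",", " ").split() if n.lower() in WEAK]
            if weak:
                findings.append((key, " ".join(weak)))
    return findings
```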