[Samba] Slow Kerberos Authentication
Paul
bluescreen08 at gmail.com
Tue Nov 14 12:32:22 UTC 2017
Update: I installed samba4 with the existing config; it's sped up slightly,
but I'm seeing another error.
After it's started gensec submechanism gse_krb5, it takes around 40 seconds
to resolve the hostname to FQDN:
HOSTNAME -> hostname.local
I've got the entry in hosts and it's correct in DNS. What could be the
problem?
On 11 Nov 2017 10:01, "Paul" <bluescreen08 at gmail.com> wrote:
> Just to update this, I'm going to upgrade to samba4 but it won't be for a
> few days yet, I'll keep this thread updated with what happens.
>
> On 10 Nov 2017 11:23, "L.P.H. van Belle via samba" <samba at lists.samba.org>
> wrote:
>
>> No, no idea, but really, upgrade to samba, best option, in my opinion.
>> If that's not possible, it happens..
>>
>> A timeout option can be set in krb5.conf
>> for example : kdc_timeout = 5000
>>
>>
>> You have these for krb5.conf to try out also.
>> The complete list:
>>
>> des-hmac-sha1
>>     DES with HMAC/sha1 (weak)
>>
>> aes256-cts-hmac-sha1-96 aes256-cts
>>     AES-256 CTS mode with 96-bit SHA-1 HMAC
>>
>> aes128-cts-hmac-sha1-96 aes128-cts
>>     AES-128 CTS mode with 96-bit SHA-1 HMAC
>>
>> arcfour-hmac rc4-hmac arcfour-hmac-md5
>>     RC4 with HMAC/MD5
>>
>> arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
>>     Exportable RC4 with HMAC/MD5 (weak)
>>
>> camellia256-cts-cmac camellia256-cts
>>     Camellia-256 CTS mode with CMAC
>>
>> camellia128-cts-cmac camellia128-cts
>>     Camellia-128 CTS mode with CMAC
>>
>> des
>>     The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
>>
>> des3
>>     The triple DES family: des3-cbc-sha1
>>
>> aes
>>     The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
>>
>> rc4
>>     The RC4 family: arcfour-hmac
>>
>> camellia
>>     The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
>>
>>
>> Try the lines I sent before, keep the allow weak encryptions.
>> Try these, and add them at the beginning:
>> arcfour-hmac
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>
>>
>> ________________________________
>>
>> From: Paul [mailto:bluescreen08 at gmail.com]
>> Sent: Friday 10 November 2017 12:03
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Slow Kerberos Authentication
>>
>>
>> I'll look into it and update if I find anything out :)
>> Any idea why it would try enc type 17, then 18, then pause for 30
>> seconds?
>>
>> It feels like a timeout is being hit but I don't understand
>> enough about samba/Kerberos to figure out what it is.
>>
>> On 10 Nov 2017 09:37, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>
>>
>> Hai Paul,
>>
>> Hmm, I think it's time.. to upgrade your samba.
>>
>> I don't think the other krb5.conf options work, but you
>> might give it a try.
>> See man krb5.conf, where I took it from.
>> Add/change in krb5.conf:
>>
>> [kdc]
>> tgt-use-strongest-session-key = BOOL
>> svc-use-strongest-session-key = BOOL
>> preauth-use-strongest-session-key = BOOL
>> use-strongest-server-key = BOOL
>> encode_as_rep_as_tgs_rep = BOOL
>>
>> BOOL = true or false.
>>
>> You might set the default windows encryption in krb5.conf
>> as standard, but imo, those are changes which might give other problems.
>> And it is not my best advice..
>>
>> So best advice is .. upgrade to samba 4, and packages are
>> available.
>> https://linux.oracle.com/errata/ELSA-2017-1271.html
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>
>> From: Paul [mailto:bluescreen08 at gmail.com]
>> Sent: Friday 10 November 2017 9:57
>> To: L.P.H. van Belle
>> Subject: Re: [Samba] Slow Kerberos Authentication
>>
>>
>>
>> Thanks, however that didn't work even after a reboot, still the same error.
>>
>> On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>> Hai,
>>
>> You may need to add the following in krb5.conf
>>
>> [libdefaults]
>> allow_weak_crypto = true
>>
>> ; for Windows 2003
>> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>
>> ; for Windows 2008 with AES
>> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>
>> Can you try that.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>> > -----Original Message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul via samba
>> > Sent: Thursday 9 November 2017 16:45
>> > To: samba at lists.samba.org
>> > Subject: [Samba] Slow Kerberos Authentication
>> >
>> > Hi All,
>> >
>> > I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
>> > is working but it takes around 30 seconds on first access. This is an
>> > active directory domain with 2008r2 DC's.
>> > I've tracked it down to what looks like the incorrect encryption type being
>> > used according to the debug output below, as you can see it fails twice
>> > with enc type of 17 and 18 but succeeds with 23... Which according to the
>> > RFC is rc4-hmac which is all windows DCs talk from what I can find out.
>> > How can I get it so the correct encryption is chosen first time?
>> >
>> > Log excerpt:
>> >
>> > [2017/11/09 10:18:04.174379, 3] smbd/sesssetup.c:662(reply_spnego_negotiate)
>> >   reply_spnego_negotiate: Got secblob of size 3264
>> >
>> > [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>> >   libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
>> >
>> > [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
>> >   libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
>> >
>> > [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
>> >   libads/kerberos_verify.c:423: enc type [23] decrypted message !
>> >
>> > [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
>> >   Got KRB5 session key of length 16
>>
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>> >
>
>