[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

Andrew Bartlett abartlet at samba.org
Fri Jan 28 07:02:48 UTC 2022

On Fri, 2022-01-28 at 09:51 +0300, Alex via samba wrote:
> Thanks Rowland.
> My issue is that k5start isn't able to get even the 1st ticket. Do
> you use system's keytab or create a user keytab for this test case?
> Can you show what "net ads keytab list ..." outputs?

Just one thought before the weekend:

Can you remind me how the keytab was obtained?

RC4 tickets work sometimes in places where AES does not because AES
tickets are salted, and if you use the wrong salt it all goes very

A keytab extracted using 'samba-tool domain exportkeytab' (there is an
option to extract just one principal) will always have the correct
salt, and all the right keys, as this is a direct copy from the DB.

I'll look over the .pcap when I get a chance.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list