ADS - CIFS Server Single Sign On stopped working after upgrade from 3.2.4 to 4.5.11
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 1 17:00:53 UTC 2019
What the TS can try/do:
Set the needed/preferred ciphers in idmap.conf.
I'm on my phone so no example, but if you google ‘samba idmap.conf windows preffered greetz louis’
then some should show up.
;-)
And make sure the cifs/ SPN is available.
This is, I believe, a bug.
The bug was (from memory) a difference in the use of ciphers between the auth and CIFS layers.
Greetz
Louis
> On 1 Jan. 2019 at 16:24, Rowland Penny via samba-technical <samba-technical at lists.samba.org> wrote:
>
> On Tue, 1 Jan 2019 20:35:24 +0530
> Silambarasan Madhappan via samba-technical
> <samba-technical at lists.samba.org> wrote:
>
>> Hi Team,
>>
>> When upgrading the CIFS server from 3.2.4 to 4.5 (it will be upgraded to
>> 4.9 soon) in one setup, we are encountering the error below while
>> accessing the share from a Win10 client.
>>
>> [2018/11/29 15:39:43.489092, 1]
>> ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
>> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
>> Checksum type hmac-sha1-96-aes256 is keyed, but the key type
>> arcfour-hmac-md5 passed didn't have that checksum type as the keyed
>> type]
>>
>> Please find the setup information below.
>>
>> Samba/CIFS server : 4.5
>>
>> KDC server: RHEL 5 with MIT Kerberos 1.6.1
>> AD: Windows 10
>>
>> That error is not seen when the KDC server is based on MIT Kerberos 1.10
>> on Red Hat.
>> Please clarify the below:
>>
>> 1. Is there any dependency on the version of MIT Kerberos to be
>> used as KDC? We are aware that there is a dependency on the version of
>> MIT to enable it during build (1.9 without AD DC, 1.15 for AD DC).
>>
>> 2. The error is due to a mismatch of checksum type and key type. Can
>> you please let me know what they correspond to (server, client or
>> KDC) and in which scenarios that mismatch can occur?
>>
>
>
> Your problem is that everything is just too old; never mind upgrading
> Samba, you also need to upgrade your OS as well.
>
> You should also be aware that if you are using MIT with a Samba AD DC,
> then you should not use this DC in production, the use of MIT is
> experimental.
>
> You should also ask questions like this on the samba mailing list.
>
> Rowland
>
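An added example, not code from this thread or from Samba, that pulls the checksum type and key type out of the gse.c error quoted above, maps each to the Kerberos enctype it belongs to (RFC 3962 for AES, RFC 4757 for arcfour), and checks a `klist -ke` listing for whether the cifs/ SPN actually carries the enctype the client used, which is the check Louis recommends. The log text and keytab listing are constructed samples and the hostname is hypothetical.

```python
import re

# Kerberos checksum type -> the enctype whose key it is keyed with
# (RFC 3962 for the AES types, RFC 4757 for RC4/arcfour).
CHECKSUM_TO_ENCTYPE = {
    "hmac-sha1-96-aes256": "aes256-cts-hmac-sha1-96",
    "hmac-sha1-96-aes128": "aes128-cts-hmac-sha1-96",
    "hmac-md5": "arcfour-hmac-md5",
}
# Names that MIT klist or Samba may print for the same enctype.
ENCTYPE_ALIASES = {"arcfour-hmac": "arcfour-hmac-md5", "rc4-hmac": "arcfour-hmac-md5"}

# Matches the gse.c message even when the logger wrapped it across lines.
GSE_RE = re.compile(r"Checksum type\s+(\S+)\s+is keyed, but the key type\s+(\S+)\s+passed")
# Matches one `klist -ke` row of the form "   2 cifs/host@REALM (enctype)".
KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\((\S+)\)\s*$", re.MULTILINE)

def diagnose_gse_error(log_text):
    """Return (client_enctype, server_key_enctype) implied by the error, or None."""
    m = GSE_RE.search(log_text)
    if not m:
        return None
    checksum, key_type = m.groups()
    return (CHECKSUM_TO_ENCTYPE.get(checksum, "unknown"),
            ENCTYPE_ALIASES.get(key_type, key_type))

def keytab_enctypes(klist_text, spn_prefix="cifs/"):
    """Enctypes that `klist -ke` lists for principals starting with spn_prefix."""
    return {ENCTYPE_ALIASES.get(enc, enc)
            for principal, enc in KEYTAB_RE.findall(klist_text)
            if principal.startswith(spn_prefix)}

def missing_enctype(log_text, klist_text):
    """Enctype the client ticket used that the cifs/ keytab entries lack, or None."""
    diag = diagnose_gse_error(log_text)
    if diag is None:
        return None
    client_enctype = diag[0]
    return client_enctype if client_enctype not in keytab_enctypes(klist_text) else None

# Constructed samples: the log message from the thread and a hypothetical keytab listing
# whose cifs/ entry only has an RC4 key (host/ is included to show the prefix filter).
SAMPLE_LOG = """[2018/11/29 15:39:43.489092, 1] ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Checksum type
  hmac-sha1-96-aes256 is keyed, but the key type arcfour-hmac-md5 passed didn't have that
  checksum type as the keyed type]"""
SAMPLE_KLIST = """KVNO Principal
   2 host/fileserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 cifs/fileserver.example.com@EXAMPLE.COM (arcfour-hmac)"""
```

Feed it the real `klist -ke` output for the server keytab and the failing log excerpt; a non-None result from `missing_enctype` names the enctype the cifs/ principal needs before the AES ticket can be accepted.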