Bug 1010 - kinit works but smbd does not (connect via IP but not name)
kinit works but smbd does not (connect via IP but not name)
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: File Services
3.0.1
Other other
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-01-27 13:11 UTC by Gerald (Jerry) Carter
Modified: 2004-01-27 13:29 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gerald (Jerry) Carter 2004-01-27 13:11:31 UTC
Here's an update for those of you struggling to get Samba
working in an AD domain environment.

  Summary:  in securirty = ads, clients can browse to the
    Samba member server via IP but not by name (either netbios
    or DNS).  Kinit and wbinfo -t all work as expected.

The apparent reason for this is that the 2k client uses
NTLMSSP when you connect via IP which works.  However
the kerberos authentication always fails to decrypt
the ticket.  The log appears as

  ads_verify_ticket: enc type [16] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: enc type [1] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: enc type [3] failed to decrypt with
     error Bad encryption type
  ads_verify_ticket: krb5_rd_req with auth failed (Bad
     encryption type)
  Failed to verify incoming ticket!

The only way I have been able to reproduce this locally
using MIT 1.3.1 is by setting a list of permitted_enctypes
in /etc/krb5.conf.  For example,

 [libdefaults]
   dns_lookup_kdc = true
   default_tgs_enctypes = des-cbc-md5
   default_tkt_enctypes = des-cbc-md5
   permitted_enctypes = des-cbc-md5 des-cbc-crc

Commenting out the last line solved things in my tests.  Usually
I have a very minimal krb5.conf which works correctly.

  [libdefaults]
     dns_lookup_kdc = true

The end result is that this is a kerberos configuration issue
and not a Samba bug (Of course you could call it our bug
since kinit works and we don't).  I would be grateful if the
people experiencing this problem could either confirm or
refute my theory.
Comment 1 Gerald (Jerry) Carter 2004-01-27 13:29:14 UTC
decided it was a krb5 configuration issue.  Win2k always 
sticks the RC4-HMAC-MD5 enctype in the ticket and krb5.conf 
specified that it was not permitted.