Here's an update for those of you struggling to get Samba working in an AD domain environment.

Summary: in security = ads, clients can browse to the Samba member server via IP but not by name (either NetBIOS or DNS). Kinit and wbinfo -t all work as expected.

The apparent reason for this is that the 2k client uses NTLMSSP when you connect via IP, which works. However, the Kerberos authentication always fails to decrypt the ticket. The log appears as

    ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
    ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
    ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    Failed to verify incoming ticket!

The only way I have been able to reproduce this locally using MIT 1.3.1 is by setting a list of permitted_enctypes in /etc/krb5.conf. For example,

    [libdefaults]
        dns_lookup_kdc = true
        default_tgs_enctypes = des-cbc-md5
        default_tkt_enctypes = des-cbc-md5
        permitted_enctypes = des-cbc-md5 des-cbc-crc

Commenting out the last line solved things in my tests. Usually I have a very minimal krb5.conf which works correctly.

    [libdefaults]
        dns_lookup_kdc = true

The end result is that this is a Kerberos configuration issue and not a Samba bug (of course you could call it our bug since kinit works and we don't).

I would be grateful if the people experiencing this problem could either confirm or refute my theory.
decided it was a krb5 configuration issue. Win2k always sticks the RC4-HMAC-MD5 enctype in the ticket and krb5.conf specified that it was not permitted.
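
A check for the condition described above, as an added example that is not part of the original post: it parses [libdefaults] and reports whether permitted_enctypes rules out RC4-HMAC (enctype 23). The function names and the two sample configs are constructed here, and it assumes that an unset permitted_enctypes leaves RC4-HMAC allowed, as with the post's minimal krb5.conf.

```python
import re

# Kerberos enctype numbers keyed by the names MIT krb5 accepts in krb5.conf.
ENCTYPES = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
RC4_HMAC = 23  # the enctype the post says Win2k puts in the ticket

def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or commented-out line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def permitted(conf_text):
    """Set of permitted enctype numbers, or None when the list is unset."""
    value = libdefaults(conf_text).get("permitted_enctypes")
    if value is None:
        return None   # assumption: library default, which accepts RC4-HMAC
    names = re.split(r"[,\s]+", value.lower())
    return {ENCTYPES[n] for n in names if n in ENCTYPES}

def accepts(conf_text, enctype=RC4_HMAC):
    """True when the config does not rule out tickets of this enctype."""
    allowed = permitted(conf_text)
    return allowed is None or enctype in allowed

# Constructed sample inputs: the two configurations quoted in the post.
RESTRICTED = """[libdefaults]
    dns_lookup_kdc = true
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
MINIMAL = "[libdefaults]\n    dns_lookup_kdc = true\n"

if __name__ == "__main__":
    print("restricted:", accepts(RESTRICTED), "minimal:", accepts(MINIMAL))
```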