Bug 2167 - bad signatures with krb1.2.7 (RHEL3 WS)
Summary: bad signatures with krb1.2.7 (RHEL3 WS)
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.10
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2004-12-16 09:46 UTC by Gerald (Jerry) Carter (dead mail address)
Modified: 2005-08-24 10:23 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Gerald (Jerry) Carter (dead mail address) 2004-12-16 09:46:00 UTC
while joined to a 2000 AD domain:

get_sequence_for_reply: found seq = 1 mid = 2
simple_packet_signature: sequence number 1
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 5F 98 69 62 2D 7D DD 91                           _.ib-}..
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 0D 58 5E 2E 4A D3 CB E2                           .X^.J...
simple_packet_signature: sequence number 4294967292
simple_packet_signature: sequence number 4294967293
simple_packet_signature: sequence number 4294967294
simple_packet_signature: sequence number 4294967295
simple_packet_signature: sequence number 0
simple_packet_signature: sequence number 1
simple_packet_signature: sequence number 2
simple_packet_signature: sequence number 3
simple_packet_signature: sequence number 4
simple_packet_signature: sequence number 5
signing_good: BAD SIG: seq 1
SMB Signature verification failed on incoming packet!
failed kerberos session setup with Undetermined error
anonymous connection attempt to BLUE from RHEL3-WS
failed anonymous session setup with NT_STATUS_OK
secrets_named_mutex: released mutex for BLUE
add_failed_connection_entry: domain AQUA (BLUE) already tried and failed
Could not open a connection to AQUA for \PIPE\lsarpc


works fine on RH9 + krb1.3.1
Comment 1 Duane Rezac 2004-12-21 04:56:01 UTC
I'm not on the samba team, but I have seen this.  Can you do a kinit from the
krb1.2.7 system and get a ticket?   I have never been able to get at ticket from
a windows AD controller with 1.2.7.  I had to update to 1.3.1 in order to get a
ticket.  1.2.7 did not support the type of encryption our AD controller was
using.  I have had no problems after upgrading to 1.3.1.

Duane Rezac
Comment 2 Andrew Bartlett 2004-12-22 19:03:13 UTC
Isn't this the issue with key padding (pad from 8 to 16 bytes with zeros) that
RH reported and jra patched?
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-12-23 07:19:28 UTC
i dunno.  Haven't looked into it.  I filed the bug so I wouldn't forget about it.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-02-03 12:34:43 UTC
no one else has confirmed it so closing.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:23:27 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.