Bug 424 - connecting from W2K ADS client to Samba ADS domain member fails
connecting from W2K ADS client to Samba ADS domain member fails
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: File Services
3.0.0preX
All Linux
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-09-09 06:40 UTC by Alexander List
Modified: 2005-11-14 09:27 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander List 2003-09-09 06:40:01 UTC
I try to connect to a Samba 3.0.0rc3 server with the following share:

[admin]
    browsable = no
    path = /mnt/admin
    public = no
    write list = DOMAIN+username


[2003/09/09 12:02:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
  Got secblob of size 1529
[2003/09/09 12:02:20, 10] passdb/secrets.c:secrets_named_mutex(696)
  secrets_named_mutex: got mutex for replay cache mutex
[2003/09/09 12:02:20, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption t
ype
[2003/09/09 12:02:20, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption ty
pe
[2003/09/09 12:02:20, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption ty
pe


Version is 3.0.0rc3, running on Debian Woody, Kernel 2.4.21+xfs. Kerberos libs
are installed. I can get tickets and wbinfo [-g|-u] works fine.

Client is W2KproSP3. However, it doesn't work with smbclient (locally) either! I
get (NT_STATUS_LOGON_FAILURE)... Connecting to W2K servers works without problems.

I sniffed with tethereal and the SMB/LDAP auth requests all return with success...

Alex
Comment 1 Gerald (Jerry) Carter 2003-09-09 11:11:02 UTC
What kerberos distro?  What version of krb5 packages?
Comment 2 Alexander List 2003-09-10 02:33:54 UTC
Using the package available in Debian unstable...

Package: libkrb53
Version: 1.3-2
Description: MIT Kerberos runtime libraries

from /etc/krb5.conf:

[...]
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[...]

This was the package default.
Comment 3 Alexander List 2003-09-10 04:00:57 UTC
I guess this is related to this problem reported on the mailing list:

http://www.mail-archive.com/samba@lists.samba.org/msg22411.html
Comment 4 Gerald (Jerry) Carter 2003-09-10 07:03:28 UTC
Can you try MIT krb 1.3.1.  It includes the RC4-HMAC 
implementation which is needed for full interoperability 
with kerberos smb signing.
Comment 5 Alexander List 2003-09-10 11:17:20 UTC
1.3-2 for Debian already includes HMAC-RC4, but thanks for that hint, you led me
on the right path to happiness :-)

Problem solution: 

/etc/krb5.conf contained the following lines:

# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#krb5.conf

tells me that there are sensible default values. After commenting out the above
lines in /etc/krb5.conf everything worked fine. Will file a bug against the .deb
package because these values are unnecessary IMHO.

Thanks a lot for your efforts! Please close the bug. I'll post this to the
mailing list...
Comment 6 Gerald (Jerry) Carter 2003-09-10 11:36:54 UTC
resolution was a MIT kerberos configuration issue.
Comment 7 Gerald (Jerry) Carter 2005-02-07 09:05:53 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 8 Gerald (Jerry) Carter 2005-11-14 09:27:13 UTC
database cleanup