I try to connect to a Samba 3.0.0rc3 server with the following share:

[admin]
browsable = no
path = /mnt/admin
public = no
write list = DOMAIN+username

[2003/09/09 12:02:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
  Got secblob of size 1529
[2003/09/09 12:02:20, 10] passdb/secrets.c:secrets_named_mutex(696)
  secrets_named_mutex: got mutex for replay cache mutex
[2003/09/09 12:02:20, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/09/09 12:02:20, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/09/09 12:02:20, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type

Version is 3.0.0rc3, running on Debian Woody, Kernel 2.4.21+xfs. Kerberos libs are installed. I can get tickets and wbinfo [-g|-u] works fine. Client is W2KproSP3. However, it doesn't work with smbclient (locally) either! I get (NT_STATUS_LOGON_FAILURE)... Connecting to W2K servers works without problems. I sniffed with tethereal and the SMB/LDAP auth requests all return with success...

Alex
What kerberos distro? What version of krb5 packages?
Using the package available in Debian unstable...

Package: libkrb53
Version: 1.3-2
Description: MIT Kerberos runtime libraries

from /etc/krb5.conf:

[...]
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[...]

This was the package default.
I guess this is related to this problem reported on the mailing list: http://www.mail-archive.com/samba@lists.samba.org/msg22411.html
Can you try MIT krb 1.3.1? It includes the RC4-HMAC implementation which is needed for full interoperability with kerberos smb signing.
1.3-2 for Debian already includes HMAC-RC4, but thanks for that hint, you led me on the right path to happiness :-)

Problem solution: /etc/krb5.conf contained the following lines:

# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#krb5.conf tells me that there are sensible default values. After commenting out the above lines in /etc/krb5.conf everything worked fine. Will file a bug against the .deb package because these values are unnecessary IMHO.

Thanks a lot for your efforts! Please close the bug. I'll post this to the mailing list...
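A diagnostic sketch for the mismatch described in this report, added here as an example and not code from Samba or from the thread's participants: it reads the enctype numbers smbd tried from the log and lists the krb5.conf settings that exclude a needed enctype. It assumes the ticket was encrypted with RC4-HMAC (enctype 23), the type named in the reply above; the function and variable names are hypothetical.

```python
import re

# Kerberos enctype names accepted by MIT krb5, mapped to their assigned numbers.
ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-hmac-sha1": 16,
            "des3-cbc-sha1": 16, "rc4-hmac": 23, "arcfour-hmac": 23}
KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# The krb5.conf lines quoted in the thread.
BROKEN_CONF = """\
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
"""
# The same lines commented out, as in the reported fix.
FIXED_CONF = re.sub(r"(?m)^(\w+_enctypes)", r"# \1", BROKEN_CONF)

# Messages from the smbd log in the report (timestamps and source lines dropped).
SAMPLE_LOG = """\
ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
"""

def restricted_enctypes(conf_text):
    """Map each uncommented enctype setting to the set of enctype numbers it lists."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or krb5.conf comment
        key, sep, value = line.partition("=")
        if sep and key.strip() in KEYS:
            names = re.split(r"[\s,]+", value.strip())
            # Names missing from ENCTYPES are ignored by this sketch.
            found[key.strip()] = {ENCTYPES[n] for n in names if n in ENCTYPES}
    return found

def tried_enctypes(log_text):
    """Enctype numbers that ads_verify_ticket reported as failing to decrypt."""
    return [int(n) for n in re.findall(r"enc type \[(\d+)\] failed to decrypt", log_text)]

def settings_missing(conf_text, needed=23):
    """Settings whose explicit list leaves out the needed enctype (assumed: 23)."""
    return sorted(k for k, v in restricted_enctypes(conf_text).items() if needed not in v)

if __name__ == "__main__":
    print("tried by smbd:", tried_enctypes(SAMPLE_LOG))
    print("settings excluding enctype 23:", settings_missing(BROKEN_CONF))
    print("after commenting out:", settings_missing(FIXED_CONF))
```

The enctypes smbd tried (16, 1, 3) are exactly the ones listed in `permitted_enctypes`, which is why removing the explicit lists and falling back to the library defaults changed the outcome.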
Resolution was an MIT Kerberos configuration issue.
originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
database cleanup