Bug 6429 - ADS: spnego bad encryption type failure
Summary: ADS: spnego bad encryption type failure
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Clustering (show other bugs)
Version: 3.3.4
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-01 17:41 UTC by John H Terpstra (mail address dead(
Modified: 2009-06-03 10:29 UTC (History)
0 users

See Also:


Attachments
Network capture in PCAP format (220.08 KB, application/octet-stream)
2009-06-01 17:43 UTC, John H Terpstra (mail address dead(
no flags Details
Loglevel 10 log file. (420.50 KB, text/plain)
2009-06-01 17:44 UTC, John H Terpstra (mail address dead(
no flags Details
smb.conf file (from one cluster node) - all nodes are identically configured. (1.50 KB, text/plain)
2009-06-01 17:45 UTC, John H Terpstra (mail address dead(
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra (mail address dead( 2009-06-01 17:41:09 UTC
Use case of samba-3.3.4 with CTDB support on RHEL5.3.

Windows XP Pro users can map drives and use them without problem.
smbclient can connect using kerberos tickets without problems.

A business application that uses a UNC name and/or an already mapped drive connection fails attempting to do a connection setup.

Attached are:
    smb.conf
    wireshark capture
    loglevel 10 log file

Any pointers to help resolve this?
Comment 1 John H Terpstra (mail address dead( 2009-06-01 17:43:06 UTC
Created attachment 4230 [details]
Network capture in PCAP format
Comment 2 John H Terpstra (mail address dead( 2009-06-01 17:44:35 UTC
Created attachment 4231 [details]
Loglevel 10 log file.
Comment 3 John H Terpstra (mail address dead( 2009-06-01 17:45:18 UTC
Created attachment 4232 [details]
smb.conf file (from one cluster node) - all nodes are identically configured.
Comment 4 John H Terpstra (mail address dead( 2009-06-01 17:50:49 UTC
Elevating priority because this problem is breaking application use.  Feel free to reset the priority level.
Comment 5 Jeremy Allison 2009-06-01 17:58:05 UTC
The relevent part of the log is here:

[2009/06/01 16:54:50,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

See this page:

http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

"In general, this means that the encryption key stored in a keytab doesn't
match the key stored in the KDC for a particular principal. As mentioned
above, generating a new key will fix this problem. Note that you'll need to
get rid of any old cached tickets by using kdestroy, otherwise the various
Kerberos programs will continue to use an old ticket encrypted with the
wrong encryption key."

Jeremy.
Comment 6 John H Terpstra (mail address dead( 2009-06-03 10:29:32 UTC
Thanks. The problem was due to errant application behavior as a result of incorrect configuration. The matter has been fully resolved.  Jeremy's feedback helped to locate the cause.

- John T.