Bug 6429 - ADS: spnego bad encryption type failure
Product: Samba 3.3
Classification: Unclassified
Component: Clustering
Hardware: Other Linux
Importance: P3 normal
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2009-06-01 17:41 UTC by John H Terpstra
Modified: 2009-06-03 10:29 UTC (History)

Network capture in PCAP format (220.08 KB, application/octet-stream)
2009-06-01 17:43 UTC, John H Terpstra
Loglevel 10 log file. (420.50 KB, text/plain)
2009-06-01 17:44 UTC, John H Terpstra
smb.conf file (from one cluster node) - all nodes are identically configured. (1.50 KB, text/plain)
2009-06-01 17:45 UTC, John H Terpstra

Description John H Terpstra 2009-06-01 17:41:09 UTC
Use case of samba-3.3.4 with CTDB support on RHEL5.3.

Windows XP Pro users can map drives and use them without problem.
smbclient can connect using kerberos tickets without problems.

A business application that uses a UNC name and/or an already mapped drive connection fails attempting to do a connection setup.

Attached are:
    wireshark capture
    loglevel 10 log file

Any pointers to help resolve this?
Comment 1 John H Terpstra 2009-06-01 17:43:06 UTC
Created attachment 4230
Network capture in PCAP format
Comment 2 John H Terpstra 2009-06-01 17:44:35 UTC
Created attachment 4231
Loglevel 10 log file.
Comment 3 John H Terpstra 2009-06-01 17:45:18 UTC
Created attachment 4232
smb.conf file (from one cluster node) - all nodes are identically configured.
Comment 4 John H Terpstra 2009-06-01 17:50:49 UTC
Elevating priority because this problem is breaking application use.  Feel free to reset the priority level.
Comment 5 Jeremy Allison 2009-06-01 17:58:05 UTC
The relevant part of the log is here:

[2009/06/01 16:54:50,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

See this page:


"In general, this means that the encryption key stored in a keytab doesn't
match the key stored in the KDC for a particular principal. As mentioned
above, generating a new key will fix this problem. Note that you'll need to
get rid of any old cached tickets by using kdestroy, otherwise the various
Kerberos programs will continue to use an old ticket encrypted with the
wrong encryption key."
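
Added example, not part of the bug thread or of Samba's code: a small triage script that pulls the ticket-decrypt failures pointed out in comment 5 from a Samba debug log and names the encryption type involved. The function names are hypothetical, the enctype table is a subset of the IANA Kerberos registry, and the second log entry in the sample is constructed.

```python
import re
from collections import Counter

# Subset of the IANA "Kerberos Encryption Type Numbers" registry.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Samba 3.x debug header: "[date time,  level] file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<where>\S+)")
# Message text as it appears in the log quoted in comment 5.
FAILURE = re.compile(r"enc type \[(?P<etype>\d+)\] failed to decrypt with error (?P<err>.+)$")

def decrypt_failures(lines):
    """Yield one dict per decrypt failure, paired with the header line above it."""
    header = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        f = FAILURE.search(line)
        if f:
            etype = int(f["etype"])
            yield {
                "time": header["ts"] if header else None,
                "where": header["where"] if header else None,
                "etype": etype,
                "etype_name": ENCTYPES.get(etype, "unknown"),
                "error": f["err"].strip(),
            }

def summarize(lines):
    """Count failures per (enctype name, error) so a repeated mismatch stands out."""
    return Counter((f["etype_name"], f["error"]) for f in decrypt_failures(lines))

# Sample input: the two lines quoted in comment 5, plus one constructed,
# unrelated entry to show that other log messages are ignored.
SAMPLE = """\
[2009/06/01 16:54:50,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2009/06/01 16:54:51,  5] lib/example.c:example_function(1)
  constructed line that is not a decrypt failure
""".splitlines()

if __name__ == "__main__":
    for (name, err), count in summarize(SAMPLE).items():
        print(count, name, err)
```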

Comment 6 John H Terpstra 2009-06-03 10:29:32 UTC
Thanks. The problem was due to errant application behavior as a result of incorrect configuration. The matter has been fully resolved.  Jeremy's feedback helped to locate the cause.

- John T.