The Samba-Bugzilla – Bug 6429
ADS: spnego bad encryption type failure
Last modified: 2009-06-03 10:29:32 UTC
Use case of samba-3.3.4 with CTDB support on RHEL5.3.
Windows XP Pro users can map drives and use them without problem.
smbclient can connect using kerberos tickets without problems.
A business application that uses a UNC name and/or an already mapped drive connection fails attempting to do a connection setup.
loglevel 10 log file
Any pointers to help resolve this?
Created attachment 4230 [details]
Network capture in PCAP format
Created attachment 4231 [details]
Loglevel 10 log file.
Created attachment 4232 [details]
smb.conf file (from one cluster node) - all nodes are identically configured.
Elevating priority because this problem is breaking application use. Feel free to reset the priority level.
The relevent part of the log is here:
[2009/06/01 16:54:50, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
ads_secrets_verify_ticket: enc type  failed to decrypt with error Decrypt integrity check failed
See this page:
"In general, this means that the encryption key stored in a keytab doesn't
match the key stored in the KDC for a particular principal. As mentioned
above, generating a new key will fix this problem. Note that you'll need to
get rid of any old cached tickets by using kdestroy, otherwise the various
Kerberos programs will continue to use an old ticket encrypted with the
wrong encryption key."
Thanks. The problem was due to errant application behavior as a result of incorrect configuration. The matter has been fully resolved. Jeremy's feedback helped to locate the cause.
- John T.