Rick Brown wrote:
I think the only accurate test would be in a 2k environment, I have definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages regardless of what version of Samba is being used. The behavior I tend to see in a 2k3 environment is that Samba/Kerberos will work quite happily for about 90 days and then the DC will issue a ticket that the older versions of MIT kerberos can't handle. However when using 2k this really didn't appear to be a problem until upgrading to the 3.0.6 versions. Hopefully I'll be able to get a 2k environment set up soon to test against...I don't understand how the Samba package could in any way be responsible for these kerberos-like problems but that is what appears to be the case at this point.

On Sun, 5 Sep 2004, Christian Merrill wrote:
Gerald (Jerry) Carter wrote:
Christian Merrill wrote:
| Running into a lot of people upgrading to the 3.0.6
| package that all of a sudden begin to experience
| the "Failed to verify incoming ticket!" errors
| etc., that are generally associated with a kerberos
| package incompatibility.
|
| However many of these people are running later
| versions of kerberos *and* reverting to a previous
| version of Samba appears to fix the issue. Is there
| something new setting wise that has taken place, is
| something really wrong with this new package, or
| is this all just a strange coincidence?

I've not been able to reproduce this or track it down. Is there a consensus whether this is a specific issue with using MIT or Heimdal? Or with Windows 2000 or 2003 DCs?
Any details would be helpful. I've created a bug report at
https://bugzilla.samba.org/show_bug.cgi?id=1739
Well from my end (Redhat) the behavior is indicative of a known issue with the MIT kerberos 1.2.x packages that we currently support and Win2k3 DCs...however Win2k DCs have been operating fine as far as I know. What I am seeing are customers who were previously running upgrade to the 3.0.6 samba package and then start to encounter these errors. If they downgrade the samba package the problem goes away. I've also noticed a few other posts from users on other distros such as Debian encountering very similar behavior.
On the surface it really looks like a kerberos problem, but people are
reporting that it seems to be directly linked to the samba package. My
current test environment is on 2k3 so I'm still in the process of
setting up a 2k AD environment to do testing on...at this point just
relaying feedback that I am getting from others.
I've seen this problem on a new machine/samba install. Our DC recently changed from 2k to 2k3, and I believe that might be part of the cause of the problem. I have 2 samba machines (running 3.0.2) that I joined into the realm when our DC was 2k, they still work great. Last week I brought a new machine online (running 3.0.4) joined the realm with no problems, but then proceeded to get the following error:
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
when authenticating. I've since downgraded to 3.0.2 with no success, and tried upgrading to 3.0.6 with no success.
Oh yeah, these are Solaris 9 boxes with kerberos 1.2.5 (fully patched). Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of red tape... so that's not an option. IMO, MIT krb is not the problem, as the two existing machines still work fine. I think it might have something to do with the way AD in 2k3 is storing the cifs and host keys.
[ Rick Brown ][ (404) 894-6175 ] [ Office of Information Technology ][ [EMAIL PROTECTED] ] [ Georgia Institute of Technology ][ 258 4th street. Atlanta, GA ]
I should also mention that Redhat's packages are somewhat different from the actual ones provided by samba.org -- I am mainly looking at this on the RHEL3 platform, however I have seen some similar issues reported by people using other distros.
Christian
