Ross, Alex wrote:
Christian,
FYI: win2k SP4 on AD causes Win3K-like behavior of forcing Kerberos
Ticket signing
http://support.microsoft.com/default.aspx?scid=kb;en-us;811422
So on win2k ad this breaks krb5 before 1.3.x...
-Alex
-----Original Message-----
From: Christian Merrill [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 05, 2004 9:34 AM
To: Rick Brown
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos
Rick Brown wrote:
On Sun, 5 Sep 2004, Christian Merrill wrote:
Gerald (Jerry) Carter wrote:
Christian Merrill wrote:
| Running into a lot of people upgrading to the 3.0.6
| package that all of a sudden begin to experience
| the "Failed to verify incoming ticket!" errors
| etc., that are generally associated with a kerberos
| package incompatibility.
|
| However many of these people are running later
| versions of kerberos *and* reverting to a previous
| version of Samba appears to fix the issue. Is there
| something new setting wise that has taken place, is
| something really wrong with this new package, or
| is this all just a strange coincidence?
I've not been able to reproduce this or track it down.
Is there a consensus whether this is a specific issue
with using MIT or Heimdal ? Or with Windows 2000 or
2003 DCs ?
Any details would be helpful. I've created bug report at
https://bugzilla.samba.org/show_bug.cgi?id=1739
Well from my end (Redhat) the behavior is indicative of a known issue
with the MIT kerberos 1.2.x packages that we currently support and
Win2k3 DC's...however Win2k DC's have been operating fine as far as I
know. What I am seeing are customers who were previously running
upgrade to the 3.0.6 samba package and then start to encounter these
errors. If they downgrade the samba package the problem goes away.
I've also noticed a few other posts from users on other distros such as
Debian encountering very similar behavior.
On the surface it really looks like a kerberos problem, but people are
reporting that it seems to be directly linked to the samba package. My
current test environment is on 2k3 so I'm still in the process of
setting up a 2k AD environment to do testing on...at this point just
relaying feedback that I am getting from others.
I've seen this problem on a new machine/samba install..
Our DC recently changed from 2k to 2k3, and I believe that might
be part of the cause of the problem. I have 2 samba machines (running
3.0.2) that I joined into the realm when our DC was 2k, they still work
great. Last week I brought a new machine online (running 3.0.4), joined
the realm with no problems, but then proceeded to get the following
error:
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
when authenticating.. I've since downgraded to 3.0.2 with no success,
and tried upgrading to 3.0.6 with no success.
Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
red tape... so that's not an option. IMO, MIT krb is not the problem, as
the two existing machines still work fine. I think it might have
something to do with the way AD in 2k3 is storing the cifs and host
keys.
[ Rick Brown ][ (404) 894-6175 ]
[ Office of Information Technology ][ [EMAIL PROTECTED] ]
[ Georgia Institute of Technology ][ 258 4th street. Atlanta, GA ]
I think the only accurate test would be in a 2k environment, I have
definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages
regardless of what version of Samba is being used. The behavior I tend
to see in a 2k3 environment is that Samba/Kerberos will work quite
happily for about 90 days and then the DC will issue a ticket that the
older versions of MIT kerberos can't handle. However when using 2k this
really didn't appear to be a problem until upgrading to the 3.0.6
versions. Hopefully I'll be able to get a 2k environment setup soon to
test against...I don't understand how the Samba package could in any way
be responsible for these kerberos-like problems but that is what appears
to be the case at this point.
I should also mention that Redhat's packages are somewhat different from
the actual ones provided by samba.org -- I am mainly looking at this on
the RHEL3 platform, however I have seen some similar issues reported by
people using other distros.
Christian
Checking right now to see what SP level the affected customers are on.
However if this is true I would have to assume that they are not running
SP4 as they are using 1.2.x kerberos packages and (at least according to
them) are functional on any version of Samba 3 prior to 3.0.6.
Christian