*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
*** Failed to verify incoming ticket!
*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) [lnx251
enctype 3 is DES_CBC_MD5:

#define ENCTYPE_DES_CBC_MD5 0x0003 /* DES cbc mode with RSA-MD5 */

verified lnx251$ is using des-cbc-md5.

[EMAIL PROTECTED]/home/al> klist -e
Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/[EMAIL PROTECTED]
        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  [EMAIL PROTECTED]
        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
There are some issues with using des-cbc-md5 where the DNS domain is not the same as the REALM domain DNS. The salt used by MS will not be the same as the salt used on the linux box.
You need to get to rc4-hmac for authentication, which doesn't use a salt.
You probably have a userAccountControl defined like this:
userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );
Subtract 0x200000 (2097152 dec) from the field using adsiedit.msc. Then the MS KDC will use rc4-hmac instead of DES encryption. Make sure the KDC ticket cache is flushed of any reference to the DES ticket and try again.
However, if you didn't add the UF_USE_DES_KEY_ONLY, then samba added it automatically because samba thinks you don't have rc4-hmac available.
libads/ldap.c line 1392 svn 2929
#ifndef ENCTYPE_ARCFOUR_HMAC
acct_control |= UF_USE_DES_KEY_ONLY;
#endif
So the compiled version of samba you have would have been compiled against a version of kerberos that didn't have rc4-hmac available. No way out of that except to recompile samba against your current kerberos or get a different pre-compiled binary.
For the instance of DNS domain != REALM, I have to add the SPN for host/fqdn like you did.

o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short hostnames
o The machine with the share is a member of the domain, thanks to net ads join... I had to use Microsoft's setspn.exe to add service principal names, though, because when the machine joined the domain, the SPNs were host/lnx251.na.company.com instead of host/lnx251.company.com, etc. Afterwards, the keytab was populated with 'net ads keytab'.
I also had to add a DNS record for lnx251.na.company.com for the MS KDC as well as the lnx251.company.com for the linux box forward and reverse lookups. Never tried it with hosts files. But c:\winnt\system32\drivers\etc\hosts would need the lnx251.na.company.com
Regards, Doug
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
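The two checks Doug's reply relies on, decoding the userAccountControl bits on the machine account and spotting which service tickets in `klist -e` still carry a single-DES enctype, can be scripted. The following is an added example, not code from the thread or from Samba; the flag values are the standard AD userAccountControl bits named in the message, and the klist sample is constructed to mirror the anonymised output above (principal names such as al@EXAMPLE.COM and host/lnx251.example.com@EXAMPLE.COM are placeholders).

```python
"""Decode userAccountControl and find single-DES tickets in `klist -e` output.

Added example; the flag constants are the standard AD bit values, the sample
klist text is constructed (principals are placeholders, not real accounts).
"""
import re

# userAccountControl bits relevant to this thread (AD schema values)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000

UAC_FLAG_NAMES = {
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_USE_DES_KEY_ONLY: "UF_USE_DES_KEY_ONLY",
}


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value, lowest
    bit first; bits this table does not know are reported as hex."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAG_NAMES.get(mask, hex(mask)))
    return names


def clear_des_only(value):
    """Clear UF_USE_DES_KEY_ONLY with a mask instead of subtracting 0x200000,
    so running it on an account that already lacks the bit changes nothing."""
    return value & ~UF_USE_DES_KEY_ONLY


# klist -e prints a ticket line (start, expiry, service principal) followed by
# an indented line carrying the renew time and "Etype (skey, tkt): X, Y".
_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
_ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def parse_klist(output):
    """Map each service principal in `klist -e` output to (skey, tkt) enctypes."""
    tickets = {}
    current = None
    for line in output.splitlines():
        m = _TICKET_RE.match(line.strip())
        if m:
            current = m.group(3)
            continue
        m = _ETYPE_RE.search(line)
        if m and current:
            tickets[current] = (m.group(1), m.group(2))
    return tickets


def is_single_des(enctype_name):
    """True for des-cbc-* enctypes as klist names them; excludes des3/Triple DES."""
    n = enctype_name.strip().lower()
    return n.startswith("des ") or n.startswith("des-")


def des_service_principals(output):
    """Service principals whose ticket (tkt) enctype is single DES."""
    return sorted(
        spn for spn, (_skey, tkt) in parse_klist(output).items()
        if is_single_des(tkt)
    )


# Constructed sample modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: al@EXAMPLE.COM

Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  host/lnx251.example.com@EXAMPLE.COM
\trenew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""

if __name__ == "__main__":
    uac = 0x211000
    print("userAccountControl %#x = %s" % (uac, " | ".join(decode_uac(uac))))
    print("without UF_USE_DES_KEY_ONLY: %#x" % clear_des_only(uac))
    print("tickets still using single DES:", des_service_principals(SAMPLE_KLIST))
```

Run it against real output with `klist -e | python3 check_des.py` style piping if you replace `SAMPLE_KLIST` with `sys.stdin.read()`; the flag decoder is the thing to run before and after editing the account in adsiedit.msc, since a masked clear is idempotent while a plain subtraction would corrupt the value if the bit had already been removed.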
