On 22.11-10:58, Guenther Deschner wrote: > > > > -------------------------------------- 8< > > -------------------------------------- > > [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695) > > smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption > > type > > [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666) > > check_pac_checksum: PAC Verification failed: Bad encryption type > > (-1765328196) > > [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876) > > decode_pac_data: failed to verify PAC server signature > > [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416) > > ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED > > -------------------------------------- 8< > > -------------------------------------- > > Then you most probably are forced to use DES keys when authenticating with > Kerberos on your OS, right? PAC verification must then fail due to a bug > in Windows (which fails to put DES-based checksum into the PAC > signatures), so we can't verify the signature. What exact Kerberos library > are you using (version) ? >
Today, I recreated the AD computer account. After issuing the ktpass command on the domain controller, it said indeed: "Account has been set for DES-only encryption" Did I understand this correctly, that this is the desired behaviour? Or should I specify -DESOnly? -- ---------------------------------------------------------------------- Christoph Kaegi [EMAIL PROTECTED] ---------------------------------------------------------------------- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
