Hi there,

Background:

Samba 3.6.6 compiled from source on Debian Squeeze using the Debian-installed Kerberos (1.8.3) libraries. Running in an Active Directory domain with mixed Win2k Server and Win2k3 Server DCs. Yes, I've been trying to persuade them.

Both WINS and DNS name resolution work on the system. Samba uses the DCs for WINS, and the DCs are also name servers with an additional forwarder (dnsmasq) running on a firewall.

Under normal circumstances, Windows 7 Pro and XP Pro clients have no problems (although a power failure does generally throw a spanner in the works for several hours - may be the subject of another thread).

With the appropriate credentials, 'smbclient' running on the Linux server can connect to shares, but using the same credentials Windows 2000 Pro client workstations can access shares only by IP, not name.

Searching the archives, this seems to be a very common problem which has sometimes been solved and sometimes not. I've tried setting "kerberos method = secrets and keytab" in smb.conf and KB833708, both to no avail.

8<----------------------------------------------------------------------
c:\>net view palatine
System error 5 has occurred.

Access is denied.

c:\>net view 192.168.0.250
Shared resources at 192.168.0.250

Samba server

Share name ...
8<----------------------------------------------------------------------

Samba logs show in this case:

[2012/10/17 12:07:02.607012, 3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted

which indicates that the Kerberos libraries are not permitting the encryption type, either because it is not available in the libraries or because it's restricted by the config. I believe the encryption type to be available in these libraries, so my guess is that it is not being permitted for some reason. I postulate that it's considered a weak type, so I propose to permit weak encryption types.

Questions:

1. If for example I were to make a change in /etc/krb5.conf to permit less secure encryption types by setting

   [libdefaults]
           allow_weak_crypto = 1

   do I have to restart Samba for the change to take effect? The reason for the question is that restarting Samba in this situation causes a good deal of grief for the users, so I'd rather not have to do it.

2. Is there a way to ask Samba what encryption types will be allowed and what types will not be allowed?

3. Is there a definitive list of the encryption types and the integers used to refer to them in the Samba logs?

4. Is there some kind of 'graceful' Samba restart which users wouldn't dislike so much? :)

I've been R-ing the FM and searching archives for a couple of weeks solid now and it's starting to hurt, so any pointers to bits of the FM to R will be more than welcome.

--
73,
Ged.
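An added example, not part of the original post and not Samba or MIT krb5 code: a small triage script that pulls the failing enctype numbers out of Samba log records like the one quoted in the post, names them using the IANA Kerberos enctype numbers, and shows them beside the `[libdefaults]` settings in krb5.conf that can restrict enctypes. The function names `libdefaults` and `triage` are hypothetical, the sample krb5.conf is constructed, and only a common subset of enctype numbers is included.

```python
import re
from collections import Counter

# Kerberos enctype numbers (IANA registry; RFC 3961, 3962, 4757), MIT krb5 names.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
            24: "arcfour-hmac-exp"}
WEAK = {1, 2, 3, 24}  # listed as weak in the MIT krb5 docs (allow_weak_crypto)
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}
FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section of krb5.conf."""
    section, out = None, {}
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def triage(log_text, conf_text):
    """One row per failing enctype, beside the settings that can restrict it."""
    conf = libdefaults(conf_text)
    counts = Counter((int(n), e.strip()) for n, e in FAIL_RE.findall(log_text))
    # Exact names and the aliases above only; families ("aes") are not expanded.
    listed = [ALIASES.get(n, n) for n in
              re.split(r"[\s,]+", conf.get("permitted_enctypes", "")) if n]
    rows = []
    for (num, err), count in sorted(counts.items()):
        name = ENCTYPES.get(num, "unknown")
        rows.append({"enctype": num, "name": name, "error": err,
                     "count": count, "weak": num in WEAK,
                     "allow_weak_crypto": conf.get("allow_weak_crypto"),
                     "in_permitted_enctypes": name in listed if listed else None})
    return rows

# Constructed sample input: the log record from the post and a made-up krb5.conf.
SAMPLE_LOG = ("[2012/10/17 12:07:02.607012, 3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)\n"
              "  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted\n")
SAMPLE_CONF = ("[libdefaults]\n    allow_weak_crypto = 1\n"
               "    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n")
if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(row)
```

An `in_permitted_enctypes` value of `None` means the file sets no `permitted_enctypes`, so the library's built-in default list applies.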