Christian,

FYI: win2k SP4 on AD causes Win3K-like behavior of forcing Kerberos Ticket signing:
http://support.microsoft.com/default.aspx?scid=kb;en-us;811422
So on win2k ad this breaks krb5 before 1.3.x...

-Alex

-----Original Message-----
From: Christian Merrill [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 05, 2004 9:34 AM
To: Rick Brown
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

Rick Brown wrote:

>On Sun, 5 Sep 2004, Christian Merrill wrote:
>
>>Gerald (Jerry) Carter wrote:
>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>Christian Merrill wrote:
>>>| Running into a lot of people upgrading to the 3.0.6
>>>| package that all of a sudden begin to experience
>>>| the "Failed to verify incoming ticket!" errors
>>>| etc., that are generally associated with a kerberos
>>>| package incompatibility.
>>>|
>>>| However many of these people are running later
>>>| versions of kerberos *and* reverting to a previous
>>>| version of Samba appears to fix the issue. Is there
>>>| something new setting wise that has taken place, is
>>>| something really wrong with this new package, or
>>>| is this all just a strange coincidence?
>>>
>>>I've not been able to reproduce this or track it down.
>>>Is there a consensus whether this is a specific issue
>>>with using MIT or Heimdal ? Or with Windows 2000 or
>>>2003 DCs ?
>>>
>>>Any details would be helpful. I've created bug report at
>>>https://bugzilla.samba.org/show_bug.cgi?id=1739
>>>
>>Well from my end (Redhat) the behavior is indicative of a known issue
>>with the MIT kerberos 1.2.x packages that we currently support and
>>Win2k3 DC's...however Win2k DC's have been operating fine as far as I
>>know. What I am seeing are customers who were previously running
>>upgrade to the 3.0.6 samba package and then start to encounter these
>>errors. If they downgrade the samba package the problem goes away.
>>I've also noticed a few other posts from users on other distros such as
>>Debian encountering very similar behavior.
>>
>>On the surface it really looks like a kerberos problem, but people are
>>reporting that it seems to be directly linked to the samba package. My
>>current test environment is on 2k3 so I'm still in the process of
>>setting up a 2k AD environment to do testing on...at this point just
>>relaying feedback that I am getting from others.
>>
>
>I've seen this problem on a new machine/samba install..
>Our DC recently changed from 2k to 2k3, and I believe that might
>be part of the cause of the problem. I have 2 samba machines (running
>3.0.2) that I joined into the realm when our DC was 2k, they still work
>great. Last week I brought a new machine online (running 3.0.4) joined
>the realm with no problems, but then proceeded to get the following error:
>
>  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
>
>when authenticating.. I've since downgraded to 3.0.2 with no success,
>and tried upgrading to 3.0.6 with no success.
>
>Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
>Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
>red tape... so that's not an option. IMO, MIT krb is not the problem, as
>the two existing machines still work fine. I think it might have
>something to do with the way AD in 2k3 is storing the cifs and host
>keys.
>
>[ Rick Brown ][ (404) 894-6175 ]
>[ Office of Information Technology ][ [EMAIL PROTECTED] ]
>[ Georgia Institute of Technology ][ 258 4th street. Atlanta, GA ]
>

I think the only accurate test would be in a 2k environment, I have definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages regardless of what version of Samba is being used. The behavior I tend to see in a 2k3 environment is that Samba/Kerberos will work quite happily for about 90 days and then the DC will issue a ticket that the older versions of MIT kerberos can't handle.
However when using 2k this really didn't appear to be a problem until upgrading to the 3.0.6 versions. Hopefully I'll be able to get a 2k environment setup soon to test against...I don't understand how the Samba package could in any way be responsible for these kerberos-like problems but that is what appears to be the case at this point. I should also mention that Redhat's packages are somewhat different from the actual ones provided by samba.org -- I am mainly looking at this on the RHEL3 platform, however I have seen some similar issues reported by people using other distros.

Christian

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba