Ephi,

I think I had the same problem once upon a time. I haven't seen your krb5.conf, but I added the following to mine in the [libdefaults] section:

default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5

That cleared up the problem. HTH.

Dimitri

On Tuesday June 14 2005 10:04 pm, Ephi Dror wrote:
> Hi Andrew,
>
> I upgraded krb5 libs to 1.3.3 and now the error became "Decrypt
> integrity check failed".
>
> I rebooted my AD server and the SAMBA server just in case.
>
> Here is the log:
>
> [2005/06/14 18:14:30, 3, pid=17668]
> libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
>   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
> Decrypt integrity check failed
> [2005/06/14 18:14:30, 3, pid=17668]
> libads/kerberos_verify.c:ads_verify_ticket(307)
>   ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
>
> Any idea?
>
> Did I forget to do something so obvious?
>
> Is it anything to do with keytab which I have noticed that if I specify
> "use kerberos keytab = yes" I get an error in net ads join that says:
> [2005/06/14 18:50:43, 1, pid=23237]
> libads/kerberos_keytab.c:ads_keytab_add_entry(236)
>   ads_keytab_add_entry: adding entry to keytab failed (Cannot write to
> specified key table)
> [2005/06/14 18:50:43, 1, pid=23237]
> libads/kerberos_keytab.c:ads_keytab_create_default(418)
>   ads_keytab_create_default: ads_keytab_add_entry failed while adding
> 'host'.
> [2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
>   Error creating host keytab!
> Joined 'SSN217' to realm 'LONDON.STORADINC.COM'
>
> And last, is it to do with kerberos hot fix
> http://support.microsoft.com/kb/833708/
> Just wondering.
>
> Thanks so much in advance for any hint in this complicated area.
>
> Cheers,
> Ephi
>
>
>
> -----Original Message-----
> From: Ephi Dror
> Sent: Tuesday, June 14, 2005 10:28 AM
> To: 'Andrew Bartlett'
> Cc: Samba (samba@lists.samba.org)
> Subject: RE: [Samba] Kerberos enc type [xx] failed
>
> Thank you Andrew for sharing with us your expertise and giving us those
> suggestions.
>
> We really appreciate it.
>
> Cheers,
> Ephi
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 13, 2005 10:15 PM
> To: Ephi Dror
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Kerberos enc type [xx] failed
>
> On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> > Hi All,
> >
> > I am getting Kerberos "enc type" problem that I can't explain:
> >
> >
> > Just a quick background:
> > 1. My samba version is 3.0.6 (will switch to latest soon)
> > 2. My Kerberos version is krb5 1.2.7.
> > 4. Samba joined active directory that has one KDC running win2003
> >    (not sp1)
> > 5. I switched between different domains and join as ADS and domain
> >    many times, could it contribute to this problem?
> >
> > At the moment, I can't switch to latest krb5 package. What is the
> > minimum Kerberos version required by SAMBA?
>
> MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
> maintained since Samba 3.0. Using less than this will cause issues with
> clients that for one reason or another do not possess 'DES' kerberos
> keys.
>
> Kerberos library requirements have been quite a pain in Samba 3.0.
> There are three basic solutions:
>
> - Upgrade your OS to one with a suitable kerberos
> - Upgrade the kerberos libraries on your OS
> - Statically link your Samba install to an upgraded kerberos.
>
> The latter option is what SerNet did/does for their Samba 3.0 packages.
>
> In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
> and the current plan is to ship with a built-in kerberos library.
> (Options for later development allow this to possibly use a system lib,
> but the aim is to shift the pain away from the administrator, who can't
> help the situation much).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                         http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc. http://suse.de
> Authentication Developer, Samba Team    http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
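
The "enc type [3]" in the Samba log and the enctype names in krb5.conf come from the same Kerberos numbering. As an added example (not part of the thread and not Samba code), this script decodes the failing enc type and reports which of the two [libdefaults] settings list it. The enctype table is taken from RFC 3961, RFC 3962 and RFC 4757; the function names are hypothetical.

```python
import re

# Kerberos enctype numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}  # single-DES enctypes, deprecated by RFC 6649
SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes")
FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error\s+(.+)")

def libdefaults_enctypes(conf_text):
    """Return {setting: [enctype names]} read from the [libdefaults] section."""
    section, found = None, {}
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key in SETTINGS:
                found[key] = value.replace(",", " ").split()
    return found

def decrypt_failures(log_text):
    """Return [(enctype number, error text)] for each failure line in a Samba log."""
    return [(int(m.group(1)), m.group(2).strip())
            for m in map(FAIL_RE.search, log_text.splitlines()) if m]

def report(conf_text, log_text):
    """Name each failing enctype and say which krb5.conf settings list it."""
    conf = libdefaults_enctypes(conf_text)
    rows = []
    for number, error in decrypt_failures(log_text):
        name = ENCTYPES.get(number, "unknown")
        rows.append({"enctype": number, "name": name, "error": error,
                     "single_des": number in SINGLE_DES,
                     "listed_in": sorted(k for k, v in conf.items() if name in v)})
    return rows

# Sample input: settings and log message quoted in the thread, wrapped line rejoined.
SAMPLE_CONF = """[libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""
SAMPLE_LOG = """[2005/06/14 18:14:30, 3, pid=17668] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""

if __name__ == "__main__":
    print(*report(SAMPLE_CONF, SAMPLE_LOG), sep="\n")
```

For the thread's input this shows enc type 3 is des-cbc-md5, a single-DES type that both settings list.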