[Samba] Re: bad encryption type when accessing AD member server
On Thu, 2 Oct 2003, Derek T. Yarnell wrote:

> Can you send me your working krb5.conf file? I am having the same
> problem (not running debian) and trying to figure out what I need to
> have in it is a pain.

Less is more in this case. Try _removing_ anything about the enctypes in krb5.conf and only define the realm, like mentioned in the Samba HOWTO collection:

http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790

If you use the mentioned minimal config, everything should work fine.

Alex

--
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin, 1759

[Samba] Re: bad encryption type when accessing AD member server
But that is not working correctly,

[EMAIL PROTECTED] samba]# cat /etc/krb5.conf
[libdefaults]
    default_realm = PC.CS.UMD.EDU

[realms]
    PC.CS.UMD.EDU = {
        kdc = krycek.pc.cs.umd.edu:88
    }

Still won't work correctly,

[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] passdb/secrets.c:secrets_named_mutex_release(709)
  secrets_named_mutex: released mutex for replay cache mutex
[2003/10/02 15:40:25, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Anyone know what the encryption types [1,2,3] etc... are?

Built with krb5-1.3.1, as far from the krb5 source I find that these are the encryption types,

 0 des-cbc-crc
 1 des-cbc-md4
 2 des-cbc-md5
 3 des
 4 des-cbc-raw
 5 des3-cbc-raw
 6 des3-cbc-sha1
 7 des3-hmac-sha1
 8 des3-cbc-sha1-kd
 9 des-hmac-sha1
10 arcfour-hmac
11 rc4-hmac
12 arcfour-hmac-md5
13 arcfour-hmac-exp
14 rc4-hmac-exp
15 arcfour-hmac-md5-exp
16 aes128-cts-hmac-sha1-96
17 aes128-cts
18 aes256-cts-hmac-sha1-96
19 aes256-cts

On Thu, Oct 02, 2003 at 07:11:43PM +0200, Alexander List wrote:
> On Thu, 2 Oct 2003, Derek T. Yarnell wrote:
>
> > Can you send me your working krb5.conf file? I am having the same
> > problem (not running debian) and trying to figure out what I need to
> > have in it is a pain.
>
> Less is more in this case. Try _removing_ anything about the enctypes in
> krb5.conf and only define the realm, like mentioned in the Samba HOWTO
> collection:
>
> http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790
>
> If you use the mentioned minimal config, everything should work fine.
>
> Alex
>
> --
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. --Benjamin Franklin, 1759

--
---
Derek T. Yarnell
University of Maryland
Computer Science Department
Unix Staff
[EMAIL PROTECTED]

Re: [Samba] Re: bad encryption type when accessing AD member server
On Thu, Oct 02, 2003 at 04:16:40PM -0400, Derek T. Yarnell wrote:
> But that is not working correctly,
>
> [EMAIL PROTECTED] samba]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = PC.CS.UMD.EDU
>
> [realms]
>     PC.CS.UMD.EDU = {
>         kdc = krycek.pc.cs.umd.edu:88
>     }
>
> Still won't work correctly,
>
> [2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
> [2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
> [2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> [2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
> [2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
> [2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
> [2003/10/02 15:40:25, 10] passdb/secrets.c:secrets_named_mutex_release(709)
>   secrets_named_mutex: released mutex for replay cache mutex
> [2003/10/02 15:40:25, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> Anyone know what the encryption types [1,2,3] etc... are?
>
> Built with krb5-1.3.1, as far from the krb5 source I find that these are
> the encryption types,
>
>  0 des-cbc-crc
>  1 des-cbc-md4
>  2 des-cbc-md5
>  3 des
>  4 des-cbc-raw
>  5 des3-cbc-raw
>  6 des3-cbc-sha1
>  7 des3-hmac-sha1
>  8 des3-cbc-sha1-kd
>  9 des-hmac-sha1
> 10 arcfour-hmac
> 11 rc4-hmac
> 12 arcfour-hmac-md5
> 13 arcfour-hmac-exp
> 14 rc4-hmac-exp
> 15 arcfour-hmac-md5-exp
> 16 aes128-cts-hmac-sha1-96
> 17 aes128-cts
> 18 aes256-cts-hmac-sha1-96
> 19 aes256-cts

I think the enc-type you need is type 23 which I believe is rc4-md4.

Jeremy.

Re: [Samba] Re: bad encryption type when accessing AD member server
So understanding that, I get this error,

[2003/10/02 17:10:23, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

Any suggestions to where to look to find this one? Could it be something with the Win2k3 server?

[EMAIL PROTECTED] samba]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/03 17:06:16  10/03/03 03:06:20  krbtgt/[EMAIL PROTECTED]
        renew until 10/02/03 18:06:16, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So I am getting ArcFour tickets by default here.

On Thu, Oct 02, 2003 at 03:53:34PM -0500, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
>
> |14 rc4-hmac-exp
> |15 arcfour-hmac-md5-exp
> |16 aes128-cts-hmac-sha1-96
> |17 aes128-cts
> |18 aes256-cts-hmac-sha1-96
> |19 aes256-cts
> |
> | I think the enc-type you need is type 23 which I believe is rc4-md4.
>
> I think you mean RC4-HMAC
>
> jerry

--
---
Derek T. Yarnell
University of Maryland
Computer Science Department
Unix Staff
[EMAIL PROTECTED]
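
Added example, not part of the thread and not Samba code: a small triage script for the `ads_verify_ticket` log lines quoted above. It labels each attempt with the IANA-assigned Kerberos enctype number (the value logged as `enc type [N]`) and separates "wrong enctype tried" from "right enctype, wrong key". The function name, the verdict strings and the reading of the two error messages are assumptions of this example.

```python
import re

# IANA-assigned Kerberos enctype numbers (the values logged as "enc type [N]").
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

ATTEMPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+?)\s*$")

# Sample input: three of the log entries quoted in the thread above.
SAMPLE_LOG = """\
[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
"""

def triage(log_text):
    """Return (attempts, key_mismatch_enctypes, verdict) for an smbd log excerpt."""
    attempts = []
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            num = int(m.group(1))
            attempts.append((num, ENCTYPE_NAMES.get(num, "unknown"), m.group(2)))
    # Assumed reading of the krb5 errors: "Bad encryption type" means the
    # ticket was not encrypted with the enctype tried; "Decrypt integrity
    # check failed" means the enctype matched but the key did not.
    key_mismatch = sorted({n for n, _, err in attempts if "integrity check" in err})
    if key_mismatch:
        verdict = "key-mismatch"          # compare the stored machine secret with the KDC's
    elif attempts:
        verdict = "enctype-not-offered"   # the ticket uses an enctype that was never tried
    else:
        verdict = "no-attempts"
    return attempts, key_mismatch, verdict

if __name__ == "__main__":
    attempts, matched, verdict = triage(SAMPLE_LOG)
    for num, name, err in attempts:
        print(f"{num:>3} {name:<26} {err}")
    print(verdict, [ENCTYPE_NAMES.get(n, n) for n in matched])
```

On the sample lines the verdict is `key-mismatch` for enctype 23, which agrees with the `klist -e` output in the last message showing ArcFour with HMAC/md5 tickets.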