[Samba] Re: bad encryption type when accessing AD member server

2003-10-02 Thread Alexander List
On Thu, 2 Oct 2003, Derek T. Yarnell wrote:

> Can you send me your working krb5.conf file? I am having the same
> problem (not running debian) and trying to figure out what I need to
> have in it is a pain.

Less is more in this case.

Try _removing_ anything about the enctypes in krb5.conf and only define
the realm, like mentioned in the Samba HOWTO collection:

http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790

If you use the mentioned minimal config, everything should work fine.

Alex

-- 
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
--Benjamin Franklin, 1759





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: bad encryption type when accessing AD member server

2003-10-02 Thread Derek T. Yarnell
But that is not working correctly,

[EMAIL PROTECTED] samba]# cat /etc/krb5.conf
[libdefaults]
 default_realm = PC.CS.UMD.EDU

[realms]
 PC.CS.UMD.EDU = {
  kdc = krycek.pc.cs.umd.edu:88
 }

Still won't work correctly,

[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] passdb/secrets.c:secrets_named_mutex_release(709)
  secrets_named_mutex: released mutex for replay cache mutex
[2003/10/02 15:40:25, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Anyone know what the encryption types [1,2,3] etc... are?

Built with krb5-1.3.1; as far as I can find from the krb5 source, these are
the encryption types,

0   des-cbc-crc
1   des-cbc-md4
2   des-cbc-md5
3   des
4   des-cbc-raw
5   des3-cbc-raw
6   des3-cbc-sha1
7   des3-hmac-sha1
8   des3-cbc-sha1-kd
9   des-hmac-sha1
10  arcfour-hmac
11  rc4-hmac
12  arcfour-hmac-md5
13  arcfour-hmac-exp
14  rc4-hmac-exp
15  arcfour-hmac-md5-exp
16  aes128-cts-hmac-sha1-96
17  aes128-cts
18  aes256-cts-hmac-sha1-96
19  aes256-cts

On Thu, Oct 02, 2003 at 07:11:43PM +0200, Alexander List wrote:
> On Thu, 2 Oct 2003, Derek T. Yarnell wrote:
>
> > Can you send me your working krb5.conf file? I am having the same
> > problem (not running debian) and trying to figure out what I need to
> > have in it is a pain.
>
> Less is more in this case.
>
> Try _removing_ anything about the enctypes in krb5.conf and only define
> the realm, like mentioned in the Samba HOWTO collection:
>
> http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790
>
> If you use the mentioned minimal config, everything should work fine.
>
> Alex
>
> --
> They that can give up essential liberty to obtain a little temporary safety
> deserve neither liberty nor safety.
>   --Benjamin Franklin, 1759

-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
[EMAIL PROTECTED]


Re: [Samba] Re: bad encryption type when accessing AD member server

2003-10-02 Thread Jeremy Allison
On Thu, Oct 02, 2003 at 04:16:40PM -0400, Derek T. Yarnell wrote:
> But that is not working correctly,
>
> [EMAIL PROTECTED] samba]# cat /etc/krb5.conf
> [libdefaults]
>  default_realm = PC.CS.UMD.EDU
>
> [realms]
>  PC.CS.UMD.EDU = {
>   kdc = krycek.pc.cs.umd.edu:88
>  }
>
> Still won't work correctly,
>
> [2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
> [2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
> [2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> [2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
> [2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
> [2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
>   ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
> [2003/10/02 15:40:25, 10] passdb/secrets.c:secrets_named_mutex_release(709)
>   secrets_named_mutex: released mutex for replay cache mutex
> [2003/10/02 15:40:25, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> Anyone know what the encryption types [1,2,3] etc... are?
>
> Built with krb5-1.3.1; as far as I can find from the krb5 source, these are
> the encryption types,
>
> 0   des-cbc-crc
> 1   des-cbc-md4
> 2   des-cbc-md5
> 3   des
> 4   des-cbc-raw
> 5   des3-cbc-raw
> 6   des3-cbc-sha1
> 7   des3-hmac-sha1
> 8   des3-cbc-sha1-kd
> 9   des-hmac-sha1
> 10  arcfour-hmac
> 11  rc4-hmac
> 12  arcfour-hmac-md5
> 13  arcfour-hmac-exp
> 14  rc4-hmac-exp
> 15  arcfour-hmac-md5-exp
> 16  aes128-cts-hmac-sha1-96
> 17  aes128-cts
> 18  aes256-cts-hmac-sha1-96
> 19  aes256-cts

I think the enc-type you need is type 23 which I believe is rc4-md4.

Jeremy.


Re: [Samba] Re: bad encryption type when accessing AD member server

2003-10-02 Thread Derek T. Yarnell
So understanding that, I get this error,

[2003/10/02 17:10:23, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

Any suggestions to where to look to find this one? Could it be something
with the Win2k3 server?

[EMAIL PROTECTED] samba]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/03 17:06:16  10/03/03 03:06:20  krbtgt/[EMAIL PROTECTED]
        renew until 10/02/03 18:06:16, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So I am getting ArcFour tickets by default here.


On Thu, Oct 02, 2003 at 03:53:34PM -0500, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
>
> |14  rc4-hmac-exp
> |15  arcfour-hmac-md5-exp
> |16  aes128-cts-hmac-sha1-96
> |17  aes128-cts
> |18  aes256-cts-hmac-sha1-96
> |19  aes256-cts
> |
> |
> | I think the enc-type you need is type 23 which I believe is rc4-md4.
>
> I think you mean RC4-HMAC
>
> jerry

-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
[EMAIL PROTECTED]
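
An added example, not part of any poster's message and not Samba code: a small Python triage of the `ads_verify_ticket` lines quoted in this thread. It assumes the IANA-assigned Kerberos enctype numbers and the usual reading of the two errors ("Bad encryption type": the key tried has a different enctype than the ticket; "Decrypt integrity check failed": the enctype matches but the key does not); the function names are illustrative.

```python
import re

# IANA-assigned Kerberos enctype numbers (RFC 3961, 3962, 4757).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Usual reading of the two errors (an assumption of this example).
VERDICT = {
    "Bad encryption type": "enctype mismatch",      # key tried is another enctype
    "Decrypt integrity check failed": "wrong key",  # right enctype, key does not fit
}
MSG = re.compile(
    r"enc type \[(\d+)\] failed to decrypt with error "
    r"(Bad encryption type|Decrypt integrity\s+check failed)")

def triage(log_text):
    """Map each enctype number in the log to (name, verdict)."""
    out = {}
    for num, err in MSG.findall(log_text):
        err = " ".join(err.split())  # rejoin messages wrapped by the mailer
        out[int(num)] = (ETYPES.get(int(num), "unassigned/unknown"), VERDICT[err])
    return out

def ticket_etypes(results):
    """Enctypes where decryption got as far as the integrity check."""
    return sorted(n for n, (_, v) in results.items() if v == "wrong key")

# Message lines copied from the log quoted in this thread (headers omitted).
SAMPLE = """\
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity 
check failed
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
"""

if __name__ == "__main__":
    results = triage(SAMPLE)
    for num in sorted(results):
        print(f"etype {num:>2} {results[num][0]:<24} {results[num][1]}")
    print("ticket enctype candidates:", ticket_etypes(results))
```

On the thread's log this singles out enctype 23 (rc4-hmac), consistent with the ArcFour tickets shown by `klist -e`: under the reading assumed above, the enctype is right and the key tried does not match the ticket, which points toward the stored machine account secret or key version rather than toward enctype settings in krb5.conf.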