RE: [Samba] Kerberos enc type [xx] failed

2005-06-17 Thread Ephi Dror
Hi All,

Little update:

After installing kerberos 1.3.3 and recompiling samba against those
libs/include the problem went away!!

I am a little unclear regarding what really needed to be put in
krb5.conf.

At the moment I have them as suggested by Dimitri:
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  default_tgs_enctypes = des-cbc-crc des-cbc-md5

So I don't understand what those defaults do, why put any default, and
why encryption type that is not put in there should have a problem.

Also, if I do need to list all supported etypes, what are they?

What are all the possible etypes that Windows 200x is using?

And one more question. Does Kerberos have important files similar to
secrets.tdb that are kept even after reboot, and where does Kerberos keep
them?

Thanks again for the wonderful support in this complicated issue,

Cheers,
Ephi


-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 14, 2005 8:03 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: RE: [Samba] Kerberos enc type [xx] failed

On Tue, 2005-06-14 at 19:04 -0700, Ephi Dror wrote:
> Hi Andrew,
>
> I upgraded krb5 libs to 1.3.3 and now the error became Decrypt
> integrity check failed.

Just checking, have you rebuilt Samba against the new libs/headers?

We detect the older libs, and do workarounds that you don't want any
more.  

Also, how did you upgrade the kerberos libs?  I meant to say in my
original mail that it is known to be a very painful process, so I wonder
if the libs you installed are the ones you are using.  Check what
configure said, and what ldd says. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Kerberos enc type [xx] failed

2005-06-15 Thread Dimitri Yioulos
Ephi,

I think I had the same problem once upon a time.  I haven't seen your 
krb5.conf, but I added the following to mine in the [libdefaults] section:

 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

That cleared up the problem.

HTH.

Dimitri


On Tuesday June 14 2005 10:04 pm, Ephi Dror wrote:
 Hi Andrew,

 I upgraded krb5 libs to 1.3.3 and now the error became Decrypt
 integrity check failed.

 I rebooted my AD server and the SAMBA server just in case.

 Here is the log:

 [2005/06/14 18:14:30, 3, pid=17668]
 libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
 Decrypt integrity check failed
 [2005/06/14 18:14:30, 3, pid=17668]
 libads/kerberos_verify.c:ads_verify_ticket(307)
   ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

 Any idea?

 Did I forget to do something so obvious?

 Is it anything to do with keytab which I have noticed that if I specify
 use kerberos keytab = yes I get an error in  net ads join that says:
 [2005/06/14 18:50:43, 1, pid=23237]
 libads/kerberos_keytab.c:ads_keytab_add_entry(236)
   ads_keytab_add_entry: adding entry to keytab failed (Cannot write to
 specified key table)
 [2005/06/14 18:50:43, 1, pid=23237]
 libads/kerberos_keytab.c:ads_keytab_create_default(418)
   ads_keytab_create_default: ads_keytab_add_entry failed while adding
 'host'.
 [2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
   Error creating host keytab!
 Joined 'SSN217' to realm 'LONDON.STORADINC.COM'

 And last, is it to do with kerberos hot fix
 http://support.microsoft.com/kb/833708/
 Just wondering.

 Thanks so much in advance for any hint in this complicated area.

 Cheers,
 Ephi



 -Original Message-
 From: Ephi Dror
 Sent: Tuesday, June 14, 2005 10:28 AM
 To: 'Andrew Bartlett'
 Cc: Samba (samba@lists.samba.org)
 Subject: RE: [Samba] Kerberos enc type [xx] failed

 Thank you Andrew for sharing with us your expertise and give us those
 suggestions.

 We really appreciate it.

 Cheers,
 Ephi

 -Original Message-
 From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 13, 2005 10:15 PM
 To: Ephi Dror
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Kerberos enc type [xx] failed

 On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
  Hi All,
 
  I am getting Kerberos enc type problem that I can't explain:
 
 
  Just a quick background:
  1. My samba version is 3.0. 6 (will switch to latest soon) 2. My
  Kerberos version is krb5 1.2.7.
  4. Samba joined active directory that  has one KDC running win2003
  (not
  sp1)
  5. I switched between different domains and join as ADS and domain
  many times, could it contribute to this problem?
 
  At the moment, I can't switch to latest krb5 package. What is the
  minimum Kerberos version required by SAMBA?

 MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
 maintained since Samba 3.0.  Using less than this will cause issues with
 clients that for one reason or another do not possess 'DES' kerberos
 keys.

 Kerberos library requirements have been quite a pain in Samba 3.0.
 There are three basic solutions:

  - Upgrade your OS to one with a suitable kerberos
  - Upgrade the kerberos libraries on your OS
  - Statically link your Samba install to an upgraded kerberos.

 The latter option is what SerNet did/does for their Samba 3.0 packages.

 In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
 and the current plan is to ship with a built-in kerberos library.
 (Options for later development allow this to possibly use a system lib,
 but the aim is to shift the pain away from the administrator, who can't
 help the situation much).

 Andrew Bartlett

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
 Authentication Developer, Samba Team   http://samba.org
 Student Network Administrator, Hawker College  http://hawkerc.net


Re: [Samba] Kerberos enc type [xx] failed

2005-06-15 Thread Andrew Bartlett
On Wed, 2005-06-15 at 10:46 -0400, Dimitri Yioulos wrote:
> Ephi,
>
> I think I had the same problem once upon a time.  I haven't seen your
> krb5.conf, but I added the following to mine in the [libdefaults] section:
>
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5

This is generally a bad idea.  We want to use all the available enc
types, not a restricted subset.  I think Jerry had some further advice
on this, but the gist of it was 'don't touch' :-)

Andrew Bartlett

-- 
Andrew Bartlett  http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



RE: [Samba] Kerberos enc type [xx] failed

2005-06-14 Thread Ephi Dror
Thank you Andrew for sharing with us your expertise and give us those
suggestions.

We really appreciate it.

Cheers,
Ephi 

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 13, 2005 10:15 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: Re: [Samba] Kerberos enc type [xx] failed

On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> Hi All,
>
> I am getting Kerberos enc type problem that I can't explain:
>
> Just a quick background:
> 1. My samba version is 3.0.6 (will switch to latest soon)
> 2. My Kerberos version is krb5 1.2.7.
> 4. Samba joined active directory that has one KDC running win2003 (not
> sp1)
> 5. I switched between different domains and join as ADS and domain many
> times, could it contribute to this problem?
>
> At the moment, I can't switch to latest krb5 package. What is the
> minimum Kerberos version required by SAMBA?

MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
maintained since Samba 3.0.  Using less than this will cause issues with
clients that for one reason or another do not possess 'DES' kerberos
keys.

Kerberos library requirements have been quite a pain in Samba 3.0.
There are three basic solutions:

 - Upgrade your OS to one with a suitable kerberos
 - Upgrade the kerberos libraries on your OS
 - Statically link your Samba install to an upgraded kerberos.  

The latter option is what SerNet did/does for their Samba 3.0 packages.

In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
and the current plan is to ship with a built-in kerberos library.
(Options for later development allow this to possibly use a system lib,
but the aim is to shift the pain away from the administrator, who can't
help the situation much).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


RE: [Samba] Kerberos enc type [xx] failed

2005-06-14 Thread Ephi Dror
Hi Andrew,

I upgraded krb5 libs to 1.3.3 and now the error became Decrypt
integrity check failed.

I rebooted my AD server and the SAMBA server just in case.

Here is the log:

[2005/06/14 18:14:30, 3, pid=17668]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
[2005/06/14 18:14:30, 3, pid=17668]
libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

Any idea?

Did I forget to do something so obvious?

Is it anything to do with keytab which I have noticed that if I specify
use kerberos keytab = yes I get an error in  net ads join that says:
[2005/06/14 18:50:43, 1, pid=23237]
libads/kerberos_keytab.c:ads_keytab_add_entry(236)
  ads_keytab_add_entry: adding entry to keytab failed (Cannot write to
specified key table)
[2005/06/14 18:50:43, 1, pid=23237]
libads/kerberos_keytab.c:ads_keytab_create_default(418)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding
'host'.
[2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
  Error creating host keytab!
Joined 'SSN217' to realm 'LONDON.STORADINC.COM'

And last, is it to do with kerberos hot fix
http://support.microsoft.com/kb/833708/
Just wondering.

Thanks so much in advance for any hint in this complicated area.

Cheers,
Ephi



-Original Message-
From: Ephi Dror 
Sent: Tuesday, June 14, 2005 10:28 AM
To: 'Andrew Bartlett'
Cc: Samba (samba@lists.samba.org)
Subject: RE: [Samba] Kerberos enc type [xx] failed

Thank you Andrew for sharing with us your expertise and give us those
suggestions.

We really appreciate it.

Cheers,
Ephi 

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:15 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: Re: [Samba] Kerberos enc type [xx] failed

On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> Hi All,
>
> I am getting Kerberos enc type problem that I can't explain:
>
> Just a quick background:
> 1. My samba version is 3.0.6 (will switch to latest soon)
> 2. My Kerberos version is krb5 1.2.7.
> 4. Samba joined active directory that has one KDC running win2003 (not
> sp1)
> 5. I switched between different domains and join as ADS and domain many
> times, could it contribute to this problem?
>
> At the moment, I can't switch to latest krb5 package. What is the
> minimum Kerberos version required by SAMBA?

MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
maintained since Samba 3.0.  Using less than this will cause issues with
clients that for one reason or another do not possess 'DES' kerberos
keys.

Kerberos library requirements have been quite a pain in Samba 3.0.
There are three basic solutions:

 - Upgrade your OS to one with a suitable kerberos
 - Upgrade the kerberos libraries on your OS
 - Statically link your Samba install to an upgraded kerberos.  

The latter option is what SerNet did/does for their Samba 3.0 packages.

In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
and the current plan is to ship with a built-in kerberos library.
(Options for later development allow this to possibly use a system lib,
but the aim is to shift the pain away from the administrator, who can't
help the situation much).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


RE: [Samba] Kerberos enc type [xx] failed

2005-06-14 Thread Andrew Bartlett
On Tue, 2005-06-14 at 19:04 -0700, Ephi Dror wrote:
> Hi Andrew,
>
> I upgraded krb5 libs to 1.3.3 and now the error became Decrypt
> integrity check failed.

Just checking, have you rebuilt Samba against the new libs/headers?

We detect the older libs, and do workarounds that you don't want any
more.  

Also, how did you upgrade the kerberos libs?  I meant to say in my
original mail that it is known to be a very painful process, so I wonder
if the libs you installed are the ones you are using.  Check what
configure said, and what ldd says. 

Andrew Bartlett

-- 
Andrew Bartlett  http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



Re: [Samba] Kerberos enc type [xx] failed

2005-06-13 Thread Andrew Bartlett
On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
> Hi All,
>
> I am getting Kerberos enc type problem that I can't explain:
>
> Just a quick background:
> 1. My samba version is 3.0.6 (will switch to latest soon)
> 2. My Kerberos version is krb5 1.2.7.
> 4. Samba joined active directory that has one KDC running win2003 (not
> sp1)
> 5. I switched between different domains and join as ADS and domain many
> times, could it contribute to this problem?
>
> At the moment, I can't switch to latest krb5 package. What is the
> minimum Kerberos version required by SAMBA?

MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
maintained since Samba 3.0.  Using less than this will cause issues with
clients that for one reason or another do not possess 'DES' kerberos
keys.

Kerberos library requirements have been quite a pain in Samba 3.0.
There are three basic solutions:

 - Upgrade your OS to one with a suitable kerberos
 - Upgrade the kerberos libraries on your OS
 - Statically link your Samba install to an upgraded kerberos.  

The latter option is what SerNet did/does for their Samba 3.0 packages.

In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
and the current plan is to ship with a built-in kerberos library.
(Options for later development allow this to possibly use a system lib,
but the aim is to shift the pain away from the administrator, who can't
help the situation much).

Andrew Bartlett

-- 
Andrew Bartlett  http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.  http://suse.de
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

