[Samba] bad encryption type when accessing AD member server
Henning Holtschneider
2003-12-01 19:08:22 UTC
Hi,

I'm trying to access a Samba 3.0 server (running on Debian unstable) in an
Active Directory environment. I successfully joined the domain, klist shows
my Kerberos ticket(s) and I can use smbclient -k to access a Windows 2000
server. However, when I try to access a share on the Samba machine from a
Windows 2000 client, I'm being asked for the password and Samba logs:

[2003/09/29 13:17:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!

I turned up logging to 5 and found this just before the "incoming ticket"
line:

[2003/09/29 13:17:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

"klist -e" shows my tickets as follows:

----- snip -----
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@DOMAIN.LOCAL

Valid starting     Expires            Service principal
09/29/03 13:31:30  09/29/03 23:31:26  krbtgt/***@DOMAIN.LOCAL
        renew until 09/29/03 23:31:30, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
09/29/03 13:31:30  09/29/03 23:31:26  filepile-a$@DOMAIN.LOCAL
        renew until 09/29/03 23:31:30, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
----- snap -----

Did I make a mistake when setting up my Kerberos environment or is this a
Samba problem?

Thanks,

<-gninneH<-
--
__ _ __ __ Henning Holtschneider
/ / ___ _______ _/ |/ /__ / /_ <***@loca.net>
/ /__/ _ \/ __/ _ `/ / -_) __/
/____/\___/\__/\_,_/_/|_/\__/\__/ ...net happens!
Henning Holtschneider
2003-12-01 19:08:23 UTC
Post by Henning Holtschneider
I'm trying to access a Samba 3.0 server (running on Debian unstable) in an
Active Directory environment. I successfully joined the domain, klist shows
my Kerberos ticket(s) and I can use smbclient -k to access a Windows 2000
server. However, when I try to access a share on the Samba machine from a
[...]
[2003/09/29 13:17:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
I replaced Debian's default krb5.conf (which looks like MIT Kerberos' sample
file) with the minimum configuration described in the Samba documentation and
finally the connection from the Windows clients works! Don't know why I
didn't try that earlier ...

Sorry about the noise,

<-gninneH<-
--
__ _ __ __ Henning Holtschneider
/ / ___ _______ _/ |/ /__ / /_ <***@loca.net>
/ /__/ _ \/ __/ _ `/ / -_) __/
/____/\___/\__/\_,_/_/|_/\__/\__/ ...net happens!
Derek T. Yarnell
2003-12-01 19:08:24 UTC
Can you send the default debian krb5.conf? I would like to see what the
differences are with my krb5.conf.

Thanks.
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
***@cs.umd.edu
Alexander List
2003-12-01 19:08:31 UTC
Post by Henning Holtschneider
Post by Henning Holtschneider
[2003/09/29 13:17:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
I replaced Debian's default krb5.conf (which looks like MIT Kerberos' sample
file) with the minimum configuration described in the Samba documentation and
finally the connection from the Windows clients works! Don't know why I
didn't try that earlier ...
The problem is that the Debian krb5-config package installed a default
krb5.conf that was too restrictive with the encryption types. I already
filed a bug against the krb5-config package which has been acknowledged by
the developer. I guess future new installations shouldn't expose this
problem.

Alex
--
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
--Benjamin Franklin, 1759
Alexander List
2003-12-01 19:08:32 UTC
Can you send me your working krb5.conf file? I am having the same
problem (not running debian) and trying to figure out what I need to
have in it is a pain.
Less is more in this case.

Try _removing_ anything about the enctypes in krb5.conf and only define
the realm, like mentioned in the Samba HOWTO collection:

http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790

If you use the mentioned minimal config, everything should work fine.

Alex
--
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
--Benjamin Franklin, 1759
Derek T. Yarnell
2003-12-01 19:08:32 UTC
But that is not working correctly,

[***@atlantis samba]# cat /etc/krb5.conf
[libdefaults]
default_realm = PC.CS.UMD.EDU

[realms]
PC.CS.UMD.EDU = {
kdc = krycek.pc.cs.umd.edu:88
}

Still won't work correctly,

[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2003/10/02 15:40:25, 10] passdb/secrets.c:secrets_named_mutex_release(709)
secrets_named_mutex: released mutex for replay cache mutex
[2003/10/02 15:40:25, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

Anyone know what the encryption types [1,2,3] etc. are?

Built with krb5-1.3.1; as far as I can find from the krb5 source, these are
the encryption types:

0 des-cbc-crc
1 des-cbc-md4
2 des-cbc-md5
3 des
4 des-cbc-raw
5 des3-cbc-raw
6 des3-cbc-sha1
7 des3-hmac-sha1
8 des3-cbc-sha1-kd
9 des-hmac-sha1
10 arcfour-hmac
11 rc4-hmac
12 arcfour-hmac-md5
13 arcfour-hmac-exp
14 rc4-hmac-exp
15 arcfour-hmac-md5-exp
16 aes128-cts-hmac-sha1-96
17 aes128-cts
18 aes256-cts-hmac-sha1-96
19 aes256-cts
Post by Alexander List
Can you send me your working krb5.conf file? I am having the same
problem (not running debian) and trying to figure out what I need to
have in it is a pain.
Less is more in this case.
Try _removing_ anything about the enctypes in krb5.conf and only define
http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790
If you use the mentioned minimal config, everything should work fine.
Alex
--
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
--Benjamin Franklin, 1759
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
***@cs.umd.edu
Jeremy Allison
2003-12-01 19:08:32 UTC
Post by Derek T. Yarnell
But that is not working correctly,
[...]
[2003/10/02 16:11:13, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[...]
Anyone know what the encryption types [1,2,3] etc. are?
[...]
I think the enc-type you need is type 23 which I believe is rc4-md4.

Jeremy.
Gerald (Jerry) Carter
2003-12-01 19:08:32 UTC
Jeremy Allison wrote:
....

|>14 rc4-hmac-exp
|>15 arcfour-hmac-md5-exp
|>16 aes128-cts-hmac-sha1-96
|>17 aes128-cts
|>18 aes256-cts-hmac-sha1-96
|>19 aes256-cts
|
|
| I think the enc-type you need is type 23 which I believe is rc4-md4.

I think you mean RC4-HMAC

jerry
Jeremy Allison
2003-12-01 19:08:32 UTC
....
|>14 rc4-hmac-exp
|>15 arcfour-hmac-md5-exp
|>16 aes128-cts-hmac-sha1-96
|>17 aes128-cts
|>18 aes256-cts-hmac-sha1-96
|>19 aes256-cts
|
|
| I think the enc-type you need is type 23 which I believe is rc4-md4.
I think you mean RC4-HMAC
Doh ! Thanks :-).

Jeremy.
Derek T. Yarnell
2003-12-01 19:08:32 UTC
So understanding that, I get this error,

[2003/10/02 17:10:23, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

Any suggestions to where to look to find this one? Could it be something
with the Win2k3 server?

[***@atlantis samba]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@PC.CS.UMD.EDU

Valid starting     Expires            Service principal
10/02/03 17:06:16  10/03/03 03:06:20  krbtgt/***@PC.CS.UMD.EDU
        renew until 10/02/03 18:06:16, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So I am getting ArcFour tickets by default here.
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
***@cs.umd.edu
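The two servers in this thread fail for different reasons, and the level-10 lines Derek pasted are enough to tell them apart. Here is an added example in Python to do that; it is not code from the thread or from Samba. It parses the per-enctype lines ads_verify_ticket() writes at log level 10 and the Etype column of `klist -e`, maps the numbers to the wire enctype identifiers from RFC 3961 and RFC 4757 (the alias list pasted from the MIT source is the order of accepted names, not these numbers: 23 is rc4-hmac, as Jerry says, 18 is aes256-cts-hmac-sha1-96, 1 is des-cbc-crc), and reads the two error strings the way MIT krb5 produces them: krb5_c_decrypt() returns KRB5_BAD_ENCTYPE ("Bad encryption type") when the key's enctype does not match the ciphertext's, before any decryption happens, while "Decrypt integrity check failed" means a key of the right type was used and the checksum did not verify. The sample inputs are the lines from Derek's posts with the log headers dropped and the principals left redacted as on this page; the klist display-name table is an assumption covering only the two enctypes that appear here.

```python
"""Classify ads_verify_ticket() enctype failures from a Samba 3.0 debug log.

Added example for this thread; it is not code from the thread or from Samba.
"""
import re

# Wire enctype numbers (RFC 3961, RFC 3962, RFC 4757).  Samba's
# "enc type [N]" uses these; the alias list pasted from the MIT source is the
# order of accepted names, not these numbers.
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",        # shown by MIT klist -e as "ArcFour with HMAC/md5"
    24: "rc4-hmac-exp",
}

# MIT klist -e display names -> enctype number, only for the two types that
# appear in this thread (assumption: MIT Kerberos 1.3 naming).
KLIST_NAMES = {
    "DES cbc mode with CRC-32": 1,
    "ArcFour with HMAC/md5": 23,
}

FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.*)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$", re.MULTILINE)

# Sample input copied from Derek's posts above, log-line headers dropped and
# the wrapped klist line rejoined; principals stay redacted as on the page.
SAMPLE_LOG = """\
ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@PC.CS.UMD.EDU

Valid starting     Expires            Service principal
10/02/03 17:06:16  10/03/03 03:06:20  krbtgt/***@PC.CS.UMD.EDU
        renew until 10/02/03 18:06:16, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""


def parse_failures(log_text):
    """Return (enctype, name, error) for each per-enctype failure line."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            n = int(m.group(1))
            found.append((n, ENCTYPES.get(n, "unknown"), m.group(2).strip()))
    return found


def klist_ticket_enctypes(klist_text):
    """Enctype of each ticket (the 'tkt' half of the Etype pair) in klist -e output."""
    return [KLIST_NAMES.get(m.group(2).strip()) for m in ETYPE_RE.finditer(klist_text)]


def diagnose(failures):
    """Tell the two failure modes apart.

    MIT krb5_c_decrypt() returns KRB5_BAD_ENCTYPE ("Bad encryption type") when
    the key's enctype differs from the ciphertext's, before touching the data,
    so that string only says "the ticket is not of type N".  "Decrypt integrity
    check failed" means a key of the right type was used and the checksum did
    not verify: the ticket is of type N and the local key for N (derived from
    the machine account password) does not match the one the KDC used.
    """
    integrity = [n for n, _, err in failures if err.startswith("Decrypt integrity")]
    if integrity:
        n = integrity[0]
        return {"ticket_enctype": n, "name": ENCTYPES.get(n, "unknown"),
                "verdict": "key-mismatch"}
    if failures:
        # Every enctype rejected before decryption: no key of the ticket's type
        # could be built.  In this thread that was a krb5.conf restricting the
        # enctypes to a set without RC4-HMAC (Alex's diagnosis).
        return {"ticket_enctype": None, "name": None, "verdict": "no-usable-enctype"}
    # Only the level-3 summary line present: raise "log level" to 10 first.
    return {"ticket_enctype": None, "name": None, "verdict": "nothing-logged"}


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for n, name, err in failures:
        print(f"  enctype {n:>2} ({name}): {err}")
    print("tickets in cache:", klist_ticket_enctypes(SAMPLE_KLIST))
    print("verdict:", diagnose(failures))
```

On Derek's log this reports a key mismatch on enctype 23 while the cache holds an ArcFour ticket, so the krb5.conf enctype list is no longer his problem: the RC4 key Samba derives from its machine account password is not the one the Windows 2003 KDC used to issue the ticket, and the machine account has to be brought back in step with the KDC (for example by re-joining the domain). Henning's case is the other verdict: at level 10 every enctype would come back "Bad encryption type" with no integrity failure, which is the restrictive-krb5.conf situation Alex describes and the minimal realm-only configuration fixes.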