Issue With Kerberizing OS X and Samba

Michael R. Bowden mbowden at
Thu Feb 3 14:01:44 EST 2005


If this is too far of a stretch I understand :-) Thanks for looking.

The following is a synopsis of the OS X / Kerberos issue we are having along with the steps I have taken. I would appreciate if anyone has any

The problem is that Samba (OS X) is not accepting or understanding the Kerberos tickets presented by Windows machines for access to files on an OS X server. AFP services hosted on OS X work fine, not requiring additional authentication.

Not sure if this is of any consequence, but the problem is reminiscent of an issue I had with the Network Appliance during my initial attempts to get Kerberos authentication for the Macs working. The issue (determined by Network Appliance) was that Windows was using a shorter checksum value, 14 bits?, whereas the OS X machines were using a longer value, 21 bits? This caused the actually "valid" Kerberos ticket with a 21-bit checksum to be thrown away because the checksum could not be verified, as the filer was expecting a 14-bit checksum. (Network Appliance has since fixed the issue on the filer.) This theory seems to be "supported" in the log file at the bottom.

Windows 2000 Domain
OS X 10.3.5
OS X 10.3.7

The steps we have followed:

We have built up a 10.3.5 box "sheep" and joined it to our Active Directory domain "Bowdoincollege".
Next we used tdbtool to root out the password of "sheep's" machine
Next we moved to the domain controller and used ktpass to create 2 keytabs, afpserver and host.
Then we moved the keytabs back to OS X "sheep" and used ktutil to combine the keytabs into a krb5.keytab file in /etc.
klist -ke showed a "proper" keytab.
Next I edited the
Finally I added the following lines to the smb.conf file:
         workgroup = BOWDOINCOLLEGE
         security = ads
         realm = BOWDOINCOLLEGE.EDU
         spnego = yes

After a reboot the Kerberized AFP services work as expected, single sign-on from Mac clients. The Windows clients require a second sign

The log puked the following:

[2005/02/03 09:15:56, 3]
   Got secblob of size 1251
[2005/02/03 09:15:56, 3]
   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2005/02/03 09:15:56, 3]
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2005/02/03 09:15:56, 1]
   Failed to verify incoming ticket!

I then upgraded to 10.3.7; same behavior persists. ARGH!

In addition,

All Mac clients currently authenticate from LDAP and obtain Kerberos tickets from the 2k domain controller. They are able to access Windows shares without re-authenticating campus wide.

If I log into the OS X server I can mount SMB shares on other Windows machines without re-authenticating.

Any additional questions, please let me know.


Michael Bowden
Lab Manager, Bowdoin College
9600 College Station
Brunswick, ME 04011

More information about the Kerberos mailing list
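The log above names the enctype of the ticket Samba could not decrypt ("enc type [3]", which is des-cbc-md5 in the RFC 3961 enctype registry), and `klist -ke` names the enctype of every key in the keytab. Putting the two side by side is the first thing to check when chasing "Decrypt integrity check failed" followed by "Bad encryption type". The shell script below is an added example, not code from the post or from the Samba or Kerberos projects. It runs entirely on constructed text: the `klist -ke` listing is a made-up sample in MIT format (the FQDN sheep.bowdoincollege.edu, the KVNO and the particular set of keys are assumptions, not the poster's real keytab), and the log line is a constructed copy of the shape quoted above. It also assumes the keytab is the key source; Samba 3.0 builds of that era could instead derive keys from the machine password kept in secrets.tdb, in which case the same comparison has to be made against that password's keys.

```shell
#!/bin/sh
# Added example, not from the original post: line up the enctype Samba logs in
# "ads_verify_ticket: enc type [N]" with what `klist -ke` says is in the keytab.
# Everything below runs on constructed sample text, so it works offline.

# Constructed `klist -ke` output in MIT format. The FQDN, KVNO and the set of
# keys are assumptions for the example, not the poster's actual keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afpserver/sheep.bowdoincollege.edu@BOWDOINCOLLEGE.EDU (DES cbc mode with RSA-MD5)
   2 host/sheep.bowdoincollege.edu@BOWDOINCOLLEGE.EDU (DES cbc mode with CRC-32)
   2 host/sheep.bowdoincollege.edu@BOWDOINCOLLEGE.EDU (ArcFour with HMAC/md5)'

# Constructed Samba log line in the shape quoted in the post.
SAMPLE_LOG='  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed'

# RFC 3961 enctype numbers -> the name MIT klist prints for them.
enctype_name() {
  case "$1" in
    1)  echo 'DES cbc mode with CRC-32' ;;
    3)  echo 'DES cbc mode with RSA-MD5' ;;
    16) echo 'Triple DES cbc mode with HMAC/sha1' ;;
    17) echo 'AES-128 CTS mode with 96-bit SHA-1 HMAC' ;;
    18) echo 'AES-256 CTS mode with 96-bit SHA-1 HMAC' ;;
    23) echo 'ArcFour with HMAC/md5' ;;
    *)  echo "unknown enctype $1" >&2; return 1 ;;
  esac
}

# Extract N from "enc type [N]" in an ads_verify_ticket log line.
log_enctype() {
  printf '%s\n' "$1" | sed -n 's/.*enc type \[\([0-9]*\)\].*/\1/p'
}

# Print "yes" if the keytab listing holds a key of the named enctype for the
# given principal, "no" otherwise. Principal and enctype name match literally.
keytab_has_key() {
  khk_principal=$1; khk_name=$2; khk_listing=$3
  if printf '%s\n' "$khk_listing" | grep -F "$khk_principal" | grep -Fq "($khk_name)"; then
    echo yes
  else
    echo no
  fi
}

# For each service principal that matters, report whether the keytab holds a
# key of the enctype the log complains about. host/ is what the post created;
# cifs/ is the SPN Windows SMB clients ask for (AD maps cifs onto HOST by
# default, so it is the machine account's key either way).
check_keytab_against_log() {
  ckl_log=$1; ckl_listing=$2; ckl_host=$3
  ckl_et=$(log_enctype "$ckl_log")
  ckl_name=$(enctype_name "$ckl_et") || return 1
  for ckl_p in "host/$ckl_host" "cifs/$ckl_host"; do
    echo "$ckl_p enctype $ckl_et ($ckl_name): $(keytab_has_key "$ckl_p" "$ckl_name" "$ckl_listing")"
  done
}

# Stand-alone run on the constructed samples: host/ has DES-CRC and RC4 keys
# but no DES-MD5 key, and there is no cifs/ entry at all.
check_keytab_against_log "$SAMPLE_LOG" "$SAMPLE_KLIST" 'sheep.bowdoincollege.edu@BOWDOINCOLLEGE.EDU'
```

Reading the result: a "no" for the logged enctype means Samba had no key of the type the KDC used, so the enctype set in the keytab (or the account's DES/RC4 settings on the domain controller) is the thing to fix. A "yes" combined with "Decrypt integrity check failed" means a key of the right type exists but its material differs from what the KDC holds, which points at a stale machine password, a salt mismatch, or a key version that changed when ktpass was run after the password had already been copied out of tdbtool.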