Issue With Kerberizing OS X and Samba

Michael R. Bowden mbowden at bowdoin.edu
Thu Feb 3 14:01:44 EST 2005


Hello,

If this is too far of a stretch, I understand :-)  Thanks for looking.


The following is a synopsis of the OS X / Kerberos issue we are having
along with the steps I have taken.  I would appreciate it if anyone has any
ideas.

The problem is that Samba (OS X) is not accepting or understanding the
Kerberos tickets presented by Windows machines for access to files on
an OS X server.   AFP services hosted on OS X work fine, not requiring
additional authentication.

Not sure if this is of any consequence, but the problem is reminiscent
of an issue I had with the Network Appliance during my initial attempts
to get Kerberos authentication for the Macs working.  The issue
(determined by Network Appliance) was that Windows was using a shorter
checksum value (14 bits?), whereas the OS X machines were using a longer
value (21 bits?).  This caused the actually "valid" Kerberos ticket with a
21-bit checksum to be thrown away, because the checksum could not be
verified as the filer was expecting a 14-bit checksum.  (Network
Appliance has since fixed the issue on the filer.)  This theory seems to
be "supported" in the log file at the bottom.

Environment
Windows 2000 domain
OS X 10.3.5
OS X 10.3.7

The steps we have followed:

We have built up a 10.3.5 box "sheep" and joined it to our Active
Directory domain "Bowdoincollege".
Next we used tdbtool to root out the password of sheep's machine
account.
Next we moved to the domain controller and used ktpass to create two
keytabs, afpserver and host.
Then we moved the keytabs back to OS X "sheep" and used ktutil to combine
the keytabs into a krb5.keytab file in /etc.
klist -ke showed a "proper" keytab.
Next I edited com.apple.AppleFileServer.plist.
Finally I added the following lines to the smb.conf file:
	[global]
	        workgroup = BOWDOINCOLLEGE
	        security = ads
	        realm = BOWDOINCOLLEGE.EDU
	        spnego = yes

After a reboot the Kerberized AFP services work as expected: single
sign-on from Mac clients.  The Windows clients require a second sign-
on.

The log puked the following:

[2005/02/03 09:15:56, 3]  
/SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: 
reply_spnego_negotiate(430)
   Got secblob of size 1251
[2005/02/03 09:15:56, 3]  
/SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c: 
ads_verify_ticket(323)
   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt  
integrity check failed
[2005/02/03 09:15:56, 3]  
/SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c: 
ads_verify_ticket(330)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2005/02/03 09:15:56, 1]  
/SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: 
reply_spnego_kerberos(173)
   Failed to verify incoming ticket!

I then upgraded to 10.3.7; the same behavior persists.  ARGH!

In addition,

All Mac clients currently authenticate from LDAP and obtain Kerberos
tickets from the 2k domain controller.  They are able to access Windows
shares without re-authenticating campus wide.

If I log into the OS X server I can mount SMB shares on other Windows
machines without re-authenticating.

Any additional questions, please let me know.

Mike



Michael Bowden
Lab Manager, Bowdoin College
9600 College Station
Brunswick, ME 04011
207-798-7111
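Editor's added example, not part of Mike's post and not code from Samba or MIT Kerberos. The log above says "enc type [3] failed to decrypt", so the first thing worth checking, before suspecting checksum types, is whether /etc/krb5.keytab actually holds a key of that enctype for the principal Samba is matching the ticket against, and what kvno that key carries. "klist -ke" shows this, but the script below reads the MIT keytab format (version 0x0502) directly so the check can be scripted: it lists principal / kvno / enctype for each entry, pulls the enctype number out of the Samba log line, and reports whether a candidate key exists. The keytab it runs on is constructed inline with filler key bytes (the host/ entry is given a des-cbc-md5 key, the afpserver/ entry only an RC4 key); the principal names are assumptions for illustration, and which principal Samba looks up for a CIFS ticket is not something this code decides. To use it on the real file, pass open("/etc/krb5.keytab", "rb").read() to check_keytab() instead of SAMPLE_KEYTAB.

```python
"""Added example (not from the original post, Samba or MIT Kerberos): parse a
krb5.keytab in MIT format version 0x0502, list principal / kvno / enctype per
entry, and cross-check the file against the enctype Samba names in its
ads_verify_ticket log line.  The keytab below is constructed inline with
filler key bytes so the script runs offline."""
import re
import struct

# Enctype numbers from RFC 3961 / RFC 4757; Samba's "enc type [3]" is des-cbc-md5.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}

def _counted(b):
    """Keytab counted octet string: 2-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Only used here to fabricate test input; real keytabs come from ktpass/ktutil."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type NT-PRINCIPAL (1), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, kvno, enctype}, ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size = deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        kvno = vno8
        if end - p >= 4:                      # 32-bit kvno present: it wins
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def enctype_from_samba_log(lines):
    """Extract N from Samba's 'enc type [N] failed to decrypt' message, or None."""
    for line in lines:
        m = re.search(r"enc type \[(\d+)\] failed to decrypt", line)
        if m:
            return int(m.group(1))
    return None

def check_keytab(keytab_bytes, service_principal, wanted_enctype):
    """(ok, message): does the keytab hold a key of wanted_enctype for the principal?
    ok=True only says a candidate key exists; a wrong password or stale kvno
    still produces Samba's 'Decrypt integrity check failed'."""
    mine = [e for e in parse_keytab(keytab_bytes) if e["principal"] == service_principal]
    if not mine:
        return False, "no entry for %s in keytab" % service_principal
    have = sorted({e["enctype"] for e in mine})
    want = ENCTYPE_NAMES.get(wanted_enctype, str(wanted_enctype))
    if wanted_enctype not in have:
        return False, "%s only has %s, ticket was encrypted with %s" % (
            service_principal, [ENCTYPE_NAMES.get(t, str(t)) for t in have], want)
    kvnos = sorted({e["kvno"] for e in mine if e["enctype"] == wanted_enctype})
    return True, "%s has %s key(s) with kvno %s; compare with the kvno the KDC issues" % (
        service_principal, want, kvnos)

# Constructed sample (hypothetical names): host/ has a DES key, afpserver/ only RC4.
REALM = "BOWDOINCOLLEGE.EDU"
HOST = "host/sheep.bowdoincollege.edu@" + REALM
AFP = "afpserver/sheep.bowdoincollege.edu@" + REALM
SAMPLE_KEYTAB = build_keytab([(HOST, 3, 3, b"\x01" * 8), (AFP, 3, 23, b"\x02" * 16)])
# The log line quoted in the post, unwrapped onto one line.
SAMBA_LOG = ["   ads_verify_ticket: enc type [3] failed to decrypt with error "
             "Decrypt integrity check failed"]

if __name__ == "__main__":
    et = enctype_from_samba_log(SAMBA_LOG)
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"],
                                    ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    for principal in (HOST, AFP):
        print(check_keytab(SAMPLE_KEYTAB, principal, et))
```

Reading the binary file rather than scraping "klist -ke" output keeps the check independent of whichever klist (Apple's, MIT's, Heimdal's) happens to be on the path. A True result only rules out the "no key of that enctype" explanation; if the enctype is present and decryption still fails with an integrity error, the key material or kvno in the keytab differs from what the KDC used, which is what to compare next.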



More information about the Kerberos mailing list