Web lists-archives.com

[Samba] Slow Kerberos Authentication




Hi All,

I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
is working but it takes around 30 seconds on first access. This is an
active directory domain with 2008r2 DC's.
I've tracked it down to what looks like the incorrect encryption type being
used according to the debug output below, as you can see it fails twice
with enc type of 17 and 18 but succeeds with 23... Which according to the
RFC is rc4-hmac which is all windows DCs talk from what I can find out.
How can I get it so the correct encryption is chosen first time?

Log excerpt:

[2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spn
ego_negotiate)

  reply_spnego_negotiate: Got secblob of size 3264

[2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(a
ds_secrets_verify_ticket)

  libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
Bad encryption type

[2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(a
ds_secrets_verify_ticket)

  libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error
Bad encryption type

[2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(a
ds_secrets_verify_ticket)

  libads/kerberos_verify.c:423: enc type [23] decrypted message !

[2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_
smb_session_key)

  Got KRB5 session key of length 16
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba