Web lists-archives.com

Re: [Samba] Slow Kerberos Authentication




Hai Paul, 
 
hmm, i think its time.. to upgrade your samba. 
 
I dont think the other krb5.conf options work, but you might give it a try. 
See man krb5.conf, where i took it from. 
add /change in krb5.conf 

 [kdc]
tgt-use-strongest-session-key = BOOL
svc-use-strongest-session-key = BOOL
preauth-use-strongest-session-key= BOOL
use-strongest-server-key = BOOL
encode_as_rep_as_tgs_rep = BOOL
 
BOOL = true or false. 
 
You might set the default windows encryption in krb5.conf as standard, but imo, that are changes which might give other problems. 
And is not my best advice.. 
 
So best advice is .. upgrade to samba 4, and packages are available. 
https://linux.oracle.com/errata/ELSA-2017-1271.html ;
 
 
Greetz,
 
Louis
 



 
Van: Paul [mailto:bluescreen08@xxxxxxxxx] 
Verzonden: vrijdag 10 november 2017 9:57
Aan: L.P.H. van Belle
Onderwerp: Re: [Samba] Slow Kerberos Authentication



Thanks, however that didn't work even after a reboot, still the same error.

On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
Hai,

You may need to add the the following in krb5.conf

[libdefaults]
 allow_weak_crypto = true

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Can you try that.

Greetz,

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Paul
> via samba
> Verzonden: donderdag 9 november 2017 16:45
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] Slow Kerberos Authentication
>
> Hi All,
>
> I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos
> authentication
> is working but it takes around 30 seconds on first access. This is an
> active directory domain with 2008r2 DC's.
> I've tracked it down to what looks like the incorrect
> encryption type being
> used according to the debug output below, as you can see it
> fails twice
> with enc type of 17 and 18 but succeeds with 23... Which
> according to the
> RFC is rc4-hmac which is all windows DCs talk from what I can
> find out.
> How can I get it so the correct encryption is chosen first time?
>
> Log excerpt:
>
> [2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spn
> ego_negotiate)
>
>   reply_spnego_negotiate: Got secblob of size 3264
>
> [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(a
> ds_secrets_verify_ticket)
>
>   libads/kerberos_verify.c:435: enc type [18] failed to
> decrypt with error
> Bad encryption type
>
> [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(a
> ds_secrets_verify_ticket)
>
>   libads/kerberos_verify.c:435: enc type [17] failed to
> decrypt with error
> Bad encryption type
>
> [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(a
> ds_secrets_verify_ticket)
>
>   libads/kerberos_verify.c:423: enc type [23] decrypted message !
>
> [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_
> smb_session_key)
>
>   Got KRB5 session key of length 16

> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba