
Re: [Samba] Slow Kerberos Authentication




I'll look into it and update if I find anything out :)
Any idea why it would try enc type 17, then 18, then pause for 30 seconds?

It feels like a timeout is being hit but I don't understand enough about
samba/Kerberos to figure out what it is.

On 10 Nov 2017 09:37, "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
wrote:

> Hai Paul,
>
> Hmm, I think it's time.. to upgrade your samba.
>
> I don't think the other krb5.conf options work, but you might give it a try.
> See man krb5.conf, where I took it from.
> Add/change in krb5.conf:
>
> [kdc]
> tgt-use-strongest-session-key = BOOL
> svc-use-strongest-session-key = BOOL
> preauth-use-strongest-session-key = BOOL
> use-strongest-server-key = BOOL
> encode_as_rep_as_tgs_rep = BOOL
>
> BOOL = true or false.
>
> You might set the default Windows encryption in krb5.conf as standard, but
> imo, those are changes which might give other problems.
> And it is not my best advice..
>
> So best advice is .. upgrade to samba 4, and packages are available.
> https://linux.oracle.com/errata/ELSA-2017-1271.html
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> From: Paul [mailto:bluescreen08@xxxxxxxxx]
> Sent: Friday 10 November 2017 9:57
> To: L.P.H. van Belle
> Subject: Re: [Samba] Slow Kerberos Authentication
>
>
>
> Thanks, however that didn't work even after a reboot, still the same error.
>
> On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
> wrote:
> Hai,
>
> You may need to add the following in krb5.conf
>
> [libdefaults]
>     allow_weak_crypto = true
>
> ; for Windows 2003
> ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
>     default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> Can you try that?
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Paul
> > via samba
> > Sent: Thursday 9 November 2017 16:45
> > To: samba@xxxxxxxxxxxxxxx
> > Subject: [Samba] Slow Kerberos Authentication
> >
> > Hi All,
> >
> > I've a problem with samba 3.6.23 on Oracle Linux 6, Kerberos authentication
> > is working but it takes around 30 seconds on first access. This is an
> > active directory domain with 2008r2 DCs.
> > I've tracked it down to what looks like the incorrect encryption type being
> > used according to the debug output below, as you can see it fails twice
> > with enc type of 17 and 18 but succeeds with 23... Which according to the
> > RFC is rc4-hmac which is all Windows DCs talk from what I can find out.
> > How can I get it so the correct encryption is chosen first time?
> >
> > Log excerpt:
> >
> > [2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spnego_negotiate)
> >   reply_spnego_negotiate: Got secblob of size 3264
> > [2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
> >   libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
> > [2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
> >   libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
> > [2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
> >   libads/kerberos_verify.c:423: enc type [23] decrypted message !
> > [2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
> >   Got KRB5 session key of length 16
>
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >