Manualshelf

HP CIFS Server and Kerberos

ManualsBrandsHP ManualsSoftwareHP-UX Common Internet File System (CIFS) Client/Server Software
41424344454647484950
48
The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the
service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This
ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request
access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC
encryption. This is especially confusing, because our krb5.conf configuration specifies DES-CBC-CRC,
the kinit used only CRC, but the “net ads join” used a combination of CRC and MD5. Now, the
Windows client is authenticated to the KDC using RC4, and the actual “cifs atcux5” ticket is MD5. So
this particular configuration uses all of the common encryption types, in multiple combinations.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.
The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the
previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the
Wireshark trace record 1423) is encrypted with DES-CBC-MD5.
The HP CIFS Server log entry is (grep crypt log.netbiosname):
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [3] decrypted message !