Slow Kerberos Authentication


Slow Kerberos Authentication

Samba - General mailing list
Hi All,

I've a problem with samba 3.6.23 on Oracle Linux 6: Kerberos authentication
is working, but it takes around 30 seconds on first access. This is an
Active Directory domain with 2008r2 DCs.
I've tracked it down to what looks like the incorrect encryption type being
used, according to the debug output below. As you can see, it fails twice,
with enc types 17 and 18, but succeeds with 23, which according to the
RFC is rc4-hmac, which is all Windows DCs talk from what I can find out.
How can I get it so the correct encryption is chosen the first time?

Log excerpt:

[2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 3264
[2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:423: enc type [23] decrypted message !
[2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
  Got KRB5 session key of length 16
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
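The pattern in the excerpt above, AES enctypes 18 and 17 rejected and then a stall of over 20 seconds (per the timestamps) before rc4-hmac, 23, succeeds, can be pulled out of a full debug log mechanically. This is an added example, not code from the thread or from Samba; the enctype number-to-name table is assumed from the IANA Kerberos registry rather than taken from the page.

```python
"""Extract the Kerberos enctype negotiation from a Samba smbd debug log.

Added example, not code from the thread or from Samba. It parses the smbd
debug-line format quoted above ("[date time, level] file:line(function)"
followed by an indented message line), collects every "enc type [N] ..."
attempt from ads_secrets_verify_ticket, and reports the order tried, the
enctype that finally decrypted the ticket, and the largest time gap
between attempts, which is where a slow login is spent.
"""
import re
from datetime import datetime

# Enctype numbers to names, assumed from the IANA Kerberos registry
# (RFC 3961, RFC 3962, RFC 4757); not taken from the thread.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
WEAK_ENCTYPES = {1, 3, 24}   # DES and exportable RC4: marked (weak) in man krb5.conf
LEGACY_ENCTYPES = {23}       # RC4-HMAC: not marked weak, but no longer a preferred choice

# "[2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*(\d+)\]\s+(\S+)")
# "  libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type"
ENC_RE = re.compile(r"enc type \[(\d+)\] (failed to decrypt|decrypted message)")

# The excerpt from the first post, with the wrapped lines rejoined.
SAMPLE_LOG = """\
[2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 3264
[2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:423: enc type [23] decrypted message !
[2017/11/09 10:18:26.529143, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
  Got KRB5 session key of length 16
"""


def parse_enctype_attempts(log_text):
    """Return [(timestamp, enctype, succeeded), ...] in log order.

    Each attempt takes the timestamp of the debug header that precedes
    its message line.
    """
    attempts, current_ts = [], None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current_ts = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        hit = ENC_RE.search(line)
        if hit and current_ts is not None:
            attempts.append((current_ts, int(hit.group(1)), hit.group(2) == "decrypted message"))
    return attempts


def summarize(attempts):
    """Describe the negotiation: order tried, the winner, and the slowest step."""
    order = [enc for _, enc, _ in attempts]
    winner = next((enc for _, enc, ok in attempts if ok), None)
    slowest_gap, slowest_before = 0.0, None
    for (t_prev, _, _), (t_next, enc, _) in zip(attempts, attempts[1:]):
        gap = (t_next - t_prev).total_seconds()
        if gap > slowest_gap:
            slowest_gap, slowest_before = gap, enc
    return {
        "order": order,
        "order_names": [ENCTYPE_NAMES.get(e, f"enctype-{e}") for e in order],
        "winner": winner,
        "winner_name": ENCTYPE_NAMES.get(winner, f"enctype-{winner}"),
        "winner_is_weak": winner in WEAK_ENCTYPES,
        "winner_is_legacy": winner in LEGACY_ENCTYPES,
        "slowest_gap_seconds": round(slowest_gap, 6),
        "slowest_gap_before": slowest_before,  # enctype whose attempt followed the stall
    }


def analyze(log_text):
    """Parse and summarize in one call."""
    return summarize(parse_enctype_attempts(log_text))


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("tried:", " -> ".join(result["order_names"]))
    print("decrypted with:", result["winner_name"])
    print(f"longest stall: {result['slowest_gap_seconds']:.3f}s before "
          f"enctype {result['slowest_gap_before']}")
```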
Re: Slow Kerberos Authentication

Samba - General mailing list
Hai,

You may need to add the following in krb5.conf:

[libdefaults]
    allow_weak_crypto = true

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Can you try that?

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Paul
> via samba
> Sent: Thursday 9 November 2017 16:45
> To: [hidden email]
> Subject: [Samba] Slow Kerberos Authentication
>
Re: Slow Kerberos Authentication

Samba - General mailing list
Hai Paul,

Hmm, I think it's time to upgrade your samba.

I don't think the other krb5.conf options work, but you might give it a try.
See man krb5.conf, where I took it from.
Add/change in krb5.conf:

[kdc]
tgt-use-strongest-session-key = BOOL
svc-use-strongest-session-key = BOOL
preauth-use-strongest-session-key = BOOL
use-strongest-server-key = BOOL
encode_as_rep_as_tgs_rep = BOOL

BOOL = true or false.

You might set the default Windows encryption in krb5.conf as standard, but IMO those are changes which might give other problems,
and it is not my best advice.

So the best advice is: upgrade to samba 4, and packages are available:
https://linux.oracle.com/errata/ELSA-2017-1271.html
 
 
Greetz,

Louis


From: Paul [mailto:[hidden email]]
Sent: Friday 10 November 2017 9:57
To: L.P.H. van Belle
Subject: Re: [Samba] Slow Kerberos Authentication

Thanks, however that didn't work even after a reboot, still the same error.

On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <[hidden email]> wrote:
Re: Slow Kerberos Authentication

Samba - General mailing list
I'll look into it and update if I find anything out :)
Any idea why it would try enc type 17, then 18, then pause for 30 seconds?

It feels like a timeout is being hit but I don't understand enough about
samba/Kerberos to figure out what it is.

On 10 Nov 2017 09:37, "L.P.H. van Belle via samba" <[hidden email]>
wrote:

Re: Slow Kerberos Authentication

Samba - General mailing list
No, no idea, but really, upgrade samba; best option, in my opinion.
If that's not possible, it happens..

A timeout option can be set in krb5.conf, for example:  kdc_timeout = 5000

You also have these for krb5.conf to try out; the complete list:

des-hmac-sha1
        DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts
        AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts
        AES-128 CTS mode with 96-bit SHA-1 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5
        RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
        Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts
        Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts
        Camellia-128 CTS mode with CMAC
des
        The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3
        The triple DES family: des3-cbc-sha1
aes
        The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
rc4
        The RC4 family: arcfour-hmac
camellia
        The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac

Try the lines I sent before; keep the allow weak encryptions.
Try these, and add them at the beginning:
arcfour-hmac

Greetz,

Louis

________________________________

        From: Paul [mailto:[hidden email]]
        Sent: Friday 10 November 2017 12:03
        To: L.P.H. van Belle
        CC: [hidden email]
        Subject: Re: [Samba] Slow Kerberos Authentication
       
       
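The krb5.conf settings suggested earlier in the thread (allow_weak_crypto with DES and RC4 in the enctype lists) and the family list quoted in this reply can be checked together. Added example, not code from the thread, Samba or MIT Kerberos: it reads the [libdefaults] enctype keys, expands the family names and aliases from the man-page list above, and reports which (weak) enctypes would actually take effect; the tighter variant it compares against is constructed for the example.

```python
"""Audit the enctype settings of a krb5.conf [libdefaults] section.

Added example, not code from the thread, Samba or MIT Kerberos. It expands
the family names and aliases from the man-page list quoted in the thread,
reports which enctypes that list marks (weak), notes RC4 as legacy, and
checks whether AES is listed first, so a proposed config can be reviewed
before it goes live.
"""

# Family names and aliases, as listed in man krb5.conf (quoted in the thread).
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp",
    "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
    "camellia256-cts": "camellia256-cts-cmac",
    "camellia128-cts": "camellia128-cts-cmac",
}
# Marked (weak) in the man-page list; MIT krb5 refuses to use them unless
# allow_weak_crypto = true is set.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1", "arcfour-hmac-exp"}
LEGACY = {"arcfour-hmac"}   # RC4-HMAC: not marked weak, kept only for old DCs
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# The "Windows 2008 with AES" snippet suggested in the thread.
WEAK_CONF = """\
[libdefaults]
    allow_weak_crypto = true
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""
# Constructed tighter variant for comparison: no DES, no allow_weak_crypto,
# AES-256 first, RC4 still permitted only for a DC that offers nothing better.
HARDENED_CONF = """\
[libdefaults]
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers and 'key = value' lines.

    Lines starting with '#' or ';' are comments; nested {} groups are not handled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def expand(enctypes):
    """Expand family names and aliases to canonical enctype names, keeping order."""
    out = []
    for tok in enctypes.split():
        for name in FAMILIES.get(tok, [ALIASES.get(tok, tok)]):
            if name not in out:
                out.append(name)
    return out


def audit_libdefaults(text):
    """Report weak/legacy enctypes per key and whether weak ones would be active."""
    conf = parse_krb5_conf(text).get("libdefaults", {})
    report = {"allow_weak_crypto": conf.get("allow_weak_crypto", "false").lower() == "true"}
    for key in ENCTYPE_KEYS:
        if key not in conf:
            continue
        names = expand(conf[key])
        report[key] = {
            "enctypes": names,
            "weak": [n for n in names if n in WEAK],
            "legacy": [n for n in names if n in LEGACY],
            "aes_first": bool(names) and names[0].startswith("aes"),
        }
    # Weak enctypes only take effect when both a list and the switch enable them.
    report["weak_in_effect"] = report["allow_weak_crypto"] and any(
        report[k]["weak"] for k in ENCTYPE_KEYS if k in report)
    return report


if __name__ == "__main__":
    for label, conf in (("thread", WEAK_CONF), ("hardened", HARDENED_CONF)):
        r = audit_libdefaults(conf)
        print(label, "weak in effect:", r["weak_in_effect"],
              "weak:", r["permitted_enctypes"]["weak"],
              "legacy:", r["permitted_enctypes"]["legacy"])
```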
Re: Slow Kerberos Authentication

Samba - General mailing list
Just to update this, I'm going to upgrade to samba4 but it won't be for a
few days yet, I'll keep this thread updated with what happens.

On 10 Nov 2017 11:23, "L.P.H. van Belle via samba" <[hidden email]>
wrote:

Re: Slow Kerberos Authentication

Samba - General mailing list
Update: I installed samba4 with the existing config; it's sped up slightly,
but I'm seeing another error.
After it's started gensec submechanism gse_krb5, it takes around 40 seconds
to resolve the hostname to FQDN:
HOSTNAME -> hostname.local

I've got the entry in hosts and it's correct in DNS; what could be the
problem?

On 11 Nov 2017 10:01, "Paul" <[hidden email]> wrote:

> Just to update this, I'm going to upgrade to samba4 but it won't be for a
> few days yet, I'll keep this thread updated with what happens.
>
> On 10 Nov 2017 11:23, "L.P.H. van Belle via samba" <[hidden email]>
> wrote:
>
>> No, no idee, but really, upgrade to samba, best option, in my opinion.
>> If thats not possible, it happens..
>>
>> A timeout option can be set in krb5.conf
>> for example :  kdc_timeout = 5000
>>
>>
>> You have these for krb5.conf to try out also.
>> the complete list.
>> des-hmac-sha1
>>         DES with HMAC/sha1 (weak)
>>
>> aes256-cts-hmac-sha1-96 aes256-cts AES-256
>>         CTS mode with 96-bit SHA-1 HMAC
>>
>> aes128-cts-hmac-sha1-96 aes128-cts AES-128
>>         CTS mode with 96-bit SHA-1 HMAC
>>
>> arcfour-hmac rc4-hmac arcfour-hmac-md5
>>         RC4 with HMAC/MD5
>>
>> arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
>>         Exportable RC4 with HMAC/MD5 (weak)
>>
>> camellia256-cts-cmac camellia256-cts
>>         Camellia-256 CTS mode with CMAC
>>
>> camellia128-cts-cmac camellia128-cts
>>         Camellia-128 CTS mode with CMAC
>>
>> des
>>         The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
>>
>> des3
>>         The triple DES family: des3-cbc-sha1
>>
>> aes
>>         The AES family: aes256-cts-hmac-sha1-96 and
>> aes128-cts-hmac-sha1-96
>>
>> rc4
>>         The RC4 family: arcfour-hmac
>>
>> camellia
>>         The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
>>
>>
>> try the lines i send before keep the allow weak encptions.
>> try these, and add them at the beginning.
>> arcfour-hmac
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>
>>
>> ________________________________
>>
>>         From: Paul [mailto:[hidden email]]
>>         Sent: Friday 10 November 2017 12:03
>>         To: L.P.H. van Belle
>>         CC: [hidden email]
>>         Subject: Re: [Samba] Slow Kerberos Authentication
>>
>>
>>         I'll look into it and update if I find anything out :)
>>         Any idea why it would try enc type 17, then 18, then pause for 30
>> seconds?
>>
>>         It feels like a timeout is being hit but I don't understand
>> enough about samba/Kerberos to figure out what it is.
>>
>>         On 10 Nov 2017 09:37, "L.P.H. van Belle via samba" <
>> [hidden email]> wrote:
>>
>>
>>                 Hai Paul,
>>
>>                 hmm, I think it's time.. to upgrade your samba.
>>
>>                 I don't think the other krb5.conf options work, but you
>> might give it a try.
>>                 See man krb5.conf, where I took it from.
>>                 add/change in krb5.conf
>>
>>                  [kdc]
>>                 tgt-use-strongest-session-key = BOOL
>>                 svc-use-strongest-session-key = BOOL
>>                 preauth-use-strongest-session-key= BOOL
>>                 use-strongest-server-key = BOOL
>>                 encode_as_rep_as_tgs_rep = BOOL
>>
>>                 BOOL = true or false.
>>
>>                 You might set the default windows encryption in krb5.conf
>> as standard, but imo, those are changes which might give other problems.
>>                 And it is not my best advice..
>>
>>                 So best advice is .. upgrade to samba 4, and packages are
>> available.
>>                 https://linux.oracle.com/errata/ELSA-2017-1271.html
>>
>>
>>                 Greetz,
>>
>>                 Louis
>>
>>
>>
>>
>>
>>                 From: Paul [mailto:[hidden email]]
>>                 Sent: Friday 10 November 2017 9:57
>>                 To: L.P.H. van Belle
>>                 Subject: Re: [Samba] Slow Kerberos Authentication
>>
>>
>>
>>                 Thanks, however that didn't work even after a reboot,
>> still the same error.
>>
>>                 On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <
>> [hidden email]> wrote:
>>                 Hai,
>>
>>                 You may need to add the following in krb5.conf
>>
>>                 [libdefaults]
>>                  allow_weak_crypto = true
>>
>>                 ; for Windows 2003
>>                 ;    default_tgs_enctypes = rc4-hmac des-cbc-crc
>> des-cbc-md5
>>                 ;    default_tkt_enctypes = rc4-hmac des-cbc-crc
>> des-cbc-md5
>>                 ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>
>>                 ; for Windows 2008 with AES
>>                     default_tgs_enctypes = aes128-cts-hmac-sha1-96
>> aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>                     default_tkt_enctypes = aes128-cts-hmac-sha1-96
>> aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>                     permitted_enctypes = aes128-cts-hmac-sha1-96
>> aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>
>>                 Can you try that.
>>
>>                 Greetz,
>>
>>                 Louis
>>
>>
>>
>>
>>                 --
>>                 To unsubscribe from this list go to the following URL and
>> read the
>>                 instructions:  https://lists.samba.org/mailma
>> n/options/samba <https://lists.samba.org/mailman/options/samba>
>>
>>
>>
>>
>>
>>
>
>
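As an added example (not from this thread or from Samba itself), a small Python parser for the smbd debug lines quoted in this thread: it pulls out each "enc type [N]" attempt with its timestamp, maps the number to its krb5.conf name, and reports how long the fallback took and whether the ticket only verified with RC4. The sample log is constructed to match the format in the thread, with unwrapped lines.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the smbd debug output quoted in this
# thread (header line, then the message line); not a real capture.
SAMPLE_LOG = """\
[2017/11/09 10:18:04.174379,  3] smbd/sesssetup.c:662(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 3264
[2017/11/09 10:18:04.201392, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:04.214632, 10] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Bad encryption type
[2017/11/09 10:18:26.528850, 10] libads/kerberos_verify.c:423(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:423: enc type [23] decrypted message !
"""
# Enctype numbers from the RFC 3961 / RFC 4757 registry, as named in krb5.conf.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {23}  # RC4-HMAC: still accepted by AD, no longer considered strong
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*\d+\]")
ENCTYPE_RE = re.compile(r"enc type \[(\d+)\] (failed to decrypt|decrypted)")

def analyse_ticket_verify(log_text):
    """Collect the enc type attempts made while verifying one service ticket,
    the delay before each attempt, and whether the verify only worked with RC4."""
    attempts, stamp = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # header line carries the timestamp of the message that follows
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = ENCTYPE_RE.search(line)
        if m and stamp is not None:
            etype = int(m.group(1))
            prev = attempts[-1]["time"] if attempts else stamp
            attempts.append({"time": stamp, "enctype": etype,
                             "name": ENCTYPE_NAMES.get(etype, "enctype-%d" % etype),
                             "ok": m.group(2) == "decrypted",
                             "delay_s": (stamp - prev).total_seconds()})
    ok = [a for a in attempts if a["ok"]]
    total = (attempts[-1]["time"] - attempts[0]["time"]).total_seconds() if attempts else 0.0
    return {"attempts": attempts,
            "succeeded_with": ok[0]["name"] if ok else None,
            "total_s": total,
            "fell_back_to_weak": bool(ok) and ok[0]["enctype"] in WEAK_ENCTYPES}

if __name__ == "__main__":
    r = analyse_ticket_verify(SAMPLE_LOG)
    for a in r["attempts"]:
        print("%-24s %-5s +%.3fs" % (a["name"], "ok" if a["ok"] else "fail", a["delay_s"]))
    print("verified with %s after %.3f s; weak fallback: %s" % (r["succeeded_with"], r["total_s"], r["fell_back_to_weak"]))
```

A large delay on the last attempt, as in the sample, points at a timeout rather than a decrypt cost; a verify that only succeeds with rc4-hmac is worth following up separately from the speed issue.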