Wow I stand corrected. The circumstances around this problem totally mask
that it's an encryption problem. SO... I'm not sure how to interpret your
statement "you have not included the type 23 enctype used by Windows
(ENCTYPE_ARCFOUR_HMAC_MD5)". How do I do this inclusion? Do I just flat out
remove those default* lines from krb5.conf?
Also....
rpm -qa | grep krb5
krb5-devel-1.2.7-24
krb5-workstation-1.2.7-24
krb5-libs-1.2.7-24
pam_krb5-1.73-1
Rectifying this now....

THANKS for the help!!!
DG

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Thursday, July 15, 2004 12:30 PM
To: Grimes, David
Cc: Jeremy Allison; samba-technical@lists.samba.org
Subject: Re: inconsistent drive mappings + many other errors

On Thu, Jul 15, 2004 at 12:23:13PM -0500, Grimes, David wrote:
> Thanks for the reply.
> AD server and samba box are running off the same time server and have a
> precision of 12 usec's. Do you suggest the Kerberos problem is between the
> samba and AD box or between the client and the samba box? If it were the
> samba and AD I would assume all auth attempts would fail not just those from
> 2000 clients. I'm also not so sure that there is any Kerberos done between
> the client and the samba server... please correct me if I am wrong.
> Also if there is ANY other info that I should provide to help in diagnosing
> these please let me know.
> As far as the network hardware the few machines that are using the samba box
> are new Dells with Intel GbE cards and a brand spankin new Cisco 5600
> Anyhow I appreciate the response. I've included krb5.conf below are these
> encryption settings correct?
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = BELOCORP.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
> Thanks!


No - that's the problem. Don't use enctypes - you have not included
the type 23 enctype used by Windows (ENCTYPE_ARCFOUR_HMAC_MD5).

Just ensure you have a version of MIT later than 1.3.1 (I think).

Jeremy.