Kerberos auth. problems with Samba 3 & XP SP1

Jon Rabone Jon.Rabone at criticalblue.com
Sun Sep 28 21:59:27 GMT 2003


Several others seem to have similar problems (see the Samba 'main' mailing list).

I have Win2K Server SP4, Windows XP SP1 and Debian running the Debian
packaged version of Samba 3.0RC4 (MIT Kerberos?). The XP box is a member of
the ADS domain hosted by Win2K Server, but cannot authenticate itself to
Samba. Samba joined the domain OK, and can mount shares on both XP and Win2K
using Kerberos auth., but the other direction doesn't work!

I am getting the same "ads_verify_ticket: krb5_rd_req with auth failed (Bad
encryption type)" message that others are seeing - see log below.

On the Windows XP side I get a reasonable-looking Kerberos ticket for the
Linux server of type RSADSI RC4-HMAC(NT).

Any ideas how to get AD authentication working?

Jon.

[2003/09/27 18:56:15, 3] smbd/oplock.c:init_oplocks(1226)
  open_oplock_ipc: opening loopback UDP socket.
[2003/09/27 18:56:15, 3] smbd/oplock.c:init_oplocks(1257)
  open_oplock ipc: pid = 1204, global_oplock_port = 32821
[2003/09/27 18:56:15, 4] lib/time.c:get_serverzone(122)
  Serverzone is -3600
[2003/09/27 18:56:15, 3] smbd/process.c:process_smb(890)
  Transaction 0 of length 137
[2003/09/27 18:56:15, 3] smbd/process.c:switch_message(685)
  switch message SMBnegprot (pid 1204)
[2003/09/27 18:56:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LANMAN1.0]
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [Windows for Workgroups 3.1a]
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LM1.2X002]
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LANMAN2.1]
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [NT LM 0.12]
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_nt1(329)
  using SPNEGO
[2003/09/27 18:56:15, 3] smbd/negprot.c:reply_negprot(532)
  Selected protocol NT LM 0.12
[2003/09/27 18:56:15, 3] smbd/process.c:process_smb(890)
  Transaction 1 of length 1450
[2003/09/27 18:56:15, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 1204)
[2003/09/27 18:56:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
  wct=12 flg2=0xc807
[2003/09/27 18:56:15, 2] smbd/sesssetup.c:setup_new_vc_session(535)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
  Doing spnego session setup
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002
5.1]
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 48018 1 2 2
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 113554 1 2 2
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
  Got secblob of size 1219
[2003/09/27 18:56:15, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/09/27 18:56:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/09/27 18:56:15, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2003/09/27 18:56:26, 3] smbd/process.c:timeout_processing(1099)
  timeout_processing: End of file from client (client has disconnected).
[2003/09/27 18:56:26, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/27 18:56:26, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/09/27 18:56:26, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2003/09/27 18:56:26, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not
exist.
[2003/09/27 18:56:26, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)
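
An added example, not part of the original post and not Samba code: a small Python parser for the smbd debug-log format shown above. It lists the SPNEGO mechanism OIDs the client offered and any `ads_verify_ticket` failure with its timestamp. The function names and the embedded excerpt (copied from the log above) are this example's own; the OID labels are the standard assignments.

```python
import re

# Excerpt of the smbd log from the post above, embedded so the example runs offline.
SAMPLE_LOG = """\
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 48018 1 2 2
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 113554 1 2 2
[2003/09/27 18:56:15, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/09/27 18:56:15, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/09/27 18:56:15, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# Header line: [timestamp, debuglevel] source_file:function(line)
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\] (?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$")
# Well-known GSS-API / SPNEGO mechanism OIDs.
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def parse_records(text):
    """Attach every non-header line to the preceding header, so wrapped messages stay whole."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.rstrip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = f'{records[-1]["msg"]} {raw.strip()}'.strip()
    return records

def summarize(text):
    """Return (offered mechanisms, Kerberos ticket verification failures)."""
    mechs, failures = [], []
    for rec in parse_records(text):
        oid = re.match(r"Got OID ([\d ]+)$", rec["msg"])
        if oid:
            dotted = ".".join(oid.group(1).split())
            mechs.append((dotted, MECH_NAMES.get(dotted, "unknown")))
        fail = re.match(r"ads_verify_ticket: krb5_rd_req with auth failed \((.+)\)$", rec["msg"])
        if fail:
            failures.append((rec["ts"], fail.group(1)))
    return mechs, failures
```

Run over the full log, `summarize` shows the client offering both Kerberos OIDs plus NTLMSSP, followed by a single ticket verification failure.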





