[Samba] Client accessing Samba doesn't authenticate against Active Directory

Brian Spiegel BSpiegel at Matchnet.com
Thu Nov 13 17:09:55 GMT 2003


| When a Windows client attempts to browse shares on a Samba 3.0 server
| authenticating against a Windows 2003 Active Directory domain, it
| requests credentials. Typing in user name and password fails

I am having this exact same issue.  Attached is a sample copy of my smb.conf
and krb5.conf along with some errors I got from the smbd logs (max debug
level).

smb.conf
----
[global]
        server string = Samba 3.0.0
        workgroup = DOMAIN
        hosts allow = 192.168.3. 127.
        security = ADS
        realm = DOMAIN.COM
        client use spnego = yes
        password server = ads.domain.com
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = no
        domain master = no
        preferred master = no
        domain logons = no
        name resolve order = host
        dns proxy = yes
 

[test]
        comment = Test Share
        path = /home/user/test
        read only = no
        browsable = yes
        writable = yes
        guest ok = yes

krb5.conf
----
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 

[realms]
  MATCHNET.COM = {
  kdc = ads.domain.com:88
  admin_server = ads.domain.com:749
  default_domain = domain.com
 }
 

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
 

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
 

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

smb log snippet
----
[2003/11/12 17:54:31, 10] passdb/secrets.c:secrets_named_mutex(697)
  secrets_named_mutex: got mutex for replay cache mutex
[2003/11/12 17:54:31, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/11/12 17:54:31, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2003/11/12 17:54:31, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/11/12 17:54:31, 10] passdb/secrets.c:secrets_named_mutex_release(709)
  secrets_named_mutex: released mutex for replay cache mutex
[2003/11/12 17:54:31, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/11/12 17:54:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/11/12 17:54:31, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2003/11/12 17:54:31, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


Anyone run into this as well?

Thanks,
Brian


-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Thursday, November 13, 2003 8:49 AM
To: Jonathan Johnson
Cc: samba at lists.samba.org
Subject: Re: [Samba] Client accessing Samba doesn't authenticate against
Active Directory


Jonathan Johnson wrote:
| When a Windows client attempts to browse shares on a Samba 3.0 server
| authenticating against a Windows 2003 Active Directory domain, it
| requests credentials. Typing in user name and password fails

Looks like you don't have the MIT krb5 1.3.1 libs or the
latest version of Heimdal (don't remember which version
you need...cvs development snapshot maybe).

| Output of smbclient -k -L license -UAdministrator at 3KINGS.LOCAL
| [2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
|   SMB Signature verification failed on incoming packet!
| session setup failed: Server packet had invalid SMB signature!
...
| -----
| Interesting lines of /var/log/samba/log.192.168.254.202:
|
| [2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|   Failed to verify incoming ticket!
|      (message is repeated twice)
|


cheers, jerry
- --
~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)

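Added example, not part of the thread and not Samba code: a small Python parser for the smbd debug-log excerpt posted above, which rejoins mail-wrapped lines and lists each encryption type `ads_verify_ticket` tried together with the Kerberos error it returned. The enctype names follow the IANA Kerberos numbering, and reading "Decrypt integrity check failed" as a wrong key is standard Kerberos error semantics, an assumption the thread itself does not state.

```python
import re

# Kerberos encryption type numbers (IANA registry); names are not from the thread.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}
HEADER = re.compile(r"^\[([\d/]+ [\d:]+), +\d+\] \S+:(\w+)\(\d+\)")
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Lines copied from the log snippet in the post, mail wrapping included.
SAMPLE = """\
[2003/11/12 17:54:31, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2003/11/12 17:54:31, 3] libads/kerberos_verify.c:ads_verify_ticket(310)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2003/11/12 17:54:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
"""

def records(text):
    """Yield (timestamp, function, message), rejoining wrapped message lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), ""]
        elif current and line.strip():
            current[2] = f"{current[2]} {line.strip()}".strip()
    if current:
        yield tuple(current)

def summarize(text):
    """Return ({enctype name: error}, ticket_rejected) for one log excerpt."""
    tried, rejected = {}, False
    for _ts, func, msg in records(text):
        m = ENC_FAIL.search(msg)
        if func == "ads_verify_ticket" and m:
            n = int(m.group(1))
            tried[ENCTYPES.get(n, f"enctype-{n}")] = m.group(2)
        elif "Failed to verify incoming ticket" in msg:
            rejected = True
    return tried, rejected

def key_mismatches(tried):
    """Enctypes whose key type fit the ticket but whose key failed to decrypt it."""
    return [e for e, err in tried.items() if "integrity check failed" in err]
```
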