[Samba] Samba 3.0 & Windows 2003 server ADS

Gavin Davenport gavdav at gavdav.demon.co.uk
Mon Oct 6 10:22:44 GMT 2003


Hi there

I'm having trouble getting winbindd working properly (I think).

My understanding is that winbindd uses a kerberos 5 session (with 2003
server) to authenticate the machine to ADS, before any users have logged in.
Then it uses that session ticket to authenticate all users of the smb
server.

Is that correct?

I can run kinit ok, and klist shows me a krb5 ticket (using a Domain
Administrator ID)
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at MYNETWORK.ISP.CO.UK

Valid starting     Expires            Service principal
10/06/03 10:05:23  10/06/03 20:05:23  krbtgt/MYNETWORK.ISP.CO.UK at MYNETWORK.ISP.CO.UK
10/06/03 10:16:20  10/06/03 20:05:23  bashful$@MYNETWORK.ISP.CO.UK
10/06/03 10:17:23  10/06/03 20:05:23  potato$@MYNETWORK.ISP.CO.UK

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Winbindd cannot appear to complete a secure dialog with ADS:

[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
  got principal=bashful$@MYNETWORK.ISP.CO.UK
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/10/06 10:51:19, 1] libsmb/smb_signing.c:signing_good(226)
  signing_good: SMB signature check failed on seq 1!
[2003/10/06 10:51:19, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_OK
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(226)
  failed anonymous session setup with NT_STATUS_OK
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_start_connection(1290)
  Connecting to host=BASHFUL
[2003/10/06 10:51:19, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 10.0.0.104 at port 445
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_spnego(635)
  Doing spnego session setup (blob length=117)
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 2 840 48018 1 2 2
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 2 840 113554 1 2 2
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 2 840 113554 1 2 2 3
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/10/06 10:51:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
  got principal=bashful$@MYNETWORK.ISP.CO.UK
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/10/06 10:51:19, 1] libsmb/smb_signing.c:signing_good(226)
  signing_good: SMB signature check failed on seq 1!
[2003/10/06 10:51:19, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_OK
[2003/10/06 10:51:19, 4] nsswitch/winbindd_cm.c:cm_open_connection(226)
  failed anonymous session setup with NT_STATUS_OK
<snip>

I'm now wondering how the winbind authenticates itself, as I can get wbinfo
to list me users and groups, but no clients can authenticate.

log of client attach:
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 48018 1 2 2
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 2 840 113554 1 2 2
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/10/06 10:39:07, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
  Got secblob of size 1224
[2003/10/06 10:39:07, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2003/10/06 10:39:07, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/10/06 10:39:07, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/10/06 10:39:07, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2003/10/06 10:39:07, 3] smbd/error.c:error_packet(109)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2003/10/06 10:39:07, 3] smbd/process.c:timeout_processing(1099)
  timeout_processing: End of file from client (client has disconnected).
[2003/10/06 10:39:07, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/10/06 10:39:07, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/10/06 10:39:07, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2003/10/06 10:39:07, 3] smbd/connection.c:yield_connection(75)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2003/10/06 10:39:07, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)

I suspect winbindd is bound to ADS as 'anonymous', which I imagine gives the
account read only and limited rights to do things.

Does winbindd need to authenticate to the PDC with a specific (krb5)
identity?
How do I set that up?

I can't successfully run kadmin
[root at potato samba]# kadmin
Authenticating as principal Administrator/admin at MYNETWORK.ISP.CO.UK with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

The only example I can find for creating a /etc/krb5.keytab is
http://mailman.mit.edu/pipermail/kerberos/2002-June/001055.html
which talks about the FTP service key.

Do I need to have a /etc/krb5.keytab file, and if so how do I create one ??

Anyone any help - I'm not sure if I have a winbind problem or a krb5
problem - somewhere in between ?

Gavin Davenport
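
Added example, not part of the original post or of Samba's code: a small triage parser for the Samba debug-log format quoted above, which rejoins mail-wrapped message lines and flags the two failures seen in the logs (the SMB signature check and the ticket decrypt error with its enctype). The finding labels and function names are made up for illustration; the enctype names are the standard Kerberos assignments.

```python
import re

# Constructed sample: records in the shape of the log excerpts in the post,
# including one message that the mail client wrapped onto a second line.
SAMPLE = """\
[2003/10/06 10:51:19, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/10/06 10:51:19, 1] libsmb/smb_signing.c:signing_good(226)
  signing_good: SMB signature check failed on seq 1!
[2003/10/06 10:39:07, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)$")
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt")
# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():  # indented or mail-wrapped continuation
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    return records

def classify(rec):
    """Return a finding label (hypothetical names) or None."""
    if rec["func"] == "signing_good" and "signature check failed" in rec["msg"]:
        return "smb-signing-failure"
    m = ENC_FAIL.search(rec["msg"])
    if rec["func"] == "ads_verify_ticket" and m:
        n = int(m.group(1))
        return f"ticket-decrypt-failure enctype={n} ({ENCTYPES.get(n, 'unknown')})"
    return None

def findings(text):
    return [(r["ts"], r["file"], f) for r in parse_records(text)
            if (f := classify(r))]

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```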




