[Samba] member server and kerberos

Thomas Constans thomas.constans at opendoor.fr
Wed Oct 20 09:49:48 GMT 2004


Hello,

I have finally set up the following configuration:
Debian testing / samba-3.07 member of a W2K Active Directory, security = ads

Now I am able to:
- list users and groups with wbinfo -u | -g

- authenticate domain users via pam_winbind

- list and connect to shares on the AD server with Kerberos (smbclient -k)

- list and connect to shares on the SAMBA server _from_samba_server_ (smbclient -k //SAMBA_SERVER/)

_BUT_ trying to connect to a Samba share from the AD server (net use *
\\SAMBA_SERVER\share) prompts me for a password, and the log gives me the
famous "failed to verify incoming ticket":

[2004/10/20 09:24:42, 3] smbd/server.c:exit_server(614)
  Server exit (process_smb: send_smb failed.)
[2004/10/20 09:24:42, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/10/20 09:24:42, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/10/20 09:24:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/20 09:24:42, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I have tried to play with the enc-types in krb5.conf, to no avail.

Here is my krb5.conf:
[libdefaults]
   default_realm = OPENDOOR.NET
[realms]
OPENDOOR.NET = {
   kdc = nicotine.opendoor.net:88
}

Output of klist -5e:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@OPENDOOR.NET

Valid starting     Expires            Service principal
10/20/04 11:40:14  10/20/04 21:40:14  krbtgt/OPENDOOR.NET@OPENDOOR.NET
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/20/04 11:40:33  10/20/04 21:40:14  melatonine$@OPENDOOR.NET   (samba server)
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/20/04 11:40:49  10/20/04 21:40:14  nicotine$@OPENDOOR.NET   (AD server)
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Installed packages:
Debian testing
samba 		3.0.7-1
samba-common 	3.0.7-1
libkrb53	1.3.4-4
krb5-user	1.3.4-4

Any idea?


-- 
-- Thomas Constans --

http://www.opendoor.fr
thomas.constans at opendoor.fr
04 78 68 17 34
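
The smbd log excerpt in the message above can be triaged mechanically. The following is an added example, not part of the original post and not Samba code: it regroups mail-wrapped smbd log lines into records and extracts the failed ticket decryptions with their Kerberos encryption type. The function names and the etype name table are assumptions of this example.

```python
import re

# Kerberos etype numbers (IANA-assigned) with names as accepted by MIT krb5.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
SOURCE = re.compile(r"(\S+\.c):(\w+)\((\d+)\)")
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
STATUS = re.compile(r"\bNT_STATUS_\w+")

# Log lines from the message above, wrapped the way a mail client wraps them.
SAMPLE_LOG = """\
[2004/10/20 09:24:42, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2004/10/20 09:24:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/20 09:24:42, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """A '[time, level]' header starts a record; other non-empty lines continue it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)), "raw": m.group(3)})
        elif records and line.strip():
            records[-1]["raw"] = (records[-1]["raw"] + " " + line.strip()).strip()
    for r in records:
        src = SOURCE.search(r["raw"])  # first "file.c:function(line)" is the log source
        r["func"] = src.group(2) if src else None
        r["msg"] = r["raw"][src.end():].strip() if src else r["raw"]
    return records

def kerberos_failures(text):
    """Return (failed ticket decryptions, NT_STATUS codes) found in an smbd log."""
    records = parse_records(text)
    failures = []
    for r in records:
        m = ENC_FAIL.search(r["msg"])
        if m:
            n = int(m.group(1))
            failures.append({"time": r["time"], "func": r["func"], "etype": n,
                             "etype_name": ETYPES.get(n, "unknown"), "error": m.group(2)})
    statuses = [s for r in records for s in STATUS.findall(r["msg"])]
    return failures, statuses
```

Etype 23 is the same ArcFour with HMAC/MD5 type that klist reports for the service tickets, so the log and the ticket cache agree on the encryption type in use.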


