[Samba] "Failed to verify incoming ticket!" with Windows 2003 Server

Rodolfo Broco Manin rodolfo at ime.unicamp.br
Sat May 5 23:10:02 GMT 2007


Hi, all!

I have the following environment here:

- A Windows 2000 domain, with one server running Windows 2003 Server
- A kerberos realm, using MIT Kerberos
- A samba server, with security=ads

The Windows 2003 server has a trust relationship with the MIT Kerberos
realm.  Users log on to that Kerberos realm from their Windows workstations,
and are supposed to have access to the shares on the samba server.

All of it was working perfectly until some weeks ago, when the samba
server had a hardware failure.  The OS was re-installed (Fedora Core 6)
and the server was re-joined to the Windows domain, but now, when the users
try to access the shares, they get a window asking for username and
password, and the following appears in samba's log:

--------------------------------------------------------------------------

[2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex(779)
  secrets_named_mutex: got mutex for replay cache mutex
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Bad encryption type
[2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex_release(791)
  secrets_named_mutex: released mutex for replay cache mutex
[2007/05/05 19:42:53, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2007/05/05 19:42:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2007/05/05 19:42:53, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

--------------------------------------------------------------------------

I also tried using a samba server that was compiled against Heimdal
kerberos, but the result was the same.

I tried to generate the Windows server's keytab entry with 'ktpass' and
import it into the samba server's keytab (setting "use kerberos keytab = yes" in
smb.conf), but the problem remains.

When I try to access the samba share via smbclient, I get:

--------------------------------------------------------------------------
smbclient -k //server/share

Doing spnego session setup (blob length=117)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/xxx.ime.unicamp.br at IME.UNICAMP.BR
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
Sun, 06 May 2007 05:53:09 BRT
ads_krb5_mk_req: Ticket (cifs/xxx.ime.unicamp.br at IME.UNICAMP.BR) in ccache
(FILE:/tmp/krb5cc_0) is valid until: (Sun, 06 May 2007 05:53:09 BRT -
1178441589)
Got KRB5 session key of length 16
write_socket(5,1364)
write_socket(5,1364) wrote 1364
read_socket_with_timeout: timeout read. EOF from client.
receive_smb_raw: length < 0!
client_receive_smb failed
size=0

--------------------------------------------------------------------------

and a "login failed" message.  After the attempt, the following principals are
cached:

Valid starting     Expires            Service principal
05/05/07 19:53:04  05/06/07 19:53:03  krbtgt/ROOT.IME.UNICAMP.BR at ROOT.IME.UNICAMP.BR
05/05/07 19:53:09  05/06/07 19:53:03  krbtgt/IME.UNICAMP.BR at ROOT.IME.UNICAMP.BR
05/05/07 19:53:09  05/06/07 05:53:09  cifs/xxx.ime.unicamp.br at IME.UNICAMP.BR

The only way our users can access the shares on the samba server is by logging
in to the Windows 2003 domain.

Googling around, I found various issues concerning incompatibilities
between Windows 2003 and samba/Kerberos tickets.  I tried various
suggestions - such as forcing the samba server's computer account on
Windows 2003 to use only DES encryption, mapping the computer account to a
user account, and so on - but none of them worked for me.

Any ideas?

(sorry for the long e-mail - and my bad English)

Thanks in advance!

Rodolfo
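An added diagnostic script (my own code, not part of Rodolfo's post and not Samba's own tooling) that parses the smbd log and the klist output quoted above and summarises what they show: which key types smbd tried against the incoming ticket, the NT status it returned, and which realm issued the cifs/ service ticket. The sample inputs are copied from the post (abridged, with the mail wrapping kept); the enctype number table follows RFC 3961 / RFC 4757; the function and class names are my own.

```python
# Added diagnostic helper (not from the original mailing-list post).
# Parses an smbd debug log and klist output and reports the evidence
# relevant to a "Failed to verify incoming ticket!" failure.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Kerberos encryption-type numbers as assigned in RFC 3961 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Constructed sample: the log records quoted in the post, abridged, with the
# line wrapping introduced by the mail client left in place.
SAMBA_LOG = """\
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Bad encryption type
[2007/05/05 19:42:53, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2007/05/05 19:42:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2007/05/05 19:42:53, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# Constructed sample: the klist output from the post ("@" was rendered as " at ").
KLIST_OUTPUT = """\
Valid starting     Expires            Service principal
05/05/07 19:53:04  05/06/07 19:53:03
krbtgt/ROOT.IME.UNICAMP.BR at ROOT.IME.UNICAMP.BR
05/05/07 19:53:09  05/06/07 19:53:03
krbtgt/IME.UNICAMP.BR at ROOT.IME.UNICAMP.BR
05/05/07 19:53:09  05/06/07 05:53:09  cifs/xxx.ime.unicamp.br at IME.UNICAMP.BR
"""


def _unwrap(text: str) -> str:
    """Join mail-wrapped lines so each multi-line record matches as one string."""
    return " ".join(line.strip() for line in text.splitlines() if line.strip())


@dataclass
class VerifyResult:
    attempts: List[Tuple[int, str]] = field(default_factory=list)  # (enctype, error)
    ticket_verify_failed: bool = False
    nt_status: Optional[str] = None


def parse_samba_log(text: str) -> VerifyResult:
    """Extract every decrypt attempt, the verify verdict and the NT status."""
    flat = _unwrap(text)
    result = VerifyResult()
    # The error text runs up to the next "[YYYY/MM/DD" record header (or the end).
    pattern = r"enc type \[(\d+)\] failed to decrypt with error (.+?)(?= \[\d{4}/\d\d/\d\d|$)"
    for num, err in re.findall(pattern, flat):
        result.attempts.append((int(num), err.strip()))
    result.ticket_verify_failed = "Failed to verify incoming ticket!" in flat
    m = re.search(r"\b(NT_STATUS_[A-Z_]+)\b", flat)
    result.nt_status = m.group(1) if m else None
    return result


@dataclass
class Ticket:
    service: str  # e.g. "cifs/xxx.ime.unicamp.br"
    realm: str    # realm that issued the ticket

    @property
    def cross_realm(self) -> bool:
        # krbtgt/<other realm>@<realm> is a cross-realm TGT.
        return self.service.startswith("krbtgt/") and self.service.split("/", 1)[1] != self.realm


def parse_klist(text: str) -> List[Ticket]:
    """Parse klist rows; accepts both "svc@REALM" and the mail-mangled "svc at REALM"."""
    flat = _unwrap(text)
    stamp = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
    rows = re.findall(rf"({stamp})\s+({stamp})\s+(\S+?)(?:@| at )(\S+)", flat)
    return [Ticket(service, realm) for _, _, service, realm in rows]


def diagnose(log: VerifyResult, tickets: List[Ticket]) -> List[str]:
    """Turn the parsed evidence into the checks an administrator would run next."""
    findings = []
    if log.attempts and all(err == "Bad encryption type" for _, err in log.attempts):
        tried = ", ".join(f"{ENCTYPE_NAMES.get(n, 'unknown')} ({n})" for n, _ in log.attempts)
        findings.append(f"no key held by smbd decrypted the service ticket; key types tried: {tried}")
    svc = next((t for t in tickets if t.service.startswith("cifs/")), None)
    if svc:
        findings.append(f"service ticket {svc.service}@{svc.realm} was issued by realm {svc.realm}; "
                        f"smbd needs the key that realm's KDC holds for {svc.service}, in the ticket's enctype")
    hops = [t for t in tickets if t.cross_realm]
    if hops:
        findings.append("cross-realm TGT(s) present: " + ", ".join(f"{t.service}@{t.realm}" for t in hops))
    if log.ticket_verify_failed:
        findings.append(f"smbd rejected the session setup with {log.nt_status}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_samba_log(SAMBA_LOG), parse_klist(KLIST_OUTPUT)):
        print("-", line)
```

Run it as-is and it prints the findings for the quoted samples. The check it points at is comparing the enctypes in the "failed to decrypt" lines with what `klist -ke` (MIT Kerberos) shows for the keytab on the Samba host: the cifs/ ticket in the cache carries the realm IME.UNICAMP.BR, so the key that has to match is the one the MIT KDC holds for cifs/xxx.ime.unicamp.br in that realm, and if no key for that principal in the ticket's enctype is available to smbd, every attempt returns "Bad encryption type".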
