[Samba] Kerberos verfy ticket failed
Aaron Rosenblum
arosenbl at mac.com
Wed Aug 11 22:37:58 GMT 2004
I am having this problem as well. In my case, "wbinfo -t" fails. My
kerberos version is 1.3.1 (MIT) and my config file is very minimal:
[libdefaults]
ticket_lifetime = 600
dns_fallback = no
[realms]
SUBDOMAIN.DOMAIN.EDU = {
kdc = myserver1.subdomain.domain.edu.:88
admin_server = myserver1.subdomain.domain.edu.
}
I see these messages in the smbd log:
[2004/07/25 10:19:16, 0]
/SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
reply_sesssetup_and_X(645)
reply_sesssetup_and_X: Rejecting attempt at SPNEGO session setup
when it was not negoitiated.
[2004/07/29 16:33:54, 1]
/SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2004/07/29 17:03:09, 2]
/SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
setup_new_vc_session(591)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/07/29 17:03:09, 1]
/SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:
ads_verify_ticket(203)
ads_verify_ticket: failed to fetch machine password
On Aug 11, 2004, at 3:36 AM, Christoph Scheeder wrote:
> Hi,
> what's in your krb.conf?
> AFAIR it should be realy minimalistic. (in fact mine doesn't even
> exist,
> but i'm using a win2k server, not win2k3)
> espacialy there shouldn't be settings for default encryption types.
> Some persons reported these to produce problems.
> And you definitly need a kerberos-version >=1.3.3 if you use
> MIT-kerberos to get it working.
> Hope it helps.
> Christoph
>
> Raphael RIGNIER schrieb:
>
>> Hello list.
>> I've got a problem using samba-3.0.4 (RedHat AS 3.0)
>> the server is member of a Win2003 Active directory domain
>> All stuff about krb5 seems to work correctly
>> kinit user at REALM
>> klist
>> etc...
>> net ads join -U administrator has worked well too
>> But when any Windows client member of the domain try to connect to the
>> server it asks me for a user/pass.
>> here is the log.
>> [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>> wct=12 flg2=0xc807
>> [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would
>> close
>> all old resources.
>> [2004/08/10 18:56:42, 3]
>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>> Doing spnego session setup
>> [2004/08/10 18:56:42, 3]
>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>> NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
>> PrimaryDomain=[]
>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>> Got OID 1 2 840 48018 1 2 2
>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>> Got OID 1 2 840 113554 1 2 2
>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>> Got OID 1 3 6 1 4 1 311 2 2 10
>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>> Got secblob of size 1191
>> [2004/08/10 18:56:42, 3]
>> libads/kerberos_verify.c:ads_verify_ticket(185)
>> ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
>> integrity check failed
>> [2004/08/10 18:56:43, 3]
>> libads/kerberos_verify.c:ads_verify_ticket(193)
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption
>> type)
>> [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
>> Failed to verify incoming ticket!
>> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
>> error string = Aucun fichier ou répertoire de ce type
>> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
>> error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
>> NT_STATUS_LOGON_FAILURE
>> [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
>> timeout_processing: End of file from client (client has
>> disconnected).
>> [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
>> Closing connections
>> [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
>> Yielding connection to [2004/08/10 18:56:44, 3]
>> smbd/connection.c:yield_connection(76)
>> yield_connection: tdb_delete for name failed with error Record does
>> not exist.
>> [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
>> Server exit (normal exit)
>> I'm not sure it's due to Win2k3 server because enc type [3] is
>> des-cbc-md5.
>> I definitiveley Don't know what's wrong!
>> I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
>> without success.
>> Any help would be appretciated.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list