Unable to authenticate with security=ADS

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt.zinkevicius at hp.com
Wed Nov 13 06:01:02 GMT 2002


Howdy gang,
I am trying to use samba 3.0 to authenticate using kerberos/ldap to my ADS
server. It's not working. I am mostly going by tridge's ADS-HOWTO.

My Setup:
- Win2k ADS server (dc-native.home.sln)
- Realm name is HOME.SLN
- Linux running samba 3.0alpha21cvs from a couple days ago
(charlie.home.sln)
  - MIT kerberos5 1.2.6
  - OpenLDAP 2.1.5
- krb5.conf and smb.conf are attached

Here is what I am doing:

1. Start smbd/nmbd
2. Run "kdestroy" to empty the ticket cache
3. Run "net ads join -UAdministrator". It says it joined the realm
successfully.
4. Run "klist" (not "klist tickets" as mentioned in the HOWTO which errors
out)

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at HOME.SLN

Valid starting     Expires            Service principal
11/12/02 21:49:53  11/13/02 07:49:53  krbtgt/HOME.SLN at HOME.SLN
11/12/02 21:49:53  11/13/02 07:49:53  dc-native$@HOME.SLN
11/12/02 21:49:55  11/13/02 07:49:53  kadmin/changepw at HOME.SLN

5. Attempt to connect to a share from the dc-native box, which requests a
password :-(

The interesting (at least to me) part of log.smbd is:

[2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
  Doing spnego session setup
[2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 2 840 48018 1 2 2
[2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
  Got secblob of size 1339
[2002/11/12 21:50:38, 3] libads/kerberos_verify.c:ads_verify_ticket(125)
  krb5_rd_req with auth failed (Decrypt integrity check failed)
[2002/11/12 21:50:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
  Failed to verify incoming ticket!
[2002/11/12 21:50:38, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2002/11/12 21:50:38, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(136) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

Anybody have any idea what I am doing wrong? Full level 10 log available if
that helps.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions
Hewlett-Packard


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 745 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20021113/9d43277a/smb.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.conf
Type: application/octet-stream
Size: 57 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20021113/9d43277a/krb5.obj

