Unable to authenticate with security=ADS

José Alberto Patiño Limón jalbertop at aranea.com.mx
Wed Nov 13 19:05:24 GMT 2002


On Tue, 2002-11-12 at 23:59, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> Howdy gang,
> I am trying to use samba 3.0 to authenticate using kerberos/ldap to my ADS
> server. It's not working. I am mostly going by tridge's ADS-HOWTO.
> 
> My Setup:
> - Win2k ADS server (dc-native.home.sln)
> - Realm name is HOME.SLN
> - Linux running samba 3.0alpha21cvs from a couple days ago
> (charlie.home.sln)
>   - MIT kerberos5 1.2.6
>   - OpenLDAP 2.1.5
> - krb5.conf and smb.conf are attached
> 
> Here is what I am doing:
> 
> 1. Start smbd/nmbd
> 2. Run "kdestroy" to empty the ticket cache
> 3. Run "net ads join -UAdministrator". It says it joined the realm
> successfully.
> 4. Run "klist" (not "klist tickets" as mentioned in the HOWTO which errors
> out)
> 
Did you try running net ads join first and starting the smbd and nmbd
daemons afterwards?

Try it. But now use net ads leave first to delete the computer account
in AD.

> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@HOME.SLN
> 
> Valid starting     Expires            Service principal
> 11/12/02 21:49:53  11/13/02 07:49:53  krbtgt/HOME.SLN@HOME.SLN
> 11/12/02 21:49:53  11/13/02 07:49:53  dc-native$@HOME.SLN
> 11/12/02 21:49:55  11/13/02 07:49:53  kadmin/changepw@HOME.SLN
> 
> 5. Attempt to connect to a share from the dc-native box, which requests a
> password :-(
> 
> The interesting (at least to me) part of log.smbd is:
> 
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
>   Doing spnego session setup
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 2 840 48018 1 2 2
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
>   Got secblob of size 1339
> [2002/11/12 21:50:38, 3] libads/kerberos_verify.c:ads_verify_ticket(125)
>   krb5_rd_req with auth failed (Decrypt integrity check failed)
> [2002/11/12 21:50:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
>   Failed to verify incoming ticket!
> [2002/11/12 21:50:38, 3] smbd/error.c:error_packet(94)
>   error string = No such file or directory
> [2002/11/12 21:50:38, 3] smbd/error.c:error_packet(113)
>   error packet at smbd/sesssetup.c(136) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> 
> Anybody have any idea what I am doing wrong? Full level 10 log available if
> that helps.
> 
> Matt Zinkevicius
> Software Engineer
> Network Storage Array Solutions
> Hewlett-Packard
> 
> 
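
Added example (not part of either message, and not Samba project code): a small Python parser for the log.smbd excerpt quoted above. It pairs each header line with its message lines and reports the SPNEGO mechanisms the client offered, the Kerberos verification error, and the resulting NT status. The sample log is copied from the thread; the mechanism names for the two OIDs are the standard ones and do not come from the thread.

```python
import re

# Constructed sample: entries copied from the log.smbd excerpt quoted in this thread.
SAMPLE_LOG = """\
[2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 2 840 48018 1 2 2
[2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2002/11/12 21:50:38, 3] libads/kerberos_verify.c:ads_verify_ticket(125)
  krb5_rd_req with auth failed (Decrypt integrity check failed)
[2002/11/12 21:50:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
  Failed to verify incoming ticket!
[2002/11/12 21:50:38, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(136) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# Standard names for the two mechanism OIDs in the excerpt (names are not from the thread).
MECHS = {"1.2.840.48018.1.2.2": "MS-KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Header shape: [timestamp, debuglevel] source_file:function(line)
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)\s*$")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({"ts": m[1], "level": int(m[2]), "func": m[4], "msg": []})
        elif entries and raw.strip():
            entries[-1]["msg"].append(raw.strip())
    return entries

def summarize(entries):
    """Report offered SPNEGO mechanisms, Kerberos verify errors and the final NT status."""
    out = {"mechs": [], "krb5_errors": [], "status": None}
    for e in entries:
        for line in e["msg"]:
            if e["func"] == "reply_spnego_negotiate" and line.startswith("Got OID "):
                oid = ".".join(line.split()[2:])  # "1 2 840 ..." -> "1.2.840...."
                out["mechs"].append(MECHS.get(oid, oid))
            elif e["func"] == "ads_verify_ticket" and "failed" in line:
                out["krb5_errors"].append(line)
            elif line.startswith("NT_STATUS_"):
                out["status"] = line
    return out

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```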








