inconsistent drive mappings + many other errors

Grimes, David david.grimes at belointeractive.com
Thu Jul 15 17:23:13 GMT 2004


Thanks for the reply. 
AD server and samba box are running off the same time server and have a
precision of 12 usec's. Do you suggest the Kerberos problem is between the
samba and AD box or between the client and the samba box? If it were the
samba and AD I would assume all auth attempts would fail not just those from
2000 clients. I'm also not so sure that there is any Kerberos done between
the client and the samba server... please correct me if I am wrong. 
Also if there is ANY other info that I should provide to help in diagnosing
these please let me know.
As far as the network hardware the few machines that are using the samba box
are new dells with Intel GbE cards and a brand spankin new Cisco 5600 
Any how I appreciate the response. I've included krb5.conf below are these
encryption settings correct?

[libdefaults]
 ticket_lifetime = 24000
 default_realm = BELOCORP.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

Thanks!
DG
-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Thursday, July 15, 2004 12:09 PM
To: Grimes, David
Cc: samba-technical at lists.samba.org
Subject: Re: inconsistent drive mappings + many other errors

On Thu, Jul 15, 2004 at 11:34:17AM -0500, Grimes, David wrote:
> I have searched the web and mailing lists for a couple weeks on this one
and
> have come up empty handed on this one, I appreciate and thoughts or
> insights. Or ideas. Or suggestions. Or comments. Empathy is welcome....
> We have recently migrated to an 2003 AD and I have been tasked with
> upgrading the samba servers to 3.0. I've received new hardware (Dell 2650)
> and slapped ES 3.0 with all the latest updates. As it stands we have
problem
> with 2000 machines being unable to access shares (authentication fails)
> using the UNC. They can however open the share and authenticate
successfully
> by IP. If I tail the log on the samba server I get these errors....
> [2004/07/15 10:21:52, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!

Ok, you have a kerberos problem. Common problems here are wrong enc type,
and clock skew. Not enough info in this message to diagnose.

> Users on XP don't exhibit this problem. However, we all have an
intermittent
> problem getting a drive mapped on log in. Sometimes it just doesn't show
up.
> If we  log out and back in then the drive gets mapped. Tailing the logs
> shows this error in /var/log/messages..
> Jul 15 11:16:17 bifs2 pam_winbind[19990]: user 'ADDOMAIN+aduser' granted
> acces
> Jul 15 11:16:17 bifs2 pam_winbind[19990]: pam_parse: unknown option;
> service=system-auth
> Jul 15 11:16:52 bifs2 smbd[19991]: [2004/07/15 11:16:52, 0]
> lib/util_sock.c:get_peer_addr(952) 
> Jul 15 11:16:52 bifs2 smbd[19991]:   getpeername failed. Error was
Transport
> endpoint is not connected 
> Jul 15 11:16:52 bifs2 smbd[19991]: [2004/07/15 11:16:52, 0]
> lib/util_sock.c:write_socket_data(388) 
> Jul 15 11:16:52 bifs2 smbd[19991]:   write_socket_data: write failure.
Error
> = Connection reset by peer 

Looks like clients dropping connections. Check your network hardware.

Jeremy.


More information about the samba-technical mailing list