Cross Realm SMB Signature Failure

Dave Daugherty dave.daugherty at centrify.com
Fri May 4 17:20:48 GMT 2007


From: Michael B Allen [mailto:mba2000 at ioplex.com] Friday, May 04, 2007
8:19 

> Yeah. Maybe the MIT ticket is a little different (e.g. no PAC) and the
> server code isn't trying hard enough to come up with a good session
key
> or it's using the wrong session key.

>> Are you running the latest MIT Kerberos libraries?

> Eah, 1.3.4 shipped with CentOS 4.4. Could be newer I suppose.

> I just installed SP2 + SP2 update on the target Windows server. It had
> no effect.

> Mike

This is throwing spaghetti against the wall to see if it will stick... 

I know there have been some Windows compatibility improvements in recent
versions of MIT Kerberos (such as TCP support for password changes). So
upgrading it may help you avoid other problems, but...

More spaghetti: Any chance of trying Heimdal Kerberos?

When I ran into this problem, only Windows Kerberos was in play. So
chances are good it has nothing to do with Kerberos at all.

You might also try enabling NetLogon debugging on the windows side and
then playing around with ntlmauth to see if any clues come up in the
windows log files

http://support.microsoft.com/kb/109626

Running out of ideas fast...

Dave



More information about the samba-technical mailing list