Samba refusing connection after machine account password change

Andrew Bartlett abartlet at samba.org
Tue Apr 5 16:46:02 MDT 2011


On Thu, 2011-03-24 at 14:40 +0800, jinyunshuai wrote:
> Hi all,
>  
> Description:
> Samba share  is refusing a connection after the machine password has been changed.
>  
> log.smbd:
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
>   ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
> [2011/03/23 17:41:18,  3] libads/kerberos_verify.c:ads_verify_ticket(477)
>   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
>   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
> [2011/03/23 17:41:18,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2011/03/23 17:41:18,  3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>  
> I have already set  following options:
> use kerberos keytab = Yes
>  
> Can somebody tell me  how to make samba work well after machine account password change?

I'm adding Kerberos tests to Samba3 at the moment, and I'll add one for
this.  When you don't use this option, it only happens for encrypted RPC
pipes.  I think we just need to sort out our keytab generation code. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



More information about the samba-technical mailing list