Samba refusing connection after machine account password change
Andrew Bartlett
abartlet at samba.org
Tue Apr 5 16:46:02 MDT 2011
On Thu, 2011-03-24 at 14:40 +0800, jinyunshuai wrote:
> Hi all,
>
> Description:
> Samba share is refusing a connection after the machine password has been changed.
>
> log.smbd:
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
> ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
> [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_verify_ticket(477)
> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
> ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
> [2011/03/23 17:41:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2011/03/23 17:41:18, 3] smbd/error.c:error_packet_set(61)
> error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
> I have already set following options:
> use kerberos keytab = Yes
>
> Can somebody tell me how to make samba work well after machine account password change?
I'm adding Kerberos tests to Samba3 at the moment, and I'll add one for
this. When you don't use this option, it only happens for encrypted RPC
pipes. I think we just need to sort out our keytab generation code.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list