Samba refusing connection after machine account password change
Andrew Bartlett
abartlet at samba.org
Tue Apr 5 21:43:05 MDT 2011
On Wed, 2011-04-06 at 08:46 +1000, Andrew Bartlett wrote:
> On Thu, 2011-03-24 at 14:40 +0800, jinyunshuai wrote:
> > Hi all,
> >
> > Description:
> > Samba share is refusing a connection after the machine password has been changed.
> >
> > log.smbd:
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
> > [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
> > ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
> > [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_verify_ticket(477)
> > ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
> > ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
> > [2011/03/23 17:41:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
> > Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> > [2011/03/23 17:41:18, 3] smbd/error.c:error_packet_set(61)
> > error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> >
> > I have already set following options:
> > use kerberos keytab = Yes
> >
> > Can somebody tell me how to make samba work well after machine account password change?
>
> I'm adding Kerberos tests to Samba3 at the moment, and I'll add one for
> this. When you don't use this option, it only happens for encrypted RPC
> pipes. I think we just need to sort out our keytab generation code.

I've fixed this for the default case, but adding tests for your case
will be more difficult. A code inspection seems to indicate that this
should work however, and it seems you are not running the most recent
code in any case.

Can you let me know exactly what version of Samba you are using?

If you can try again (including rejoining the domain or running 'net
changetrustpw') with Samba master from GIT then I'm pretty sure this
will just work.

If you do need the semantics of 'use kerberos keytab = Yes' then you
will need to set 'kerberos method = system keytab'.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
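
An added example, not part of the original thread or of Samba: a small Python triage script for level-10 log.smbd output like that quoted above. It groups keytab verification attempts by principal and singles out the entries that failed for a reason other than "Wrong principal in request", on the assumption that those are the entries whose name matched the ticket and whose key should be compared with the machine account's current key. The sample log, host name and realm are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the level-10 log.smbd layout quoted in the thread.
SAMPLE_LOG = """\
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host1$@EXAMPLE.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/host1.example.test at EXAMPLE.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/host1 at EXAMPLE.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/host1.example.test@EXAMPLE.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
"""

# One keytab attempt: principal in parentheses, Kerberos error text after "failed:".
ATTEMPT = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\((?P<princ>[^)]+)\) failed: (?P<err>.+?)\s*$"
)
WRONG_PRINC = "Wrong principal in request"


def summarize(log_text):
    """Return {principal: Counter({error text: count})} for every keytab attempt."""
    per_princ = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)  # search() also tolerates "> > " mail quoting
        if m:
            # Mail archives often rewrite '@' as ' at '; undo that for grouping.
            princ = m.group("princ").replace(" at ", "@")
            per_princ[princ][m.group("err")] += 1
    return dict(per_princ)


def name_matched(summary):
    """Principals that failed for some reason other than a name mismatch."""
    return sorted(p for p, errs in summary.items()
                  if any(e != WRONG_PRINC for e in errs))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for princ in sorted(summary):
        print(princ, dict(summary[princ]))
    print("inspect keytab entries for:", name_matched(summary))
```
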