Samba refusing connection after machine account password change

jinyunshuai jinyunshuai at 126.com
Tue Apr 5 22:37:17 MDT 2011




Thanks for the reply,

The version of Samba I am using is samba-3.3.9.

Is this a bug in samba-3.3.9? (Is there some method to fix it, as 3.3.9 has no 'kerberos method' option?)

I have tried with samba-3.5.4 and with the setting

 'kerberos method = system keytab'.

It works well.

Now I have a question: when I use the setting

'kerberos method = secrets and keytab'

Samba refuses the connection again.

 

According to smb.conf

secrets and keytab - use the secrets.tdb first, then the system keytab

system keytab - use only the system keytab for ticket verification

So I think that with the setting 'kerberos method = secrets and keytab'

it should work well too?

Thanks
At 2011-04-06 11:43:05,"Andrew Bartlett" <abartlet at samba.org> wrote:

>On Wed, 2011-04-06 at 08:46 +1000, Andrew Bartlett wrote:
>> On Thu, 2011-03-24 at 14:40 +0800, jinyunshuai wrote:
>> > Hi all,
>> >  
>> > Description:
>> > Samba share is refusing a connection after the machine password has been changed.
>> >  
>> > log.smbd:
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> >   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
>> >   ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
>> > [2011/03/23 17:41:18,  3] libads/kerberos_verify.c:ads_verify_ticket(477)
>> >   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
>> >   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
>> > [2011/03/23 17:41:18,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>> >   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> > [2011/03/23 17:41:18,  3] smbd/error.c:error_packet_set(61)
>> >   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>> >  
>> > I have already set the following options:
>> > use kerberos keytab = Yes
>> >  
>> > Can somebody tell me how to make samba work well after machine account password change?
>> 
>> I'm adding Kerberos tests to Samba3 at the moment, and I'll add one for
>> this.  When you don't use this option, it only happens for encrypted RPC
>> pipes.  I think we just need to sort out our keytab generation code. 
>
>I've fixed this for the default case, but adding tests for your case
>will be more difficult.  A code inspection seems to indicate that this
>should work however, and it seems you are not running the most recent
>code in any case. 
>
>Can you let me know exactly what version of Samba you are using?
>
>If you can try again (including rejoining the domain or running 'net
>changetrustpw') with Samba master from GIT then I'm pretty sure this
>will just work.  
>
>If you do need the semantics of 'use kerberos keytab = Yes' then you
>will need to set 'kerberos method = system keytab'.
>
>Andrew Bartlett
>-- 
>Andrew Bartlett                                http://samba.org/~abartlet/
>Authentication Developer, Samba Team           http://samba.org
>
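
An added example, not part of the original thread or of Samba's code: a small parser that tallies the `ads_keytab_verify_ticket` failures from a level-10 log.smbd by principal and reason, so the one entry that did not fail on a name mismatch stands out from the rest. It assumes that any reason other than "Wrong principal in request" marks a keytab entry whose name matched the ticket but whose key could not be used; the function names are hypothetical and the sample lines follow the log format quoted above.

```python
import re
from collections import Counter

# Sample lines in the log.smbd format quoted in this thread. The list archive
# rewrites "@" as " at " in some principals, so both forms are accepted.
SAMPLE_LOG = """\
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
"""

FAIL_RE = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\((?P<princ>.+?)\) failed: (?P<reason>.+)$"
)
TOTAL_RE = re.compile(r"krb5_rd_req failed for all (\d+) matched keytab principals")
WRONG_PRINC = "Wrong principal in request"


def summarize(log_text):
    """Return (Counter keyed by (principal, reason), total entries tried or None)."""
    failures = Counter()
    total = None
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            princ = m.group("princ").replace(" at ", "@")  # undo archive obfuscation
            failures[(princ, m.group("reason").strip())] += 1
            continue
        t = TOTAL_RE.search(line)
        if t:
            total = int(t.group(1))
    return failures, total


def name_matched_entries(failures):
    """Principals that failed for a reason other than a name mismatch (assumed
    to be the keytab entries worth comparing against the current machine key)."""
    return sorted({p for (p, reason) in failures if reason != WRONG_PRINC})
```
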

