Samba refusing connection after machine account password change
jinyunshuai
jinyunshuai at 126.com
Tue Apr 5 22:37:17 MDT 2011
Thanks for the reply.
The version of Samba I am using is samba-3.3.9.
Is this a bug in samba-3.3.9? (Is there some method to fix it, as 3.3.9 has no 'kerberos method' option?)
I have tried samba-3.5.4 with the setting
'kerberos method = system keytab',
and it works well.
Now I have a question: when I set
'kerberos method = secrets and keytab',
Samba refuses the connection again.
According to smb.conf:
secrets and keytab - use the secrets.tdb first, then the system keytab
system keytab - use only the system keytab for ticket verification
So I think that with the setting 'kerberos method = secrets and keytab'
it should work well too?
Thanks
At 2011-04-06 11:43:05,"Andrew Bartlett" <abartlet at samba.org> wrote:
>On Wed, 2011-04-06 at 08:46 +1000, Andrew Bartlett wrote:
>> On Thu, 2011-03-24 at 14:40 +0800, jinyunshuai wrote:
>> > Hi all,
>> >
>> > Description:
>> > Samba share is refusing a connection after the machine password has been changed.
>> >
>> > log.smbd:
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
>> > ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
>> > [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
>> > ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
>> > [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_verify_ticket(477)
>> > ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>> > [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
>> > ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
>> > [2011/03/23 17:41:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>> > Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> > [2011/03/23 17:41:18, 3] smbd/error.c:error_packet_set(61)
>> > error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>> >
>> > I have already set following options:
>> > use kerberos keytab = Yes
>> >
>> > Can somebody tell me how to make samba work well after machine account password change?
>>
>> I'm adding Kerberos tests to Samba3 at the moment, and I'll add one for
>> this. When you don't use this option, it only happens for encrypted RPC
>> pipes. I think we just need to sort out our keytab generation code.
>
>I've fixed this for the default case, but adding tests for your case
>will be more difficult. A code inspection seems to indicate that this
>should work however, and it seems you are not running the most recent
>code in any case.
>
>Can you let me know exactly what version of Samba you are using?
>
>If you can try again (including rejoining the domain or running 'net
>changetrustpw') with Samba master from GIT then I'm pretty sure this
>will just work.
>
>If you do need the semantics of 'use kerberos keytab = Yes' then you
>will need to set 'kerberos method = system keytab'.
>
>Andrew Bartlett
>--
>Andrew Bartlett http://samba.org/~abartlet/
>Authentication Developer, Samba Team http://samba.org
>
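
A triage sketch for the log.smbd excerpt quoted in this thread, added here as an example (not code from Samba or from either poster): it groups the `ads_keytab_verify_ticket` failures by principal and separates plain non-matches from errors on the other keytab entries. The function name `triage`, the sample log, and the reading of "Wrong principal in request" as a non-match are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the log.smbd excerpt in this thread; one
# principal appears both with '@' and with the archive's ' at ' rewriting.
SAMPLE_LOG = """\
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build@ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test@ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 4 matched keytab principals
"""

FAIL_RE = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\((?P<princ>.+?)\) failed: (?P<err>.+?)\s*$")
SUMMARY_RE = re.compile(r"failed for all (\d+) matched keytab principals")
# Assumption of this example: this error only says the keytab entry is not the
# service the ticket was issued for, so it is not evidence of a bad key.
NON_MATCH = "Wrong principal in request"

def triage(log_text):
    """Group keytab verification failures by principal and error string."""
    per_princ = defaultdict(Counter)
    tried = None
    for line in log_text.splitlines():
        line = line.lstrip("> \t")  # tolerate mail-quoting prefixes
        m = FAIL_RE.search(line)
        if m:
            # Undo the list archive's '@' -> ' at ' rewriting before grouping.
            princ = m.group("princ").replace(" at ", "@")
            per_princ[princ][m.group("err")] += 1
            continue
        m = SUMMARY_RE.search(line)
        if m:
            tried = int(m.group(1))
    # Entries with any other error are the ones to check against current keys.
    suspects = {p: sorted(e for e in errs if e != NON_MATCH)
                for p, errs in per_princ.items()
                if any(e != NON_MATCH for e in errs)}
    return {"tried": tried, "suspects": suspects,
            "per_principal": {p: dict(c) for p, c in per_princ.items()}}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```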