Samba refusing connection after machine account password change
Sam Liddicott
sam at liddicott.com
Sat Mar 26 08:57:24 MDT 2011
I have noticed that using the samba4 client on a Windows 2003 domain, if I
sneakily change the Samba machine account on the domain controller using:
    net user machine$ new-password /domain
then ldbsearch -U machine -P `mymachinepw` to the domain controller will
work (using the old password), but kinit will fail right away.
I mention it here because some of the same concepts seem to be involved
and it may help.
Sam
On 24/03/11 16:52, Dave Daugherty wrote:
> We too are currently investigating perhaps the same issue.
>
> So far our theory is that ads_keytab_verify_ticket does not always find previous kvno password hashes.
>
> Did you try flushing the Kerberos tickets on the client side to see if it clears up the problem? If it's a Windows client you can use
> Klist.exe or kerbtray.exe, or log out and log back on. If it's a Unix client, use kdestroy to flush tickets.
>
> You can dump your keytab file using klist -kte to see what password hashes currently exist.
>
> Regards
>
> Dave Daugherty
> Centrify
>
>
>
>
> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of jinyunshuai
> Sent: Wednesday, March 23, 2011 11:40 PM
> To: abartlet at samba.org; samba-technical at samba.org
> Subject: Samba refusing connection after machine account password change
>
> Hi all,
>
> Description:
> Samba share is refusing a connection after the machine password has been changed.
>
> log.smbd:
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
> ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
> [2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_verify_ticket(477)
> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
> [2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
> ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
> [2011/03/23 17:41:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2011/03/23 17:41:18, 3] smbd/error.c:error_packet_set(61)
> error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
> I have already set the following options:
> use kerberos keytab = Yes
>
> Can somebody tell me how to make Samba work well after a machine account password change?
>
> Thanks in advance.
>
>
>
--
[FSF Associate Member #2325]
<http://www.fsf.org/register_form?referrer=2325>
<http://www.openrightsgroup.org/>
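
An added example, not part of the original thread or of Samba: a small Python parser that groups the ads_keytab_verify_ticket failures from a log.smbd excerpt like the one quoted above by principal and error, so entries that failed for a reason other than a name mismatch stand out. The sample lines are constructed from the quoted log, the function names are hypothetical, and treating a non-mismatch error as "the principal name matched the ticket" is an assumption to confirm against klist -kte output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the log.smbd excerpt quoted in the thread.
# Principal names are copied from it; the list archive rewrote some "@" as " at ".
SAMPLE_LOG = """\
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
> ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
"""

# One failure line per keytab entry tried: "(principal) failed: reason"
FAIL_RE = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\((?P<princ>.+?)\) failed: (?P<err>.+?)\s*$"
)
NAME_MISMATCH = "Wrong principal in request"

def summarize(log_text):
    """Return {principal: Counter({error: count})} for per-entry failures."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)  # search() tolerates a leading "> " quote mark
        if m:
            # Undo the archive's address obfuscation so both spellings group together.
            princ = m.group("princ").replace(" at ", "@")
            summary[princ][m.group("err")] += 1
    return summary

def name_matched(summary):
    """Principals with at least one failure that is not a name mismatch.
    Assumption: these are the entries whose name matched the ticket, so their
    stored keys (kvno, encryption type) are what to compare with klist -kte."""
    return sorted(p for p, errs in summary.items() if set(errs) - {NAME_MISMATCH})

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for princ, errs in sorted(result.items()):
        print(princ, dict(errs))
    print("check keytab keys for:", name_matched(result))
```
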