[Samba] Windows 2000 and krb5 tickets.

Tom Dickson tdickson at inostor.com
Thu Dec 11 23:33:17 GMT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Page 76 of the Samba HOWTO has some options, but says they deal with
Heimdal before 0.6. I tried then anyway, and it still didn't work. I
also found that the reverse DNS wasn't working, but fixing that didn't help.

Anything else worth trying?

- -Tom

Gerald (Jerry) Carter wrote:

| Tom Dickson wrote:
| | OK. I've done some more research, and here's what I get.
| |
| | smbd --version
| | Version 3.0.0
| |
| | strings libkrb5.so.3.2 | grep BRAND
| | KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
| |
| | Everything seems to work, but trying to access the Samba server
| results in:
| |
| | [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
| | ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
| | integrity check failed
| | [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
| | ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
| | [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
| | ~  Failed to verify incoming ticket!
| | [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
| | ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
| | NT_STATUS_LOGON_FAILURE
| |
| | This is the same error you get if you're running the wrong KRB5 libs,
| | but I've the right ones. The windows 2000 machine is 5.00.2195
| |
| | Windows 2000 clients connect to the ADS server fine, and will connect to
| | the Samba server if you enter Username/Password. The 2000 server cannot
| | connect to the Samba machine at all, even with the right username/pass.
| |
| | Is there a magic registry setting I'm missing? I've changed the
| | Administrator password at least once.
|
| do you have the right enc types enabled in krb5.conf ?
| See the Samba-HOWTO-COllection for details if you have already.
|
|
|
|
|
|
| jerry-who-is-answering-mail-while-waiting-on-a-compile-to-finish-.....

.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr2 (Windows 2000)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/2P682dxAfYNwANIRAv9OAJ0eDcv0XWjYKxrXfJI4dZIV22+UdQCgmmOK
cegWBJj4iaAE995YPYxilL4=
=5jIj
-----END PGP SIGNATURE-----

More information about the samba mailing list