[Samba] Windows 2000 and krb5 tickets.

Mark Hudson m.c.hudson at open.ac.uk
Fri Dec 12 07:20:50 GMT 2003


I'm also getting the exact same problem.

The samba machine can be added into the w2k-controlled ads fine.

But when my w2k clients connect to it, they prompt for a username and
password. If this is entered, things work fine. The w2k clients also
cannot browse the sharelist on the samba server until they have
connected to a share with a valid UID/password first.

I am seeing the same errors in samba's logs.

The samba server is a stock Red Hat Enterprise Linux 3 ES machine.


----- Original Message ----- 
From: "Tim Jordan" <timothy_jordan at labor.state.ak.us>
To: "Tom Dickson" <tdickson at inostor.com>; <samba at samba.org>
Sent: Thursday, December 11, 2003 11:26 PM
Subject: Re: [Samba] Windows 2000 and krb5 tickets.


> I'm getting same error about encryption ...
>
> I have taken Tom's lead and have provided the output below.  Is there
a
> certain version of krb5 that we should be running?
>
>
> root at ANC-MDK-SMB3 tim]# smbd3 --version
> Version 3.0.1pre3
>
> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> KRB5_BRAND: krb5-1-3-final 1.3 20030708
>
> I'm running Mandrake 9.2
>
> Thank You Samba Team!
> Tim
>
> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > OK. I've done some more research, and here's what I get.
> >
> > smbd --version
> > Version 3.0.0
> >
> > strings libkrb5.so.3.2 | grep BRAND
> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> >
> > Everything seems to work, but trying to access the Samba server
results in:
> >
> > [2003/12/11 14:54:19, 3]
libads/kerberos_verify.c:ads_verify_ticket(308)
> > ~  ads_verify_ticket: enc type [23] failed to decrypt with error
Decrypt
> > integrity check failed
> > [2003/12/11 14:54:19, 3]
libads/kerberos_verify.c:ads_verify_ticket(316)
> > ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption
type)
> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > ~  Failed to verify incoming ticket!
> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
> > NT_STATUS_LOGON_FAILURE
> >
> > This is the same error you get if you're running the wrong KRB5
libs,
> > but I've the right ones. The windows 2000 machine is 5.00.2195
> >
> > Windows 2000 clients connect to the ADS server fine, and will
connect to
> > the Samba server if you enter Username/Password. The 2000 server
cannot
> > connect to the Samba machine at all, even with the right
username/pass.
> >
> > Is there a magic registry setting I'm missing? I've changed the
> > Administrator password at least once.
> >
> > - -Tom
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
> > F9F+8BTOPIyoybZBYIlCouU=
> > =94FA
> > -----END PGP SIGNATURE-----
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>



More information about the samba mailing list