[Samba] 3.0.0-beta3-rc1 ADS ticket problems

Tom Dickson tdickson at inostor.com
Thu Jul 24 22:01:02 GMT 2003


I've got samba-3.0.0-beta3-rc1 running, and am trying to connect to a
Windows 2000 domain using security = ADS.

After following the instructions in the Samba-HOWTO-Collection, I've got
kinit working, and am able to browse the Windows 2000 machine's shares with
smbclient //win2kmixed/c\$ -k without a password.

However, if I try to connect to the machine, either through network
neighborhood or with (on w2k net use * \\server\share), it fails (asks for
username/password).

The HOWTO says to run klist tickets, which shows no tickets. It doesn't say
what to do if that happens.

The log files for the machine trying to connect say:

[2003/07/24 14:58:09, 1] libads/kerberos_verify.c:ads_verify_ticket(69)
  failed to fetch machine password
[2003/07/24 14:58:09, 1] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Failed to verify incoming ticket!

smb.conf has:

# Global parameters
[global]
        workgroup = MIXEDDOMAIN
        realm = MIXEDDOMAIN.LOCAL
        netbios name = MP3BOX2
        server string = Big Bad Music
        security = ADS
        password server = win2kmixed
        log file = /var/log/samba/log.%m
        max smbd processes = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        enhanced browsing = No
        idmap uid = 10000-12000
        idmap gid = 10000-12000
        template homedir = /dev/null
        template shell = /sbin/nologin
        winbind separator = +
        create mask = 0700
        directory mask = 0700
        directory security mask = 0700
        max connections = 1000
        map archive = No
        follow symlinks = No

[share1]
        comment = share1
        path = /mnt/floppy/share1
        write list = MIXEDDOMAIN+Administrator
        read only = No
        inherit permissions = Yes
        inherit acls = Yes
        map acl inherit = Yes

klist tickets returns:

klist: No credentials cache found (ticket cache FILE:tickets)

klist returns:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@MIXEDDOMAIN.LOCAL

Valid starting     Expires            Service principal
07/24/03 14:18:34  07/25/03 00:18:34  krbtgt/MIXEDDOMAIN.LOCAL@MIXEDDOMAIN.LOCAL
07/24/03 14:54:22  07/25/03 00:18:34  mp3box2$@MIXEDDOMAIN.LOCAL

Even trying to connect from the Linux machine fails with

[root@mp3box pty/s0] smbclient //mp3box2/share1 -k
session setup failed: NT_STATUS_LOGON_FAILURE

Any help would be appreciated; the documentation here is not quite clear.

-Tom



