[Samba] My Samba 3.0beta1 stopped working as ADS member

Andrew Bartlett abartlet at samba.org
Wed Jun 18 10:07:32 GMT 2003


On Wed, 2003-06-18 at 16:44, Patrik Gustavsson PS Sweden Senior
Technical Consultant wrote:
> 
> I had a working Samba 3.0beta1 as ADS member of a W2003 server.
> My w2000 client could log in to the W2003 server and use services on
> Samba (home directory).
> 
> Winbind is working.
> 
> So I tried to re-do all my work again.
> 
> And suddenly the w2k can use any services on Samba anymore.
> 
> The output from the logfile tells me it's kerberos problem:
> [2003/06/18 08:35:03, 3] libads/kerberos_verify.c:(126)
>   krb5_rd_req with auth failed (Bad encryption type)
> [2003/06/18 08:35:03, 1] smbd/sesssetup.c:(175)
>   Failed to verify incoming ticket!
> [2003/06/18 08:35:03, 3] smbd/error.c:(94)
>   error string = No such file or directory
> 
> Winbind/wbinfo works as it should.
> 
> I know what problem it is, but not WHY and not HOW to fix it ?

The user you are using has not had their password changed since Win2k
installation/AD upgrade.   This means that they only have their 'type
23' encryption type - the type that is based on the NT4 password.

If you change the password, it should work.  The proper solution is to
compile with MIT Krb5 1.3, or a recent Heimdal kerberos.  These versions
support the new encryption type, and should allow it to work out of the
box.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030618/9c84e1f5/attachment.bin


More information about the samba mailing list