[Samba] My Samba 3.0beta1 stopped working as ADS member

Andrew Bartlett abartlet at samba.org
Wed Jun 18 10:07:32 GMT 2003

On Wed, 2003-06-18 at 16:44, Patrik Gustavsson PS Sweden Senior
Technical Consultant wrote:
> I had a working Samba 3.0beta1 as ADS member of a W2003 server.
> My w2000 client could log in to the W2003 server and use services on
> Samba (home directory).
> Winbind is working.
> So I tried to re-do all my work again.
> And suddenly the w2k can use any services on Samba anymore.
> The output from the logfile tells me it's kerberos problem:
> [2003/06/18 08:35:03, 3] libads/kerberos_verify.c:(126)
>   krb5_rd_req with auth failed (Bad encryption type)
> [2003/06/18 08:35:03, 1] smbd/sesssetup.c:(175)
>   Failed to verify incoming ticket!
> [2003/06/18 08:35:03, 3] smbd/error.c:(94)
>   error string = No such file or directory
> Winbind/wbinfo works as it should.
> I know what problem it is, but not WHY and not HOW to fix it ?

The user you are using has not had their password changed since Win2k
installation/AD upgrade.   This means that they only have their 'type
23' encryption type - the type that is based on the NT4 password.

If you change the password, it should work.  The proper solution is to
compile with MIT Krb5 1.3, or a recent Heimdal kerberos.  These versions
support the new encryption type, and should allow it to work out of the

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030618/9c84e1f5/attachment.bin

More information about the samba mailing list