[Samba] another "Failed to verify incoming ticket"
pgs at synerway.com
Mon Apr 5 09:01:38 GMT 2004
Hello everyone,
I'm sorry for this long post, but I think there is a real understanding
problem for many people on ADS domain membership.
I'm not the first to post about this type of problem, however I didn't find
an answer to it in the archives and I followed the HOWTO-collection.
Well, this is what I'm doing:
I am using samba-3.0.1 compiled from source,
MIT kerberos 1.3.1 compiled from source
openldap 2.1.25 compiled from source
on a non-standard linux distribution.
I have:
a win2k DC that controls a test domain, my Linux domain member with samba and
kerberos and a WinXP workstation.
I made my configurations as follows:
smb.conf:
[global]
netbios name = linuxbox
workgroup = test
realm = TEST.COM
security = ads
encrypt passwords = yes
obey pam restrictions = yes
idmap uid = 10000-10813
idmap gid = 10000-10813
winbind separator = -
winbind enum users = yes
winbind enum groups = yes
template homedir = /share/%U
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 3
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.COM
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TEST.COM = {
kdc = ntserver.test.com
admin_server = ntserver.test.com
default_domain = test.com
}
[domain_realm]
test.com = TEST.COM
.test.com = TEST.COM
I also tried with enctypes rc4-hmac, the results were the same.
I ran successively:
$ nmbd -D
$ smbd -D
$ kinit administrator at TEST.COM
$ net ads join -U administrator
$ winbindd
All this works fine, I can see my ADS users, and klist gives me:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at TEST.COM
Valid starting Expires Service principal
04/02/04 13:47:34 04/02/04 23:47:40 krbtgt/TEST.COM at TEST.COM
renew until 04/03/04 13:47:34
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Then I run on my Linux box:
$ smbclient -k //linuxbox/pascal -U pascal
and get a
tree connect failed: NT_STATUS_ACCESS_DENIED
If I run klist after this command I get the following:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at TEST.COM
Valid starting Expires Service principal
04/02/04 13:47:34 04/02/04 23:47:40 krbtgt/TEST.COM at TEST.COM
renew until 04/03/04 13:47:34
04/02/04 13:50:52 04/02/04 23:47:40 linuxbox$@TEST.COM
renew until 04/03/04 13:47:34
Kerberos 4 ticket cache: /tmp/tkt0
...
/var/log/samba/log.linuxbox is empty but I get the following lines in
/var/log/samba/log.172.16.1.58:
[2004/04/02 14:57:24, 3] smbd/oplock.c:init_oplocks(1226)
open_oplock_ipc: opening loopback UDP socket.
[2004/04/02 14:57:24, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
Linux kernel oplocks enabled
[2004/04/02 14:57:24, 3] smbd/oplock.c:init_oplocks(1257)
open_oplock ipc: pid = 31339, global_oplock_port = 33200
[2004/04/02 14:57:24, 3] smbd/process.c:process_smb(890)
Transaction 0 of length 183
[2004/04/02 14:57:24, 3] smbd/process.c:switch_message(685)
switch message SMBnegprot (pid 31339)
[2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [MICROSOFT NETWORKS 1.03]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [MICROSOFT NETWORKS 3.0]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [LANMAN1.0]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [LM1.2X002]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [DOS LANMAN2.1]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [Samba]
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_nt1(329)
using SPNEGO
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(532)
Selected protocol NT LANMAN 1.0
[2004/04/02 14:57:24, 3] smbd/process.c:process_smb(890)
Transaction 1 of length 1488
[2004/04/02 14:57:24, 3] smbd/process.c:switch_message(685)
switch message SMBsesssetupX (pid 31339)
[2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(591)
wct=12 flg2=0xc801
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(471)
Doing spnego session setup
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(502)
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
Got OID 1 2 840 48018 1 2 2
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
Got OID 1 3 6 1 4 1 311 2 2 10
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
Got secblob of size 1348
[2004/04/02 14:57:24, 3] libads/kerberos_verify.c:setup_keytab(147)
unable to create MEMORY: keytab (Unknown Key table type)
[2004/04/02 14:57:24, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
ads_verify_ticket: unable to setup keytab
[2004/04/02 14:57:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(94)
error string = No such file or directory
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/04/02 14:57:24, 3] smbd/process.c:process_smb(890)
Transaction 2 of length 92
[2004/04/02 14:57:24, 3] smbd/process.c:switch_message(685)
switch message SMBtconX (pid 31339)
[2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/02 14:57:24, 1] smbd/service.c:make_connection(792)
make_connection: refusing to connect with no session setup
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2004/04/02 14:57:24, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
[2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/02 14:57:24, 2] smbd/server.c:exit_server(558)
Closing connections
[2004/04/02 14:57:24, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/04/02 14:57:24, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.
[2004/04/02 14:57:24, 3] smbd/server.c:exit_server(601)
Server exit (normal exit)
I turned off client use spnego and I got this log:
...
[2004/04/02 15:08:03, 2] auth/auth.c:check_ntlm_password(312)
Selected protocol NT Lanman 1.0
...
[2004/04/02 15:08:03, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [pascal] -> [pascal] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/04/02 15:08:03, 2] auth/auth.c:check_ntlm_password(312)
Error string = NO such file or directory
...
[2004/04/02 15:08:03, 2] smbd/server.c:exit_server(558)
Closing connections
With the XP client, when connecting to the domain I don't see the linuxbox,
but the following lines appear in /var/log.172.16.1.42:
[2004/04/02 15:35:58, 3] smbd/oplock.c:init_oplocks(1226)
open_oplock_ipc: opening loopback UDP socket.
[2004/04/02 15:35:58, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
Linux kernel oplocks enabled
[2004/04/02 15:35:58, 3] smbd/oplock.c:init_oplocks(1257)
open_oplock ipc: pid = 2470, global_oplock_port = 33204
[2004/04/02 15:35:58, 3] smbd/process.c:process_smb(890)
Transaction 0 of length 72
[2004/04/02 15:35:58, 2] smbd/reply.c:reply_special(105)
netbios connect: name1=LINUXBOX name2=POSTE1
[2004/04/02 15:35:58, 2] smbd/reply.c:reply_special(112)
netbios connect: local=linuxbox remote=poste1, name type = 0
and sometimes no log at all.
Well I really don't know what goes wrong.
Did I forget some steps?
As I said, I followed the HOWTO-collection, so I wonder if there is not a lack
of explanations in it about this kind of problem, as many people seem
to be confronted with it.
Does anyone have any idea on my problem?
Is it normal that the selected protocol is NT LANMAN 1.0? I don't want any NT
compatibility.
Really, thank you
--
Thundax
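Added example, not part of the post above: a small Python parser for smbd log entries of the kind quoted in the message. It pairs each level-1 "Failed to verify incoming ticket!" line with the lower-level libads messages logged just before it (which name the actual cause, here the keytab setup failure) and with the NT_STATUS code returned to the client just after it. The sample log below is a constructed subset of the lines quoted in the post; the function names and the lookback window are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the smbd log lines quoted in the post.
SAMPLE_LOG = """\
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got secblob of size 1348
[2004/04/02 14:57:24, 3] libads/kerberos_verify.c:setup_keytab(147)
  unable to create MEMORY: keytab (Unknown Key table type)
[2004/04/02 14:57:24, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
  ads_verify_ticket: unable to setup keytab
[2004/04/02 14:57:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/04/02 14:57:24, 1] smbd/service.c:make_connection(792)
  make_connection: refusing to connect with no session setup
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

# An smbd log entry is a "[timestamp, level] file:function(line)" header
# followed by one or more message lines (indented in real logs).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<src>\S+)$"
)
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


@dataclass
class Entry:
    ts: str
    level: int
    src: str   # e.g. "libads/kerberos_verify.c:setup_keytab(147)"
    msg: str


def parse_smbd_log(text: str) -> List[Entry]:
    """Group header + message lines into Entry objects, in log order."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Entry(m["ts"], int(m["level"]), m["src"], "")
            entries.append(cur)
        elif cur is not None and line.strip():
            cur.msg = (cur.msg + " " + line.strip()).strip()
    return entries


def ticket_verify_failures(entries: List[Entry], lookback: int = 4) -> List[dict]:
    """For every 'Failed to verify incoming ticket!' entry, report the libads
    messages logged shortly before it (the real cause) and the first NT_STATUS
    code returned to the client shortly after it."""
    findings = []
    for i, e in enumerate(entries):
        if "Failed to verify incoming ticket" not in e.msg:
            continue
        causes = [p.msg for p in entries[max(0, i - lookback):i]
                  if p.src.startswith("libads/")]
        status = None
        for n in entries[i + 1:i + 1 + lookback]:
            sm = STATUS_RE.search(n.msg)
            if sm:
                status = sm.group(1)
                break
        findings.append({"ts": e.ts, "causes": causes, "status": status})
    return findings


if __name__ == "__main__":
    for f in ticket_verify_failures(parse_smbd_log(SAMPLE_LOG)):
        print(f["ts"], f["status"])
        for c in f["causes"]:
            print("  cause:", c)
```

Run over the quoted log this surfaces the keytab message as the cause behind the NT_STATUS_LOGON_FAILURE, which is the line to look at rather than the level-1 summary; the same structure works on any log.%m file written at log level 3 or higher.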