[Samba] Kerberos verfy ticket failed
Christoph Scheeder
christoph.scheeder at scheeder.de
Thu Aug 12 08:49:48 GMT 2004
Hi,
a few things:
1.) Update your kerberos-version. i had to use at least 1.3.3 (MIT).
With lower versions most seemed to work, but i couldn't connect from a
win2k-workstation to the samba-server using a domain-account.
2.) Reading the logs you give i would say there is something realy
messed up with your integration of the samba-server into your AD-Domain.
What is in your smb.conf, what where the exact steps you did to
integrate the samba server into the AD-Domain?
Christoph
Aaron Rosenblum schrieb:
> I am having this problem as well. In my case, "wbinfo -t" fails. My
> kerberos version is 1.3.1 (MIT) and my config file is very minimal:
>
> [libdefaults]
> ticket_lifetime = 600
> dns_fallback = no
> [realms]
> SUBDOMAIN.DOMAIN.EDU = {
> kdc = myserver1.subdomain.domain.edu.:88
> admin_server = myserver1.subdomain.domain.edu.
> }
>
> I see these messages in the smbd log:
>
> [2004/07/25 10:19:16, 0]
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
> reply_sesssetup_and_X(645)
> reply_sesssetup_and_X: Rejecting attempt at SPNEGO session setup
> when it was not negoitiated.
>
> [2004/07/29 16:33:54, 1]
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
> reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>
> [2004/07/29 17:03:09, 2]
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
> setup_new_vc_session(591)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2004/07/29 17:03:09, 1]
> /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:
> ads_verify_ticket(203)
> ads_verify_ticket: failed to fetch machine password
>
> On Aug 11, 2004, at 3:36 AM, Christoph Scheeder wrote:
>
>> Hi,
>> what's in your krb.conf?
>> AFAIR it should be realy minimalistic. (in fact mine doesn't even exist,
>> but i'm using a win2k server, not win2k3)
>> espacialy there shouldn't be settings for default encryption types.
>> Some persons reported these to produce problems.
>> And you definitly need a kerberos-version >=1.3.3 if you use
>> MIT-kerberos to get it working.
>> Hope it helps.
>> Christoph
>>
>> Raphael RIGNIER schrieb:
>>
>>> Hello list.
>>> I've got a problem using samba-3.0.4 (RedHat AS 3.0)
>>> the server is member of a Win2003 Active directory domain
>>> All stuff about krb5 seems to work correctly
>>> kinit user at REALM
>>> klist
>>> etc...
>>> net ads join -U administrator has worked well too
>>> But when any Windows client member of the domain try to connect to the
>>> server it asks me for a user/pass.
>>> here is the log.
>>> [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>>> wct=12 flg2=0xc807
>>> [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2004/08/10 18:56:42, 3]
>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>> Doing spnego session setup
>>> [2004/08/10 18:56:42, 3]
>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>> NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
>>> PrimaryDomain=[]
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>> Got OID 1 2 840 48018 1 2 2
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>> Got OID 1 2 840 113554 1 2 2
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>> Got OID 1 3 6 1 4 1 311 2 2 10
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>>> Got secblob of size 1191
>>> [2004/08/10 18:56:42, 3]
>>> libads/kerberos_verify.c:ads_verify_ticket(185)
>>> ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
>>> integrity check failed
>>> [2004/08/10 18:56:43, 3]
>>> libads/kerberos_verify.c:ads_verify_ticket(193)
>>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>> [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
>>> Failed to verify incoming ticket!
>>> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
>>> error string = Aucun fichier ou répertoire de ce type
>>> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
>>> error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
>>> NT_STATUS_LOGON_FAILURE
>>> [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
>>> timeout_processing: End of file from client (client has
>>> disconnected).
>>> [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
>>> Closing connections
>>> [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
>>> Yielding connection to [2004/08/10 18:56:44, 3]
>>> smbd/connection.c:yield_connection(76)
>>> yield_connection: tdb_delete for name failed with error Record does
>>> not exist.
>>> [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
>>> Server exit (normal exit)
>>> I'm not sure it's due to Win2k3 server because enc type [3] is
>>> des-cbc-md5.
>>> I definitiveley Don't know what's wrong!
>>> I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
>>> without success.
>>> Any help would be appretciated.
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: http://lists.samba.org/mailman/listinfo/samba
>
>
More information about the samba
mailing list