[Samba] Kerberos verify ticket failed

Christoph Scheeder christoph.scheeder at scheeder.de
Thu Aug 12 08:49:48 GMT 2004


Hi,
a few things:
1.) Update your kerberos-version. I had to use at least 1.3.3 (MIT).
With lower versions most seemed to work, but I couldn't connect from a
win2k-workstation to the samba-server using a domain-account.
2.) Reading the logs you give, I would say there is something really
messed up with your integration of the samba-server into your AD-Domain.

What is in your smb.conf, and what were the exact steps you did to
integrate the samba server into the AD-Domain?
Christoph


Aaron Rosenblum wrote:
> I am having this problem as well.  In my case, "wbinfo -t" fails.  My  
> kerberos version is 1.3.1 (MIT) and my config file is very minimal:
> 
> [libdefaults]
>     ticket_lifetime = 600
>     dns_fallback = no
> [realms]
>     SUBDOMAIN.DOMAIN.EDU = {
>         kdc = myserver1.subdomain.domain.edu.:88
>         admin_server = myserver1.subdomain.domain.edu.
>     }
> 
> I see these messages in the smbd log:
> 
> [2004/07/25 10:19:16, 0]  
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: 
> reply_sesssetup_and_X(645)
>   reply_sesssetup_and_X:  Rejecting attempt at SPNEGO session setup  
> when it was not negoitiated.
> 
> [2004/07/29 16:33:54, 1]  
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: 
> reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
> 
> [2004/07/29 17:03:09, 2]  
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: 
> setup_new_vc_session(591)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close  
> all old resources.
> [2004/07/29 17:03:09, 1]  
> /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c: 
> ads_verify_ticket(203)
>   ads_verify_ticket: failed to fetch machine password
> 
> On Aug 11, 2004, at 3:36 AM, Christoph Scheeder wrote:
> 
>> Hi,
>> what's in your krb.conf?
>> AFAIR it should be really minimalistic. (In fact mine doesn't even exist,
>> but I'm using a win2k server, not win2k3.)
>> Especially, there shouldn't be settings for default encryption types.
>> Some persons reported these to produce problems.
>> And you definitely need a kerberos-version >=1.3.3 if you use
>> MIT-kerberos to get it working.
>> Hope it helps.
>> Christoph
>>
>> Raphael RIGNIER wrote:
>>
>>> Hello list.
>>> I've got a problem using samba-3.0.4 (RedHat AS 3.0).
>>> The server is a member of a Win2003 Active Directory domain.
>>> All stuff about krb5 seems to work correctly:
>>> kinit user@REALM
>>> klist
>>> etc...
>>> net ads join -U administrator has worked well too.
>>> But when any Windows client member of the domain tries to connect to the
>>> server it asks me for a user/pass.
>>> Here is the log.
>>> [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>>>   wct=12 flg2=0xc807
>>> [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would  close
>>> all old resources.
>>> [2004/08/10 18:56:42, 3]
>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>>   Doing spnego session setup
>>> [2004/08/10 18:56:42, 3]
>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
>>> PrimaryDomain=[]
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>>   Got OID 1 2 840 48018 1 2 2
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>>   Got OID 1 2 840 113554 1 2 2
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>>   Got OID 1 3 6 1 4 1 311 2 2 10
>>> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>>>   Got secblob of size 1191
>>> [2004/08/10 18:56:42, 3]  
>>> libads/kerberos_verify.c:ads_verify_ticket(185)
>>>   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
>>> integrity check failed
>>> [2004/08/10 18:56:43, 3]  
>>> libads/kerberos_verify.c:ads_verify_ticket(193)
>>>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption  type)
>>> [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
>>>   Failed to verify incoming ticket!
>>> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
>>>   error string = Aucun fichier ou répertoire de ce type
>>> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
>>>   error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
>>> NT_STATUS_LOGON_FAILURE
>>> [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
>>>   timeout_processing: End of file from client (client has  
>>> disconnected).
>>> [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
>>>   Closing connections
>>> [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
>>>   Yielding connection to [2004/08/10 18:56:44, 3]  
>>> smbd/connection.c:yield_connection(76)
>>>   yield_connection: tdb_delete for name  failed with error Record does
>>> not exist.
>>> [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
>>>   Server exit (normal exit)
>>> I'm not sure it's due to Win2k3 server because enc type [3] is
>>> des-cbc-md5.
>>> I definitely don't know what's wrong!
>>> I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
>>> without success.
>>> Any help would be appreciated.
> 
> 
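An added example, not part of the original messages: a small triage script for the smbd log format quoted in this thread. It rejoins records that were wrapped across lines, lists the SPNEGO mechanisms the client offered, and separates the two Kerberos failures seen above (a ticket that fails to decrypt versus a missing machine account secret). The function names and finding labels are hypothetical, and the sample log is constructed from lines quoted in the thread.

```python
import re
# Constructed sample assembled from log lines quoted in this thread; one header is wrapped.
SAMPLE_LOG = """\
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/08/10 18:56:42, 3]
libads/kerberos_verify.c:ads_verify_ticket(185)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/07/29 17:03:09, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
  ads_verify_ticket: failed to fetch machine password
[2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
MECHS = {"1 2 840 48018 1 2 2": "Kerberos 5 (Microsoft OID)",
         "1 2 840 113554 1 2 2": "Kerberos 5",
         "1 3 6 1 4 1 311 2 2 10": "NTLMSSP"}
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def parse_records(text):
    """Rejoin wrapped lines into one record per '[timestamp, level]' header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)), "text": m.group(3).strip()})
        elif records and line.strip():
            records[-1]["text"] = (records[-1]["text"] + " " + " ".join(line.split())).strip()
    return records

def triage(text):
    """Return (mechanisms offered by the client, Kerberos verification findings)."""
    mechs, findings = [], []
    for rec in parse_records(text):
        t = rec["text"]
        if m := re.search(r"Got OID ([\d ]+)", t):
            mechs.append(MECHS.get(m.group(1).strip(), m.group(1).strip()))
        elif m := re.search(r"enc type \[(\d+)\] failed to decrypt", t):
            # Integrity failure: the server's key for this enctype is not the key the ticket was sealed with.
            findings.append(("key_mismatch", ENCTYPES.get(int(m.group(1)), m.group(1))))
        elif "failed to fetch machine password" in t:
            # smbd had no stored machine account secret to derive a key from.
            findings.append(("no_machine_secret", None))
        elif "Failed to verify incoming ticket" in t:
            findings.append(("ticket_rejected", None))
    return mechs, findings
```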


