[Samba] Kerberos verfy ticket failed

[Raphael RIGNIER]

Hi again!
After many many many tries I decided to restart with a frech AD
Installation.

And now it works well!

I think this was due to a corrupted KDC database.
I think because of multiple bad uses of ktpass.exe (I needed this with
nis_ldap).

If you now some other solution to correct win2003 AD KDC without
reinstalling AD, please, let me know!



Le mer 11/08/2004 Ã  09:36, Christoph
Scheedersamba at lists.samba.orgsamba@lists.samba.org a écrit :
> Hi,
> what's in your krb.conf?
> AFAIR it should be realy minimalistic. (in fact mine doesn't even exist,
> but i'm using a win2k server, not win2k3)
> espacialy there shouldn't be settings for default encryption types.
> Some persons reported these to produce problems.
> And you definitly need a kerberos-version >=1.3.3 if you use 
> MIT-kerberos to get it working.
> Hope it helps.
> Christoph
> 
> Raphael RIGNIER schrieb:
> 
> > Hello list.
> > 
> > I've got a problem using samba-3.0.4 (RedHat AS 3.0)
> > the server is member of a Win2003 Active directory domain
> > All stuff about krb5 seems to work correctly
> > 
> > kinit user at REALM
> > klist
> > etc...
> > 
> > net ads join -U administrator has worked well too
> > 
> > But when any Windows client member of the domain try to connect to the
> > server it asks me for a user/pass.
> > 
> > here is the log.
> > 
> > [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
> >   wct=12 flg2=0xc807
> > [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
> >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> > all old resources.
> > [2004/08/10 18:56:42, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
> >   Doing spnego session setup
> > [2004/08/10 18:56:42, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
> >   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> > PrimaryDomain=[]
> > [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> >   Got OID 1 2 840 48018 1 2 2
> > [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> >   Got OID 1 2 840 113554 1 2 2
> > [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> >   Got OID 1 3 6 1 4 1 311 2 2 10
> > [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
> >   Got secblob of size 1191
> > [2004/08/10 18:56:42, 3] libads/kerberos_verify.c:ads_verify_ticket(185)
> >   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> > integrity check failed
> > [2004/08/10 18:56:43, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
> >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
> >   Failed to verify incoming ticket!
> > [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
> >   error string = Aucun fichier ou répertoire de ce type
> > [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
> >   error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
> > NT_STATUS_LOGON_FAILURE
> > [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
> >   timeout_processing: End of file from client (client has disconnected).
> > [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
> >   Closing connections
> > [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
> >   Yielding connection to 
> > [2004/08/10 18:56:44, 3] smbd/connection.c:yield_connection(76)
> >   yield_connection: tdb_delete for name  failed with error Record does
> > not exist.
> > [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
> >   Server exit (normal exit)
> > 
> > I'm not sure it's due to Win2k3 server because enc type [3] is
> > des-cbc-md5.
> > 
> > I definitiveley Don't know what's wrong!
> > 
> > I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
> > without success.
> > 
> > Any help would be appretciated.
> >