[Samba] Debian Stable Samba 3.0.5 to 3.0.6 upgrade - broke my config?

Josh T mortonjt at rochester.rr.com
Mon Aug 30 14:44:24 GMT 2004


I upgraded Samba from 3.0.5 to 3.0.6 using apt & the Debian Stable 
binary packages on samba.org.  Samba server was a member server for a 
Windows 2000 AD domain.  Since then, I have been having problems 
connecting to it by name (\\TERABYTE) - ip address works fine, but by 
name I'm prompted for a username/password and nothing works.  I'm 
guessing this is a Kerberos problem, and either the upgrade broke 
something with it or possibly exposed a flaw in my configuration?

On the Samba server:
kinit user@MYDOMAIN.local --works
smbclient -k //dc1/c$ -- works, where DC1 is a Windows 2000 Server 
Domain Controller
smbclient -k //workstation/c$ -- works, where workstation are either XP 
SP2 Pro or 2000 SP4, or seems any Windows PC in the domain
smbclient -k //terabyte/disk1 -- fails with
	session setup failed: NT_STATUS_LOGON_FAILURE
smbclient -U user //terabyte/disk1 -- prompts for password & then works

As far as I can tell - wbinfo -t, net ads testjoin, getent passwd are 
giving the same expected results they always have.

Under Windows XP, using klist.exe (from Server 2003 Resource Kit), if 
"klist tickets" shows cached tickets for the Samba server, I can use 
"klist purge" and purge all tickets, then I am able to access the Samba 
server by name as normal with no prompts for a while, until XP decides 
to use Kerberos again - "klist tickets" will report no tickets for a 
while.  Under Windows 2000, using klist from the Server 2000 RK, this 
doesn't work - after "klist purge" I'm still prompted for the password 
and "klist tickets" shows two tickets:

    Server: krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 8/30/2004 20:24:18
       Renew Time: 9/6/2004 10:24:18

    Server: terabyte$@MYDOMAIN.LOCAL
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 8/30/2004 20:24:18
       Renew Time: 9/6/2004 10:24:18

I've been fiddling the krb5.conf file without any luck - Debian stable 
uses version "1.2.4-5woody5" for package "libkrb53."  There seem to be 
encryption related error messages in the samba logs - such as this from 
a Windows 2000 client failing to connect:

[2004/08/30 10:30:20, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Program lacks support for encryption type
[2004/08/30 10:30:20, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
   ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/08/30 10:30:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
   Failed to verify incoming ticket!
[2004/08/30 10:30:20, 3] smbd/error.c:error_packet(105)
   error string = No such file or directory
[2004/08/30 10:30:20, 3] smbd/error.c:error_packet(129)
   error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

If anyone can provide some insight into what's going wrong, I'd greatly 
appreciate it.

Thanks,
Josh


### output of testparm ###
# Global parameters
[global]
         workgroup = MYDOMAIN
         realm = MYDOMAIN.LOCAL
         server string = %h server (Samba %v)
         security = ADS
         obey pam restrictions = Yes
         password server = DC1 DC2
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
         lanman auth = No
         ntlm auth = No
         client NTLMv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         log level = 3
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         dns proxy = No
         wins server = 192.168.100.8
         ldap ssl = no
         panic action = /usr/share/samba/panic-action %d
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template homedir = /home/%D
         winbind separator = +
         invalid users = root
         hosts allow = 192.168.100., 127.

[Disk1]
         comment = Data Storage Disk 1
         path = /mnt/disk1
         valid users = "@MYDOMAIN+Domain Admins"
         admin users = "@MYDOMAIN+Domain Admins"
         read only = No

### /etc/krb5.conf ###
[libdefaults]
         default_realm = MYDOMAIN.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
         default_tgs_enctypes = rc4-hmac des-cbc-md5
         default_tkt_enctypes = rc4-hmac des-cbc-md5
         permitted_enctypes = rc4-hmac des-cbc-md5

         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
         v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         rcmd = host
                         ftp = ftp
                 }
                 plain = {
                         something = something-else
                 }
         }

[realms]
MYDOMAIN.LOCAL = {
         kdc = DC1.MYDOMAIN.LOCAL:88
         kdc = DC2.MYDOMAIN.LOCAL:88
         admin_server = DC1.MYDOMAIN.LOCAL
}

[domain_realm]

[login]
         krb4_convert = true
         krb4_get_tickets = true


### log.192.168.100.14 of me using smbclient -k on the Samba server to connect to itself ###
[2004/08/30 09:41:58, 3] smbd/oplock.c:init_oplocks(1302)
   open_oplock_ipc: opening loopback UDP socket.
[2004/08/30 09:41:58, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
   Linux kernel oplocks enabled
[2004/08/30 09:41:58, 3] smbd/oplock.c:init_oplocks(1333)
   open_oplock ipc: pid = 22178, global_oplock_port = 36676
[2004/08/30 09:41:58, 3] lib/access.c:check_access(313)
   check_access: no hostnames in host allow/deny list.
[2004/08/30 09:41:58, 2] lib/access.c:check_access(324)
   Allowed connection from  (167.120.214.14)
[2004/08/30 09:41:58, 3] smbd/process.c:process_smb(1092)
   Transaction 0 of length 183
[2004/08/30 09:41:58, 3] smbd/process.c:switch_message(887)
   switch message SMBnegprot (pid 22178) conn 0x0
[2004/08/30 09:41:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [PC NETWORK PROGRAM 1.0]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [MICROSOFT NETWORKS 1.03]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [MICROSOFT NETWORKS 3.0]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [LANMAN1.0]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [LM1.2X002]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [DOS LANMAN2.1]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(457)
   Requested protocol [Samba]
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_nt1(329)
   using SPNEGO
[2004/08/30 09:41:58, 3] smbd/negprot.c:reply_negprot(545)
   Selected protocol NT LANMAN 1.0
[2004/08/30 09:41:58, 3] smbd/process.c:process_smb(1092)
   Transaction 1 of length 1276
[2004/08/30 09:41:58, 3] smbd/process.c:switch_message(887)
   switch message SMBsesssetupX (pid 22178) conn 0x0
[2004/08/30 09:41:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/30 09:41:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
   wct=12 flg2=0xc801
[2004/08/30 09:41:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
   Doing spnego session setup
[2004/08/30 09:41:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2004/08/30 09:41:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
   Got OID 1 2 840 48018 1 2 2
[2004/08/30 09:41:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
   Got OID 1 3 6 1 4 1 311 2 2 10
[2004/08/30 09:41:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
   Got secblob of size 1136
[2004/08/30 09:41:58, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/08/30 09:41:58, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
   ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/08/30 09:41:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
   Failed to verify incoming ticket!
[2004/08/30 09:41:58, 3] smbd/error.c:error_packet(105)
   error string = No such file or directory
[2004/08/30 09:41:58, 3] smbd/error.c:error_packet(129)
   error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/08/30 09:41:58, 3] smbd/process.c:timeout_processing(1332)
   timeout_processing: End of file from client (client has disconnected).
[2004/08/30 09:41:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/30 09:41:58, 2] smbd/server.c:exit_server(571)
   Closing connections
[2004/08/30 09:41:58, 3] smbd/connection.c:yield_connection(69)
   Yielding connection to
[2004/08/30 09:41:58, 3] smbd/connection.c:yield_connection(76)
   yield_connection: tdb_delete for name  failed with error Record does not exist.
[2004/08/30 09:41:58, 3] smbd/server.c:exit_server(614)
   Server exit (normal exit)
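
Added example, not part of the original post: a small Python parser for smbd debug logs in the format shown above (including records a mail client has wrapped) that tallies ads_secrets_verify_ticket decrypt failures by Kerberos encryption type and error text. The enctype names follow the IANA/RFC 3961 numbering; the function names and the SAMPLE text, constructed in the format of the excerpts above, are assumptions of this example.

```python
import re
from collections import Counter

# Kerberos enctype numbers as assigned by IANA (RFC 3961 and successors).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]\s*(.*)$")
DECRYPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

def records(text):
    """Yield (timestamp, level, source, message) for each log record.
    Lines up to the next "[date, level]" header are joined into one record."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield cur[0], cur[1], cur[2], " ".join(cur[3])
            cur = [m.group(1), int(m.group(2)), m.group(3).strip(), []]
        elif cur and line.strip():
            if not cur[2]:   # header wrapped before file:function(line)
                cur[2] = line.strip()
            else:
                cur[3].append(line.strip())
    if cur:
        yield cur[0], cur[1], cur[2], " ".join(cur[3])

def kerberos_failures(text):
    """Count failed ticket decryptions per (enctype name, error text)."""
    hits = Counter()
    for _ts, _level, _src, msg in records(text):
        m = DECRYPT.search(msg)
        if m:
            n = int(m.group(1))
            hits[(ENCTYPES.get(n, f"enctype-{n}"), m.group(2))] += 1
    return hits

# Constructed sample in the format of the excerpts above (first record wrapped).
SAMPLE = """\
[2004/08/30 10:30:20, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Program lacks support for encryption type
[2004/08/30 10:30:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
   Failed to verify incoming ticket!
[2004/08/30 09:41:58, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""
```

Calling kerberos_failures() on the contents of a /var/log/samba/log.%m file returns a Counter keyed by (enctype name, error text), which separates "library lacks this enctype" from "key did not decrypt the ticket" at a glance.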


