[Samba] Samba 3.0.2 ADS Member - Failed to verify incoming ticket!
TBrown at neurology.ahsc.arizona.edu
TBrown at neurology.ahsc.arizona.edu
Fri Feb 13 17:20:59 GMT 2004
I am having similar issues:
I'm using Heimdal Kerberos (heimdal-0.6-67) and Windows 2000 Advanced
Server. I've spent a bit of time working on the krb5.conf file to determine
encryption settings that essentially work. I can only get the Samba 3.0.2
server talking to the Windows 2000 ADS when the default_etypes are set to:
des-cbc-crc. If I omit default etype settings, they fail to talk.
Basically I can join the ADS domain without trouble:
% s-gowers:/usr/local/samba/bin # ./net ads join
% [2004/02/09 12:54:31, 0] libads/ldap.c:ads_add_machine_acct(1006)
% Host account for s-gowers already exists - modifying old account
% Using short domain name -- NEUROLOGY
% Joined 'S-GOWERS' to realm 'NEUROLOGY.AHSC.ARIZONA.EDU'
And from here I can surf my shares on the windows 2000 server using the
smbclient //server/share -k command. Likewise, I can list the shares
available using the smbclient -k -L server. Also, I can send messages using
the smbclient -k -M host without a glitch.
But when I attempt to connect to the Samba 3.0.2 server via \\NetBIOS name
from windows, I get a usernam/password dialogue box and a bunch of entries
in the smb.log saying that:
% [2004/02/09 12:52:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
% Failed to verify incoming ticket!
I cannot access these shares using the IP address instead of the NetBIOS
name either. I've been working on this for a couple days now and really
can't figure it out. I've used versions 3.0.0, 3.0.1, and now 3.0.2 with
identical results with all three. I've tried this with and without a keytab
file generated using Windows 2000 Server (ktpass).
I compiled the source using: --enable-cups --with-ads --with-winbind
Here's my krb5.conf:
===============
[libdefaults]
default_realm = NEUROLOGY.AHSC.ARIZONA.EDU
ticket_lifetime = 2400
clockskew = 300
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
default_keytab_name = 'FILE:/etc/krb5.keytab'
forwardable = true
dns_lookup_realm = false
kdc_timesync = true
scan_interfaces = true
[realms]
NEUROLOGY.AHSC.ARIZONA.EDU = {
kdc = jackson.neurology.ahsc.arizona.edu
admin_server = jackson.neurology.ahsc.arizona.edu
kpasswd_server = jackson.neurology.ahsc.arizona.edu
default_domain = neurology.ahsc.arizona.edu
}
[domain_realm]
.neurology.ahsc.arizona.edu = NEUROLOGY.AHSC.ARIZONA.EDU
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
Tracy Steven Brown
University of Arizona
Dept. Neurology
(520) 626-4660
"Alexander
Wenzel"
<Hondansx at gmx.de> To
Sent by: samba at lists.samba.org
samba-bounces+tsb cc
=u.arizona.edu at li
sts.samba.org Subject
[Samba] Samba 3.0.2 ADS Member -
Failed to verify incoming ticket!
02/13/2004 05:47
AM
I use Samba 3.0.2rc2 on Suse 9.0 (heimdal 0.6-68) as a Domainmember for
File
-and Printservices (about 100 Users).
The Linuxbox ist added to the ADS, the User are mapped through winbindd.
Everything works..
The I upgraded to Samba 3.0.2 and if I start the daemon, after a while
follow Error occured if a Domainclient
will connect to the Sambabox:
[2004/02/13 13:33:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2004/02/13 13:35:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
A new recompile didn't help!!?
If the Client will connect through the IpAdress then it works...What
happend
???
Any Help or Suggestions....
--
GMX ProMail (250 MB Mailbox, 50 FreeSMS, Virenschutz, 2,99 EUR/Monat...)
jetzt 3 Monate GRATIS + 3x DER SPIEGEL +++ http://www.gmx.net/derspiegel
+++
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list